The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/crio-lxc/pull/14
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
- passes through namespace config as specified in https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc4/config-linux.md#namespaces
- adds a test for namespace sharing
- fixes tests to clean up created containers
From 71f195b3d423e1abf8b82d4357cfa1122511090d Mon Sep 17 00:00:00 2001
From: Michael McCracken <mikmc...@cisco.com>
Date: Wed, 1 May 2019 18:27:57 -0700
Subject: [PATCH 1/5] create: handle namespaces in spec
Signed-off-by: Michael McCracken <mikmc...@cisco.com>
---
cmd/create.go | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/cmd/create.go b/cmd/create.go
index 2d53b6c..c3edad9 100644
--- a/cmd/create.go
+++ b/cmd/create.go
@@ -9,6 +9,7 @@ import (
"os/exec"
"path"
"path/filepath"
+ "regexp"
"strings"
"time"
@@ -42,6 +43,17 @@ var createCmd = cli.Command{
},
}
+// maps from CRIO namespace names to LXC names
+var NamespaceMap = map[string]string{
+ "cgroup": "cgroup",
+ "ipc": "ipc",
+ "mount": "mnt",
+ "network": "net",
+ "pid": "pid",
+ "user": "user",
+ "uts": "uts",
+}
+
func ensureShell(rootfs string) {
shPath := filepath.Join(rootfs, "bin/sh")
if exists, _ := pathExists(shPath); exists {
@@ -202,6 +214,46 @@ func configureContainer(ctx *cli.Context, c
*lxc.Container, spec *specs.Spec) er
return errors.Wrap(err, "failed to set hook version")
}
+ procPidPathRE := regexp.MustCompile(`/proc/(\d+)/ns`)
+
+ var nsToClone []string
+ var configVal string
+ seenNamespaceTypes := map[specs.LinuxNamespaceType]bool{}
+ for _, ns := range spec.Linux.Namespaces {
+ if _, ok := seenNamespaceTypes[ns.Type]; ok == true {
+ return fmt.Errorf("duplicate namespace type %s",
ns.Type)
+ }
+ seenNamespaceTypes[ns.Type] = true
+ if ns.Path == "" {
+ nsToClone = append(nsToClone,
NamespaceMap[string(ns.Type)])
+ } else {
+ configKey := fmt.Sprintf("lxc.namespace.share.%s",
NamespaceMap[string(ns.Type)])
+
+ matches := procPidPathRE.FindStringSubmatch(ns.Path)
+ switch len(matches) {
+ case 0:
+ configVal = ns.Path
+ case 1:
+ return fmt.Errorf("error parsing namespace
path. expected /proc/(\\d+)/ns/*, got '%s'", ns.Path)
+ case 2:
+ configVal = matches[1]
+ default:
+ return fmt.Errorf("error parsing namespace
path. expected /proc/(\\d+)/ns/*, got '%s'", ns.Path)
+ }
+
+ if err := c.SetConfigItem(configKey, configVal); err !=
nil {
+ return errors.Wrapf(err, "failed to set
namespace config: '%s'='%s'", configKey, configVal)
+ }
+ }
+ }
+
+ if len(nsToClone) > 0 {
+ configVal = strings.Join(nsToClone, " ")
+ if err := c.SetConfigItem("lxc.namespace.clone", configVal);
err != nil {
+ return errors.Wrapf(err, "failed to set
lxc.namespace.clone=%s", configVal)
+ }
+ }
+
// capabilities?
// if !spec.Process.Terminal {
From 8fbba421bedf68439fdc0b72d38d2a6cd4335411 Mon Sep 17 00:00:00 2001
From: Michael McCracken <mikmc...@cisco.com>
Date: Thu, 2 May 2019 12:10:24 -0700
Subject: [PATCH 2/5] helpers: fix var reference in crictl func
want to substitute, not run CRICTLDEBUG
Signed-off-by: Michael McCracken <mikmc...@cisco.com>
---
test/helpers.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/helpers.bash b/test/helpers.bash
index 9b906db..1741ea1 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -54,7 +54,7 @@ function crictl {
# watch out for: https://github.com/kubernetes-sigs/cri-tools/issues/460
# If you need more debug output, set CRICTLDEBUG to -D
CRICTLDEBUG=""
- $(which crictl) $(CRICTLDEBUG) --runtime-endpoint "$TEMP_DIR/crio.sock" $@
+ $(which crictl) ${CRICTLDEBUG} --runtime-endpoint "$TEMP_DIR/crio.sock" $@
echo "$output"
}
From d7ed2812ea42801e86d999a6e9e13cfcece4a86c Mon Sep 17 00:00:00 2001
From: Michael McCracken <mikmc...@cisco.com>
Date: Thu, 2 May 2019 16:38:08 -0700
Subject: [PATCH 3/5] test: clean up created containers
Signed-off-by: Michael McCracken <mikmc...@cisco.com>
---
test/basic.bats | 2 ++
test/manual.bats | 2 ++
2 files changed, 4 insertions(+)
diff --git a/test/basic.bats b/test/basic.bats
index b9a8c6d..70e9317 100644
--- a/test/basic.bats
+++ b/test/basic.bats
@@ -15,4 +15,6 @@ function teardown() {
podid=$(crictl pods | grep nginx-sandbox | awk '{ print $1 }')
crictl create $podid test/basic-container-config.json
test/basic-pod-config.json
crictl ps -a | grep busybox
+ crictl stopp $podid
+ crictl rmp $podid
}
diff --git a/test/manual.bats b/test/manual.bats
index 7dc4ecf..ec8246c 100644
--- a/test/manual.bats
+++ b/test/manual.bats
@@ -14,4 +14,6 @@ function teardown() {
@test "manual invocation" {
crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" create
--bundle "$TEMP_DIR/dest" alpine
crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" start alpine
+ crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" kill alpine
+ crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" delete alpine
}
From c7d98002c17563dc55f8483a02b633b07f13dcee Mon Sep 17 00:00:00 2001
From: Michael McCracken <mikmc...@cisco.com>
Date: Thu, 2 May 2019 16:38:27 -0700
Subject: [PATCH 4/5] test: manual: replace shell with sleep so container stays
running
so we can test killing and deleting
Signed-off-by: Michael McCracken <mikmc...@cisco.com>
---
test/manual.bats | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/manual.bats b/test/manual.bats
index ec8246c..1ec28ed 100644
--- a/test/manual.bats
+++ b/test/manual.bats
@@ -5,6 +5,7 @@ function setup() {
skopeo --insecure-policy copy docker://alpine:latest
oci:$ROOT_DIR/test/oci-cache:alpine
umoci unpack --image "$ROOT_DIR/test/oci-cache:alpine" "$TEMP_DIR/dest"
sed -i -e "s?rootfs?$TEMP_DIR/dest/rootfs?" "$TEMP_DIR/dest/config.json"
+ sed -i -e "s?\"/bin/sh\"?\"/bin/sleep\",\n\"60\"?"
"$TEMP_DIR/dest/config.json"
}
function teardown() {
From ae8352f59b8980ad4e799c1e1f393db5835e8c23 Mon Sep 17 00:00:00 2001
From: Michael McCracken <mikmc...@cisco.com>
Date: Thu, 2 May 2019 18:52:03 -0700
Subject: [PATCH 5/5] test: check that container correctly shares a namespace
Signed-off-by: Michael McCracken <mikmc...@cisco.com>
---
test/manual.bats | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/test/manual.bats b/test/manual.bats
index 1ec28ed..265e1fb 100644
--- a/test/manual.bats
+++ b/test/manual.bats
@@ -5,7 +5,9 @@ function setup() {
skopeo --insecure-policy copy docker://alpine:latest
oci:$ROOT_DIR/test/oci-cache:alpine
umoci unpack --image "$ROOT_DIR/test/oci-cache:alpine" "$TEMP_DIR/dest"
sed -i -e "s?rootfs?$TEMP_DIR/dest/rootfs?" "$TEMP_DIR/dest/config.json"
- sed -i -e "s?\"/bin/sh\"?\"/bin/sleep\",\n\"60\"?"
"$TEMP_DIR/dest/config.json"
+ sed -i -e "s?\"/bin/sh\"?\"/bin/sleep\",\n\"10\"?"
"$TEMP_DIR/dest/config.json"
+ sed -i -e "s?\"type\": \"ipc\"?\"type\": \"ipc\",\n\"path\":
\"/proc/1/ns/ipc\"?" "$TEMP_DIR/dest/config.json"
+
}
function teardown() {
@@ -13,8 +15,12 @@ function teardown() {
}
@test "manual invocation" {
- crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" create
--bundle "$TEMP_DIR/dest" alpine
+ crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" create
--bundle "$TEMP_DIR/dest" --pid-file "$TEMP_DIR/pid" alpine
crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" start alpine
+ pid1ipcnsinode=$(stat -L -c%i /proc/1/ns/ipc)
+ mypid=$(<"$TEMP_DIR/pid")
+ mypidipcnsinode=$(stat -L -c%i "/proc/$mypid/ns/ipc")
+ [ $pid1ipcnsinode = $mypidipcnsinode ]
crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" kill alpine
crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" delete alpine
}
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
