From a2ad8fef136b31989bfcd2f40003f6113aebaf1d Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Mon, 1 Oct 2018 10:29:45 -0700
Subject: [PATCH] Make multi-container the default mode for runsc

And remove multicontainer option.

PiperOrigin-RevId: 215236981
Change-Id: I9fd1d963d987e421e63d5817f91a25c819ced6cb
---
 runsc/boot/config.go | 5 -----
 runsc/boot/fs.go | 16 ++++++++--------
 runsc/boot/loader.go | 2 --
 runsc/container/container.go | 4 ++--
 runsc/main.go | 2 --
 runsc/sandbox/network.go | 29 -----------------------------
 runsc/test/testutil/testutil.go | 13 ++++++------
 7 files changed, 16 insertions(+), 55 deletions(-)

diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index 01da535af..cd977c8a5 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -193,10 +193,6 @@ type Config struct {
 // disabled. Pardon the double negation, but default to enabled is important.
 DisableSeccomp bool
 
- // MultiContainer enables multiple containers support inside one sandbox.
- // TODO: Remove this when multiple container is fully supported.
- MultiContainer bool
-
 // SpecFile is the file containing the OCI spec.
 SpecFile string
 
@@ -224,7 +220,6 @@ func (c *Config) ToFlags() []string {
 "--debug-log-dir=" + c.DebugLogDir,
 "--file-access=" + c.FileAccess.String(),
 "--overlay=" + strconv.FormatBool(c.Overlay),
- "--multi-container=" + strconv.FormatBool(c.MultiContainer),
 "--network=" + c.Network.String(),
 "--log-packets=" + strconv.FormatBool(c.LogPackets),
 "--platform=" + c.Platform.String(),
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go
index 9e8fea7e1..42e011beb 100644
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@@ -85,14 +85,14 @@ func (f *fdDispenser) empty() bool {
 // and all mounts. 'rootCtx' is used to walk directories to find mount points.
 func createMountNamespace(userCtx context.Context, rootCtx context.Context, spec *specs.Spec, conf *Config, goferFDs []int) (*fs.MountNamespace, error) {
 mounts := compileMounts(spec)
- if conf.MultiContainer {
- // Create a tmpfs mount where we create and mount a root filesystem for
- // each child container.
- mounts = append(mounts, specs.Mount{
- Type: tmpfs,
- Destination: ChildContainersDir,
- })
- }
+
+ // Create a tmpfs mount where we create and mount a root filesystem for
+ // each child container.
+ mounts = append(mounts, specs.Mount{
+ Type: tmpfs,
+ Destination: ChildContainersDir,
+ })
+
 fds := &fdDispenser{fds: goferFDs}
 rootInode, err := createRootMount(rootCtx, spec, conf, fds, mounts)
 if err != nil {
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 1e2a12280..9fa9b51a0 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -579,8 +579,6 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
 return tgid, nil
 }
 
-// TODO: Per-container namespaces must be supported for -pid.
-
 // waitContainer waits for the root process of a container to exit.
 func (l *Loader) waitContainer(cid string, waitStatus *uint32) error {
 // Don't defer unlock, as doing so would make it impossible for
diff --git a/runsc/container/container.go b/runsc/container/container.go
index b39d6bf12..be833c03d 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
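Review bot: The tmpfs at `ChildContainersDir` is now appended for every sandbox directly after `compileMounts(spec)`, yet nothing rejects a spec mount whose destination is `ChildContainersDir` or a path beneath it; how `createRootMount` settles two mounts on the same destination is not visible here, but either the reserved directory ends up shadowed by user-controlled data or a user mount silently disappears under the sibling containers' root filesystems. A guard over `mounts` before the append makes the reservation explicit and fails the spec early instead; it relies on `fmt`, `strings` and `path/filepath`, which the hunk does not show imported. The new comment should also say the mount is unconditional now that single-container sandboxes carry it too, e.g. `// Always mounted, even when the sandbox will only ever hold one container.` `createMountNamespace` continues past the end of this hunk.

```go
	mounts := compileMounts(spec)

	// ChildContainersDir is reserved: every sandbox mounts a tmpfs there to hold
	// the root filesystems of child containers, so a spec mount at or below it
	// is rejected rather than layered with the reserved mount.
	for _, m := range mounts {
		dst := filepath.Clean(m.Destination)
		if dst == ChildContainersDir || strings.HasPrefix(dst, ChildContainersDir+"/") {
			return nil, fmt.Errorf("mount destination %q conflicts with reserved sandbox path %q", m.Destination, ChildContainersDir)
		}
	}
	// … unchanged: tmpfs mount for ChildContainersDir, fdDispenser, createRootMount …
```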
@@ -267,7 +267,7 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
 // started in an existing sandbox, we must do so. The metadata will
 // indicate the ID of the sandbox, which is the same as the ID of the
 // init container in the sandbox.
- if specutils.ShouldCreateSandbox(spec) || !conf.MultiContainer {
+ if specutils.ShouldCreateSandbox(spec) {
 log.Debugf("Creating new sandbox for container %q", id)
 ioFiles, err := c.createGoferProcess(spec, conf, bundleDir)
 if err != nil {
@@ -345,7 +345,7 @@ func (c *Container) Start(conf *boot.Config) error {
 }
 }
 
- if specutils.ShouldCreateSandbox(c.Spec) || !conf.MultiContainer {
+ if specutils.ShouldCreateSandbox(c.Spec) {
 if err := c.Sandbox.StartRoot(c.Spec, conf); err != nil {
 return err
 }
diff --git a/runsc/main.go b/runsc/main.go
index 624db5f40..2a18c4b9e 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -60,7 +60,6 @@ var (
 network = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
 fileAccess = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
 overlay = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
- multiContainer = flag.Bool("multi-container", false, "enable *experimental* multi-container support.")
 watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
 panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
 )
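Review bot: With `!conf.MultiContainer` gone, whether `Create` builds a sandbox rests solely on `specutils.ShouldCreateSandbox(spec)`, and the else branch (outside the hunk) joins the container to whichever sandbox the spec's metadata names, with no operator-level switch left to force one sandbox per container. The context comment describes the metadata lookup but not that it is now unconditional; I would extend it with `// There is no opt-out: any spec that does not ask for its own sandbox is joined to the sandbox its annotations name.` Since that ID is now taken from the spec on every run, it is worth confirming in the join path that it is validated as a well-formed container ID before being used to locate metadata on disk. `Create` starts before and continues past this hunk.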
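Review bot: `Start` re-evaluates `specutils.ShouldCreateSandbox(c.Spec)` rather than reusing the decision `Create` made on `spec`; if `c.Spec` can differ from what `Create` saw (it is presumably reloaded from saved state, which this hunk does not show), the two calls can disagree, so `StartRoot` would be skipped for a container that did create its own sandbox or invoked for one that joined another. Recording the outcome once in `Create`, e.g. a persisted `c.OwnsSandbox bool`, and branching on it here keeps the two paths consistent by construction. `Start` begins before and continues past this hunk.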
@@ -140,7 +139,6 @@ func main() {
 Platform: platformType,
 Strace: *strace,
 StraceLogSize: *straceLogSize,
- MultiContainer: *multiContainer,
 WatchdogAction: wa,
 PanicSignal: *panicSignal,
 }
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index 60cbbfcdb..86a52c6ae 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -57,35 +57,6 @@ const (
 func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Config) error {
 log.Infof("Setting up network")
 
- if !conf.MultiContainer {
- // HACK!
- //
- // When kubernetes starts a pod, it first creates a sandbox with an
- // application that just pauses forever. Later, when a container is
- // added to the pod, kubernetes will create another sandbox with a
- // config that corresponds to the containerized application, and add it
- // to the same namespaces as the pause sandbox.
- //
- // Running a second sandbox currently breaks because the two sandboxes
- // have the same network namespace and configuration, and try to create
- // a tap device on the same host device which fails.
- //
- // Runsc will eventually need to detect that this container is meant to
- // be run in the same sandbox as the pausing application, and somehow
- // make that happen.
- //
- // For now the following HACK disables networking for the "pause"
- // sandbox, allowing the second sandbox to start up successfully.
- //
- // TODO: Remove this once multiple containers per sandbox
- // is properly supported.
- if spec.Annotations[crioContainerTypeAnnotation] == "sandbox" ||
- spec.Annotations[containerdContainerTypeAnnotation] == "sandbox" {
- log.Warningf("HACK: Disabling network")
- conf.Network = boot.NetworkNone
- }
- }
-
 switch conf.Network {
 case boot.NetworkNone:
 log.Infof("Network is disabled, create loopback interface only")
diff --git a/runsc/test/testutil/testutil.go b/runsc/test/testutil/testutil.go
index 706db74a7..07d66e469 100644
--- a/runsc/test/testutil/testutil.go
+++ b/runsc/test/testutil/testutil.go
@@ -104,13 +104,12 @@ func FindFile(path string) (string, error) {
 // TestConfig return the default configuration to use in tests.
 func TestConfig() *boot.Config {
 return &boot.Config{
- Debug: true,
- LogFormat: "text",
- LogPackets: true,
- Network: boot.NetworkNone,
- Strace: true,
- MultiContainer: true,
- FileAccess: boot.FileAccessExclusive,
+ Debug: true,
+ LogFormat: "text",
+ LogPackets: true,
+ Network: boot.NetworkNone,
+ Strace: true,
+ FileAccess: boot.FileAccessExclusive,
 TestOnlyAllowRunAsCurrentUserWithoutChroot: true,
 }
 }