Make multi-container the default mode for runsc
And remove the multi-container option. PiperOrigin-RevId: 215236981 Change-Id: I9fd1d963d987e421e63d5817f91a25c819ced6cb
parent
43e6aff50e
commit
a2ad8fef13
@ -193,10 +193,6 @@ type Config struct {
|
||||||
// disabled. Pardon the double negation, but default to enabled is important.
|
// disabled. Pardon the double negation, but default to enabled is important.
|
||||||
DisableSeccomp bool
|
DisableSeccomp bool
|
||||||
|
|
||||||
// MultiContainer enables multiple containers support inside one sandbox.
|
|
||||||
// TODO: Remove this when multiple container is fully supported.
|
|
||||||
MultiContainer bool
|
|
||||||
|
|
||||||
// SpecFile is the file containing the OCI spec.
|
// SpecFile is the file containing the OCI spec.
|
||||||
SpecFile string
|
SpecFile string
|
||||||
|
|
||||||
|
@ -224,7 +220,6 @@ func (c *Config) ToFlags() []string {
|
||||||
"--debug-log-dir=" + c.DebugLogDir,
|
"--debug-log-dir=" + c.DebugLogDir,
|
||||||
"--file-access=" + c.FileAccess.String(),
|
"--file-access=" + c.FileAccess.String(),
|
||||||
"--overlay=" + strconv.FormatBool(c.Overlay),
|
"--overlay=" + strconv.FormatBool(c.Overlay),
|
||||||
"--multi-container=" + strconv.FormatBool(c.MultiContainer),
|
|
||||||
"--network=" + c.Network.String(),
|
"--network=" + c.Network.String(),
|
||||||
"--log-packets=" + strconv.FormatBool(c.LogPackets),
|
"--log-packets=" + strconv.FormatBool(c.LogPackets),
|
||||||
"--platform=" + c.Platform.String(),
|
"--platform=" + c.Platform.String(),
|
||||||
|
|
|
@ -85,14 +85,14 @@ func (f *fdDispenser) empty() bool {
|
||||||
// and all mounts. 'rootCtx' is used to walk directories to find mount points.
|
// and all mounts. 'rootCtx' is used to walk directories to find mount points.
|
||||||
func createMountNamespace(userCtx context.Context, rootCtx context.Context, spec *specs.Spec, conf *Config, goferFDs []int) (*fs.MountNamespace, error) {
|
func createMountNamespace(userCtx context.Context, rootCtx context.Context, spec *specs.Spec, conf *Config, goferFDs []int) (*fs.MountNamespace, error) {
|
||||||
mounts := compileMounts(spec)
|
mounts := compileMounts(spec)
|
||||||
if conf.MultiContainer {
|
|
||||||
// Create a tmpfs mount where we create and mount a root filesystem for
|
// Create a tmpfs mount where we create and mount a root filesystem for
|
||||||
// each child container.
|
// each child container.
|
||||||
mounts = append(mounts, specs.Mount{
|
mounts = append(mounts, specs.Mount{
|
||||||
Type: tmpfs,
|
Type: tmpfs,
|
||||||
Destination: ChildContainersDir,
|
Destination: ChildContainersDir,
|
||||||
})
|
})
|
||||||
}
|
|
||||||
fds := &fdDispenser{fds: goferFDs}
|
fds := &fdDispenser{fds: goferFDs}
|
||||||
rootInode, err := createRootMount(rootCtx, spec, conf, fds, mounts)
|
rootInode, err := createRootMount(rootCtx, spec, conf, fds, mounts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
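Review bot: The tmpfs for child-container roots is now appended at ChildContainersDir for every sandbox, not just in the former opt-in mode, and it is added after the spec's own mounts with no check that the spec does not already mount something at that destination (or a parent of it); a colliding spec mount would now interact with this sandbox-internal directory on every run. Whether compileMounts already filters reserved destinations is not visible here, so at minimum a comment on the append is warranted, e.g. `// ChildContainersDir is sandbox-internal; a spec mount at the same destination would shadow it — TODO reject or log such specs.`, and a loop over `mounts` rejecting `m.Destination == ChildContainersDir` would make it explicit. createMountNamespace continues past the end of this hunk.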
@ -579,8 +579,6 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
|
||||||
return tgid, nil
|
return tgid, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Per-container namespaces must be supported for -pid.
|
|
||||||
|
|
||||||
// waitContainer waits for the root process of a container to exit.
|
// waitContainer waits for the root process of a container to exit.
|
||||||
func (l *Loader) waitContainer(cid string, waitStatus *uint32) error {
|
func (l *Loader) waitContainer(cid string, waitStatus *uint32) error {
|
||||||
// Don't defer unlock, as doing so would make it impossible for
|
// Don't defer unlock, as doing so would make it impossible for
|
||||||
|
|
|
@ -267,7 +267,7 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
|
||||||
// started in an existing sandbox, we must do so. The metadata will
|
// started in an existing sandbox, we must do so. The metadata will
|
||||||
// indicate the ID of the sandbox, which is the same as the ID of the
|
// indicate the ID of the sandbox, which is the same as the ID of the
|
||||||
// init container in the sandbox.
|
// init container in the sandbox.
|
||||||
if specutils.ShouldCreateSandbox(spec) || !conf.MultiContainer {
|
if specutils.ShouldCreateSandbox(spec) {
|
||||||
log.Debugf("Creating new sandbox for container %q", id)
|
log.Debugf("Creating new sandbox for container %q", id)
|
||||||
ioFiles, err := c.createGoferProcess(spec, conf, bundleDir)
|
ioFiles, err := c.createGoferProcess(spec, conf, bundleDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
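Review bot: With the `!conf.MultiContainer` fallback gone, the choice between creating a sandbox and joining an existing one now rests entirely on what ShouldCreateSandbox reads from the spec, so per the comment above the hunk a container's annotations alone route it into another sandbox's namespaces — something the operator previously had to opt into with the flag. It is worth confirming that ShouldCreateSandbox returns true when no container-type annotation is present at all (a hand-written spec with plain `runsc run`), and that the join branch fails closed when the sandbox ID taken from the metadata does not resolve to a sandbox created by this runsc rather than falling through. The join branch and the remainder of Create are outside this hunk.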
@ -345,7 +345,7 @@ func (c *Container) Start(conf *boot.Config) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if specutils.ShouldCreateSandbox(c.Spec) || !conf.MultiContainer {
|
if specutils.ShouldCreateSandbox(c.Spec) {
|
||||||
if err := c.Sandbox.StartRoot(c.Spec, conf); err != nil {
|
if err := c.Sandbox.StartRoot(c.Spec, conf); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
@ -60,7 +60,6 @@ var (
|
||||||
network = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
|
network = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
|
||||||
fileAccess = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
|
fileAccess = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
|
||||||
overlay = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
|
overlay = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
|
||||||
multiContainer = flag.Bool("multi-container", false, "enable *experimental* multi-container support.")
|
|
||||||
watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
|
watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
|
||||||
panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
|
panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
|
||||||
)
|
)
|
||||||
|
@ -140,7 +139,6 @@ func main() {
|
||||||
Platform: platformType,
|
Platform: platformType,
|
||||||
Strace: *strace,
|
Strace: *strace,
|
||||||
StraceLogSize: *straceLogSize,
|
StraceLogSize: *straceLogSize,
|
||||||
MultiContainer: *multiContainer,
|
|
||||||
WatchdogAction: wa,
|
WatchdogAction: wa,
|
||||||
PanicSignal: *panicSignal,
|
PanicSignal: *panicSignal,
|
||||||
}
|
}
|
||||||
|
|
|
@ -57,35 +57,6 @@ const (
|
||||||
func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Config) error {
|
func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Config) error {
|
||||||
log.Infof("Setting up network")
|
log.Infof("Setting up network")
|
||||||
|
|
||||||
if !conf.MultiContainer {
|
|
||||||
// HACK!
|
|
||||||
//
|
|
||||||
// When kubernetes starts a pod, it first creates a sandbox with an
|
|
||||||
// application that just pauses forever. Later, when a container is
|
|
||||||
// added to the pod, kubernetes will create another sandbox with a
|
|
||||||
// config that corresponds to the containerized application, and add it
|
|
||||||
// to the same namespaces as the pause sandbox.
|
|
||||||
//
|
|
||||||
// Running a second sandbox currently breaks because the two sandboxes
|
|
||||||
// have the same network namespace and configuration, and try to create
|
|
||||||
// a tap device on the same host device which fails.
|
|
||||||
//
|
|
||||||
// Runsc will eventually need to detect that this container is meant to
|
|
||||||
// be run in the same sandbox as the pausing application, and somehow
|
|
||||||
// make that happen.
|
|
||||||
//
|
|
||||||
// For now the following HACK disables networking for the "pause"
|
|
||||||
// sandbox, allowing the second sandbox to start up successfully.
|
|
||||||
//
|
|
||||||
// TODO: Remove this once multiple containers per sandbox
|
|
||||||
// is properly supported.
|
|
||||||
if spec.Annotations[crioContainerTypeAnnotation] == "sandbox" ||
|
|
||||||
spec.Annotations[containerdContainerTypeAnnotation] == "sandbox" {
|
|
||||||
log.Warningf("HACK: Disabling network")
|
|
||||||
conf.Network = boot.NetworkNone
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
switch conf.Network {
|
switch conf.Network {
|
||||||
case boot.NetworkNone:
|
case boot.NetworkNone:
|
||||||
log.Infof("Network is disabled, create loopback interface only")
|
log.Infof("Network is disabled, create loopback interface only")
|
||||||
|
|
|
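Review bot: Removing the pause-sandbox workaround means setupNetwork now builds the full network configuration for every sandbox, including a CRI "sandbox" (pause) container, and nothing left in the function guards against the failure the deleted comment described — two sandboxes sharing a network namespace and both trying to create a tap on the same host device. That holds only if the sandbox-join logic recognizes every container-type annotation a runtime can emit; a runtime that sets neither crioContainerTypeAnnotation nor containerdContainerTypeAnnotation would presumably still get a second sandbox and hit the collision, now without the hack to paper over it. Suggest a short comment where the block was, e.g. `// Multi-container is the default: a CRI pause sandbox gets real networking and later containers join it, so no special-casing is needed here.`, and making the tap-creation error name the host device so a collision is diagnosable. setupNetwork continues past the end of this hunk.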
@ -104,13 +104,12 @@ func FindFile(path string) (string, error) {
|
||||||
// TestConfig return the default configuration to use in tests.
|
// TestConfig return the default configuration to use in tests.
|
||||||
func TestConfig() *boot.Config {
|
func TestConfig() *boot.Config {
|
||||||
return &boot.Config{
|
return &boot.Config{
|
||||||
Debug: true,
|
Debug: true,
|
||||||
LogFormat: "text",
|
LogFormat: "text",
|
||||||
LogPackets: true,
|
LogPackets: true,
|
||||||
Network: boot.NetworkNone,
|
Network: boot.NetworkNone,
|
||||||
Strace: true,
|
Strace: true,
|
||||||
MultiContainer: true,
|
FileAccess: boot.FileAccessExclusive,
|
||||||
FileAccess: boot.FileAccessExclusive,
|
|
||||||
TestOnlyAllowRunAsCurrentUserWithoutChroot: true,
|
TestOnlyAllowRunAsCurrentUserWithoutChroot: true,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|