Michael Crosby (crosbymichael), Indiana, http://crosbymichael.com: Building things for others who build things

containerd/cgroups 495

cgroups package for Go

ClusterHQ/powerstrip 306

Powerstrip: A tool for prototyping Docker extensions

crosbymichael/boss 261

Run containers like a ross

containerd/ttrpc 207

GRPC for low-memory environments

christopherhesse/rethinkgo 139

OBSOLETE Go language driver for RethinkDB

containerd/continuity 81

A transport-agnostic, filesystem metadata manifest system

containerd/go-cni 77

A generic CNI library to provide APIs for CNI plugin interactions

containerd/go-runc 72

runc bindings for Go

containerd/fifo 60

fifo pkg for Go

crosbymichael/.dotfiles 55

bootstrap for my dev setup

push event containerd/project

Akihiro Suda

commit sha cb9228bf7e1e69485610e47b30c6bae15fb3eaec

Add Tõnis Tiigi as a security advisor

Tõnis is the leading maintainer of BuildKit and its relevant projects.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Michael Crosby

commit sha a8305cd536eb5c7f629f760298012e0fe4a5be88

Merge pull request #61 from AkihiroSuda/add-tonis-to-security-advisors

Add Tõnis Tiigi as a security advisor

push time in 2 days

PR merged containerd/project

Add Tõnis Tiigi as a security advisor

Tõnis (@tonistiigi) is the leading maintainer of BuildKit and its relevant projects.

We should collaborate with him for handling vulnerabilities.

+1 -0

1 comment

1 changed file

AkihiroSuda

pr closed time in 2 days

started ish-app/ish

started time in 2 days

issue comment containerd/containerd

containerd 1.4.0 opened thousands of pipes

I just tested 1.3.7 vs 1.4.0 and I don't see any difference in the number of pipes that are open; it's actually less in 1.4.0. I still want to look into this more to see if there are some duplicates that are not handled correctly, but I'm not sure this is a functionality change in 1.4.0. Maybe your machines had a bad max-file configuration and that is why you see it on this server.

nerzhul

comment created time in 7 days

issue comment containerd/containerd

containerd 1.4.0 opened thousands of pipes

Thanks, yes I agree. We need to see if we are leaking somewhere or what is going on, even if you have a really low max-file :)

Do you have health-checks enabled for these containers? Just trying to drill down and see what area to look at first. Most of the pipes should show up like:

container 900 924 container    root    8u     FIFO               0,25       0t0      33801 /run/containerd/io.containerd.runtime.v2.task/default/test/log
container 900 924 container    root    9w     FIFO               0,25       0t0      33801 /run/containerd/io.containerd.runtime.v2.task/default/test/log
container 900 924 container    root   13u     FIFO               0,25       0t0      28963 /run/containerd/fifo/857536107/test-stdin
container 900 924 container    root   14u     FIFO               0,25       0t0      28963 /run/containerd/fifo/857536107/test-stdin
container 900 924 container    root   15w     FIFO               0,25       0t0      28963 /run/containerd/fifo/857536107/test-stdin
container 900 924 container    root   17u     FIFO               0,25       0t0      28965 /run/containerd/fifo/857536107/test-stdout
container 900 924 container    root   18w     FIFO               0,25       0t0      28965 /run/containerd/fifo/857536107/test-stdout
container 900 924 container    root   19u     FIFO               0,25       0t0      28965 /run/containerd/fifo/857536107/test-stdout
container 900 924 container    root   20r     FIFO               0,25       0t0      28965 /run/containerd/fifo/857536107/test-stdout
container 900 924 container    root   21r     FIFO               0,25       0t0      28963 /run/containerd/fifo/857536107/test-stdin

nerzhul

comment created time in 7 days

pull request comment containerd/project

Add Tõnis Tiigi as a security advisor

LGTM

AkihiroSuda

comment created time in 7 days

issue comment containerd/containerd

containerd 1.4.0 opened thousands of pipes

Also one point, why does your system have such a low limit?

my fedora box has:

cat /proc/sys/fs/file-nr 
1472    0       9223372036854775807

nerzhul

comment created time in 8 days

issue comment containerd/containerd

containerd 1.4.0 opened thousands of pipes

@nerzhul also, is your FD list at runtime or after these pods/containers have been drained? Is this an issue of a leak after the container has exited, or a runtime issue with too many open fds?

nerzhul

comment created time in 8 days

issue comment containerd/containerd

LoadProcess does not error when the process does not exist in V2 runtime

Are you all looking to create a fix for this issue?

gcapizzi

comment created time in 8 days

issue comment containerd/containerd

containerd 1.4.0 opened thousands of pipes

Is there a way for you to get the paths of these fifos so we can see what the source is?

nerzhul

comment created time in 8 days

started nestybox/sysbox

started time in 12 days

delete branch crosbymichael/containerd

delete branch : ctr-cni

delete time in 12 days

create branch crosbymichael/containerd

branch : ctr-cni

created branch time in 13 days

PR opened containerd/containerd

Add CNI support to ctr run

This adds linux cni support to ctr run via a --cni flag. This uses the default configuration for CNI on ctr to configure the network namespace for a container.

Signed-off-by: Michael Crosby michael@thepasture.io

+42 -4

0 comment

2 changed files

pr created time in 13 days

Pull request review comment kata-containers/runtime

shimv2: handle ctx passed by containerd

 func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * 	s.mu.Lock() 	defer s.mu.Unlock() -	var c *container--	c, err = create(ctx, s, r)-	if err != nil {-		return nil, err-	}--	c.status = task.StatusCreated--	s.containers[r.ID] = c+	type Result struct {+		container *container+		err       error+	}+	ch := make(chan Result, 1)+	go func() {+		container, err := create(ctx, s, r)
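Review bot: the lines this hunk removes, `c.status = task.StatusCreated` and `s.containers[r.ID] = c`, have no visible replacement among the added lines, so whatever receives from `ch` must re-apply them; please confirm that in the rest of the diff. On the visible lines themselves: `make(chan Result, 1)` is the right buffer size, because it lets the goroutine finish its send and exit even if `Create` has already returned on a cancelled `ctx`; but `s.mu` stays locked via `defer s.mu.Unlock()` for as long as `Create` waits, so a `create` that ignores cancellation blocks every other `service` method that takes `s.mu`, not just this call.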

nope, all good

YvesChan

comment created time in 16 days

push event containerd/containerd

Maksym Pavlenko

commit sha d0f6895d8dd6832aa4ce3657317ca4bc9d9aad04

Revendor NRI

Signed-off-by: Maksym Pavlenko <mxpv@apple.com>

Michael Crosby

commit sha de546a154f84c3efbb1ad11c74dd53e14184719c

Merge pull request #4605 from mxpv/nri-fix

Revendor NRI

push time in 21 days

PR merged containerd/containerd

Revendor NRI

Signed-off-by: Maksym Pavlenko mxpv@apple.com

+18 -2

1 comment

3 changed files

mxpv

pr closed time in 21 days

push event containerd/cri

Moritz Johner

commit sha f87302ab209aa45d87333a2eac4e0f7a1ea61b34

Add missing sandbox labels when invoking nri plugins

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Michael Crosby

commit sha a0b3b4e4da2e7802927f67efc77feb5433882b0e

Merge pull request #1593 from moolen/fix/add-nri-labels

Add missing sandbox labels when invoking nri

push time in 21 days

PR merged containerd/cri

Add missing sandbox labels when invoking nri needs-ok-to-test size/XS

The sandbox labels are missing when the create event is invoked; as far as I can tell this is a bug. This is an important thing to have in order to be able to differentiate the containers using their pod name, namespace or uid.

When creating the pod sandbox the labels are passed correctly: https://github.com/containerd/cri/blob/d620c30d7ecbc756f8d818237f9bccbbb7353e9e/pkg/server/sandbox_run.go#L291-L300

+2 -1

2 comments

1 changed file

moolen

pr closed time in 21 days

pull request comment containerd/cri

Add missing sandbox labels when invoking nri

LGTM

moolen

comment created time in 21 days

push event containerd/nri

Maksym Pavlenko

commit sha fd7a26c798d396d11f29238451f33b7f244e4cce

Fix "argument list too long" error.

When running from a service, each `client.New` call will append one more entry to PATH. Indirectly this affects fork/exec calls (the error message is a bit misleading, ideally it should be something like "argument list and environment are too long").

The problem can be reproduced with the following test:

```
func TestNewClient(t *testing.T) {
	for i := 0; i < 11000; i++ {
		_, err := New();
		if err != nil {
			t.Fatal(err)
		}
		_, err = exec.Command("true").CombinedOutput()
		if err != nil {
			t.Fatal(err)
		}
	}
}

--- FAIL: TestNewClient (7.84s)
    client_test.go:17: fork/exec /usr/bin/true: argument list too long
FAIL
exit status 1
```

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>

Michael Crosby

commit sha eb1350a75164f76de48e3605389e7a3fbc85d06e

Merge pull request #1 from mxpv/master

Fix "argument list too long" error.

push time in 21 days

PR merged containerd/nri

Fix "argument list too long" error.

When running from a service, each client.New call will append one more entry to PATH. Indirectly this affects fork/exec calls (the error message is a bit misleading, ideally it should be something like "argument list and environment are too long").

The problem can be reproduced with the following test:

package nri // assumption: the test sits in the same package as New(), as client_test.go does

import (
	"os/exec"
	"testing"
)

func TestNewClient(t *testing.T) {
	// Every New() call appends one more entry to PATH; after enough
	// iterations the process environment exceeds what execve accepts and
	// the fork/exec of an unrelated command fails with E2BIG.
	for i := 0; i < 11000; i++ {
		_, err := New()
		if err != nil {
			t.Fatal(err)
		}

		_, err = exec.Command("true").CombinedOutput()
		if err != nil {
			t.Fatal(err)
		}
	}
}

--- FAIL: TestNewClient (7.84s)
    client_test.go:17: fork/exec /usr/bin/true: argument list too long
FAIL
exit status 1

In cri-containerd I observed this error after launching ~50 pods

Signed-off-by: Maksym Pavlenko pavlenko.maksym@gmail.com

+9 -1

1 comment

1 changed file

mxpv

pr closed time in 21 days

pull request comment containerd/nri

Fix "argument list too long" error.

LGTM

mxpv

comment created time in 21 days

PR closed containerd/containerd

Use path based unix socket for shims

This allows filesystem based ACLs for configuring access to the socket of a shim.

Signed-off-by: Michael Crosby michael@thepasture.io

+103 -25

1 comment

8 changed files

crosbymichael

pr closed time in 22 days

PR opened containerd/containerd

Use path based unix socket for shims

This allows filesystem based ACLs for configuring access to the socket of a shim.

Signed-off-by: Michael Crosby michael@thepasture.io

+103 -25

0 comment

8 changed files

pr created time in 22 days

push event crosbymichael/containerd

ktock

commit sha 03ab1b2cacdca0575cd432862eb36765707e7ffe

Add config for allowing GC to clean unpacked layers up

This commit adds a flag through Pull API for allowing GC to clean layer contents up after unpacking these contents completed. This patch takes an approach to directly delete GC labels pointing to layers from the manifest blob. This will result in other snapshotters being unable to reuse these contents on the next pull. But this patch mainly focuses on CRI use-cases where a single snapshotter is usually used throughout the node lifecycle, so this shouldn't matter.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>

Derek McGowan

commit sha c8b14ae4c01e620dc84704dd4b6a080eed0dc62e

Set content labels based on content type

Give control of the content labeling process for children to the client. This allows the client to control the names associated with the labels and filter out labels.

Signed-off-by: Derek McGowan <derek@mcg.dev>

Akihiro Suda

commit sha 403dc83a291684a7d5b7b0e4dfcd60b82a7518ae

mount: retry executing the helper binary on ECHILD

`exec.CombinedOutput()` intermittently returns `ECHILD` due to our signal handling.

`wait(2)`: https://man7.org/linux/man-pages/man2/wait.2.html

> ECHILD (for waitpid() or waitid()) The process specified by pid
> (waitpid()) or idtype and id (waitid()) does not exist or is
> not a child of the calling process. (This can happen for
> one's own child if the action for SIGCHLD is set to SIG_IGN.
> See also the Linux Notes section about threads.)

Fix #4387

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

ktock

commit sha c2081369c504e799e355e3e107519994894f9915

Add doc about remote snapshotter

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>

Mike Brown

commit sha 1b320bcc269c49f844cbe75b641090c894bdc9a6

update for cni config

Signed-off-by: Mike Brown <brownwm@us.ibm.com>

Michael Crosby

commit sha 3611efdcefe5237f49cd454fa2e3a7bc7b52ef5a

update cri to 8448b92d237e877bed1e4aa7a0baf0dee234

This includes an update of the selinux package and the ability in the CRI configuration to set the upper bounds for the selinux category labels that are generated.

Signed-off-by: Michael Crosby <michael@thepasture.io>

Derek McGowan

commit sha cf99e16cd0fcc86213e2528d1c724ccf9d99fe5d

Merge pull request #4420 from mikebrow/cni-config-update

update for CI warning

Mike Brown

commit sha 3c2a77bd7956efa1dc6681ca7c9b6869ddc4ee38

Merge pull request #4421 from crosbymichael/selinux-range

update cri to 8448b92d237e877bed1e4aa7a0baf0dee234

Derek McGowan

commit sha 67f19bfdd8b878d42e5e9ad39cc9816aaec50728

Merge pull request #4388 from AkihiroSuda/fix-mount-wait-no-child-processes

mount: retry executing the helper binary on ECHILD

Akihiro Suda

commit sha d184a0a3430dc4a17a47cce37fb36126ac0c699a

Merge pull request #4414 from dmcgowan/discard-content

Set content labels based on content type

Michael Crosby

commit sha 4318f93f9cbe6a943b1155a3d458c49ff1da1578

Add Spec() method to task

Signed-off-by: Michael Crosby <michael@thepasture.io>

Paul "TBBle" Hampson

commit sha 3795dd41aefc833e5647d397baf8712af89278b5

Always report server log from verbose integration test runs

If you're adding `-v` to TESTFLAGS, you probably want to see the server logs, as well as the extra output from the testing framework.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>

Paul "TBBle" Hampson

commit sha faa4ff56e41793dfa22041b89ba2c838bacd5714

Usefully fail tests with unknown or bad Windows Build version

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>

Paul "TBBle" Hampson

commit sha 1ec1e9eabfbf3290e2a69b9a787a24c318535c14

Add Windows 10/Windows Server 2004 for integration tests

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>

Sebastiaan van Stijn

commit sha 5b1627410df39295b69c4a0b47239591d09050b2

vendor: update containerd/continuity efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

full diff: https://github.com/containerd/continuity/compare/d3ef23f19fbb106bb73ffde425d07a9187e30745...efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

Fix sameFile() to recognize empty files as the same
- fixes "Empty files can diff as "modified" even when they're not"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha eb6354a1186044e9cbcf2c7086b2647be679ebbe

Merge pull request #4427 from TBBle/test_improvements

Some small test improvements

Paul "TBBle" Hampson

commit sha aa56cfc0a8a1b79e6e2322a0327db1f536a89419

Import Windows manifest into test build, rather than copying by script

This will ensure that we can always get the current Windows OS build version, without being put into Windows 8 compatibility mode.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>

Michael Crosby

commit sha 02afa94256dc3585634fd4c522d8616328305f12

Add --cpus flag to ctr

Signed-off-by: Michael Crosby <michael@thepasture.io>

Jintao Zhang

commit sha b87023185403dd4806cfe1496f7bcbd57a5db832

vendor runc library to v1.0.0-rc91-48-g67169a9d

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

Akihiro Suda

commit sha 9a3e95d351a382685d701af6209730c85172c766

Merge pull request #4430 from crosbymichael/ctr-cpus

Add --cpus flag to ctr

push time in 22 days

pull request comment kata-containers/runtime

hypervisor: set minimum memory for default memory much lower

@c3d ya, I agree, last I checked it's around 15mb. 256mb is way large if we are considering this as the reasoning for the minimum value.

Overall, I think the real question is: should there be a hardcoded check, or should you just rely on the underlying system to fail and propagate the error to the user?

egernst

comment created time in 22 days

Pull request review comment kata-containers/runtime

shimv2: handle ctx passed by containerd

 func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * 	s.mu.Lock() 	defer s.mu.Unlock() -	var c *container--	c, err = create(ctx, s, r)-	if err != nil {-		return nil, err-	}--	c.status = task.StatusCreated--	s.containers[r.ID] = c+	type Result struct {+		container *container+		err       error+	}+	ch := make(chan Result, 1)+	go func() {+		container, err := create(ctx, s, r)

I guess since this is a create, a hanging go routine is fine as the shim will be shutdown following the error.

I think working on the create to fully handle the context can come in a separate PR to make this even more robust :)

YvesChan

comment created time in 22 days

PR closed containerd/containerd

Use path based unix socket for shims

This allows filesystem based ACLs for configuring access to the socket of a shim.

Signed-off-by: Michael Crosby michael@thepasture.io

+103 -25

17 comments

8 changed files

crosbymichael

pr closed time in a month

create branch crosbymichael/ttrpc

branch : pid-match

created branch time in a month

issue closed containerd/containerd

selinux not working under containerd with selinux-enable=true

Description

I have two k8s clusters, one using docker and another using containerd directly, both with selinux enabled. But I found selinux is not actually working on the containerd one, although these two clusters have the same version of containerd and runc.

Did I miss some setting with containerd?

Steps to reproduce the issue:

  1. enable selinux by setting [enable_selinux = true] in /etc/containerd/config.toml
  2. create pod using tomcat official image
  3. check the process and file label

Describe the results you received:

# kubectl exec tomcat -it -- ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:spc_t:s0          1 ?        00:00:00 java

# ls -Z /usr/local/openjdk-8/bin/java
system_u:object_r:container_var_lib_t:s0 /usr/local/openjdk-8/bin/java

Describe the results you expected:

# kubectl exec tomcat -it -- ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:container_t:s0:c655,c743          1 ?        00:00:00 java

# ls -Z /usr/local/openjdk-8/bin/java
system_u:object_r:container_file_t:s0:c655,c743 /usr/local/openjdk-8/bin/java

Output of containerd --version:

# containerd -v
containerd  1.2.10 b34a5c8af56e510852c35414db4c1f4fa6172339

Any other relevant information:

OS: Centos7, rpm repo https://download.docker.com/linux/centos/7/
K8s version: 1.15
Containerd version: 1.2.10

closed time in a month

cyron

issue comment containerd/containerd

selinux not working under containerd with selinux-enable=true

This has been updated for 1.4 on CRI and we have validated this.

Please update and you should be good to go with selinux support.

cyron

comment created time in a month

Pull request review comment kata-containers/runtime

shimv2: handle ctx passed by containerd

 func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * 	s.mu.Lock() 	defer s.mu.Unlock() -	var c *container--	c, err = create(ctx, s, r)-	if err != nil {-		return nil, err-	}--	c.status = task.StatusCreated--	s.containers[r.ID] = c+	type Result struct {+		container *container+		err       error+	}+	ch := make(chan Result, 1)+	go func() {+		container, err := create(ctx, s, r)

I think one thing that you need to be careful of is to make sure that calls within this create func handle context.Cancel() correctly. Running this in a goroutine is fine, but you run the risk of this hanging forever on a cancel if the calls within this func do not also handle a canceled context.

YvesChan

comment created time in a month

started kata-containers/runtime

started time in a month

Pull request review comment kata-containers/runtime

hypervisor: set minimum memory for default memory much lower

 const ( 	vSockLogsPort = 1025  	// MinHypervisorMemory is the minimum memory required for a VM.-	MinHypervisorMemory = 256+	MinHypervisorMemory = 8
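Review bot: the comment on `MinHypervisorMemory` states neither the unit nor why 8 was chosen, so a reader cannot tell whether the new value is a measured floor or effectively "no minimum"; either document the unit and the source of the number next to the constant, or drop the check altogether and let the hypervisor's own failure propagate, since a floor this low no longer guards against anything.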

I think you could remove the min. Finding min values is hard and can always be tricky. You can just let the underlying system fail and propagate the error up to the user, and not be in the game of trying to find a min value that works for everyone.

egernst

comment created time in a month

started vim-scripts/DrawIt

started time in a month

Pull request review comment kata-containers/runtime

cpuset: fixes to address VM sizing and constraining based on cpuset.mems

 func (s *Sandbox) calculateSandboxCPUs() uint32 { 				mCPU += utils.CalculateMilliCPUs(*cpu.Quota, *cpu.Period) 			} +			//todo we should handle error+			set, err := cpuset.Parse(cpu.Cpus)
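Review bot: `err` from `cpuset.Parse(cpu.Cpus)` is assigned but not checked in the visible lines, and the `//todo we should handle error` comment should not be merged as-is: a malformed cpuset string would yield a partial or empty `set` that then silently feeds VM sizing. `calculateSandboxCPUs()` currently returns only `uint32`, so either give it an `error` return and propagate the parse failure, or skip the entry with a logged warning; also guard `cpu.Cpus == ""` before parsing so an unset field is treated as "no constraint" rather than as a parse error.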

ok, sounds good

egernst

comment created time in a month

Pull request review comment kata-containers/runtime

cpuset: fixes to address VM sizing and constraining based on cpuset.mems

 func (s *Sandbox) calculateSandboxCPUs() uint32 { 				mCPU += utils.CalculateMilliCPUs(*cpu.Quota, *cpu.Period) 			} +			//todo we should handle error+			set, err := cpuset.Parse(cpu.Cpus)

should you just have some simple sanity checks such as cpu.Cpus != "" then handle the error as you know it's invalid configuration?

egernst

comment created time in a month

started aquasecurity/trivy

started time in a month

pull request comment containerd/containerd

cr: fix checkpoint from image getting skipped

LGTM

schrej

comment created time in a month

push event containerd/containerd

Sebastiaan van Stijn

commit sha a6fc9ca490044ed5c6f10b954e929633a151067c

vendor: github.com/willf/bitset v1.1.11

The changes needed by opencontainers/selinux are now in a tagged release. This will make our dependency slightly ahead of what's used by opencontainers/selinux until a v1.6.1 is tagged.

full diff: https://github.com/willf/bitset/compare/d5bec3311243...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Michael Crosby

commit sha 585a19a76907620a20b16dca120fa63583e36232

Merge pull request #4566 from thaJeztah/bitset_1.1.11

vendor: github.com/willf/bitset v1.1.11

push time in a month

PR merged containerd/containerd

vendor: github.com/willf/bitset v1.1.11 cherry-pick/1.4.x

relates to https://github.com/opencontainers/selinux/pull/114, https://github.com/opencontainers/selinux/issues/116

The changes needed by opencontainers/selinux are now in a tagged release. This will make our dependency slightly ahead of what's used by opencontainers/selinux until a v1.6.1 is tagged.

full diff: https://github.com/willf/bitset/compare/d5bec3311243...v1.1.11

+75 -22

3 comments

4 changed files

thaJeztah

pr closed time in a month

pull request comment containerd/containerd

vendor: github.com/willf/bitset v1.1.11

LGTM

thaJeztah

comment created time in a month

push event containerd/cri

Sebastiaan van Stijn

commit sha 407c3eba2e144bb8c7dd2a2a6a912d023182443c

vendor: github.com/willf/bitset v1.1.11

The changes needed by opencontainers/selinux are now in a tagged release. This will make our dependency slightly ahead of what's used by opencontainers/selinux until a v1.6.1 is tagged.

full diff: https://github.com/willf/bitset/compare/d5bec3311243...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Michael Crosby

commit sha 210a86ca5bf6c8ca5f2553272d72c774b21fdec2

Merge pull request #1578 from thaJeztah/bitset_1.1.11

vendor: github.com/willf/bitset v1.1.11

push time in a month

PR merged containerd/cri

vendor: github.com/willf/bitset v1.1.11 size/M

The changes needed by opencontainers/selinux are now in a tagged release. This will make our dependency slightly ahead of what's used by opencontainers/selinux until a v1.6.1 is tagged.

full diff: https://github.com/willf/bitset/compare/d5bec3311243...v1.1.11

+75 -22

4 comments

4 changed files

thaJeztah

pr closed time in a month

pull request comment containerd/cri

vendor: github.com/willf/bitset v1.1.11

LGTM

thaJeztah

comment created time in a month

pull request comment opencontainers/runtime-spec

MAINTAINERS: update vbatts email

ya, mine needs to be updated as well

vbatts

comment created time in a month

pull request comment containerd/ttrpc

Drop dependencies not compatible with gogo/protobuf

Building is one thing to resolve the issue, but do we know if v2 protobuf is backwards compatible (wire format) with what we have today? I wouldn't want to make any changes that break existing shims or force external users to have to recompile the world.

fgiudici

comment created time in 2 months

pull request comment containerd/ttrpc

Drop dependencies not compatible with gogo/protobuf

Thanks for the change. I'm refreshing my knowledge on the problem and what needs to be done. Looking at it today.

fgiudici

comment created time in 2 months

push event opencontainers/runc

Akihiro Suda

commit sha 1d85333ad8393dade0c0caea3edfcd96a13b0c11

add runtime.Version() to `runc --version`

Printing Go version would be helpful to debug runtime-related errors.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha 6249136a290a769263fd88d1795fbc0ae92ca342

add libseccomp version to `runc --version`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Michael Crosby

commit sha ab740e9f7696a51c4923f27ea8ac57133e88ad72

Merge pull request #2541 from AkihiroSuda/go-version

add Go version and libseccomp version to `runc --version`

push time in 2 months

PR merged opencontainers/runc

add Go version and libseccomp version to `runc --version` easy-to-review enhancement

Printing this information would be helpful to debug runtime-related errors.

$ runc --version
runc version 1.0.0-rc91+dev
commit: bdbc3b06b4690dbb29838cb8358969451f21e62e
spec: 1.0.2-dev
go: go1.14.6
libseccomp: 2.4.3

+17 -1

9 comments

3 changed files

AkihiroSuda

pr closed time in 2 months

push event containerd/nri

Michael Crosby

commit sha 5e52908d1c3c2b4c67e92a8781010257695c065e

skel return plugin error

Signed-off-by: Michael Crosby <michael@thepasture.io>

push time in 2 months

created tag crosbymichael/slex

tag 20.9.0

SSH multiplex

created time in 2 months

release crosbymichael/slex

20.9.0

released time in 2 months

push event opencontainers/runc

Shukui Yang

commit sha cbb0a79322346aa6033b6bbf8985f8e4a5e27d1b

Make sure signalAllProcesses is invoked in the function of destroy

It's expected that signalAllProcesses is invoked when the container shares a pid namespace. Sharing a pid ns covers the following conditions:

{
    // no specify pid ns
}
{
    "type": "pid",
    "path": "/proc/${num}/ns/pid"
}

Signed-off-by: Shukui Yang <jryangshukui@jd.com>
Signed-off-by: Shukui Yang <keloyangsk@gmail.com>

push time in 2 months

PR merged opencontainers/runc

Make sure signalAllProcesses is invoked in the function of destroy when container shares pid namespace

issue description

./runc spec add pid ns config to config.json

{
    "type": "pid",
    "path": "/proc/1/ns/pid"
}

"./runc run hello" in a console and "./runc exec -t hello ash" in another console, and then exit the container. We will see the following errors:

/ # exit
ERRO[0036] Failed to remove paths: map[memory:/sys/fs/cgroup/memory/user.slice/hello blkio:/sys/fs/cgroup/blkio/user.slice/hello hugetlb:/sys/fs/cgroup/hugetlb/hello net_cls:/sys/fs/cgroup/net_cls,net_prio/hello freezer:/sys/fs/cgroup/freezer/hello cpuset:/sys/fs/cgroup/cpuset/hello cpu:/sys/fs/cgroup/cpu,cpuacct/user.slice/hello cpuacct:/sys/fs/cgroup/cpu,cpuacct/user.slice/hello pids:/sys/fs/cgroup/pids/user.slice/hello net_prio:/sys/fs/cgroup/net_cls,net_prio/hello perf_event:/sys/fs/cgroup/perf_event/hello name=systemd:/sys/fs/cgroup/systemd/user.slice/user-0.slice/session-2658.scope/hello devices:/sys/fs/cgroup/devices/user.slice/hello] 

why

It's expected that signalAllProcesses is invoked when the container shares a pid namespace. Sharing a pid ns covers the following conditions:

{
    //no specify pid ns
}
{
    "type": "pid",
    "path": "/proc/${num}/ns/pid"
}

But the code can't handle the second condition. This PR will add the second.

Signed-off-by: Shukui Yang keloyangsk@gmail.com

+2 -1

10 comments

1 changed file

keloyang

pr closed time in 2 months

create branch containerd/nri

branch : prestart

created branch time in 2 months

issue opened containerd/cri

Add better debug logging around CNI plugins

Right now, it is hard to see which plugins, config path, actions, and errors are coming from calling CNI plugins. CRI just doesn't have logging in this area. We should add this behind the debug level to help people troubleshoot network related issues.

These changes may span into our go-cni library so that stderr or typed errors can be sent to the main daemon's log stream.

created time in 2 months

pull request comment containerd/containerd

update cri to 35e623e6bf7512e8c82b8ac6052cb1d7201

cc @egernst

crosbymichael

comment created time in 2 months

PR opened containerd/containerd

update cri to 35e623e6bf7512e8c82b8ac6052cb1d7201

This includes changes for kata or other kvm based runtimes with selinux support.

Signed-off-by: Michael Crosby michael@thepasture.io

+123 -1

0 comment

6 changed files

pr created time in 2 months

create branch crosbymichael/containerd

branch : cri-kata

created branch time in 2 months

Pull request review comment containerd/containerd

Log unexpected responses

 func requestWithMountFrom(req *request, mount, from string) *request {  	return &creq }++func (p dockerPusher) unexpectedResponse(ctx context.Context, resp *http.Response) error {+	msg := "unexpected response"+	err := errors.Errorf("%s: %s", msg, resp.Status)+	log.G(ctx).WithField("resp", resp).Debug(msg)+	body, bodyReadErr := ioutil.ReadAll(resp.Body)
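Review bot: `ioutil.ReadAll(resp.Body)` reads a remote registry's response with no upper bound, so an oversized or never-ending error body can make the daemon allocate until it is OOM-killed; wrap the body as `io.LimitReader(resp.Body, maxErrBody)` with a small cap (a few KiB is enough for a status message) before reading, and since the content only feeds a debug-level log, truncation costs nothing. Also `WithField("resp", resp)` serialises the whole `*http.Response`, headers included; logging `resp.StatusCode` plus the content type is enough and keeps header values out of the daemon log.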

How do we feel about the readall here for an unexpected response? This could be tricky as we could get a large response and OOM the daemon/machine.

I think for this to be secure, we need to have some type of upper bound on this.

errordeveloper

comment created time in 2 months

push event containerd/containerd

Mike Brown

commit sha 6f4fe8245fa298f6949e7801c9eea80913f6c4c9

add help wanted, update slack

Signed-off-by: Mike Brown <brownwm@us.ibm.com>

Michael Crosby

commit sha d2f2733e00e23d3a78ef6acbb23649e39bf878d2

Merge pull request #4508 from mikebrow/readme-update-slack

add help wanted, update slack

push time in 2 months

PR merged containerd/containerd

add help wanted, update slack

Updates slack link to point to CNCF slack.

Adds a help wanted section to let people know help is needed, wanted, and welcome.

Need more documentation / material outlining how said helpers can contribute. But wanted to at least make it known/visible on the repo.

Signed-off-by: Mike Brown brownwm@us.ibm.com

+15 -4

4 comments

1 changed file

mikebrow

pr closed time in 2 months

push event containerd/containerd

Brian Goff

commit sha 5f9d15eaac5d20b252f956bd80da94ec1b8244f5

shimv1: downgrade poroccess missing log to debug

This `Info` log shows up for all exec processes that use the v1 shim with Docker because Docker deletes the process once it receives the exit event from containerd.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Michael Crosby

commit sha dedf423b9cfcdb55ac44cfaae028f84a68e2228b

Merge pull request #4519 from cpuguy83/shim_exec_p_debug shimv1: downgrade process missing log to debug

push time in 2 months

PR merged containerd/containerd

shimv1: downgrade process missing log to debug cherry-pick/1.4.x

This Info log shows up for all exec processes that use the v1 shim with Docker because Docker deletes the process once it receives the exit event from containerd.

+1 -1

1 comment

1 changed file

cpuguy83

pr closed time in 2 months

pull request comment containerd/containerd

shimv1: downgrade process missing log to debug

LGTM

cpuguy83

comment created time in 2 months

delete branch crosbymichael/cri

delete branch : kata-se

delete time in 2 months

pull request comment containerd/cri

Handle KVM based runtimes with selinux

Humm, weird error coming from e2e. I'll look into it; it does not look related, but who knows when you are dealing with selinux.

crosbymichael

comment created time in 2 months

push event crosbymichael/cri

Michael Crosby

commit sha d715d009061edf5ed0da5aa81fe7b6d2a6b3c10c

Handle KVM based runtimes with selinux Signed-off-by: Michael Crosby <michael@thepasture.io>

push time in 2 months

Pull request review comment containerd/cri

Handle KVM based runtimes with selinux

 func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta 	}  	meta.ProcessLabel = spec.Process.SelinuxLabel++	// handle any KVM based runtime+	if err := modifyProcessLabel(ociRuntime.Type, spec); err != nil {+		return nil, err
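Review bot: `meta.ProcessLabel` is assigned from `spec.Process.SelinuxLabel` before `modifyProcessLabel(ociRuntime.Type, spec)` runs, so if that call rewrites the label for a KVM based runtime, the metadata stored for the container keeps the pre-modification label while the runtime is handed the modified one. If the stored label is meant to match what is actually applied, move the assignment below the `modifyProcessLabel` call (or reassign it afterwards); if keeping the original label is intended, a comment saying why would help the next reader.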

I think this would be an error anyway, but I'm updating the code to handle this case.

crosbymichael

comment created time in 2 months

Pull request review comment containerd/cri

Handle KVM based runtimes with selinux

 func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta 	}  	meta.ProcessLabel = spec.Process.SelinuxLabel++	// handle any KVM based runtime+	if err := modifyProcessLabel(ociRuntime.Type, spec); err != nil {+		return nil, err

let me double check

crosbymichael

comment created time in 2 months

pull request comment containerd/cri

Handle KVM based runtimes with selinux

/test pull-cri-containerd-node-e2e

crosbymichael

comment created time in 2 months

Pull request review comment containerd/cri

Handle KVM based runtimes with selinux

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package seutil++import (+	"bufio"+	"os"++	"github.com/opencontainers/selinux/go-selinux"+)++var seTypes map[string]struct{}++const typePath = "/etc/selinux/targeted/contexts/customizable_types"++func init() {+	seTypes = make(map[string]struct{})+	if !selinux.GetEnabled() {+		return+	}+	f, err := os.Open(typePath)+	if err != nil {+		return
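Review bot: the `init` in `seutil` opens a hard-coded `/etc/selinux/targeted/contexts/customizable_types` and discards the `os.Open` error, so on a host running a different policy type (the active one is `SELINUXTYPE` in `/etc/selinux/config`) or with that file unreadable, `seTypes` silently stays empty and a caller cannot distinguish a missing file from a host with no customizable types. Suggest loading lazily behind the lookup function (a `sync.Once`) and returning the error instead of swallowing it, and deriving the contexts directory from the configured policy type rather than assuming `targeted`; `init` work also runs for every importer of the package, including ones that never query the types.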

not in an init func

crosbymichael

comment created time in 2 months

push event crosbymichael/cri

Michael Crosby

commit sha 2f34a8ec6b5d1bc0ac1260c3409fe52fedfa0a94

Handle KVM based runtimes with selinux Signed-off-by: Michael Crosby <michael@thepasture.io>

push time in 2 months

PR opened containerd/cri

Handle KVM based runtimes with selinux

Signed-off-by: Michael Crosby <michael@thepasture.io>

+116 -0

0 comment

4 changed files

pr created time in 2 months

create branch crosbymichael/cri

branch : kata-se

created branch time in 2 months

issue comment kata-containers/packaging

The Makefile is hard to use

@devimc thanks. That gets me much farther.

I was wondering, since this is the packaging repo, why not just automate all those steps in this repo? It would go a long way for people to contribute to kata by having a smooth build pipeline.

crosbymichael

comment created time in 2 months

delete branch crosbymichael/containerd

delete branch : runtimeroot

delete time in 2 months

pull request comment containerd/containerd

Add --runtime-root to ctr

@boddumanohar for v2 runtimes, you provide a directory path for the runtime to use as a state dir. This allows you to change the default path for runc to something else, in case you are running multiple instances or have different dir structures on your servers.

crosbymichael

comment created time in 2 months

push event containerd/project

Derek McGowan

commit sha 77c390adb5e34cdc7733962627690ab37704fbd0

Add SECURITY.md Adds process for reporting security vulnerabilities and joining the security announce mailing list. Signed-off-by: Derek McGowan <derek@mcg.dev>

Michael Crosby

commit sha 883f4b76465edce5cb2f151236d8917e49e61290

Merge pull request #55 from dmcgowan/add-security-md Add SECURITY.md

push time in 2 months