diff --git a/go.mod b/go.mod
index f70f5dc2c1..77008bdcb0 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ replace (
 github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
 github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
 github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
- github.com/containerd/containerd => github.com/rancher/containerd v1.3.0-k3s.1
+ github.com/containerd/containerd => github.com/rancher/containerd v1.3.0-k3s.2
 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
 github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
 github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
@@ -23,7 +23,7 @@ replace (
 github.com/golangci/gosec => github.com/golangci/gosec v0.0.0-20190211064107-66fb7fc33547
 github.com/golangci/ineffassign => github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc
 github.com/golangci/lint-1 => github.com/golangci/lint-1 v0.0.0-20190420132249-ee948d087217
- github.com/kubernetes-sigs/cri-tools => github.com/rancher/cri-tools v1.16.0-k3s.1
+ github.com/kubernetes-sigs/cri-tools => github.com/rancher/cri-tools v1.16.1-k3s.1
 github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
 github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1
 github.com/prometheus/client_golang => github.com/prometheus/client_golang v0.9.2
@@ -67,7 +67,7 @@ require (
 github.com/containerd/cgroups v0.0.0-20190923161937-abd0b19954a6 // indirect
 github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69
 github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect
- github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89
+ github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be
 github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c // indirect
 github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee // indirect
 github.com/containerd/go-runc v0.0.0-20190923131748-a2952bc25f51 // indirect
diff --git a/go.sum b/go.sum
index 3636e46d52..d0ae3c3f97 100644
--- a/go.sum
+++ b/go.sum
@@ -100,8 +100,8 @@ github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 h1:WMpHmC6AxwWb
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 h1:tN9D97v5A5QuKdcKHKt+UMKrkQ5YXUnD8iM7IAAjEfI=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89 h1:RIq5tp1MCjyzXik4Bh8S8nKkhrp/NoFAdND3FEQ+5H0=
-github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89/go.mod h1:DavH5Qa8+6jOmeOMO3dhWoqksucZDe06LfuhBz/xPZs=
+github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be h1:KHWCXlSziZmCfhtrX1YuWzL/EJ7OBViYvUn4wJzHZ0E=
+github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be/go.mod h1:DavH5Qa8+6jOmeOMO3dhWoqksucZDe06LfuhBz/xPZs=
 github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c h1:KFbqHhDeaHM7IfFtXHfUHMDaUStpM2YwBR+iJCIOsKk=
 github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee h1:fV37ZKnYs79fSyI3mu/XZFJVezrVsXBLbfojcTPpdXM=
@@ -559,10 +559,10 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:
 github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI=
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODlZKU0Odq4pQuDcMZEVgAh364+PV3OU=
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
-github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4qJi/jnqqg=
-github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
-github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
-github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
+github.com/rancher/containerd v1.3.0-k3s.2 h1:l3hHJRVNreflDuePWkJiONdSylPqNnNoqBkerqWUcFQ=
+github.com/rancher/containerd v1.3.0-k3s.2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
+github.com/rancher/cri-tools v1.16.1-k3s.1 h1:iporgQ46noE6dtLzq6fWcIO2qjyPZy2m42d2P+UnGJg=
+github.com/rancher/cri-tools v1.16.1-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
 github.com/rancher/dynamiclistener v0.1.1-0.20191010011134-8a2488bc860a h1:1bUYAv5U/Ky4YJ9o8gWxX+vNcjpIL3JWNBao70OlkFE=
 github.com/rancher/dynamiclistener v0.1.1-0.20191010011134-8a2488bc860a/go.mod h1:8hbGf35mB7ormKEFqsAgjgeI5rLbj5N764jG41dNhps=
 github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
diff --git a/vendor/github.com/containerd/containerd/.travis.yml b/vendor/github.com/containerd/containerd/.travis.yml
index 2ed44d3903..d17768b326 100644
--- a/vendor/github.com/containerd/containerd/.travis.yml
+++ b/vendor/github.com/containerd/containerd/.travis.yml
@@ -77,6 +77,7 @@ script: - go build -i . - make check - if [ "$GOOS" = "linux" ]; then make check-protos check-api-descriptors; fi + - if [ "$TRAVIS_GOOS" = "linux" ]; then make man ; fi - make build - make binaries - if [ "$TRAVIS_GOOS" = "linux" ]; then sudo make install ; fi diff --git a/vendor/github.com/containerd/containerd/Makefile b/vendor/github.com/containerd/containerd/Makefile index 675816189d..6af6668352 100644 --- a/vendor/github.com/containerd/containerd/Makefile +++ b/vendor/github.com/containerd/containerd/Makefile @@ -203,11 +203,19 @@ man: mandir $(addprefix man/,$(MANPAGES)) mandir: @mkdir -p man -genman: FORCE - go run cmd/gen-manpages/main.go man/ +# Kept for backwards compatability +genman: man/containerd.1 man/ctr.1 + +man/containerd.1: FORCE + @echo "$(WHALE) $@" + go run cmd/gen-manpages/main.go containerd man/ + +man/ctr.1: FORCE + @echo "$(WHALE) $@" + go run cmd/gen-manpages/main.go ctr man/ man/%: docs/man/%.md FORCE - @echo "$(WHALE) $<" + @echo "$(WHALE) $@" go-md2man -in "$<" -out "$@" define installmanpage diff --git a/vendor/github.com/containerd/containerd/containerd.service b/vendor/github.com/containerd/containerd/containerd.service index 32486ef7aa..5452ea1f68 100644 --- a/vendor/github.com/containerd/containerd/containerd.service +++ b/vendor/github.com/containerd/containerd/containerd.service @@ -1,7 +1,7 @@ [Unit] Description=containerd container runtime Documentation=https://containerd.io -After=network.target +After=network.target local-fs.target [Service] ExecStartPre=-/sbin/modprobe overlay diff --git a/vendor/github.com/containerd/containerd/pkg/process/io.go b/vendor/github.com/containerd/containerd/pkg/process/io.go index 169f6c8e20..28a94a5ecd 100644 --- a/vendor/github.com/containerd/containerd/pkg/process/io.go +++ b/vendor/github.com/containerd/containerd/pkg/process/io.go 
@@ -40,7 +40,9 @@ import ( var bufPool = sync.Pool{ New: func() interface{} { - buffer := make([]byte, 32<<10) + // setting to 4096 to align with PIPE_BUF + // http://man7.org/linux/man-pages/man7/pipe.7.html + buffer := make([]byte, 4096) return &buffer }, } diff --git a/vendor/github.com/containerd/containerd/runtime/v1/linux/task.go b/vendor/github.com/containerd/containerd/runtime/v1/linux/task.go index 0970c3ea3b..6e7f592b82 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/linux/task.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/linux/task.go @@ -91,9 +91,12 @@ func (t *Task) PID() uint32 { // Delete the task and return the exit status func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) { - rsp, err := t.shim.Delete(ctx, empty) - if err != nil && !errdefs.IsNotFound(err) { - return nil, errdefs.FromGRPC(err) + rsp, shimErr := t.shim.Delete(ctx, empty) + if shimErr != nil { + shimErr = errdefs.FromGRPC(shimErr) + if !errdefs.IsNotFound(shimErr) { + return nil, shimErr + } } t.tasks.Delete(ctx, t.id) if err := t.shim.KillShim(ctx); err != nil { @@ -102,6 +105,9 @@ func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) { if err := t.bundle.Delete(); err != nil { log.G(ctx).WithError(err).Error("failed to delete bundle") } + if shimErr != nil { + return nil, shimErr + } t.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{ ContainerID: t.id, ExitStatus: rsp.ExitStatus, diff --git a/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go b/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go index a722ea1c23..f3e1f4b7c6 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go @@ -55,7 +55,7 @@ var ( empty = &ptypes.Empty{} bufPool = sync.Pool{ New: func() interface{} { - buffer := make([]byte, 32<<10) + buffer := make([]byte, 4096) return &buffer }, } 
@@ -217,7 +217,7 @@ func (s *Service) Delete(ctx context.Context, r *ptypes.Empty) (*shimapi.DeleteR return nil, err } if err := p.Delete(ctx); err != nil { - return nil, err + return nil, errdefs.ToGRPC(err) } s.mu.Lock() delete(s.processes, s.id) @@ -240,7 +240,7 @@ func (s *Service) DeleteProcess(ctx context.Context, r *shimapi.DeleteProcessReq return nil, err } if err := p.Delete(ctx); err != nil { - return nil, err + return nil, errdefs.ToGRPC(err) } s.mu.Lock() delete(s.processes, r.ID) diff --git a/vendor/github.com/containerd/containerd/runtime/v1/shim/service_linux.go b/vendor/github.com/containerd/containerd/runtime/v1/shim/service_linux.go index a4a4b90a35..65a8666e44 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/shim/service_linux.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/shim/service_linux.go @@ -55,6 +55,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console io.CopyBuffer(epollConsole, in, *bp) // we need to shutdown epollConsole when pipe broken epollConsole.Shutdown(p.epoller.CloseConsole) + epollConsole.Close() }() } @@ -73,9 +74,8 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console p := bufPool.Get().(*[]byte) defer bufPool.Put(p) io.CopyBuffer(outw, epollConsole, *p) - epollConsole.Close() - outr.Close() outw.Close() + outr.Close() wg.Done() }() cwg.Wait() diff --git a/vendor/github.com/containerd/containerd/runtime/v2/runc/platform.go b/vendor/github.com/containerd/containerd/runtime/v2/runc/platform.go index 4478b55eff..aa54023970 100644 --- a/vendor/github.com/containerd/containerd/runtime/v2/runc/platform.go +++ b/vendor/github.com/containerd/containerd/runtime/v2/runc/platform.go @@ -32,7 +32,9 @@ import ( var bufPool = sync.Pool{ New: func() interface{} { - buffer := make([]byte, 32<<10) + // setting to 4096 to align with PIPE_BUF + // http://man7.org/linux/man-pages/man7/pipe.7.html + buffer := make([]byte, 4096) return &buffer }, } 
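Review bot: After the second CopyConsole hunk in service_linux.go, the only `epollConsole.Close()` left in the function is the one added to the stdin-copy goroutine, while the stdout goroutine now closes just `outw` and `outr`; the stdin goroutine sits inside a conditional whose header is outside the hunk and, going by the upstream signature, is presumably only started when a stdin fifo was supplied. For a console-attached task with no stdin, nothing visible in this function closes the console fd any more, so unless another path (for example a ShutdownConsole caller on process delete) closes it, this looks like a per-task fd leak on the no-stdin path — worth confirming against the surrounding code. If that is the case, a small guard on the stdout side keeps ownership clear: `if stdin == "" { epollConsole.Close() }` placed just before `outw.Close()`. CopyConsole starts and ends outside the hunk.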
@@ -77,6 +79,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console io.CopyBuffer(epollConsole, in, *bp) // we need to shutdown epollConsole when pipe broken epollConsole.Shutdown(p.epoller.CloseConsole) + epollConsole.Close() }() } @@ -95,9 +98,9 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console buf := bufPool.Get().(*[]byte) defer bufPool.Put(buf) io.CopyBuffer(outw, epollConsole, *buf) - epollConsole.Close() - outr.Close() + outw.Close() + outr.Close() wg.Done() }() cwg.Wait() diff --git a/vendor/github.com/containerd/containerd/runtime/v2/shim.go b/vendor/github.com/containerd/containerd/runtime/v2/shim.go index 972f8222fe..47e927437e 100644 --- a/vendor/github.com/containerd/containerd/runtime/v2/shim.go +++ b/vendor/github.com/containerd/containerd/runtime/v2/shim.go @@ -222,11 +222,14 @@ func (s *shim) Close() error { } func (s *shim) Delete(ctx context.Context) (*runtime.Exit, error) { - response, err := s.task.Delete(ctx, &task.DeleteRequest{ + response, shimErr := s.task.Delete(ctx, &task.DeleteRequest{ ID: s.ID(), }) - if err != nil && !errdefs.IsNotFound(err) { - return nil, errdefs.FromGRPC(err) + if shimErr != nil { + shimErr = errdefs.FromGRPC(shimErr) + if !errdefs.IsNotFound(shimErr) { + return nil, shimErr + } } // remove self from the runtime task list // this seems dirty but it cleans up the API across runtimes, tasks, and the service @@ -238,6 +241,9 @@ func (s *shim) Delete(ctx context.Context) (*runtime.Exit, error) { if err := s.bundle.Delete(); err != nil { log.G(ctx).WithError(err).Error("failed to delete bundle") } + if shimErr != nil { + return nil, shimErr + } return &runtime.Exit{ Status: response.ExitStatus, Timestamp: response.ExitedAt, diff --git a/vendor/github.com/containerd/containerd/services/tasks/local.go b/vendor/github.com/containerd/containerd/services/tasks/local.go index 2833cd31bc..c93421d1fc 100644 
--- a/vendor/github.com/containerd/containerd/services/tasks/local.go +++ b/vendor/github.com/containerd/containerd/services/tasks/local.go @@ -241,7 +241,7 @@ func (l *local) Delete(ctx context.Context, r *api.DeleteTaskRequest, _ ...grpc. } exit, err := t.Delete(ctx) if err != nil { - return nil, err + return nil, errdefs.ToGRPC(err) } return &api.DeleteResponse{ ExitStatus: exit.Status, @@ -257,7 +257,7 @@ func (l *local) DeleteProcess(ctx context.Context, r *api.DeleteProcessRequest, } process, err := t.Process(ctx, r.ExecID) if err != nil { - return nil, err + return nil, errdefs.ToGRPC(err) } exit, err := process.Delete(ctx) if err != nil { diff --git a/vendor/github.com/containerd/containerd/snapshots/native/native.go b/vendor/github.com/containerd/containerd/snapshots/native/native.go index 5532ea66d5..aac26d37b0 100644 --- a/vendor/github.com/containerd/containerd/snapshots/native/native.go +++ b/vendor/github.com/containerd/containerd/snapshots/native/native.go @@ -286,7 +286,15 @@ func (o *snapshotter) createSnapshot(ctx context.Context, kind snapshots.Kind, k if td != "" { if len(s.ParentIDs) > 0 { parent := o.getSnapshotDir(s.ParentIDs[0]) - if err := fs.CopyDir(td, parent); err != nil { + xattrErrorHandler := func(dst, src, xattrKey string, copyErr error) error { + // security.* xattr cannot be copied in most cases (moby/buildkit#1189) + log.G(ctx).WithError(copyErr).Debugf("failed to copy xattr %q", xattrKey) + return nil + } + copyDirOpts := []fs.CopyDirOpt{ + fs.WithXAttrErrorHandler(xattrErrorHandler), + } + if err := fs.CopyDir(td, parent, copyDirOpts...); err != nil { return nil, errors.Wrap(err, "copying of parent failed") } } diff --git a/vendor/github.com/containerd/containerd/vendor.conf b/vendor/github.com/containerd/containerd/vendor.conf index 24724fffe6..9c051167d1 100644 --- a/vendor/github.com/containerd/containerd/vendor.conf +++ b/vendor/github.com/containerd/containerd/vendor.conf 
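Review bot: The xattrErrorHandler added in createSnapshot returns nil for every key, so a failed copy of any extended attribute — not only the `security.*` ones the comment cites — is downgraded to a debug log and the parent copy proceeds without it; a `security.capability` that fails to copy means a setcap'd binary from the parent layer silently runs without its file capabilities in the new native snapshot, and lost `user.*`/`trusted.*` attributes leave no operator-visible signal at all. If the intent is only to tolerate the unsettable security.* case, scope the swallow to that prefix and fail otherwise: `if !strings.HasPrefix(xattrKey, "security.") { return copyErr }` ahead of the debug line (which needs `strings` imported in this file), and consider Warnf rather than Debugf so the missing attribute is visible in normal logs. createSnapshot starts and ends outside the hunk.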
@@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.2.1 github.com/gogo/googleapis v1.2.0 github.com/golang/protobuf v1.2.0 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db -github.com/opencontainers/runc 3e425f80a8c931f88e6d94a8c831b9d5aa481657 # v1.0.0-rc8+ CVE-2019-16884 +github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9 github.com/konsorten/go-windows-terminal-sequences v1.0.1 github.com/sirupsen/logrus v1.4.1 github.com/urfave/cli v1.22.0 diff --git a/vendor/github.com/containerd/cri/.travis.yml b/vendor/github.com/containerd/cri/.travis.yml index c3edb9e7d1..90ac1745e5 100644 --- a/vendor/github.com/containerd/cri/.travis.yml +++ b/vendor/github.com/containerd/cri/.travis.yml @@ -21,14 +21,14 @@ cache: - "${HOME}/google-cloud-sdk/" before_install: - # libseccomp in trusty is not new enough, need backports version. - - sudo sh -c "echo 'deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse' > /etc/apt/sources.list.d/backports.list" - sudo apt-get update + # Enable ipv6 for dualstack integration test. + - sudo sysctl net.ipv6.conf.all.disable_ipv6=0 install: - sudo apt-get install btrfs-tools - - sudo apt-get install libseccomp2/trusty-backports - - sudo apt-get install libseccomp-dev/trusty-backports + - sudo apt-get install libseccomp2 + - sudo apt-get install libseccomp-dev - sudo apt-get install socat before_script: diff --git a/vendor/github.com/containerd/cri/Makefile b/vendor/github.com/containerd/cri/Makefile index 0d3d92aa2e..4d6788e9a4 100644 --- a/vendor/github.com/containerd/cri/Makefile +++ b/vendor/github.com/containerd/cri/Makefile 
@@ -170,7 +170,10 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in .install.golangci-lint: @echo "$(WHALE) $@" - $(GO) get -u github.com/golangci/golangci-lint/cmd/golangci-lint + $(GO) get -d github.com/golangci/golangci-lint/cmd/golangci-lint + @cd $(GOPATH)/src/github.com/golangci/golangci-lint/cmd/golangci-lint; \ + git checkout v1.18.0; \ + go install .install.vndr: @echo "$(WHALE) $@" diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go index add9db6944..97d4fe6be2 100644 --- a/vendor/github.com/containerd/cri/pkg/config/config.go +++ b/vendor/github.com/containerd/cri/pkg/config/config.go @@ -85,8 +85,9 @@ type CniConfig struct { NetworkPluginMaxConfNum int `toml:"max_conf_num" json:"maxConfNum"` // NetworkPluginConfTemplate is the file path of golang template used to generate // cni config. - // When it is set, containerd will get cidr from kubelet to replace {{.PodCIDR}} in - // the template, and write the config into NetworkPluginConfDir. + // When it is set, containerd will get cidr(s) from kubelet to replace {{.PodCIDR}}, + // {{.PodCIDRRanges}} or {{.Routes}} in the template, and write the config into + // NetworkPluginConfDir. // Ideally the cni config should be placed by system admin or cni daemon like calico, // weaveworks etc. However, there are still users using kubenet // (https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#kubenet) diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go index d34e66754d..d35fff30cb 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go 
@@ -331,6 +331,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP customopts.WithoutDefaultSecuritySettings, customopts.WithRelativeRoot(relativeRootfsPath), customopts.WithProcessArgs(config, imageConfig), + oci.WithDefaultPathEnv, // this will be set based on the security context below oci.WithNewPrivileges, } diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go index 39e03a116e..9d64819afa 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go @@ -139,14 +139,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox // In this case however caching the IP will add a subtle performance enhancement by avoiding // calls to network namespace of the pod to query the IP of the veth interface on every // SandboxStatus request. - sandbox.IP, sandbox.CNIResult, err = c.setupPod(ctx, id, sandbox.NetNSPath, config) - if err != nil { + if err := c.setupPodNetwork(ctx, &sandbox); err != nil { return nil, errors.Wrapf(err, "failed to setup network for sandbox %q", id) } defer func() { if retErr != nil { // Teardown network if an error is returned. - if err := c.teardownPod(ctx, id, sandbox.NetNSPath, config); err != nil { + if err := c.teardownPodNetwork(ctx, sandbox); err != nil { log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id) } } 
@@ -544,10 +543,15 @@ func (c *criService) unmountSandboxFiles(id string, config *runtime.PodSandboxCo return nil } -// setupPod setups up the network for a pod -func (c *criService) setupPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) (string, *cni.CNIResult, error) { +// setupPodNetwork setups up the network for a pod +func (c *criService) setupPodNetwork(ctx context.Context, sandbox *sandboxstore.Sandbox) error { + var ( + id = sandbox.ID + config = sandbox.Config + path = sandbox.NetNSPath + ) if c.netPlugin == nil { - return "", nil, errors.New("cni config not initialized") + return errors.New("cni config not initialized") } labels := getPodCNILabels(id, config) @@ -556,7 +560,7 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi // or an unreasonable valure see validateBandwidthIsReasonable() bandWidth, err := toCNIBandWidth(config.Annotations) if err != nil { - return "", nil, errors.Wrap(err, "failed to get bandwidth info from annotations") + return errors.Wrap(err, "failed to get bandwidth info from annotations") } result, err := c.netPlugin.Setup(ctx, id, 
@@ -567,18 +571,20 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi ) if err != nil { - return "", nil, err + return err } logDebugCNIResult(ctx, id, result) // Check if the default interface has IP config if configs, ok := result.Interfaces[defaultIfName]; ok && len(configs.IPConfigs) > 0 { - return selectPodIP(configs.IPConfigs), result, nil + sandbox.IP, sandbox.AdditionalIPs = selectPodIPs(configs.IPConfigs) + sandbox.CNIResult = result + return nil } // If it comes here then the result was invalid so destroy the pod network and return error - if err := c.teardownPod(ctx, id, path, config); err != nil { + if err := c.teardownPodNetwork(ctx, *sandbox); err != nil { log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id) } - return "", result, errors.Errorf("failed to find network info for sandbox %q", id) + return errors.Errorf("failed to find network info for sandbox %q", id) } // toCNIBandWidth converts CRI annotations to CNI bandwidth. 
@@ -623,14 +629,28 @@ func toCNIPortMappings(criPortMappings []*runtime.PortMapping) []cni.PortMapping return portMappings } -// selectPodIP select an ip from the ip list. It prefers ipv4 more than ipv6. -func selectPodIP(ipConfigs []*cni.IPConfig) string { +// selectPodIPs select an ip from the ip list. It prefers ipv4 more than ipv6 +// and returns the additional ips +// TODO(random-liu): Revisit the ip order in the ipv6 beta stage. (cri#1278) +func selectPodIPs(ipConfigs []*cni.IPConfig) (string, []string) { + var ( + additionalIPs []string + ip string + ) for _, c := range ipConfigs { - if c.IP.To4() != nil { - return c.IP.String() + if c.IP.To4() != nil && ip == "" { + ip = c.IP.String() + } else { + additionalIPs = append(additionalIPs, c.IP.String()) } } - return ipConfigs[0].IP.String() + if ip != "" { + return ip, additionalIPs + } + if len(ipConfigs) == 1 { + return additionalIPs[0], nil + } + return additionalIPs[0], additionalIPs[1:] } // untrustedWorkload returns true if the sandbox contains untrusted workload. diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_status.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_status.go index 977ef83c86..774259d2fe 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_status.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_status.go @@ -37,11 +37,11 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox return nil, errors.Wrap(err, "an error occurred when try to find sandbox") } - ip, err := c.getIP(sandbox) + ip, additionalIPs, err := c.getIPs(sandbox) if err != nil { return nil, errors.Wrap(err, "failed to get sandbox ip") } - status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip) + status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip, additionalIPs) if status.GetCreatedAt() == 0 { // CRI doesn't allow CreatedAt == 0. info, err := sandbox.Container.Info(ctx) 
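Review bot: selectPodIPs still indexes `additionalIPs[0]` on both fall-through returns and so panics on an empty `ipConfigs`, exactly as the old body did with `ipConfigs[0]`; the single caller in setupPodNetwork guards with `len(configs.IPConfigs) > 0`, but the function documents no such precondition. Adding `if len(ipConfigs) == 0 { return "", nil }` at the top makes it safe for any future caller at no cost. With that guard the `len(ipConfigs) == 1` special case only differs from the general return by yielding nil instead of an empty slice, which deserves a one-line comment such as `// a lone IP has no additional IPs; return nil so status reports none` so the next reader does not fold it away.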
@@ -66,38 +66,45 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox }, nil } -func (c *criService) getIP(sandbox sandboxstore.Sandbox) (string, error) { +func (c *criService) getIPs(sandbox sandboxstore.Sandbox) (string, []string, error) { config := sandbox.Config if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtime.NamespaceMode_NODE { // For sandboxes using the node network we are not // responsible for reporting the IP. - return "", nil + return "", nil, nil } if closed, err := sandbox.NetNS.Closed(); err != nil { - return "", errors.Wrap(err, "check network namespace closed") + return "", nil, errors.Wrap(err, "check network namespace closed") } else if closed { - return "", nil + return "", nil, nil } - return sandbox.IP, nil + return sandbox.IP, sandbox.AdditionalIPs, nil } // toCRISandboxStatus converts sandbox metadata into CRI pod sandbox status. -func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string) *runtime.PodSandboxStatus { +func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string, additionalIPs []string) *runtime.PodSandboxStatus { // Set sandbox state to NOTREADY by default. state := runtime.PodSandboxState_SANDBOX_NOTREADY if status.State == sandboxstore.StateReady { state = runtime.PodSandboxState_SANDBOX_READY } nsOpts := meta.Config.GetLinux().GetSecurityContext().GetNamespaceOptions() + var ips []*runtime.PodIP + for _, additionalIP := range additionalIPs { + ips = append(ips, &runtime.PodIP{Ip: additionalIP}) + } return &runtime.PodSandboxStatus{ Id: meta.ID, Metadata: meta.Config.GetMetadata(), State: state, CreatedAt: status.CreatedAt.UnixNano(), - Network: &runtime.PodSandboxNetworkStatus{Ip: ip}, + Network: &runtime.PodSandboxNetworkStatus{ + Ip: ip, + AdditionalIps: ips, + }, Linux: &runtime.LinuxPodSandboxStatus{ Namespaces: &runtime.Namespace{ Options: &runtime.NamespaceOption{ 
diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go index 0796f5cfdf..aab6a73013 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go @@ -72,15 +72,14 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb // Teardown network for sandbox. if sandbox.NetNS != nil { - netNSPath := sandbox.NetNSPath // Use empty netns path if netns is not available. This is defined in: // https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md if closed, err := sandbox.NetNS.Closed(); err != nil { return nil, errors.Wrap(err, "failed to check network namespace closed") } else if closed { - netNSPath = "" + sandbox.NetNSPath = "" } - if err := c.teardownPod(ctx, id, netNSPath, sandbox.Config); err != nil { + if err := c.teardownPodNetwork(ctx, sandbox); err != nil { return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id) } if err = sandbox.NetNS.Remove(); err != nil { @@ -156,12 +155,17 @@ func (c *criService) waitSandboxStop(ctx context.Context, sandbox sandboxstore.S } } -// teardownPod removes the network from the pod -func (c *criService) teardownPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) error { +// teardownPodNetwork removes the network from the pod +func (c *criService) teardownPodNetwork(ctx context.Context, sandbox sandboxstore.Sandbox) error { if c.netPlugin == nil { return errors.New("cni config not initialized") } + var ( + id = sandbox.ID + path = sandbox.NetNSPath + config = sandbox.Config + ) labels := getPodCNILabels(id, config) return c.netPlugin.Remove(ctx, id, path, diff --git a/vendor/github.com/containerd/cri/pkg/server/update_runtime_config.go b/vendor/github.com/containerd/cri/pkg/server/update_runtime_config.go index ca2684f3bb..e359582aa9 100644 
--- a/vendor/github.com/containerd/cri/pkg/server/update_runtime_config.go +++ b/vendor/github.com/containerd/cri/pkg/server/update_runtime_config.go @@ -17,8 +17,10 @@ limitations under the License. package server import ( + "net" "os" "path/filepath" + "strings" "text/template" "github.com/containerd/containerd/log" @@ -33,17 +35,36 @@ import ( type cniConfigTemplate struct { // PodCIDR is the cidr for pods on the node. PodCIDR string + // PodCIDRRanges is the cidr ranges for pods on the node. + PodCIDRRanges []string + // Routes is a list of routes configured. + Routes []string } -// cniConfigFileName is the name of cni config file generated by containerd. -const cniConfigFileName = "10-containerd-net.conflist" +const ( + // cniConfigFileName is the name of cni config file generated by containerd. + cniConfigFileName = "10-containerd-net.conflist" + // zeroCIDRv6 is the null route for IPv6. + zeroCIDRv6 = "::/0" + // zeroCIDRv4 is the null route for IPv4. + zeroCIDRv4 = "0.0.0.0/0" +) // UpdateRuntimeConfig updates the runtime config. Currently only handles podCIDR updates. func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateRuntimeConfigRequest) (*runtime.UpdateRuntimeConfigResponse, error) { - podCIDR := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr() - if podCIDR == "" { + podCIDRs := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr() + if podCIDRs == "" { return &runtime.UpdateRuntimeConfigResponse{}, nil } + cidrs := strings.Split(podCIDRs, ",") + for i := range cidrs { + cidrs[i] = strings.TrimSpace(cidrs[i]) + } + routes, err := getRoutes(cidrs) + if err != nil { + return nil, errors.Wrap(err, "get routes") + } + confTemplate := c.config.NetworkPluginConfTemplate if confTemplate == "" { log.G(ctx).Info("No cni config template is specified, wait for other system components to drop the config.") 
@@ -71,8 +92,38 @@ func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateR return nil, errors.Wrapf(err, "failed to open cni config file %q", confFile) } defer f.Close() - if err := t.Execute(f, cniConfigTemplate{PodCIDR: podCIDR}); err != nil { + if err := t.Execute(f, cniConfigTemplate{ + PodCIDR: cidrs[0], + PodCIDRRanges: cidrs, + Routes: routes, + }); err != nil { return nil, errors.Wrapf(err, "failed to generate cni config file %q", confFile) } return &runtime.UpdateRuntimeConfigResponse{}, nil } + +// getRoutes generates required routes for the passed in cidrs. +func getRoutes(cidrs []string) ([]string, error) { + var ( + routes []string + hasV4, hasV6 bool + ) + for _, c := range cidrs { + _, cidr, err := net.ParseCIDR(c) + if err != nil { + return nil, err + } + if cidr.IP.To4() != nil { + hasV4 = true + } else { + hasV6 = true + } + } + if hasV4 { + routes = append(routes, zeroCIDRv4) + } + if hasV6 { + routes = append(routes, zeroCIDRv6) + } + return routes, nil +} diff --git a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go index 3c4ee589bf..68f5fd881d 100644 --- a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go +++ b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go @@ -55,6 +55,8 @@ type Metadata struct { NetNSPath string // IP of Pod if it is attached to non host network IP string + // AdditionalIPs of the Pod if it is attached to non host network + AdditionalIPs []string // RuntimeHandler is the runtime handler name of the pod. RuntimeHandler string // CNIresult resulting configuration for attached network namespace interfaces diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf index efe3b09109..9a785d077f 100644 --- a/vendor/github.com/containerd/cri/vendor.conf +++ b/vendor/github.com/containerd/cri/vendor.conf 
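Review bot: `PodCIDR: cidrs[0]` should carry a comment, because for a dual-stack kubelet the address family that lands in the legacy `{{.PodCIDR}}` placeholder is simply whichever CIDR kubelet listed first, and existing single-family templates will receive it without any warning; suggest `// PodCIDR keeps the first CIDR as sent by kubelet so templates that only use {{.PodCIDR}} keep working; its family follows kubelet's ordering.` above that line. The doc comment on getRoutes would also benefit from stating that it emits only the two default routes (`0.0.0.0/0`, `::/0`) by address family and returns the first net.ParseCIDR error verbatim, so an empty element left by a trailing comma in the kubelet value fails the whole update rather than being skipped — reasonable, but say it is intentional. UpdateRuntimeConfig starts outside the hunk.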
@@ -36,41 +36,42 @@ github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/coreos/go-systemd v14
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc 1fb3814edf44a76e0ccf503decf726d994919a9a
-github.com/containerd/go-runc 9007c2405372fe28918845901a3276c0915689a1
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
-github.com/containerd/containerd a3a30635ef713b544ea7feff0d12a768fd1ed636
+github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
+github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
+github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
+github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
+github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec
 github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
 github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
 github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
-github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
+github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
 github.com/Microsoft/go-winio v0.4.14
 github.com/BurntSushi/toml v0.3.1
+github.com/imdario/mergo v0.3.7
 # kubernetes dependencies
 sigs.k8s.io/yaml v1.1.0
 k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c
-k8s.io/kubernetes v1.15.0
-k8s.io/klog v0.3.1
-k8s.io/cri-api kubernetes-1.15.0
-k8s.io/client-go kubernetes-1.15.0
-k8s.io/api kubernetes-1.15.0
-k8s.io/apiserver kubernetes-1.15.0
-k8s.io/apimachinery kubernetes-1.15.0
-gopkg.in/yaml.v2 v2.2.1
+k8s.io/kubernetes v1.16.0-rc.2
+k8s.io/klog v0.4.0
+k8s.io/cri-api kubernetes-1.16.0-rc.2
+k8s.io/client-go kubernetes-1.16.0-rc.2
+k8s.io/api kubernetes-1.16.0-rc.2
+k8s.io/apiserver kubernetes-1.16.0-rc.2
+k8s.io/apimachinery kubernetes-1.16.0-rc.2
+gopkg.in/yaml.v2 v2.2.2
 gopkg.in/inf.v0 v0.9.0
-golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
-golang.org/x/oauth2 9f3314589c9a9136388751d9adae6b0ed400978a
-golang.org/x/crypto 88737f569e3a9c7ab309cdc09a07fe7fc87233c3
-github.com/stretchr/testify v1.2.2
+golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd
+golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
+golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa
+github.com/stretchr/testify v1.3.0
 github.com/seccomp/libseccomp-golang v0.9.1
 github.com/pmezard/go-difflib v1.0.0
 github.com/modern-go/reflect2 1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/json-iterator/go 1.1.5
-github.com/google/gofuzz 24818f796faf91cd76ec7bddd72458fbced7a6c1
-github.com/emicklei/go-restful v2.2.1
+github.com/json-iterator/go v1.1.7
+github.com/google/gofuzz v1.0.0
+github.com/emicklei/go-restful v2.9.5
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
 github.com/davecgh/go-spew v1.1.1
diff --git a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/container.go b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/container.go
index 8c93643d0c..0dff1cecbb 100644
--- a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/container.go
+++ b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/container.go
@@ -574,7 +574,7 @@ func CreateContainer(
 // Try to pull the image before container creation
 image := config.GetImage().GetImage()
- if _, err := PullImage(iClient, image, auth); err != nil {
+ if _, err := PullImageWithSandbox(iClient, image, auth, podConfig); err != nil {
 return "", err
 }
 }
diff --git a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/image.go b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/image.go
index cbb3422611..f4ac1a430e 100644
--- a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/image.go
+++ b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/image.go
@@ -478,12 +478,6 @@ func normalizeRepoDigest(repoDigests []string) (string, string) {
 return repoDigestPair[0], repoDigestPair[1]
 }
-// PullImage sends a PullImageRequest to the server, and parses
-// the returned PullImageResponse.
-func PullImage(client pb.ImageServiceClient, image string, auth *pb.AuthConfig) (resp *pb.PullImageResponse, err error) {
- return PullImageWithSandbox(client, image, auth, nil)
-}
-
 // PullImageWithSandbox sends a PullImageRequest to the server, and parses
 // the returned PullImageResponse.
 func PullImageWithSandbox(client pb.ImageServiceClient, image string, auth *pb.AuthConfig, sandbox *pb.PodSandboxConfig) (resp *pb.PullImageResponse, err error) {
diff --git a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/stats.go b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/stats.go
index 88654b47fa..c79ceab5fc 100644
--- a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/stats.go
+++ b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/stats.go
@@ -92,7 +92,7 @@ var statsCommand = cli.Command{
 defer closeConnection(context, runtimeConn)
 id := context.String("id")
- if id == "" && context.Args() != nil {
+ if id == "" && context.NArg() > 0 {
 id = context.Args()[0]
 }
diff --git a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/util.go b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/util.go
index 07f6fb9874..e717017fb2 100644
--- a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/util.go
+++ b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/util.go
@@ -210,7 +210,7 @@ func outputProtobufObjAsYAML(obj proto.Message) error {
 func outputStatusInfo(status string, info map[string]string, format string) error {
 // Sort all keys
- keys := make([]string, len(info))
+ keys := []string{}
 for k := range info {
 keys = append(keys, k)
 }
@@ -267,7 +267,7 @@ func marshalMapInOrder(m map[string]interface{}, t interface{}) (string, error)
 v := reflect.ValueOf(t)
 for i := 0; i < v.Type().NumField(); i++ {
 field := jsonFieldFromTag(v.Type().Field(i).Tag)
- if field == "" {
+ if field == "" || field == "-" {
 continue
 }
 value, err := json.Marshal(m[field])
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fde7bc5a36..30f82f7ede 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -151,7 +151,7 @@ github.com/container-storage-interface/spec/lib/go/csi
 github.com/containerd/cgroups
 # github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.0-k3s.1
+# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.0-k3s.2
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
 github.com/containerd/containerd/api/services/containers/v1
@@ -288,7 +288,7 @@ github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/syscallx
 github.com/containerd/continuity/sysx
-# github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89
+# github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be
 github.com/containerd/cri
 github.com/containerd/cri/pkg/annotations
 github.com/containerd/cri/pkg/api/runtimeoptions/v1
@@ -619,7 +619,7 @@ github.com/juju/errors
 github.com/karrick/godirwalk
 # github.com/konsorten/go-windows-terminal-sequences v1.0.2
 github.com/konsorten/go-windows-terminal-sequences
-# github.com/kubernetes-sigs/cri-tools v0.0.0-00010101000000-000000000000 => github.com/rancher/cri-tools v1.16.0-k3s.1
+# github.com/kubernetes-sigs/cri-tools v0.0.0-00010101000000-000000000000 => github.com/rancher/cri-tools v1.16.1-k3s.1
 github.com/kubernetes-sigs/cri-tools/cmd/crictl
 github.com/kubernetes-sigs/cri-tools/pkg/version
 # github.com/lib/pq v1.1.1