Akihiro Suda (AkihiroSuda)
NTT, Tokyo, Japan
https://akihirosuda.github.io/
A maintainer of Moby (dockerd), BuildKit, containerd, and runc.
https://twitter.com/_AkihiroSuda_ ("AkihiroSuda" without underscores is NOT my Twitter)

aind-containers/aind 995

AinD: Android in Docker. Ain't an emulator.

AkihiroSuda/buildbench 60

benchmark tool for Docker, BuildKit, img, Buildah, and Kaniko

AkihiroSuda/aspectgo 36

Aspect-Oriented Programming framework for Go

AkihiroSuda/containerized-systemd 15

Dockerfile examples for containerized systemd (mainly for test environments)

AkihiroSuda/awesome-swarm 10

[OUTDATED] :whale: :whale: :whale: A curated list of Swarm (Docker >=1.12) resources and projects

AkihiroSuda/containerd-fuse-overlayfs 5

fuse-overlayfs plugin for rootless containerd

AkihiroSuda/boot2docker 3

Lightweight Linux for Docker

AkihiroSuda/buildkit_poc 2

temp buildkit playground

AkihiroSuda/containerd 1

An open and reliable container runtime, by Docker

AkihiroSuda/aind 0

AinD: Android in Docker. Ain't an emulator.

push event aind-containers/aind

Akihiro Suda

commit sha 26c95723c313ee1c6629556e5908fdf61f48ebc3

update anbox Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha f9bde9cdffe19db58bffe5899b0fb1928cc3f35c

Merge pull request #41 from AkihiroSuda/c update anbox

push time in 6 hours

PR merged aind-containers/aind

update anbox
+4 -58

0 comment

3 changed files

AkihiroSuda

pr closed time in 6 hours

push event AkihiroSuda/aind

Akihiro Suda

commit sha 26c95723c313ee1c6629556e5908fdf61f48ebc3

update anbox Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 7 hours

PR opened aind-containers/aind

update anbox
+4 -58

0 comment

3 changed files

pr created time in 7 hours

push event AkihiroSuda/aind

Akihiro Suda

commit sha 74a78820826bb5a94c7b5588dbc5af0d34fc7b12

Merge pull request #37 from AkihiroSuda/c Dockerfile: fix

Atef Ben Ali

commit sha 1262eb57eb7b6c4a4ef71b900539686e87ff35d5

fix typo

Akihiro Suda

commit sha 1b5e4ffc409fef0f222631f6e1dab75921a9d4e3

Merge pull request #39 from atefBB/patch-1 Fix typo

Akihiro Suda

commit sha 143af2263bcae641eb47591f66b735d23b845c50

update anbox Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 7 hours

push event moby/buildkit

Tonis Tiigi

commit sha 1f9599aba3bd5adecba0d112b9845f2943c8408a

llb: move source mapping to llb metadata Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha 6073e6cff3775966bc4c96305147be5947af8df1

llb: enable source tracking Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha e536302180ab69722632a1c7d1c16d82dbc41741

dockerfile: keep mapping on #syntax error Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha 75d64ffb4a02b0655ccc31ab7e4393dec720d146

fix proto indentions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha 90c5e674962c6ed723231bde431926d5d09cc847

client: add source mapping tests Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha 6dee7ee0fc323ba460170a18bec718290a4d46d8

dockerfile: add source mapping tests Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha d173e3dca8ea2325bbd41a4c5b1877cebb5c8f22

pb: add more comments Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Edgar Lee

commit sha 7a90a36b4631e47a75dd45f57e68752a9dcfe652

Support multiple source maps and locations for source-level stacktraces Signed-off-by: Edgar Lee <edgarl@netflix.com>

Edgar Lee

commit sha 59fa9fc9a0957aca156a985107277c18fa5c2ae7

Allow multiple source locations to be added as a constraint Signed-off-by: Edgar Lee <edgarl@netflix.com>

Edgar Lee

commit sha 7c81e16b8af4175859a4f79997d1ba9e9f6c23f0

Fix duplicate source maps and fix issue preventing multiple locations per source map Signed-off-by: Edgar Lee <edgarl@netflix.com>

Edgar Lee

commit sha fbee6cccbd1e4aa5c343cf8c97ed5f9835f73cc4

Fix source map test in client_test Signed-off-by: Edgar Lee <edgarl@netflix.com>

Akihiro Suda

commit sha d6f5e972def2243620d03b37cd5a500eb8849efc

Merge pull request #1494 from tonistiigi/errdefs2 llb: add source tracking support

push time in 9 hours

PR merged moby/buildkit

llb: add source tracking support

Adds ability to store location in original source location in llb graph. If an error occurs on build, source location can be accessed from the error.

@hinshun This uses the nested Definition approach we discussed on slack. PTAL. One of the unexpected side-effects is that ops.proto where Definition is defined was using gogo while grpc.Status uses plain protobuf types. It turns out that if I mix these types with imports the unmarshaler breaks down on the map keys. So I needed to change errdefs to use gogo as well and add a bunch of hacks to make it work with grpc. Kind of regretting ever using gogo but no way to change it anymore.

@thaJeztah @tiborvass This PR introduces backward-incompatible changes to protobuf definitions. Previous changes that will not work anymore were only merged in master and not under v0.7. So this should be harmless but we need to make sure we don't do moby releases with current master vendored and this PR not vendored.

+2506 -506

6 comments

28 changed files

tonistiigi

pr closed time in 9 hours

issue comment moby/buildkit

Inconsistent caching behavior in rootless Docker

Is this specific to rootless?

edrevo

comment created time in 9 hours

Pull request review comment moby/moby

remove group name from identity mapping

 func setupRemappedRoot(config *config.Config) (*idtools.IdentityMapping, error) 		// update remapped root setting now that we have resolved them to actual names 		config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname) -		// try with username:groupname, uid:groupname, username:gid, uid:gid,+		// try with username and uid, 		// but keep the original error message (err)-		mappings, err := idtools.NewIdentityMapping(username, groupname)+		mappings, err := idtools.NewIdentityMapping(username) 		if err == nil { 			return mappings, nil
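
Review bot: `config.RemappedRoot` is still formatted as `username:groupname` on the line above, while the call is now `idtools.NewIdentityMapping(username)`, so the group half of the setting is recorded but no longer feeds the mapping. Say so in the comment (the rewritten `// try with username and uid,` also keeps a dangling comma), or stop resolving `groupname` if nothing else uses it, so a reader of the remapped-root setup does not assume the group name takes part in the lookup.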

there can be multiple lines

akhilerm

comment created time in 9 hours

pull request comment moby/moby

seccomp: remove the unused query_module(2)

@justincormack PTAL?

KentaTada

comment created time in 12 hours

pull request comment moby/moby

Enable userns by default

Maybe this PR can also be decomposed into a set of small PRs before making it default. Especially "Address with userns=host container fs has ownership set to the remapped root instead of real root."

@cpuguy83 WDYT?

cpuguy83

comment created time in 12 hours

issue opened opencontainers/runc

support seccomp flags such as SECCOMP_FILTER_FLAG_SPEC_ALLOW (OCI Runtime Spec v1.0.2)

OCI Runtime Spec v1.0.2 supports specifying three seccomp flags: SECCOMP_FILTER_FLAG_TSYNC, SECCOMP_FILTER_FLAG_LOG, and SECCOMP_FILTER_FLAG_SPEC_ALLOW (https://github.com/opencontainers/runtime-spec/commit/d1ef109cd0b39239ff82c267df314f7ed2da576b). However, these flags are currently unimplemented by runc (but implemented by crun).

Notably we should support SECCOMP_FILTER_FLAG_SPEC_ALLOW (Disable Speculative Store Bypass mitigation, since Linux 4.17). The mitigation is enabled by default when a seccomp profile is specified and has serious performance impact on bytecode interpreters including Ruby and Python.

http://mamememo.blogspot.com/2020/05/cpu-intensive-rubypython-code-runs.html

On the host:

$ ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.321703922 sec

On a Docker container:

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
2.452876383 sec

If you specify an option "--security-opt seccomp=unconfined" for docker run command, it runs as fast as the host.

$ docker run --security-opt seccomp=unconfined -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.333669449 sec

created time in 12 hours

Pull request review comment containerd/cgroups

[Carry #150] Added support for memory.events stats

 message MemoryStat { 	uint64 usage_limit = 33; 	uint64 swap_usage = 34; 	uint64 swap_limit = 35;+    // memory.events (101-200)

RFC: Is this numbering scheme the right way? cc @stevvooe

AkihiroSuda

comment created time in 13 hours

pull request comment opencontainers/runc

Cpu quota fixes

The indentation seems broken. Other parts look good.

kolyshkin

comment created time in 15 hours

Pull request review comment opencontainers/runc

Cpu quota fixes

 EOF     check_systemd_value "TasksMax" 20 } -@test "update cgroup v1 cpu limits" {-    [[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup-    requires cgroups_v1+function check_cpu_quota() {+	local quota=$1+	local period=$2+	local sd_quota=$3++	if [ "$CGROUP_UNIFIED" = "yes" ]; then+		if [ "$quota" = "-1" ]; then+			quota="max"+		fi+		check_cgroup_value "cpu.max" "$quota $period"+		check_systemd_value "CPUQuotaPerSecUSec" $sd_quota+	else+		check_cgroup_value "cpu.cfs_quota_us" $quota+		check_cgroup_value "cpu.cfs_period_us" $period+		# no systemd support in v1+	fi+} -    # run a few busyboxes detached-    runc run -d --console-socket $CONSOLE_SOCKET test_update-    [ "$status" -eq 0 ]+function check_cpu_shares() {+	local shares=$1++	if [ "$CGROUP_UNIFIED" = "yes" ]; then+		local weight=$((1 + ((shares - 2) * 9999) / 262142))+		check_cgroup_value "cpu.weight" $weight+		check_systemd_value "CPUWeight" $weight+	else+		check_cgroup_value "cpu.shares" $shares+		check_systemd_value "CPUShares" $shares+	fi+} -    # check that initial values were properly set-    check_cgroup_value "cpu.cfs_period_us" 1000000-    check_cgroup_value "cpu.cfs_quota_us" 500000-    check_systemd_value "CPUQuotaPerSecUSec" 500ms+@test "update cgroup cpu limits" {+	[[ "$ROOTLESS" -ne 0 ]] && requires rootless_cgroup -    check_cgroup_value "cpu.shares" 100-    check_systemd_value "CPUShares" 100+	# run a few busyboxes detached+	runc run -d --console-socket $CONSOLE_SOCKET test_update+	[ "$status" -eq 0 ] -    # systemd driver does not allow to update quota and period separately-    if [ -z "$RUNC_USE_SYSTEMD" ]; then-        # update cpu period-        runc update test_update --cpu-period 900000-        [ "$status" -eq 0 ]-        check_cgroup_value "cpu.cfs_period_us" 900000+	# check that initial values were properly set+	check_cpu_quota 500000 1000000 "500ms"+	check_cpu_shares 100++	# updating cpu period alone is not allowed+	runc update test_update --cpu-period 900000+	[ "$status" -eq 1 ] - 
       # update cpu quota-        runc update test_update --cpu-quota 600000+	# update cpu quota+	runc update test_update --cpu-quota 600000+	[ "$status" -eq 0 ]+	check_cpu_quota 600000 1000000 "600ms"++        # remove cpu quota
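
Review bot: in `check_cpu_quota` the cgroup v1 branch carries `# no systemd support in v1` and asserts nothing for systemd, yet the removed v1 test checked `check_systemd_value "CPUQuotaPerSecUSec" 500ms`, so that coverage is dropped; confirm this is intended. The test also now expects `runc update test_update --cpu-period 900000` to return status 1 unconditionally, where the old test only skipped it when `RUNC_USE_SYSTEMD` was set, which is a behaviour change worth stating in the commit message. Smaller points: `$quota`, `$period`, `$sd_quota`, `$weight` and `$shares` are passed unquoted, and the `# remove cpu quota` line is indented with spaces while the surrounding new lines use tabs.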

nit: indent

kolyshkin

comment created time in 15 hours

pull request comment opencontainers/runc

libct/cgroups/utils: fix/separate cgroupv1 code

LGTM

kolyshkin

comment created time in 15 hours

push event opencontainers/runc

lifubang

commit sha a67dab0ac2dd3829858e35ba643613a1e358ba87

Revert "CreateCgroupPath: only enable needed controllers" 1. Partially revert "CreateCgroupPath: only enable needed controllers" If we update a resource which was not limited in the beginning, it will have no effect. 2. Returns err if we use a non-enabled controller, or else the user may feel success, but actually there is no effect. Signed-off-by: lifubang <lifubang@acmcoder.com>

lifubang

commit sha 275157193cf9e739a53e1be9973f9bb85d1e4129

add testcase for enable all supported controllers in cgroupv2 Signed-off-by: lifubang <lifubang@acmcoder.com>

Akihiro Suda

commit sha 7673bee6bfbc28c8cfbc64165eea29b83e9957f0

Merge pull request #2395 from lifubang/updateCgroupv2 Partially revert "CreateCgroupPath: only enable needed controllers"

push time in 18 hours

PR merged opencontainers/runc

Partially revert "CreateCgroupPath: only enable needed controllers"

fix #2394

  1. Partially revert "CreateCgroupPath: only enable needed controllers" Because if we update a resource which was not limited in the beginning, it will have no effect.
  2. Returns err if we use a non-enabled controller, or else the user may feel success, but actually there is no effect.

For #2367 , I think we don't need fully revert https://github.com/opencontainers/runc/commit/4b4bc995ad4ee4679ffbe38f1672be01c24256fc , because rootless need some part in it to check errors.

Signed-off-by: lifubang lifubang@acmcoder.com

+65 -69

11 comments

3 changed files

lifubang

pr closed time in 18 hours

issue closed opencontainers/runc

`runc update` broken in cgroup v2

If we update a resource which was not limited in the beginning, it will have no effect. For example: We use default config.json to create a container, and then run:

runc update --cpu-quota 1 test
runc update --cpuset-cpus 1 test

It has no error input, but actually it has no effect.

closed time in 18 hours

lifubang

Pull request review comment moby/moby

remove group name from identity mapping

 func setupRemappedRoot(config *config.Config) (*idtools.IdentityMapping, error) 		// update remapped root setting now that we have resolved them to actual names 		config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname) -		// try with username:groupname, uid:groupname, username:gid, uid:gid,+		// try with username and uid, 		// but keep the original error message (err)-		mappings, err := idtools.NewIdentityMapping(username, groupname)+		mappings, err := idtools.NewIdentityMapping(username) 		if err == nil { 			return mappings, nil

always lookup by both name and by number, and concat them

akhilerm

comment created time in 21 hours

issue comment moby/moby

idtools: NewIdentityMapping should not take groupname as an argument

We don't need to do that then

AkihiroSuda

comment created time in a day

issue comment moby/moby

idtools: NewIdentityMapping should not take groupname as an argument

Just take username string as the argument, and look up the username into UID number

AkihiroSuda

comment created time in 2 days

pull request comment kubernetes/kubernetes

vendor: update google/cadvisor and opencontainers/runc

cc @kolyshkin

giuseppe

comment created time in 2 days

Pull request review comment kubernetes/kubernetes

vendor: update google/cadvisor and opencontainers/runc

 func setResourcesV2(cgroupConfig *libcontainerconfigs.Cgroup) error { 	if err := propagateControllers(cgroupConfig.Path); err != nil { 		return err 	}-	allowAll := true-	cgroupConfig.Resources.AllowAllDevices = &allowAll+	cgroupConfig.Resources.Devices = []*libcontainerconfigs.DeviceRule{+		{+			Type:        'a',+			Permissions: "rwm",+			Allow:       true,+			Minor:       libcontainerconfigs.Wildcard,+			Major:       libcontainerconfigs.Wildcard,+		},+	}+	cgroupConfig.Resources.Memory = -1+	cgroupConfig.Resources.CpuWeight = 100+	cgroupConfig.Resources.PidsLimit = -1++	cpuset, err := ioutil.ReadFile(filepath.Join(cmutil.CgroupRoot, "cpuset.cpus.effective"))+	if err != nil {+		return fmt.Errorf("failed to read controllers from %q : %v", cmutil.CgroupRoot, err)+	}+	cgroupConfig.Resources.CpusetCpus = string(cpuset)+	cgroupConfig.Resources.HugetlbLimit = []*libcontainerconfigs.HugepageLimit{
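
Review bot: `cgroupConfig.Resources.CpusetCpus = string(cpuset)` stores the raw contents of `cpuset.cpus.effective`, which as returned by `ioutil.ReadFile` will normally end in a newline; trim it with `strings.TrimSpace(string(cpuset))` before assigning. The error text for that read says "failed to read controllers" and prints `cmutil.CgroupRoot` rather than the file actually read, which looks copied from another call. The replacement for `AllowAllDevices` is a wildcard `'a'` / `"rwm"` allow rule, so a comment stating that this cgroup is deliberately left unrestricted for devices would help later readers.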

Is this something new in this PR?

giuseppe

comment created time in 2 days

Pull request review comment containerd/stargz-snapshotter

Define log message for failure of remote snapshot preparation

 import ( const ( 	targetSnapshotLabel = "containerd.io/snapshot.ref" 	remoteLabel         = "containerd.io/snapshot/remote"++	// remoteSnapshot is a key for log line, which indicates whether `Prepare`+	// method successfully prepared targeting remote snapshot or not, as defined+	// in the following:+	// - "true"  : indicates the snapshot has been successfully prepared as a+	//             remote snapshot+	// - "false" : indicates the snapshot failed to be prepared as a remote+	//             snapshot+	// - null    : undetermined+	remoteSnapshot = "containerd.io/snapshot/prepare/remote.snapshot"

too long maybe

ktock

comment created time in 2 days

Pull request review comment moby/moby

refactor some CPU RT and CFS code

 func WithCgroups(daemon *Daemon, c *container.Container) coci.SpecOpts { 			parentPath = filepath.Clean("/" + parentPath) 		} -		if err := daemon.initCgroupsPath(parentPath); err != nil {-			return fmt.Errorf("linux init cgroups path: %v", err)+		mnt, root, err := cgroups.FindCgroupMountpointAndRoot("", "cpu")+		if err != nil {+			return errors.Wrap(err, "unable to init CPU RT controller")+		}+		// When docker is run inside docker, the root is based of the host cgroup.+		// Should this be handled in runc/libcontainer/cgroups ?+		if strings.HasPrefix(root, "/docker/") {+			root = "/"
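
Review bot: the `strings.HasPrefix(root, "/docker/")` check hard-codes a single cgroup parent name, so the docker-in-docker reset of `root` to `/` applies only when the outer daemon placed this one under that path; the in-code question about handling it in runc/libcontainer/cgroups should be resolved or tracked before merge. The wrapped error "unable to init CPU RT controller" is also what a failure of `cgroups.FindCgroupMountpointAndRoot("", "cpu")` returns, which is a mountpoint lookup failure, so the message could name the lookup instead.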

not new here, but wouldn't it work with systemd?

kolyshkin

comment created time in 3 days

push event moby/buildkit

Anurag Goel

commit sha 3cca54206556dbd7d0151db95c7d29135d422767

Fix shell args expansion in buildctl-daemonless.sh When the special positional params character isn't enclosed in double quotes it prevents users from passing in arguments spanning multiple words. For example, `--opt build-arg:"word1 word2"` fails. Enclosing in double quotes treats each parameter as a separate word. More here: https://tiswww.case.edu/php/chet/bash/bashref.html#index-_0024_0040 Signed-off-by: Anurag Goel <anurag@render.com>

Akihiro Suda

commit sha 7f4214f5b4b314ff3e4bfb3117556369974f75ad

Merge pull request #1504 from anurag/ag/fix-shell-expansion Fix shell args expansion in buildctl-daemonless.sh

push time in 3 days

PR merged moby/buildkit

Fix shell args expansion in buildctl-daemonless.sh

When the special positional params character isn't enclosed in double quotes it prevents users from passing in arguments spanning multiple words. For example, --opt build-arg:"word1 word2" passes word2 as a separate parameter to buildkit. Enclosing $@ in double quotes treats each parameter as a separate word.

More here: https://tiswww.case.edu/php/chet/bash/bashref.html#index-_0024_0040

+1 -1

0 comment

1 changed file

anurag

pr closed time in 3 days

Pull request review comment containerd/stargz-snapshotter

Define log message for failure of remote snapshot preparation

 import ( const ( 	targetSnapshotLabel = "containerd.io/snapshot.ref" 	remoteLabel         = "containerd.io/snapshot/remote"++	// logPrepareRemoteFailure is log message for indicating failure of+	// preparing remote snapshot. This is used by tests in this project+	// to make sure layers have been prepared as remote snapshots.+	logPrepareRemoteFailure = "failed to prepare remote snapshot"

consider using JSON lines rather than defining this kind of magic string

ktock

comment created time in 3 days

Pull request review comment opencontainers/runc

cgroup2: exec: join the cgroup of the init process on EBUSY

 func (p *setnsProcess) start() (err error) { 	} 	if len(p.cgroupPaths) > 0 { 		if err := cgroups.EnterPid(p.cgroupPaths, p.pid()); err != nil && !p.rootlessCgroups {-			return newSystemErrorWithCausef(err, "adding pid %d to cgroups", p.pid())+			// On cgroup v2 + nesting + domain controllers, EnterPid may fail with EBUSY.+			// https://github.com/opencontainers/runc/issues/2356#issuecomment-621277643+			// Try to join the cgroup of InitProcessPid.+			if cgroups.IsCgroup2UnifiedMode() {

I guess it is worth trying to join pid1 even on other errors

AkihiroSuda

comment created time in 4 days

pull request comment containerd/containerd

cgroup2 CI

Yes AFAIK

AkihiroSuda

comment created time in 4 days

push event containerd/containerd.io

Derek McGowan

commit sha ddf42c8687386c99d5cb347dea9384006121d853

Update latest release to 1.3.4 Signed-off-by: Derek McGowan <derek@mcg.dev>

Akihiro Suda

commit sha 53a00683dbef6aa3d8e32248d5de1314bd89f74b

Merge pull request #65 from dmcgowan/update-latest Update latest release to 1.3.4

push time in 4 days

PR opened docker/docker-ce-packaging

docker-rootless-extras: add dockerd-rootless-setuptool.sh

dockerd-rootless-setuptool.sh was added to Moby in https://github.com/moby/moby/pull/40950

+1 -1

0 comment

1 changed file

pr created time in 4 days

create branch AkihiroSuda/docker-ce-packaging

branch : dockerd-rootless-setuptool.sh

created branch time in 4 days

pull request comment opencontainers/runc

cgroup2: exec: join the cgroup of the init process on EBUSY

@kolyshkin @cyphar @giuseppe PTAL

AkihiroSuda

comment created time in 4 days

push event rootless-containers/usernetes

Akihiro Suda

commit sha da7a70555b300c405e0c3cc2fcb2b092879f5c67

update components Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha 80ed86652fc1ce1e21877077e6b56b3ea5cfa8f3

Merge pull request #158 from AkihiroSuda/a update components

push time in 4 days

push event containerd/containerd

Phil Estes

commit sha 55b88c45982dc4a9d7d4f1d3c17d93240bf7b108

Enable GH Actions for release/1.3 Configuration that matches the Travis setup for release/1.3. Backported test fix for golangci-lint check; synced timeout for lint with master. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Sebastiaan van Stijn

commit sha 229bfe25628327073223d0b13cb5dcfe137dd260

service_windows.go: remove unused "service" variable This was added in 40d898a820a557e92eb94d61ed29e1d24327c1a8, but doesn't appear to be used. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha c77ae0e5c688661bd68f97faf901fdc44385d878

Re-add socat based on continued dependency Unlike master, release/1.3 still has the socat dependency from CRI. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Akihiro Suda

commit sha 3943a5373108f3299758abc1030ccf5d8ee7842e

Merge pull request #4280 from estesp/enable-actions-1.3 [release/1.3] Enable GH Actions for release/1.3 branch

push time in 4 days

PR merged containerd/containerd

[release/1.3] Enable GH Actions for release/1.3 branch

Configuration that matches the Travis setup for release/1.3.

Copied script changes from master for actions; lint fix in resolver test and updated to golangci-lint version from master, as well as matched 3m timeout for linting from master.

Cherry picked 4756258faf55c1e2b4eb601c9fb669ecb3b43e8b from master to fix lint issue on Windows (unused var).

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+367 -19

1 comment

8 changed files

estesp

pr closed time in 4 days

pull request comment docker/buildx

README.md: add usage of linuxkit/binfmt

@tonistiigi PTAL

AkihiroSuda

comment created time in 4 days

PR opened rootless-containers/usernetes

update components
+35 -35

0 comment

5 changed files

pr created time in 4 days

push event AkihiroSuda/usernetes

Akihiro Suda

commit sha fab326eb80df3c5be3f0b576869f1143b43f4ef4

Merge pull request #157 from AkihiroSuda/a Fedora 32

Akihiro Suda

commit sha da7a70555b300c405e0c3cc2fcb2b092879f5c67

update components Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha af131d725873472f2dca1adfe81192f1c30d479a

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 8872cb914cafa5d8f5ae3c04d0f9c5171a56e099

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 8029d49959678ec11c53b00b33d2c44ae44ce685

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 6c2bf30a7ed63d27b1301472aba32e2ac9f5451e

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha dcfc19e53a54284bc9e754345431efadcf4e3aa7

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha c4504b3ffaa98bcf6191e8701cb1bead3a35041c

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

pull request comment moby/moby

Dockerfile: bump CRIU 3.14

@kolyshkin PTAL

thaJeztah

comment created time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha d58366e19eb18bdcf48add65ed6111ea58897603

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha d420053c74b61873e5a3e9bd6497b532646d5009

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 2d6b604f37cf58b0147ae14d975673fb02dc4b31

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha cd1f95fcd88eb798aba9780ed7da4ac279d403fd

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 101e4fd089f2c39e92480c240ff21a3d65cc38b4

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha e140fd60e7ab3a6fbe3c7889aae58737fdfee025

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 5e280d062ebfde89f874d2571afa28bd8baa3fcd

cgroup2 CI Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

PR opened containerd/containerd

cgroup2 CI

Fedora 32 Vagrant is used for testing cgroup2.

Currently the test is executed with RUNC_FLAVOR=crun.

+103 -2

0 comment

6 changed files

pr created time in 5 days

create branch AkihiroSuda/containerd

branch : ci-cgroup2

created branch time in 5 days

pull request comment opencontainers/runc

Fix setting some systemd limits, add more tests

LGTM

kolyshkin

comment created time in 5 days

PR opened opencontainers/runc

README.md: fix a dead link easy-to-review
+1 -1

0 comment

1 changed file

pr created time in 5 days

create branch AkihiroSuda/runc

branch : typo20200521

created branch time in 5 days

push event opencontainers/runc

Chris Aniszczyk

commit sha 5c2a97828cbdf25029b770ef370fcb92490fbd56

Add CII Badge to README https://master.bestpractices.coreinfrastructure.org/projects/588 Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>

Chris Aniszczyk

commit sha 7376bdc1428422f229aa689ae2fef37e6a77a83a

Fix reference to badge Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>

Akihiro Suda

commit sha 8cd84e35f87835c98f156bddc53965d75a23d064

Merge pull request #2333 from opencontainers/add-cii-badge Add CII Badge to README

push time in 5 days

PR merged opencontainers/runc

Add CII Badge to README easy-to-review status/3-docs-review

https://master.bestpractices.coreinfrastructure.org/projects/588

Signed-off-by: Chris Aniszczyk caniszczyk@gmail.com

+1 -0

8 comments

1 changed file

caniszczyk

pr closed time in 5 days

pull request comment opencontainers/runc

Add CII Badge to README

LGTM, merging

caniszczyk

comment created time in 5 days

pull request comment opencontainers/runc

libct/cgroups/utils: fix/separate cgroupv1 code

LGTM

kolyshkin

comment created time in 5 days

pull request comment opencontainers/runc

remove cgroup path recursively in cgroup v2

LGTM

lifubang

comment created time in 5 days

pull request comment moby/moby

Support containerd-based graphdriver

I was thinking we would just do a hard cutover to containerd that is opt-in. This would use the containerd content store, image store, snapshotters, and distribution code.

Changing the distribution code without breaking compatibility is hard, so I think we should prioritize this PR over the distribution code.

ktock

comment created time in 5 days

pull request comment moby/moby

Update project/PACKAGERS.md

Please use real name for signing

ericthkr

comment created time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 This will create a static binary under the file "./VERSION". This binary is usually installed somewhere like "/usr/bin/docker". -### Dynamic Daemon / Client-only Binary--If you are only interested in a Docker client binary, you can build using:--```bash-./hack/make.sh binary-client-```+### Dynamic Daemon  If you need to (due to distro policy, distro library availability, or for other reasons) create a dynamically compiled daemon binary, or if you are only

seems not addressed yet

ericthkr

comment created time in 5 days

pull request comment moby/moby

Update project/PACKAGERS.md

Looks good but please sign: git commit -a -s --amend

ericthkr

comment created time in 5 days

Pull request review comment opencontainers/runc

Fix setting some systemd limits, add more tests

 EOF     [ "$status" -eq 0 ]     check_cgroup_value "cpu.cfs_period_us" 1000000     check_cgroup_value "cpu.cfs_quota_us" 500000+    check_systemd_value CPUQuotaPerSecUSec 500ms+     check_cgroup_value "cpu.shares" 100+    check_systemd_value CPUShares 100

nit: quote everything consistently?

kolyshkin

comment created time in 5 days

push event opencontainers/runc

Adrian Reber

commit sha 944e0570256fae1299c2b1a1c5e2324aa8187641

Update to latest go-criu (4.0.2) This updates to the latest version of go-criu (4.0.2) which is based on CRIU 3.14. As go-criu provides an existing way to query the CRIU binary for its version this also removes all the code from runc to handle CRIU version checking and now relies on go-criu. An important side effect of this change is that this raises the minimum CRIU version to 3.0.0 as that is the first CRIU version that supports CRIU version queries via RPC in contrast to parsing the output of 'criu --version' CRIU 3.0 has been released in April of 2017. Signed-off-by: Adrian Reber <areber@redhat.com>

Akihiro Suda

commit sha cd4b71c27a494cdaaaa9c4c06e477225f52c7053

Merge pull request #2409 from adrianreber/go-criu-4-0-0 Update to latest go-criu

push time in 5 days

PR merged opencontainers/runc

Update to latest go-criu area/checkpoint-restore

This updates to the latest version of go-criu (4.0.0) which is based on CRIU 3.14.

As go-criu provides an existing way to query the CRIU binary for its version this also removes all the code from runc to handle CRIU version checking and now relies on go-criu.

An important side effect of this change is that this raises the minimum CRIU version to 3.0.0 as that is the first CRIU version that supports CRIU version queries via RPC in contrast to parsing the output of 'criu --version'

CRIU 3.0 has been released in April of 2017.

The big decision here is if we want to limit runc to CRIU >= 3.0. I guess older versions are not really working with runc anymore so that I do not see it as big problem.

I will update this PR to point to the 4.0.0 go-criu release once go-criu is tagged.

CC: @kolyshkin

+2185 -1335

5 comments

15 changed files

adrianreber

pr closed time in 5 days

pull request comment opencontainers/runc

Update to latest go-criu

LGTM

adrianreber

comment created time in 5 days

pull request comment opencontainers/runc

Partially revert "CreateCgroupPath: only enable needed controllers"

LGTM (if green)

lifubang

comment created time in 5 days

pull request comment moby/moby

Support containerd-based graphdriver

@cpuguy83 :+1: for per-container snapshotter opt, but it can be another PR

ktock

comment created time in 5 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 820391ccab6b1ba7ed33134839ee48faa9d27c38

cgroup2: implement `containerd.events.TaskOOM` event

How to test (from https://github.com/opencontainers/runc/pull/2352#issuecomment-620834524):

(host)$ sudo swapoff -a
(host)$ sudo ctr run -t --rm --memory-limit $((1024*1024*32)) docker.io/library/alpine:latest foo
(container)$ sh -c 'VAR=$(seq 1 100000000)'

An event `/tasks/oom {"container_id":"foo"}` will be displayed in `ctr events`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

PR closed containerd/cgroups

Added support for memory.events stats

Fixes #149 Added support for memory.events stats.

Signed-off-by: Boris Popovschi zyqsempai@mail.ru

+117 -70

7 comments

4 changed files

Zyqsempai

pr closed time in 5 days

pull request comment containerd/cgroups

Added support for memory.events stats

carried as https://github.com/containerd/cgroups/pull/160

Zyqsempai

comment created time in 5 days

PR opened containerd/cgroups

[Carry #150] Added support for memory.events stats

Carry #150 Fix #149

+324 -109

0 comment

4 changed files

pr created time in 5 days

create branch AkihiroSuda/containerd-cgroups

branch : carry-150

created branch time in 5 days

Pull request review comment opencontainers/runc

Partially revert "CreateCgroupPath: only enable needed controllers"

 func CreateCgroupPath(path string, c *configs.Cgroup) (Err error) { 		// enable needed controllers

ping @lifubang

lifubang

comment created time in 5 days

pull request comment moby/moby

Update project/PACKAGERS.md

Please squash the commits and sign

ericthkr

comment created time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 following: ./hack/make.sh dynbinary-client ``` -This will create "./bundles/$VERSION/dynbinary-client/docker-$VERSION", which for-client-only builds is the important file to grab and install as appropriate.+For more information you can visit the [Docker CLI](https://github.com/docker/cli) repository.
### Client
`docker` client is not included in this repo.
See [`github.com/docker/cli`](https://github.com/docker/cli).
ericthkr

comment created time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 following: ./hack/make.sh dynbinary-client

dynbinary

ericthkr

comment created time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 This will create a static binary under the file "./VERSION". This binary is usually installed somewhere like "/usr/bin/docker". -### Dynamic Daemon / Client-only Binary--If you are only interested in a Docker client binary, you can build using:--```bash-./hack/make.sh binary-client-```+### Dynamic Daemon  If you need to (due to distro policy, distro library availability, or for other reasons) create a dynamically compiled daemon binary, or if you are only

Please drop client

ericthkr

comment created time in 5 days

pull request comment containerd/cgroups

v2: fix EventChan

rebased

AkihiroSuda

comment created time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 45229ee60b6d744a01351e14d6948c44aca15672

fix Vagrant on Travis (switch to KVM)

Installation of VirtualBox was failing because of "gpg: no valid OpenPGP data found." error, and yet VirtualBox is less preferred over KVM.

The new script is from runc: https://github.com/opencontainers/runc/blob/b207d578ec2d70e20ca6cfa8a32e49ef59dd48dd/.travis.yml#L23-L42

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Wei Fu

commit sha d77cdc42998ffb8adc38cb14962b1ef14ae733cf

Merge pull request #159 from AkihiroSuda/fix-vagrant

fix Vagrant on Travis (switch to KVM)

Akihiro Suda

commit sha 7a4b4074b7d191f77c127d185d7d04488f961962

v2: fix EventChan

EventChan() was completely broken:
* [critical] `err == nil` comparison was flipped in the opposite way
* [critical] `var out map[string]interface{}` was not initialized with `make()`
* [non-critical] `.(uint64)` conversion errors were not caught

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 the file "./VERSION". This binary is usually installed somewhere like  ### Dynamic Daemon / Client-only Binary

client stuff

ericthkr

comment created time in 5 days

Pull request review comment moby/moby

Update project/PACKAGERS.md

 the file "./VERSION". This binary is usually installed somewhere like  ### Dynamic Daemon / Client-only Binary

Just remove this section please, and add the link to https://github.com/docker/cli

ericthkr

comment created time in 5 days

pull request comment opencontainers/runc

Remove "-buildmode=pie" from platforms that don't support it

LGTM

tianon

comment created time in 5 days

Pull request review comment opencontainers/runc

Partially revert "CreateCgroupPath: only enable needed controllers"

 EOF      runc run -d --console-socket $CONSOLE_SOCKET test_cgroups_permissions     [ "$status" -eq 0 ]+    if [ "$CGROUP_UNIFIED" != "no" ]; then+        check_cgroup_value "cgroup.controllers" "$(cat /sys/fs/cgroup/cgroup.controllers)"
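
Review bot: The guard `[ "$CGROUP_UNIFIED" != "no" ]` is also true when CGROUP_UNIFIED is unset or empty, so the cgroup.controllers comparison would run on any host where the variable was never populated. Testing for the positive value that the test helpers set for unified mode would make the branch fail closed instead.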

should be compared against /sys/fs/cgroup/user.slice/user-${uid}.slice/cgroup.controllers when rootless && RUNC_USE_SYSTEMD is set

lifubang

comment created time in 5 days

Pull request review comment opencontainers/runc

remove cgroup path recursively in cgroup v2

 func RemovePaths(paths map[string]string) (err error) { 	return fmt.Errorf("Failed to remove paths: %v", paths) } +// RemovePathUnified aims to remove cgroup path recursively+// Because there may be subcgroups in it.+func RemovePathUnified(path string) error {+	infos, err := ioutil.ReadDir(path)+	if err != nil {+		return err+	}+	for _, info := range infos {+		if info.IsDir() {+			if err = RemovePathUnified(filepath.Join(path, info.Name())); err != nil {
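
Review bot: RemovePathUnified returns the ioutil.ReadDir error unchanged, so a cgroup directory that is already gone (for example removed by another cleanup between the listing and the recursive call) makes the whole removal fail. Treating os.IsNotExist(err) as success at the ReadDir call would make the function idempotent. The doc comment would also read better as a single sentence ("... removes the cgroup path recursively, because it may contain sub-cgroups.").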

Yes

lifubang

comment created time in 5 days

issue opened containerd/containerd

panic in shim is not logged

Description

panic in shim is not logged

Steps to reproduce the issue:

  • Checkout containerd/containerd@4e08c2de67ec514b5602eea47804d41dfeabdc72
  • Add the following changes:
diff --git a/runtime/v2/shim/shim.go b/runtime/v2/shim/shim.go
index 026ebb4e..446c7354 100644
--- a/runtime/v2/shim/shim.go
+++ b/runtime/v2/shim/shim.go
@@ -146,6 +146,10 @@ func setLogger(ctx context.Context, id string) error {
 
 // Run initializes and runs a shim server
 func Run(id string, initFunc Init, opts ...BinaryOpts) {
+       go func() {
+               time.Sleep(3 * time.Second)
+               panic("test20200520")
+       }()
        var config Config
        for _, o := range opts {
                o(&config)
  • sudo containerd -l debug
  • sudo ctr run -t --rm docker.io/library/alpine:latest foo
  • Wait for 3 seconds

Describe the results you received:

Client log:

/ # ctr: rpc error: code = Unknown desc = ttrpc: closed: unknown

Daemon log:

DEBU[2020-05-20T18:10:21.227260443+09:00] stat snapshot                                 key="sha256:3e207b409db364b595ba862cdc12be96dcdad8e36c59a03b7b3b61c946a5741a"
DEBU[2020-05-20T18:10:21.231059892+09:00] prepare snapshot                              key=foo parent="sha256:3e207b409db364b595ba862cdc12be96dcdad8e36c59a03b7b3b61c946a5741a"
DEBU[2020-05-20T18:10:21.232886266+09:00] event published                               ns=default topic=/snapshot/prepare type=containerd.events.SnapshotPrepare
DEBU[2020-05-20T18:10:21.239970957+09:00] get snapshot mounts                           key=foo
DEBU[2020-05-20T18:10:21.257106464+09:00] event published                               ns=default topic=/containers/create type=containerd.events.ContainerCreate
DEBU[2020-05-20T18:10:21.261141482+09:00] get snapshot mounts                           key=foo
time="2020-05-20T18:10:21.268935307+09:00" level=info msg="starting signal loop" namespace=default path=/run/containerd/io.containerd.runtime.v2.task/default/foo pid=3874
DEBU[2020-05-20T18:10:21.296976405+09:00] garbage collected                             d=8.162005ms
DEBU[2020-05-20T18:10:21.343554990+09:00] event forwarded                               ns=default topic=/tasks/create type=containerd.events.TaskCreate
DEBU[2020-05-20T18:10:21.354678894+09:00] event forwarded                               ns=default topic=/tasks/start type=containerd.events.TaskStart
INFO[2020-05-20T18:10:24.274182871+09:00] shim disconnected                             id=foo
WARN[2020-05-20T18:10:24.274289627+09:00] cleaning up after shim disconnected           id=foo namespace=default
INFO[2020-05-20T18:10:24.274326862+09:00] cleaning up dead shim                        
DEBU[2020-05-20T18:10:24.277669022+09:00] remove snapshot                               key=foo
DEBU[2020-05-20T18:10:24.279204938+09:00] event published                               ns=default topic=/snapshot/remove type=containerd.events.SnapshotRemove
DEBU[2020-05-20T18:10:24.280867012+09:00] event published                               ns=default topic=/containers/delete type=containerd.events.ContainerDelete
WARN[2020-05-20T18:10:24.404555888+09:00] cleanup warnings time="2020-05-20T18:10:24+09:00" level=info msg="starting signal loop" namespace=default pid=3928 
DEBU[2020-05-20T18:10:24.404788417+09:00] event published                               ns=default topic=/tasks/exit type=containerd.events.TaskExit
DEBU[2020-05-20T18:10:24.404848793+09:00] event published                               ns=default topic=/tasks/delete type=containerd.events.TaskDelete
DEBU[2020-05-20T18:10:24.445476058+09:00] schedule snapshotter cleanup                  snapshotter=overlayfs
DEBU[2020-05-20T18:10:24.453806808+09:00] removed snapshot                              key=default/47/foo snapshotter=overlayfs
DEBU[2020-05-20T18:10:24.454828832+09:00] snapshot garbage collected                    d=9.25067ms snapshotter=overlayfs
DEBU[2020-05-20T18:10:24.455422398+09:00] garbage collected                             d=1.364699ms

panic("test20200520") is not logged anywhere.

Describe the results you expected:

panic("test20200520") should be logged

created time in 6 days

pull request comment opencontainers/runc

libcontainer: honor seccomp errnoRet

LGTM

giuseppe

comment created time in 6 days

PR opened containerd/cgroups

fix Vagrant on Travis (switch to KVM)

Installation of VirtualBox was failing because of "gpg: no valid OpenPGP data found." error, and yet VirtualBox is less preferred over KVM.

The new script is from runc: https://github.com/opencontainers/runc/blob/b207d578ec2d70e20ca6cfa8a32e49ef59dd48dd/.travis.yml#L23-L42

+40 -12

0 comment

3 changed files

pr created time in 6 days

create branch AkihiroSuda/containerd-cgroups

branch : fix-vagrant

created branch time in 6 days
