Brian Goff cpuguy83 @Microsoft Seattle, WA

cpuguy83/chef-openldap-server 1

OpenLDAP Server Cookbook for Chef

cpuguy83/aad-pod-identity 0

Assign Azure Active Directory Identities to kubernetes applications.

cpuguy83/acs-engine 0

Azure Container Service Engine - provision and deploy container orchestrators on Azure: Kubernetes, DC/OS, and Docker Swarm.

cpuguy83/activeldap 0

ActiveLdap provides an object oriented interface to LDAP.

cpuguy83/aks-engine 0

AKS Engine: Units of Kubernetes on Azure!

cpuguy83/aws-cli 0

Universal Command Line Interface for Amazon Web Services

cpuguy83/azure-aci 0

Things related to Azure Container Instance

cpuguy83/azure-cli 0

Command-line tools for Azure.

issue comment moby/moby

Docker bind volumes ownership inconsistency

This is all closed source on Docker's side... though I doubt much of it could be easily moved over to other platforms without significant changes.

dee-kryvenko

comment created time in 2 hours

issue comment moby/moby

Docker bind volumes ownership inconsistency

This is a feature of Docker For Mac.

dee-kryvenko

comment created time in 2 hours

push event cpuguy83/docker

Brian Goff

commit sha 9d9dc1cf75cf1cbbb2ac61b416d668e6624f9f8c

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a sleep after warning. To disable the extra sleep users must explicitly specify `--tls=false` or `--tlsverify=false`. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 4 hours

push event moby/moby

Nikolay Edigaryev

commit sha 7afef854ed14bba2cc07d53e6f21455056053a35

api: clarify "v" option behavior in the container remove endpoint

Current description of the "v" option doesn't explain what happens to the volumes that are still in use by other containers. Turns out that the only volumes that are removed are unnamed ones[1].

Perhaps a good way of clarifying this behavior would be adapting the description from "docker rm --help".

As for the docs/api/v1.*.yaml changes — they seem to be applicable, since the origin of this behavior dates way back to the 2016 or v1.11[2].

[1]: https://github.com/moby/moby/blob/a24a71c50f34d53710cccaa4d5e5f62169c5e1dc/daemon/mounts.go#L34-L38
[2]: https://github.com/moby/moby/commit/dd7d1c8a02d8693aa4f381f82c5bbdcad9a5ff58

Signed-off-by: Nikolay Edigaryev <edigaryev@gmail.com>

Brian Goff

commit sha 0f8aaf9d9ae05fb2a9fb02ab6e02f7a6f90b2e74

Merge pull request #41486 from edigaryev/api-clarify-associated-volume-removal

api: clarify "v" option behavior in the container remove endpoint

push time in 4 hours

PR merged moby/moby

api: clarify "v" option behavior in the container remove endpoint

area/api area/docs process/cherry-pick status/3-docs-review

Current description of the "v" option doesn't explain what happens to the volumes that are still in use by other containers. Turns out that the only volumes that are removed are unnamed ones: https://github.com/moby/moby/blob/a24a71c50f34d53710cccaa4d5e5f62169c5e1dc/daemon/mounts.go#L34-L38

Perhaps a good way of clarifying this behavior would be adapting the description from docker rm --help.

As for the docs/api/v1.*.yaml changes — they seem to be applicable, since the origin of this behavior dates way back to the 2016 or v1.11.

+17 -17

1 comment

17 changed files

edigaryev

pr closed time in 4 hours

push event cpuguy83/docker

Brian Goff

commit sha 60b0aa26cdb83a3c7c93c5cad9ab7db929dc6582

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a sleep after warning. To disable the extra sleep users must explicitly specify `--tls=false` or `--tlsverify=false`. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 4 hours

issue comment virtual-kubelet/virtual-kubelet

Proposal for handling v1 Leases

I would like to be able to support v1.16 at least still.

@sargun mentioned issues with the existing automatic fallback behavior where if we can't create a lease (assuming the feature is not enabled) we just do node status updates. VK ends up in this behavior where it always hits the fallback behavior due to issues on the cluster.

Splitting up these into separate controllers instead of the single loop seems like a good step here and does seem like it would prevent the automatic fallback.

Given the beta declaration of lease support, it seems fine to drop the v1beta1 lease behavior. Making sure that compilation fails for anyone using v1beta1 leases seems ideal.

Maybe we can have a special value (e.g. -1) to explicitly disable the lease controller (I suppose we could do this for all of the controllers)?

sargun

comment created time in 5 hours

issue closed docker/cli

[Enhancement] Provide a flag that allows me to automatically agree with docker container prune

Description

In order to ease the pruning of containers in dev environment, it would be awesome if a -y flag can be provided. I would typically expect this flag to behave similarly with the behavior of sudo apt-get install -y command in Ubuntu.

Steps to reproduce the issue:

  1. Execute the following shell command
$ docker container prune

Describe the results you received:

$ WARNING! This will remove all images without at least one container associated to them.
$ Are you sure you want to continue? [y/N]

Describe the results you desire:

IMHO, being able to run the following command on my dev machine really helps in improving the developer experience 👍

$ docker container prune -y

$ I removed dangling containers boss

closed time in 6 hours

allanchua101

issue comment docker/cli

[Enhancement] Provide a flag that allows me to automatically agree with docker container prune

docker container prune -f does this.

$ docker container prune --help

Usage:	docker container prune [OPTIONS]

Remove all stopped containers

Options:
      --filter filter   Provide filter values (e.g. 'until=<timestamp>')
  -f, --force           Do not prompt for confirmation

allanchua101

comment created time in 6 hours

issue comment virtual-kubelet/virtual-kubelet

Does VK support Podman runtime?

None that I know of. There was a generic CRI provider that was very incomplete. I looked at enhancing it (the CRI provider) but CRI is really not great for this and might as well use kubelet if going with a CRI implementation.

Poor12

comment created time in 6 hours

issue comment moby/moby

COPY with excluded files is not possible

https://github.com/moby/moby/issues/15771#issuecomment-550571058

bronger

comment created time in 8 hours

issue comment moby/moby

COPY with excluded files is not possible

If you want something, you need to work on it or find someone to work on it.

bronger

comment created time in 9 hours

issue comment virtual-kubelet/azure-aci

makefile failing in pipeline

Looks like the failure is a timeout in an API call to ACI.

MikkelHegn

comment created time in a day

issue comment virtual-kubelet/azure-aci

makefile failing in pipeline

The pipeline ran and passed on that one: [image]

MikkelHegn

comment created time in a day

push event moby/sys

Tobias Klauser

commit sha 2fa84b5907e0d855e812e5f5dfd4e2a5ff71e804

mount: use MNT_* flags from golang.org/x/sys/unix on freebsd

Bump golang.org/x/sys/unix to the latest version and use the MNT_* constants defined there instead of getting them from sys/mount.h using cgo.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Brian Goff

commit sha 4a8c65a81a10cb75cb8beac8fa9278c48ebdf933

Merge pull request #36 from tklauser/freebsd-x-sys-unix

mount: use MNT_* flags from golang.org/x/sys/unix on freebsd

push time in a day

PR merged moby/sys

mount: use MNT_* flags from golang.org/x/sys/unix on freebsd

Bump golang.org/x/sys/unix to the latest version and use the MNT_* constants defined there instead of getting them from sys/mount.h using cgo.

Full diff for the golang.org/x/sys/unix bump: https://github.com/golang/sys/compare/d5e6a3e2c0ae...aee5d888a86055dc6ab0342f9cdc7b53aaeaec62

+11 -14

0 comment

4 changed files

tklauser

pr closed time in a day

issue comment moby/moby

Windows: remove direct HCS calls

No networking in containerd. So we'll still need to do whatever we do with libnetwork and hcs.

cpuguy83

comment created time in a day

pull request comment virtual-kubelet/azure-aci

Removing reference to aci-connector

Looks like an ACI API request is timing out.

--- FAIL: TestCreateContainerGroupWithVNet (59.03s)
    client_test.go:640: Delete Container Group failed: api call to *****************************subscriptions/************************************/resourceGroups/virtual-kubelet-tests-6801be/providers/Microsoft.ContainerInstance/containerGroups/virtual-kubelet-test-container-group-04bc91?api-version=2018-10-01: got HTTP response status code 503 error code "ServerTimeout": The request timed out. Diagnostic information: timestamp '20200922T122221Z', subscription id '************************************', tracking id 'fb278049-0630-437c-aa0a-ab105208a6dc', request correlation id 'fb278049-0630-437c-aa0a-ab105208a6dc'.

MikkelHegn

comment created time in a day

push event virtual-kubelet/azure-aci

Mingqi Shao

commit sha ae214601d0d03bafc48b055ffc8d09a9ecca628d

add build chart file

Mingqi Shao

commit sha f2f32d9ca17b892806738c745c0a41617160aac4

add new version 1.2.1.3 into charts repo

Mingqi Shao

commit sha ff08174f5ca313395066235fde74eb05d42ed62e

change the installation instruction to use the new chart URL

Brian Goff

commit sha dc1bfec80d6bd4d8f3a48a4e5d0860e16cab518b

Merge pull request #63 from mingqishao/fix-helm

push time in 3 days

issue comment moby/moby

Grafana Loki Logger

Ok well, docker plugin disable -f ought to do.

cyriltovena

comment created time in 3 days

issue comment moby/moby

Grafana Loki Logger

@pgassmann

Note that swarm has some support for managing plugins on the cluster. But... you should be able to use docker plugin upgrade to do this.

cyriltovena

comment created time in 3 days

pull request comment moby/moby

vendor: bump moby/sys/mountinfo/v0.2.0, moby/sys/mount/v0.1.1

Agreed

thaJeztah

comment created time in 3 days

push event moby/moby

Kir Kolyshkin

commit sha 2502db66d0ddf789aa1d09f739db5f2add80916b

pkg/system: make EnsureRemoveAll unix-specific

The tricks performed by EnsureRemoveAll only make sense for Linux and other Unices, so separate it out, and make EnsureRemoveAll for Windows just an alias of os.RemoveAll.

This makes sure RecursiveUnmount is not called on Windows.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Brian Goff

commit sha a24a71c50f34d53710cccaa4d5e5f62169c5e1dc

Merge pull request #41478 from kolyshkin/ensure-rm-all-win

pkg/system: make EnsureRemoveAll unix-specific

push time in 3 days

PR merged moby/moby

pkg/system: make EnsureRemoveAll unix-specific

The tricks performed by EnsureRemoveAll only make sense for Linux and other Unices, so separate it out, and make EnsureRemoveAll for Windows just an alias of os.RemoveAll.

This makes sure RecursiveUnmount is not called on Windows.

Related to: https://github.com/moby/moby/pull/41458

+8 -0

0 comment

2 changed files

kolyshkin

pr closed time in 3 days

pull request comment moby/moby

Propagate contexts down into containerd

Looks not related, I see the same failures on https://github.com/moby/moby/pull/38432

cpuguy83

comment created time in 4 days

Pull request review comment moby/moby

Windows CI: Enable more integration tests

 func TestKillContainerInvalidSignal(t *testing.T) { }  func TestKillContainer(t *testing.T) {-	skip.If(t, testEnv.OSType == "windows", "TODO Windows: FIXME. No SIGWINCH") 	defer setupTest(t)() 	client := testEnv.APIClient()  	testCases := []struct { 		doc    string 		signal string 		status string+		skipOs string 	}{ 		{ 			doc:    "no signal", 			signal: "", 			status: "exited",+			skipOs: "", 		}, 		{ 			doc:    "non killing signal", 			signal: "SIGWINCH", 			status: "running",+			skipOs: "windows", // Windows does not support SIGWINCH 		}, 		{ 			doc:    "killing signal", 			signal: "SIGTERM", 			status: "exited",+			skipOs: "", 		}, 	}  	for _, tc := range testCases { 		tc := tc 		t.Run(tc.doc, func(t *testing.T) {+			if testEnv.OSType == tc.skipOs {+				return
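Review bot: the bare `return` inside `t.Run` when `testEnv.OSType == tc.skipOs` reports the SIGWINCH case as passed on Windows rather than skipped, and it only works because the `skipOs: ""` entries never match a real OS name. Replacing it with `skip.If(t, tc.skipOs != "" && testEnv.OSType == tc.skipOs, "signal not supported on "+tc.skipOs)` keeps the per-case table, shows the case as skipped in the test output, and makes the empty-string sentinel explicit instead of relying on `OSType` never being empty.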

I think skipping is ideal here so that the test output shows it as skipped instead of passed. Can use skip.If even like the rest of the tests.

olljanat

comment created time in 4 days

Pull request review comment moby/moby

Sterner warnings and deprecation notice for unauthenticated tcp access

 func newAPIServerConfig(cli *DaemonCli) (*apiserver.Config, error) { 	return serverConfig, nil } +// checkTLSAuthOK checks basically for an explicitly disabled TLS/TLSVerify+// Going forward we do not want to support a scenario where dockerd listens+//   on TCP without either TLS client auth (or an explicit opt-in to disable it)+func checkTLSAuthOK(c *config.Config) bool {+	if c.TLS == nil {+		// Either TLS is enabled by default, in which case TLS verification should be enabled by default, or explicitly disabled+		// Or TLS is disabled by default... in any of these cases, we can just take the default value as to how to proceed+		return DefaultTLSValue
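Review bot: the doc comment on `checkTLSAuthOK` ("checks basically for an explicitly disabled TLS/TLSVerify") does not say what the boolean result means, so a caller cannot tell whether `true` is the acceptable state or the flagged one; since the `c.TLS == nil` branch returns `DefaultTLSValue`, the comment should state that the function reports whether the TLS configuration is acceptable for a TCP listener and that an unset `TLS` is resolved to the compiled-in default. The second and third comment lines (`// Going forward we do not want to support a scenario where dockerd listens` / `//   on TCP without either TLS client auth ...`) would also read better as one sentence without the extra indent.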

If tlsverify is explicitly set, then we don't want to error out/warn either.

So when tls is true, tlsverify should also be true (this is a change we discussed on the call) unless explicitly set to false. If tlsverify is set at all, tls must not be nil.

So yes, this should be correct, and is why I added the constant. When we change the default, we don't need to update the logic.

cpuguy83

comment created time in 4 days

Pull request review comment moby/moby

Sterner warnings and deprecation notice for unauthenticated tcp access

 const ( 	DefaultCertFile = "cert.pem" 	// FlagTLSVerify is the flag name for the TLS verification option 	FlagTLSVerify = "tlsverify"+	// FlagTLS is the flag name for the TLS option+	FlagTLS = "tls"+	// The default value used for setting the tls option for tcp connections+	DefaultTLSValue = false
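Review bot: the comment on `DefaultTLSValue` ("The default value used for setting the tls option for tcp connections") does not begin with the identifier, unlike the neighbouring `// FlagTLSVerify is ...` and `// FlagTLS is ...` comments, so linters that check comments on exported identifiers will flag it even though nothing imports package main; `// DefaultTLSValue is the default for the tls option on TCP listeners when neither --tls nor --tlsverify is set` matches the surrounding style and records the case it covers.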

This is a package main, nothing can import it. I just kept it consistent with all the other constants.

cpuguy83

comment created time in 4 days

Pull request review comment moby/moby

Sterner warnings and deprecation notice for unauthenticated tcp access

 func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) { 	// Regardless of whether the user sets it to true or false, if they 	// specify TLSVerify at all then we need to turn on TLS 	if conf.IsValueSet(FlagTLSVerify) {-		conf.TLS = true+		v := true+		conf.TLS = &v+	}++	if conf.TLSVerify == nil && conf.TLS != nil {+		conf.TLSVerify = conf.TLS
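Review bot: `conf.TLSVerify = conf.TLS` in the new block copies the pointer rather than the value, so `conf.TLSVerify` and `conf.TLS` alias the same `bool` from this point on and any later write through one of them silently changes the other. Copy the value instead: `v := *conf.TLS; conf.TLSVerify = &v`. The first block already does this for `conf.TLS` (`v := true` / `conf.TLS = &v`), so the two blocks would then be consistent.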

Yes, this is what we discussed on the PR review call.

cpuguy83

comment created time in 4 days

pull request comment moby/moby

Propagate contexts down into containerd

This seems to have made some (specific) tests flakey on s390.

cpuguy83

comment created time in 6 days

push event cpuguy83/docker

Brian Goff

commit sha 5a6e7319ff17aeec6e9feb95493db74ad36d0fc2

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a sleep after warning. To disable the extra sleep users must explicitly specify `--tls=false` or `--tlsverify=false`. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 6 days

PR opened moby/moby

Allow download-frozen-images to work without `go`

Currently we use the go command to read GOARCH and use the value for matching manifests.

This change allows:

  1. Specifying the arch through TARGETARCH
  2. Falling back to dpkg if go is not available
  3. Falling back to uname -m if dpkg is not available
  4. A default value (amd64) if none of these commands is available.

Some of these fallbacks could definitely be better.

+54 -1

0 comment

1 changed file

pr created time in 6 days

create branch cpuguy83/docker

branch: frozen_nogo

created branch time in 6 days

Pull request review comment moby/moby

Add size option to volumes on linux/unix via xfs pquota

 var ( 		"type":   {}, // specify the filesystem type for mount, e.g. nfs 		"o":      {}, // generic mount options 		"device": {}, // device to mount from+		"size":   {}, // quota size limit 	}-	mandatoryOpts = map[string]struct{}{-		"device": {},-		"type":   {},+	mandatoryOpts = map[string][]string{
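Review bot: `mandatoryOpts` changes type from `map[string]struct{}` (a set of required option names) to `map[string][]string`, but the hunk ends before the new value and nothing says what the slice holds (alternatives that satisfy the requirement, or options implied by the key); a one-line comment on the declaration, in the style of the `// quota size limit` annotations just above it, would make the new semantics reviewable without reading `validateOpts`.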

Can you explain the reason behind the changes around this?

BtbN

comment created time in 6 days

Pull request review comment moby/moby

Add size option to volumes on linux/unix via xfs pquota

 func setOpts(v *localVolume, opts map[string]string) error { 	if len(opts) == 0 { 		return nil 	}-	if err := validateOpts(opts); err != nil {+	err := validateOpts(v, opts)+	if err != nil { 		return err 	}- 	v.opts = &optsConfig{ 		MountType:   opts["type"], 		MountOpts:   opts["o"], 		MountDevice: opts["device"], 	}+	if val, ok := opts["size"]; ok {+		size, err := units.RAMInBytes(val)+		if err != nil {+			return err+		}+		v.opts.Quota.Size = uint64(size)+	} 	return nil } -func validateOpts(opts map[string]string) error {+func validateOpts(v *localVolume, opts map[string]string) error {
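Review bot: replacing `if err := validateOpts(opts); err != nil {` with a function-scoped `err := validateOpts(v, opts)` widens `err` for no gain, and the new `size, err := units.RAMInBytes(val)` inside the `"size"` block then shadows it, which `go vet`'s shadow check will report; keeping the original `if err := validateOpts(v, opts); err != nil {` form avoids both. The `uint64(size)` conversion also silently drops the sign of the `int64` that `RAMInBytes` returns, so a `size < 0` guard before the assignment to `v.opts.Quota.Size` is worth adding.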

Maybe pass quotaEnabled as a bool rather than the whole volume

BtbN

comment created time in 6 days

push event cpuguy83/docker

Brian Goff

commit sha e532ae81d5959513b0945636d3c18c80f326b1b9

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a sleep after warning. To disable the extra sleep users must explicitly specify `--tls=false` or `--tlsverify=false`. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 6 days

pull request comment moby/moby

Do not listen on TCP address if w/o TLS verify

Updated to have this work with --tls=false or --tlsverify=false

cpuguy83

comment created time in 6 days

push event cpuguy83/docker

Brian Goff

commit sha 0790a513cb042b011a13532852c9af00920aa972

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*.

Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 6 days

push event cpuguy83/docker

Leonardo Taccari

commit sha 3d9120f7449ea00d56729773a9d23d3d7acce65b

Unify same fromStatT() implementation for FreeBSD and NetBSD

Suggested by Sebastiaan van Stijn, thanks!

Signed-off-by: Leonardo Taccari <leot@NetBSD.org>

Sebastiaan van Stijn

commit sha 4ab96db4ab93d23a66f0ae8e63c05e3adff9d94a

vendor: github.com/moby/term 7f0af18e79f2784809e9cef63d0df5aa2c79d76e

full diff: https://github.com/moby/term/compare/73f35e472e8f0a3f91347164138ce6bd73b756a9...7f0af18e79f2784809e9cef63d0df5aa2c79d76e

- update gotest.tools to v3
- Use unix.Ioctl{Get,Set}Termios on all unix platforms
- Make Termios type alias, remove casts

vendor: golang.org/x/sys 196b9ba8737a10c9253b04174f25881e562da5b8

full diff: https://github.com/golang/sys/compare/ed371f2e16b4b305ee99df548828de367527b76b...196b9ba8737a10c9253b04174f25881e562da5b8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Brian Goff

commit sha 72fce23fc4b66e21cc74cb3528899d3d235454b5

Merge pull request #41453 from thaJeztah/bump_moby_term

vendor: github.com/moby/term 7f0af18e79f2784809e9cef63d0df5aa2c79d76e

Brian Goff

commit sha f99814d749d722f9ddec30d4ee94651b9b4c7163

Merge pull request #41448 from iamleot/stat_bsd

Unify same fromStatT() implementation for FreeBSD and NetBSD

Sebastiaan van Stijn

commit sha 1371a629d53a7c3639f1b12522a3a4021f5644b8

update containerd binary to v1.4.1

full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1

Welcome to the v1.4.1 release of containerd!

The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes.

Notable Updates:

* Always consume shim logs to prevent logs in the shim from blocking
* Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist`
* Fix metrics monitoring of v2 runtime tasks
* Fix incorrect stat for Windows containers
* Fix devmapper device deletion on rollback
* Update seccomp default profile

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha af3220884e9a4851435b8e8480dea5a5cb2a1db9

vendor: github.com/containerd/containerd v1.4.1

full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1

Welcome to the v1.4.1 release of containerd!

The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes.

Notable Updates:

* Always consume shim logs to prevent logs in the shim from blocking
* Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist`
* Fix metrics monitoring of v2 runtime tasks
* Fix incorrect stat for Windows containers
* Fix devmapper device deletion on rollback
* Update seccomp default profile

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 1ed6589e391f4cea9d984b8cb8d7333d49866dae

vendor: github.com/syndtr/gocapability 42c35b4376354fd554efc7ad35e0b7f94e3a0ffb

full diff: https://github.com/syndtr/gocapability/compare/d98352740cb2c55f81556b63d4a1ec64c5a319c2...42c35b4376354fd554efc7ad35e0b7f94e3a0ffb

Update Capabilities

- Add `CAP_PERFMON`
- Add `CAP_BPF`
- Add `CAP_CHECKPOINT_RESTORE`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Olli Janatuinen

commit sha 82b5ff8026506017a3b01f7b6e0ece5c226a56bb

Windows CI: Make sure that CI fails on any error

- If unit tests fail
- If integration tests fail

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>

Sebastiaan van Stijn

commit sha ef6416f3b95570567aa0ee554a496fd5203d5e84

Merge pull request #40599 from olljanat/win-integration-fail-on-error

Windows CI: Make sure that CI fails on any error

Brian Goff

commit sha 3956a86b6235038011bd8055b59cd24c182aa4ff

Merge pull request #41450 from thaJeztah/containerd_1.4.1

update containerd vendor and binary to v1.4.1

Tibor Vass

commit sha 7f7e4abb331a2973cfb3223710cc35a3e476b1b3

Merge pull request #41460 from thaJeztah/bump_gocapabilities

vendor: github.com/syndtr/gocapability 42c35b4376354fd554efc7ad35e0b7f94e3a0ffb

Sebastiaan van Stijn

commit sha 9fb324f00be66e27afd4172b509ec5525b588f81

vendor: docker/libnetwork d0951081b35fa4216fc4f0064bf065beeb55a74b

full diff: https://github.com/docker/libnetwork/compare/9e99af28df21367340c95a3863e31808d689c92a...d0951081b35fa4216fc4f0064bf065beeb55a74b

- docker/libnetwork#2560 types: remove some dead code
- docker/libnetwork#2562 client/mflag: remove use of docker/docker/pkg/homedir
- docker/libnetwork#2576 Skip redundant kernel version checks
- docker/libnetwork#2583 vendor: update docker to 7ca355652fe0e2f7401d424d65a81dc248360127 and reduce dependency graph

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 7cdced6f4b5a5c2b075c0d971920754664559ff1

vendor.conf: fix tar-split version comment

We already updated to v0.11.1, but didn't update the comment itself

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 968133c86c0ae34f0904e83ebfa4472c623c74cc

vendor: opencontainers/go-digest v1.0.0

full diff: https://github.com/opencontainers/go-digest/compare/v1.0.0-rc1...v1.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Tibor Vass

commit sha 1dff568d45aae3a6682dbf7e3803feeddcfce8ea

Merge pull request #41466 from thaJeztah/bump_libnetwork

vendor: docker/libnetwork d0951081b35fa4216fc4f0064bf065beeb55a74b

Tibor Vass

commit sha 2513da195eef09acb56da21d7191aaa3b4ed4b35

Merge pull request #41467 from thaJeztah/bump_go_digest

vendor: opencontainers/go-digest v1.0.0

Brian Goff

commit sha 7cafe7d12d5ade8352e1c0297d3c8628b0fac7db

Sterner warnings for unauthenticated tcp

People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever.

This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*.

Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

push time in 6 days

push event virtual-kubelet/azure-aci

Pengfei Ni

commit sha a1d11515dfa109572dfbaebed5f8845313d10aac

Update chart with fixes from #58

Brian Goff

commit sha d42f6dec93a2a8766421de304ee71e142c286ce0

Merge pull request #61 from feiskyer/update-chart

Update chart with fixes from #58

push time in 6 days

PR merged virtual-kubelet/azure-aci

Update chart with fixes from #58

#58 has fixed a few chart issues, but didn't get the changes into released chart yet. This PR updates the latest chart with those fixes.

+0 -0

1 comment

1 changed file

feiskyer

pr closed time in 6 days

issue closed virtual-kubelet/virtual-kubelet

Documentation - GPU-enabled ACI containers

Documentation Request

https://github.com/virtual-kubelet/virtual-kubelet/tree/master/providers/azure

The Azure provider landing page for virtual kubelet shows that GPU-enabled containers currently have documentation pending. Do we have an ETA for availability, or perhaps this documentation is being curated elsewhere?

closed time in 7 days

MarcosMMartinez

issue comment virtual-kubelet/virtual-kubelet

Documentation - GPU-enabled ACI containers

Agreed, let's move to azure-aci if it is still an issue.

MarcosMMartinez

comment created time in 7 days

Pull request review comment virtual-kubelet/virtual-kubelet

Add helpers for common setup code

 func runRootCommand(ctx context.Context, s *provider.Store, c Opts) error { 		} 	}() +	setNodeReady(pNode)+	if err := np.UpdateStatus(ctx, pNode); err != nil {+		return errors.Wrap(err, "error marking the node as ready")+	} 	log.G(ctx).Info("Initialized")  	<-ctx.Done() 	return nil } -func newClient(configPath string) (*kubernetes.Clientset, error) {-	var config *rest.Config--	// Check if the kubeConfig file exists.-	if _, err := os.Stat(configPath); !os.IsNotExist(err) {-		// Get the kubeconfig from the filepath.-		config, err = clientcmd.BuildConfigFromFlags("", configPath)-		if err != nil {-			return nil, errors.Wrap(err, "error building client config")+func setNodeReady(n *corev1.Node) {+	for i, c := range n.Status.Conditions {+		if c.Type != "Ready" {+			continue 		}-	} else {-		// Set to in-cluster config.-		config, err = rest.InClusterConfig()-		if err != nil {-			return nil, errors.Wrap(err, "error building in cluster config")-		}-	} -	if masterURI := os.Getenv("MASTER_URI"); masterURI != "" {-		config.Host = masterURI+		c.Message = "Kubelet is ready"+		c.Reason = "KubeletReady"+		c.Status = corev1.ConditionTrue+		c.LastHeartbeatTime = metav1.Now()+		c.LastTransitionTime = metav1.Now()+		n.Status.Conditions[i] = c+		return 	} -	return kubernetes.NewForConfig(config)+	// No ready condition in node status
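Review bot: `setNodeReady` sets `c.LastTransitionTime = metav1.Now()` unconditionally, so a node whose Ready condition was already `True` gets a fresh transition time on every call; only `LastHeartbeatTime` should be refreshed each time, and `LastTransitionTime` only when `c.Status` actually changes, e.g. `if c.Status != corev1.ConditionTrue { c.LastTransitionTime = metav1.Now() }` before the assignment. The `c.Type != "Ready"` comparison should also use the `corev1.NodeReady` constant rather than a string literal.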

Updated, took this special condition out since it's not going to be reached anyway.

cpuguy83

comment created time in 7 days

push event cpuguy83/virtual-kubelet

Brian Goff

commit sha 0c64171e851a1a1e49fb6edce8a09235bc54b22f

Add v2 node provider for accepting status updates

This allows the use of a built-in provider to do things like mark a node as ready once all the controllers are spun up.

The e2e tests now use this instead of waiting on the pod that the vk provider is deployed in to be marked ready (this was waiting on /stats/summary to be serving, which is racey).

push time in 7 days

Pull request review comment virtual-kubelet/virtual-kubelet

Add helpers for common setup code

 func runRootCommand(ctx context.Context, s *provider.Store, c Opts) error { 		} 	}() +	setNodeReady(pNode)+	if err := np.UpdateStatus(ctx, pNode); err != nil {+		return errors.Wrap(err, "error marking the node as ready")+	} 	log.G(ctx).Info("Initialized")  	<-ctx.Done() 	return nil } -func newClient(configPath string) (*kubernetes.Clientset, error) {-	var config *rest.Config--	// Check if the kubeConfig file exists.-	if _, err := os.Stat(configPath); !os.IsNotExist(err) {-		// Get the kubeconfig from the filepath.-		config, err = clientcmd.BuildConfigFromFlags("", configPath)-		if err != nil {-			return nil, errors.Wrap(err, "error building client config")+func setNodeReady(n *corev1.Node) {+	for i, c := range n.Status.Conditions {+		if c.Type != "Ready" {+			continue 		}-	} else {-		// Set to in-cluster config.-		config, err = rest.InClusterConfig()-		if err != nil {-			return nil, errors.Wrap(err, "error building in cluster config")-		}-	} -	if masterURI := os.Getenv("MASTER_URI"); masterURI != "" {-		config.Host = masterURI+		c.Message = "Kubelet is ready"+		c.Reason = "KubeletReady"+		c.Status = corev1.ConditionTrue+		c.LastHeartbeatTime = metav1.Now()+		c.LastTransitionTime = metav1.Now()+		n.Status.Conditions[i] = c+		return 	} -	return kubernetes.NewForConfig(config)+	// No ready condition in node status
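Review bot: when the loop in `setNodeReady` finds no Ready condition it falls through to the trailing `// No ready condition in node status` comment and returns with the node untouched, yet `runRootCommand` still calls `np.UpdateStatus(ctx, pNode)` and logs "Initialized" as if the node had been marked ready; either append a Ready condition in that case or have `setNodeReady` return a `bool` so the caller can fail with a clear error instead of silently publishing an unready node.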

I'd rather just take this out. If it fails its a provider problem (and specifically this is for e2e in this repo only anyway).

cpuguy83

comment created time in 7 days

pull request comment moby/sys

mountinfo: add go.mod

I'm not sure why we needed this module. Multi-module is pretty rough, especially for minimal dependencies as is.

kolyshkin

comment created time in 7 days

Pull request review comment virtual-kubelet/virtual-kubelet

Add helpers for common setup code

 type EndToEndTestSuiteConfig struct {  // Setup runs the setup function from the provider and other // procedures before running the test suite-func (ts *EndToEndTestSuite) Setup() {+func (ts *EndToEndTestSuite) Setup(t *testing.T) { 	if err := ts.setup(); err != nil {-		panic(err)+		t.Fatal(err) 	} -	// Wait for the virtual kubelet (deployed as a pod) to become fully ready-	if _, err := f.WaitUntilPodReady(f.Namespace, f.NodeName); err != nil {-		panic(err)+	// Wait for the virtual kubelet node resource to become fully ready+	if err := f.WaitUntilNodeCondition(func(ev watch.Event) (bool, error) {
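Review bot: the doc comment above `Setup` ("Setup runs the setup function from the provider and other procedures before running the test suite") is not updated for the new `t *testing.T` parameter or for the switch from `panic(err)` to `t.Fatal(err)`; it should say that `Setup` must be called from a test, fails that test on error, and blocks until the virtual kubelet node reports the expected condition through the `f.WaitUntilNodeCondition` watch callback that replaces `f.WaitUntilPodReady`.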

@sargun So you don't want to use a watch here? Sorry I'm just confused as to what you are looking for specifically.

cpuguy83

comment created time in 7 days

PullRequestReviewEvent

push eventvirtual-kubelet/virtual-kubelet

Lachlan Evenson

commit sha 724bddd559782815e3581420248bf7f67097d623

Add link to mailing list Signed-off-by: Lachlan Evenson <lachlan.evenson@microsoft.com>

view details

Lachlan Evenson

commit sha 9b4dc639cf2b4d25e6be4675f23d3c7ed6b105b7

Fix spacing Signed-off-by: Lachlan Evenson <lachlan.evenson@microsoft.com>

view details

Brian Goff

commit sha 4b74a01f8f4722915cfde0bc7212d6d429516bb0

Merge pull request #878 from lachie83/add-mailing-list

view details

push time in 7 days

PR merged virtual-kubelet/virtual-kubelet

docs(README): Add link to mailing list

close #419

Adds link to VK dev mailing list

Signed-off-by: Lachlan Evenson lachlan.evenson@microsoft.com

+2 -3

0 comment

1 changed file

lachie83

pr closed time in 7 days

issue closedvirtual-kubelet/virtual-kubelet

vk collaboration

Update collaboration details in the README with the new calendar link & meeting time details Investigate getting a dev mailing list for VK

closed time in 7 days

rbitia

Pull request review commentvirtual-kubelet/virtual-kubelet

Add helpers for common setup code

 func runRootCommand(ctx context.Context, s *provider.Store, c Opts) error { 		} 	}() +	setNodeReady(pNode)
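Review bot: setNodeReady(pNode) is called unconditionally as soon as the deferred goroutine above is set up, with nothing in this hunk checking that the provider finished initializing; marking the node Ready before that point lets the scheduler place pods on a node that cannot run them yet. Gate the call on an explicit readiness signal from the provider, or leave the Ready condition to the node controller as before.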

@sargun are you using this code for anything other than e2e?

cpuguy83

comment created time in 7 days

PullRequestReviewEvent

issue closedvirtual-kubelet/virtual-kubelet

[Azure] Using Service Principal credentials to pull private image in ACR


Environment summary

Provider (e.g. ACI, AWS Fargate, Hyper)

ACI

Version (e.g. 0.1, 0.2-beta)

microsoft/virtual-kubelet:latest (aka. 0.2-beta-12)

K8s Master Info (e.g. AKS, ACS, Bare Metal, EKS)

AKS

Install Method (e.g. Helm Chart)

az aks install-connector [...]

Issue Details

When specifying a private image hosted on an ACR (Azure Container Registry), the Azure AD Service Principal authentication credentials are not passed to the ACI. Private images work totally fine if the pods are run on the AKS nodes, but do not behave the same way using virtual-kubelet - I naively expect the same result regardless of where the underlying pod is running.

As a workaround I have created a secret (of type kubernetes.io/dockerconfigjson) which contains the Service Credentials details needed to pull the private image from ACR (username/appId and password). And I point the spec at the secret (via imagePullSecrets). I took a look through the provider code and noticed that it supports this feature (see below).

https://github.com/virtual-kubelet/virtual-kubelet/blob/f3ebde2533f7854698df8a298386154d423854e2/providers/azure/aci.go#L444-L472

I could not find any other references that would suggest these credentials could be automatically passed to ACI. But for the time being, my workaround functions as expected - I'm just not entirely sure if it's the best way to do it.

I also noticed that when specifying multiple auths (eg. https://example.azurecr.io and example.azurecr.io) in the docker config json secret, ACI also throws an error. So this workaround requires a secret per container registry (which is probably a good idea anyway) - if you're pulling from multiple ACRs. I'm not, but it's worth noting, because the code below suggests that you could provide multiple auths, yet I'm not sure that could ever work.

https://github.com/virtual-kubelet/virtual-kubelet/blob/f3ebde2533f7854698df8a298386154d423854e2/providers/azure/aci.go#L520-L526

I hope that's enough info.

Repo Steps

  • Create an AD SP
  • Create an ACR (and assign the Reader role to the SP)
  • Push an image to the ACR
  • Create an AKS cluster (using the SP)
  • Install the ACI connector
  • Create a deployment/pod which targets the ACI, and which uses the ACR image name (eg. example.azurecr.io/nginx:latest).
  • Check the ACI resource group's activity log for the error message (or check the ACI connector pod's logs)

Example JSON output from the resource group's activity log:

{
    ...
    "properties": {
        "statusCode": "BadRequest",
        "serviceRequestId": "eastus:36880b71-f747-4192-81d0-1002aa458943",
        "statusMessage": "{\"error\":{\"code\":\"InaccessibleImage\",\"message\":\"The image '[REDACTED].azurecr.io/[REDACTED]:latest' in container group 'default-[REDACTED]-7fb697cdbc-rmqpw' is not accessible. Please check the image and registry credential.\"}}"
    },
    ...
}

closed time in 7 days

jmshal

issue closedvirtual-kubelet/virtual-kubelet

kubectl describe : Not working, dashboard showing blank values for CPU usage for virtual kubernetes cluster


Environment summary

Provider (e.g. ACI, AWS Fargate, Hyper)

ACI

Version (e.g. 0.1, 0.2-beta)

K8s Master Info (e.g. AKS, ACS, Bare Metal, EKS)

AKS

Install Method (e.g. Helm Chart)

Helm

Issue Details

Issue No: 1:

kubectl describe XXXXXXXXX

ABOVE COMMAND GIVES BELOW RESPONSE: even though "kubectl get pods -o wide" returns this pod

error: the server doesn't have a resource type "XXXXXXXXX"

Note: we are using the virtual kubernetes pod

Issue No: 2: CPU details are coming as blank even on portal: image

Here is the yaml used from this link: https://docs.microsoft.com/en-us/azure/aks/virtual-kubelet

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nanoserver-iis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nanoserver-iis
  template:
    metadata:
      labels:
        app: nanoserver-iis
    spec:
      containers:
      - name: nanoserver-iis
        image: microsoft/iis:nanoserver
        ports:
        - containerPort: 80
      nodeSelector:
        beta.kubernetes.io/os: windows
        kubernetes.io/role: agent
        type: virtual-kubelet
      tolerations:
      - key: virtual-kubelet.io/provider
        operator: Equal
        value: azure
        effect: NoSchedule

Repo Steps

closed time in 7 days

AfreenShaha

push eventvirtual-kubelet/virtual-kubelet

Lachlan Evenson

commit sha 5304a66f905e478945b5f753399bdccceef1681e

Remove confusing internal external verbiage Signed-off-by: Lachlan Evenson <lachlan.evenson@microsoft.com>

view details

Brian Goff

commit sha 5f5f23e668e5d4c51aa353f3cf1ee0cc64fdf441

Merge pull request #877 from lachie83/doc-update-inside-outside Remove confusing internal external verbiage

view details

push time in 7 days

PR merged virtual-kubelet/virtual-kubelet

Remove confusing internal external verbiage

closes #545

Replaces external and internal verbiage with more commonly used "on Kubernetes" and "external to Kubernetes"

Signed-off-by: Lachlan Evenson lachlan.evenson@microsoft.com

+6 -6

0 comment

1 changed file

lachie83

pr closed time in 7 days

issue closedvirtual-kubelet/virtual-kubelet

Clarify "inside" vs. "outside" in the documentation

To write the VK usage docs I borrowed liberally from the README, which speaks in terms of "inside" and "outside" a Kubernetes cluster. This language is pretty confusing. We should refine the language and standardize on some terms.

closed time in 7 days

lucperkins
PullRequestReviewEvent

issue closedvirtual-kubelet/virtual-kubelet

broken links in virtual-kubelet docs

Issue Details

On the page about providers there are some links that are supposed to lead to code examples of the Provider interface implementation but they don't work.

At first I thought it was one link but after further investigation it seems all the links in that page leading to code docs or examples don't work.

closed time in 7 days

rugwirobaker

issue commentmoby/moby

Docker container exit code is zero when program is terminated with SIGSEGV

It means you either need to use "--init" or you need to explicitly set up signal handling in your program because your program is automatically dropping the default signal handlers because it is running as PID 1.

"--init" runs a small, proper PID 1 in the container for you, thus making your program not run as PID 1, and not dropping the default signal handlers.

f-squirrel

comment created time in 7 days
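The second option from the comment above, handling the signals in the program itself, as an added example in C that is not code from the thread or from moby: a process running as PID 1 loses the default terminating action for signals, so the program installs its own handler for the usual terminating signals and exits with the 128+signal status that shells and Docker report for a signal death. The signal list is constructed for the example, and the fork-based helper only exists so the behaviour can be observed from an ordinary (non PID 1) process; `--init` remains the no-code alternative.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Terminating signals whose default action a PID 1 process does not get.
 * Constructed list for this example; extend it to what the workload needs. */
static const int kTerminatingSignals[] = { SIGHUP, SIGINT, SIGTERM, SIGSEGV, SIGBUS, SIGABRT };
static const int kNumSignals = sizeof(kTerminatingSignals) / sizeof(kTerminatingSignals[0]);

/* Terminate and encode the signal number in the exit status (128 + signal),
 * the convention shells and `docker wait` use for a process killed by a signal. */
static void terminate_with_signal_status(int sig) {
    _exit(128 + sig);              /* async-signal-safe; no cleanup runs here */
}

/* Install the handler for every signal in the list. Returns the number of
 * handlers installed, or -1 if sigaction fails. Harmless when not PID 1. */
int install_pid1_signal_handlers(void) {
    struct sigaction sa;
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = terminate_with_signal_status;
    sa.sa_flags = 0;
    for (int i = 0; i < kNumSignals; i++) {
        if (sigaction(kTerminatingSignals[i], &sa, NULL) != 0)
            return -1;
    }
    return kNumSignals;
}

/* Demonstration helper: fork a child that installs the handlers and then sends
 * itself `sig`. Returns the child's exit code when it exited normally, the
 * negated signal number when it was killed outright, or -1000 on a fork/wait error. */
int child_status_after_signal(int sig) {
    pid_t pid = fork();
    if (pid < 0)
        return -1000;
    if (pid == 0) {
        if (install_pid1_signal_handlers() < 0)
            _exit(1);
        raise(sig);                /* handler runs and calls _exit(128 + sig) */
        _exit(0);                  /* not reached once the handler is in place */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1000;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    return -1000;
}

int main(void) {
    printf("SIGTERM -> exit status %d\n", child_status_after_signal(SIGTERM));  /* 143 */
    printf("SIGSEGV -> exit status %d\n", child_status_after_signal(SIGSEGV));  /* 139 */
    return 0;
}
```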

push eventmoby/moby

Sebastiaan van Stijn

commit sha 1371a629d53a7c3639f1b12522a3a4021f5644b8

update containerd binary to v1.4.1 full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1 Welcome to the v1.4.1 release of containerd! The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes. Notable Updates: * Always consume shim logs to prevent logs in the shim from blocking * Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist` * Fix metrics monitoring of v2 runtime tasks * Fix incorrect stat for Windows containers * Fix devmapper device deletion on rollback * Update seccomp default profile Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

view details

Sebastiaan van Stijn

commit sha af3220884e9a4851435b8e8480dea5a5cb2a1db9

vendor: github.com/containerd/containerd v1.4.1 full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1 Welcome to the v1.4.1 release of containerd! The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes. Notable Updates: * Always consume shim logs to prevent logs in the shim from blocking * Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist` * Fix metrics monitoring of v2 runtime tasks * Fix incorrect stat for Windows containers * Fix devmapper device deletion on rollback * Update seccomp default profile Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

view details

Brian Goff

commit sha 3956a86b6235038011bd8055b59cd24c182aa4ff

Merge pull request #41450 from thaJeztah/containerd_1.4.1 update containerd vendor and binary to v1.4.1

view details

push time in 7 days

PR merged moby/moby

update containerd vendor and binary to v1.4.1

Labels: area/runtime, status/2-code-review

relates to https://github.com/containerd/containerd/pull/4564

full diff: https://github.com/containerd/compare/v1.4.0...v1.4.1

Welcome to the v1.4.1 release of containerd!

The first patch release for containerd 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes.

Notable Updates:

  • Always consume shim logs to prevent logs in the shim from blocking
  • Fix error deleting v2 bundle directory when removing rootfs returns ErrNotExist
  • Fix metrics monitoring of v2 runtime tasks
  • Fix incorrect stat for Windows containers
  • Fix devmapper device deletion on rollback
  • Update seccomp default profile
+73 -23

1 comment

7 changed files

thaJeztah

pr closed time in 7 days

PullRequestReviewEvent

push eventcpuguy83/docker

Brian Goff

commit sha 7f4545dbbfb6d6d9f4313de6afb982a9e2bb440e

Sterner warnings for unauthenticated tcp People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever. This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

view details

push time in 8 days

push eventcpuguy83/docker

Brian Goff

commit sha 10f484317d202cde07b3d321bfba5b018f926ec2

Sterner warnings for unauthenticated tcp People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever. This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

view details

push time in 8 days

pull request commentmoby/moby

Do not listen on TCP address if w/o TLS verify

Updated to fix tests. Had to add a special case for host addresses specified as a hostname (e.g. "localhost") since -H supports this and it is trying to skip the sleeps for loopback addresses.

cpuguy83

comment created time in 8 days

push eventcpuguy83/docker

Brian Goff

commit sha 688181df7103bdc38510d17a7a70831e758e4f0f

Sterner warnings for unauthenticated tcp People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever. This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

view details

push time in 8 days

push eventcpuguy83/docker

Brian Goff

commit sha 78dfdad133942d4b0affe7c03805abe456104294

Sterner warnings for unauthenticated tcp People keep doing this and getting pwned because they accidentally left it exposed to the internet. The warning about doing this has been there forever. This introduces a 30s sleep after warning. Also adds a flag `--allow-unauthenticated-machine-root-access-to-network` to disable this sleep *per unauthenticated host*. Warning also specifies this sleep will be removed in the next release where the flag will be required if running unauthenticated. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

view details

push time in 8 days

pull request commentmoby/moby

Propagate contexts down into containerd

For whatever reason TestCgroupNamespacesBuildDaemonHostMode was actually triggering this condition.

cpuguy83

comment created time in 8 days

pull request commentmoby/moby

Propagate contexts down into containerd

I think I found the problem:

There was a stale shim lying around due to a cancelled context being used to start a container. The container start fails due to the context, but it doesn't actually fail (this is likely a containerd bug that needs to be investigated) and the container is started, but we get an error. We try to delete the task on start failure but it fails because the task is started and must be stopped first.

To prevent this I use a fresh context when starting the task since it doesn't seem like it's possible to cancel the startup in this case.

cpuguy83

comment created time in 8 days

push eventcpuguy83/docker

Brian Goff

commit sha 7225011c047248568c9b097d035cfc202f56e7a3

Propagate contexts down into containerd These requests are historically the most problematic with regards to causing deadlocks in the engine (waiting on kill in particular). This is also helpful because the contexts (at least the timeout) is now propagated all the way into the containerd shim calls. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

view details

push time in 8 days

pull request commentmoby/moby

Do not listen on TCP address if w/o TLS verify

Looks like 2 tests need an update. Will push this soon.

cpuguy83

comment created time in 8 days

pull request commentmoby/moby

Adding the ability to configure default capabilities

Sorry, it's git pull --rebase upstream master

burnMyDread

comment created time in 8 days

pull request commentmoby/moby

Adding the ability to configure default capabilities

No, you can't use the GitHub UI to make changes, otherwise you won't be able to sign-off on the commit.

Should be able to git pull --rebase upstream/master from your branch, fix conflicts, and git push -f origin 39149-Defaul-Capabilities

burnMyDread

comment created time in 8 days

issue commentdocker/for-linux

Kill container command hangs indefinitely.

I don't see anything in your stack trace that would indicate that there's something stuck. It feels like this might be in the CLI since there's nothing in the daemon stack dump that seems stuck and the containers, as you say, did stop.

A-Imal

comment created time in 8 days

issue commentmoby/moby

Windows: remove direct HCS calls

@olljanat I'm not sure Docker should be tied to Windows support lifecycles.

That said it is possible we could keep hcsv1 calls behind a --runtime configuration just like we do with linux and shimv1, and indeed this might be a good way to transition and provide a way to bail out in case of problems with the containerd hcs shim.

cpuguy83

comment created time in 8 days
