
Pull request review comment cri-o/cri-o

Allow CRI-O to manage IPC and UTS namespaces

 import ( 	"runtime" 	"sync" -	"github.com/containernetworking/plugins/pkg/ns"+	nspkg "github.com/containernetworking/plugins/pkg/ns" 	"github.com/docker/docker/pkg/mount" 	"github.com/docker/docker/pkg/symlink" 	"github.com/pkg/errors" 	"github.com/sirupsen/logrus" 	"golang.org/x/sys/unix" ) -// Get returns the NetNs for a given NetNsIface-func (n *NetNs) Get() *NetNs {+// Namespace handles data pertaining to a namespace+type Namespace struct {+	sync.Mutex+	ns          NS+	symlink     *os.File+	closed      bool+	restored    bool+	initialized bool+	nsType      string+}++// NS is a wrapper for the containernetworking plugin's NetNS interface+// It exists because while NetNS is specifically called such, it is really a generic+// namespace, and can be used for other namespaces+type NS interface {+	nspkg.NetNS+}++// Get returns the Namespace for a given NsIface+func (n *Namespace) Get() *Namespace { 	return n } -// Initialized returns true if the NetNs is already initialized-func (n *NetNs) Initialized() bool {+// Initialized returns true if the Namespace is already initialized+func (n *Namespace) Initialized() bool { 	return n.initialized } -// Initialize does the necessary setup for a NetNs-func (n *NetNs) Initialize() (NetNsIface, error) {-	netNS, err := NewNS()+// Initialize does the necessary setup for a Namespace+func (n *Namespace) Initialize(nsType string) (NamespaceIface, error) {+	ns, err := newNS(nsType) 	if err != nil { 		return nil, err 	}-	n.netNS = netNS+	n.ns = ns+	n.nsType = nsType 	n.closed = false 	n.initialized = true 	return n, nil } -func getNetNs(nsPath string) (*NetNs, error) {-	netNS, err := ns.GetNS(nsPath)+// Creates a new persistent namespace and returns an object+// representing that namespace, without switching to it+func newNS(nsType string) (NS, error) {+	typeToFlag := map[string]int{+		"net": unix.CLONE_NEWNET,+		"ipc": unix.CLONE_NEWIPC,+		"uts": unix.CLONE_NEWUTS,+	}++	flag, ok := typeToFlag[nsType]+	if !ok {+		return nil, 
fmt.Errorf("invalid namespace type: %s", nsType)+	}+	// TODO FIXME very netns specific+	b := make([]byte, 16)+	_, err := rand.Reader.Read(b)+	if err != nil {+		return nil, fmt.Errorf("failed to generate random netns name: %v", err)+	}++	nsRunDir := getRunDirGivenType(nsType)++	err = os.MkdirAll(nsRunDir, 0755)+	if err != nil {+		return nil, err+	}++	// create an empty file at the mount point+	nsName := fmt.Sprintf("%s-%x-%x-%x-%x-%x", nsType, b[0:4], b[4:6], b[6:8], b[8:10], b[10:])+	nsPath := path.Join(nsRunDir, nsName)+	mountPointFd, err := os.Create(nsPath) 	if err != nil { 		return nil, err 	}+	mountPointFd.Close()++	// Ensure the mount point is cleaned up on errors; if the namespace+	// was successfully mounted this will have no effect because the file+	// is in-use+	defer os.RemoveAll(nsPath)++	var wg sync.WaitGroup+	wg.Add(1)++	// do namespace work in a dedicated goroutine, so that we can safely+	// Lock/Unlock OSThread without upsetting the lock/unlock state of+	// the caller of this function+	go (func() {+		defer wg.Done()+		runtime.LockOSThread() -	return &NetNs{netNS: netNS, closed: false, restored: true}, nil+		var origNS nspkg.NetNS+		origNS, err = nspkg.GetNS(getCurrentThreadNSPath(nsType))+		if err != nil {+			return+		}+		defer origNS.Close()++		// create a new netns on the current thread+		err = unix.Unshare(flag)
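Review bot: the comment `// TODO FIXME very netns specific` now sits above code that is parameterised by `nsType`, while the strings around it still say netns (`"failed to generate random netns name"`, `// create a new netns on the current thread`); either state what is still netns-specific or drop the TODO and say "namespace" in both places. `mountPointFd.Close()` discards its error, and the goroutine writes the enclosing `err` (`origNS, err = nspkg.GetNS(...)`, `err = unix.Unshare(flag)`), so `err` must only be read after `wg.Wait()`; assigning a goroutine-local error once after the goroutine finishes would make that explicit. Minor: `typeToFlag` can be a package-level map instead of being rebuilt on every call, and `fmt`, `os`, `path` and the `rand` behind `rand.Reader` are not visible in the hunk's import block, so confirm they are imported.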

We should unshare all 3 namespaces together for performance.

haircommander

comment created time in 11 hours

pull request comment cri-o/cri-o

Make config package public

/lgtm

haircommander

comment created time in 11 hours

pull request comment cri-o/cri-o

Update go-systemd to v22

/test integration_rhel

saschagrunert

comment created time in 14 hours

Pull request review comment openshift/release

Add fips e2e aws

 objects:           setup-google-cloud-sdk         fi +        if [[ "${ENABLE_FIPS}" == true ]]; then+          oc --insecure-skip-tls-verify --request-timeout=5s get nodes -o jsonpath --template '{range .items[*]}{.metadata.name}{"\n"}{end}' > /tmp/nodes+          while read p; do+            oc debug node/"$p" -- cat /proc/sys/crypto/fips_enabled > /tmp/enabled+            if [[ $(< /tmp/enabled) != "1" ]]; then+              echo fips not enabled in node "$p", exiting+              exit 1+            fi+          done </tmp/nodes+        fi+
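Review bot: the loop conflates "oc debug failed" with "FIPS is off": if `oc debug node/"$p" -- cat /proc/sys/crypto/fips_enabled` fails (debug pod not scheduled, node unreachable), `/tmp/enabled` is empty, the comparison against `"1"` fails and the job reports `fips not enabled in node`, which points the reader at the wrong cause. Check the `oc debug` exit status separately (`|| { echo "could not read fips_enabled on $p"; exit 1; }`) before comparing the value. Also use `read -r p` so node names are not backslash-processed, and reconsider `--insecure-skip-tls-verify` on the `oc get nodes` call: it turns off API server certificate validation, the job's kubeconfig should already carry the cluster CA, and the `oc debug` call below does without the flag anyway.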

This looks good. @yuqi-zhang do we also want to add a check to look at machine config pools?

sallyom

comment created time in 15 hours

PR closed openshift/release

fips: Fail if we are unable to boot into FIPS mode (labels: lgtm, size/XS)

With this check, we will fail the test fast instead of running the tests on a cluster that hasn't been rebooted successfully into FIPS mode.

@ashcrow @rphillips ptal

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+3 -0

18 comments

3 changed files

mrunalp

pr closed time in a day

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

This can be closed as it isn't applicable anymore.

mrunalp

comment created time in a day

pull request comment openshift/installer

Bug 1768978: RHCOS: bump to 43.81.201911081536.0 for FIPS support

/test e2e-aws

yuqi-zhang

comment created time in 4 days

pull request comment openshift/release

Switch fips e2e jobs to use day 1 support

/hold cancel

mrunalp

comment created time in 4 days

pull request comment openshift/release

Add fips e2e aws

This looks fine to me. We want to use this to canary this job, right? And then expand it to the other repos?

@stevekuznetsov ptal.

sallyom

comment created time in 4 days

pull request comment openshift/release

Switch fips e2e jobs to use day 1 support

/retest

mrunalp

comment created time in 4 days

pull request comment openshift/release

WIP: Switch fips e2e jobs to use day 1 support

I am not sure if we should be blocking on the metal issue. @stevekuznetsov do you know?

mrunalp

comment created time in 5 days

push event mrunalp/release

Mrunal Patel

commit sha 33123886d8f96dc701aca777dff1bc077f135111

Switch fips e2e jobs to use day 1 support

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>


push time in 5 days

pull request comment openshift/release

WIP: Switch fips e2e jobs to use day 1 support

We want to verify manually that day-1 works with all the fixes before switching to day 1 in the CI.

mrunalp

comment created time in 5 days

pull request comment openshift/release

WIP: Switch fips e2e jobs to use day 1 support

/hold

mrunalp

comment created time in 5 days

PR opened openshift/release

WIP: Switch fips e2e jobs to use day 1 support

@AlexNPavel ptal

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+24 -77

0 comment

3 changed files

pr created time in 5 days

create branch mrunalp/release

branch : day_1_fips_e2e

created branch time in 5 days

pull request comment cri-o/cri-o

bump go version to build kubernetes

/lgtm

haircommander

comment created time in 5 days

pull request comment kubernetes-sigs/cri-tools

Download golangci-lint via wget

/approve

haircommander

comment created time in 6 days

pull request comment kubernetes-sigs/cri-tools

Download golangci-lint via wget

/lgtm

haircommander

comment created time in 6 days

pull request comment openshift/origin

test: Enable inline exec and attach test

/test e2e-aws-fips

mrunalp

comment created time in 6 days

issue comment openshift/installer

Need to enable FIPS mode on the bootstrap node if FIPS mode requested

@abhinavdahiya @wking @sdodson

jlebon

comment created time in 6 days

pull request comment cri-o/cri-o

Default to system.slice for conmon cgroup

/cherry-pick release-1.16

umohnani8

comment created time in 6 days

pull request comment cri-o/cri-o

Fix fish shell completion for new default conmon system.slice

/lgtm

saschagrunert

comment created time in 7 days

pull request comment cri-o/cri-o

Update build dependencies (go 1.13)

/lgtm

saschagrunert

comment created time in 7 days

pull request comment cri-o/cri-o

Remove sudo from CI completions generation

/test integration_rhel

saschagrunert

comment created time in 8 days

pull request comment cri-o/cri-o

Remove sudo from CI completions generation

/lgtm

saschagrunert

comment created time in 8 days

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

@stevekuznetsov ptal

mrunalp

comment created time in 8 days

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

@ashcrow Yeah, I think they are unrelated.

mrunalp

comment created time in 8 days

push event opencontainers/runc

James Peach

commit sha 13919f5dfd2025465412b878a646db5687f774b6

Remove the static_build build tag.

The `static_build` build tag was introduced in e9944d0f to remove build warnings related to systemd cgroup driver dependencies. Since then, those dependencies have changed and building the systemd cgroup driver no longer imports dlopen. After this change, runc builds will always include the systemd cgroup driver.

This fixes #2008.

Signed-off-by: James Peach <jpeach@apache.org>


Mrunal Patel

commit sha 46def4cc4cb7bae86d8c80cedd43e96708218f0a

Merge pull request #2154 from jpeach/2008-remove-static-build-tag

Remove the static_build build tag.


push time in 8 days

PR merged opencontainers/runc

Remove the static_build build tag.

The static_build build tag was introduced in e9944d0f to remove build warnings related to systemd cgroup driver dependencies. Since then, those dependencies have changed and building the systemd cgroup driver no longer imports dlopen.

After this change, runc builds will always include the systemd cgroup driver.

This fixes #2008.

Signed-off-by: James Peach jpeach@apache.org

+5 -5

5 comments

4 changed files

jpeach

pr closed time in 8 days

issue closed opencontainers/runc

static build runc not support systemd cgroup driver

$ make static
CGO_ENABLED=1 go build  -tags "seccomp netgo osusergo static_build" -installsuffix netgo -ldflags "-extldflags -static -X main.gitCommit="f9efaf53b767146e1a5ce79adf6fe533e84d199a" -X main.version=1.0.0-rc6+dev " -o runc .
CGO_ENABLED=1 go build  -tags "seccomp netgo osusergo static_build" -installsuffix netgo -ldflags "-extldflags -static -X main.gitCommit="f9efaf53b767146e1a5ce79adf6fe533e84d199a" -X main.version=1.0.0-rc6+dev " -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty

The build tag static_build means that only a non-static build can support the systemd cgroup driver. Can we have another way to avoid the warning in the build and also support the systemd cgroup driver in a static build? /cc @yongtang

closed time in 8 days

Ace-Tang

pull request comment opencontainers/runc

Remove the static_build build tag.

LGTM

jpeach

comment created time in 8 days

issue comment cri-o/cri-o

Allow/define alternative options to prepare filesystem for runtimes

@zokrezyl Yeah, something like that should work. I don't think there is any validation for the image name up and down the stack, at least until it comes to cri-o. You can experiment with my-backend: and see how far you can go with it.

zokrezyl

comment created time in 8 days

pull request comment cri-o/cri-o

[WIP] update createSandboxContainer to parse hugepages limits from CRI message

@bg-chun We need to update cri api in go.mod for pulling in the proto changes. Thanks!

bg-chun

comment created time in 8 days

PR closed openshift/release

WIP: Smoke test for rhel-golang compiler (labels: approved, do-not-merge/work-in-progress, size/XS)

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+1 -1

3 comments

1 changed file

mrunalp

pr closed time in 8 days

pull request comment openshift/release

WIP: Smoke test for rhel-golang compiler

Closing as this was just a smoke test.

mrunalp

comment created time in 8 days

pull request comment openshift/release

Switch to the rhel golang builder

#5737 passed

mrunalp

comment created time in 8 days

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

/retest

mrunalp

comment created time in 8 days

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

/retest

mrunalp

comment created time in 9 days

pull request comment openshift/release

fips: Fail if we are unable to boot into FIPS mode

Updated.

mrunalp

comment created time in 9 days

push event mrunalp/release

Mrunal Patel

commit sha 81dda9d59a17d6552d801a1336f136ed10262daa

fips: Fail if we are unable to boot into FIPS mode

With this check, we will fail the test fast instead of running the tests on a cluster that hasn't been rebooted successfully into FIPS mode.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>


push time in 9 days

pull request comment cri-o/cri-o

Update build dependencies (go 1.13)

/test integration_fedora

saschagrunert

comment created time in 9 days

pull request comment openshift/release

WIP: Smoke test for rhel-golang compiler

@stevekuznetsov @jupierce This passed. Can we merge #5736?

mrunalp

comment created time in 11 days

pull request comment cri-o/cri-o

Release v1.16.0

/test integration_rhel

mrunalp

comment created time in 12 days

pull request comment cri-o/cri-o

Vendor in latest containers/libpod and containers/buildah

/lgtm

umohnani8

comment created time in 12 days

PR opened cri-o/cri-o

Release v1.16.0

@haircommander @umohnani8 @saschagrunert @rhatdan ptal

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+1 -1

0 comment

1 changed file

pr created time in 12 days

create branch mrunalp/cri-o

branch : bump_1.16.0

created branch time in 12 days

pull request comment cri-o/cri-o

Update go dependencies

/lgtm

saschagrunert

comment created time in 12 days

pull request comment cri-o/cri-o

Bump kubernetes to v1.17.0-beta.0

/lgtm

saschagrunert

comment created time in 12 days

PR opened openshift/release

WIP: Smoke test for rhel-golang compiler

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+1 -1

0 comment

1 changed file

pr created time in 12 days

create branch mrunalp/release

branch : sanity_check_rhel_golang

created branch time in 12 days

PR opened openshift/release

Switch to the rhel golang builder

This is for switching to the same compiler that we use for releases in CI and will allow adding per PR FIPS testing.

@jupierce ptal

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+2 -2

0 comment

1 changed file

pr created time in 12 days

create branch mrunalp/release

branch : rhel_golang

created branch time in 12 days

PR opened openshift/release

fips: Fail if we are unable to boot into FIPS mode

With this check, we will fail the test fast instead of running the tests on a cluster that hasn't been rebooted successfully into FIPS mode.

@ashcrow @rphillips ptal

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+6 -0

0 comment

3 changed files

pr created time in 12 days

create branch mrunalp/release

branch : fips_fail_fast

created branch time in 12 days

pull request comment openshift/machine-config-operator

daemon: Refuse to disable FIPS mode

/lgtm

cgwalters

comment created time in 12 days

pull request comment opencontainers/runc

cgroup2: port over eBPF device controller from crun

LGTM

AkihiroSuda

comment created time in 13 days

pull request comment openshift/builder

move to containers/image v5, buildah v1.11.4

@bparees ptal

nalind

comment created time in 13 days

push event cri-o/cri-o

Peter Hunt

commit sha 74c26a8a354f6e9698d922cae950fd88dbec326e

e2e: regenerate api before making k8s

there were problems found by not doing so

Signed-off-by: Peter Hunt <pehunt@redhat.com>


Nalin Dahyabhai

commit sha bad7423df6a885d5e1e88d7218e18e6511b456d7

Update to libpod with manifest lists, buildah v1.11.4, image v5.0.0

Switch to containers/image v5.0.0, buildah v1.11.4, and a libpod with manifest list support (commit e7540d0406c49b22de245246d16ebc6e1778df37).

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha 21de2b88125a711fdef7768a69345a2b78cf84b8

Update for containerd API change

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha 826c7ea216c39e6bd978d8600fdea7714f020daf

Move to containers/image v5

Call into github.com/containers/image/v5 instead of github.com/containers/image/v4.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha 81842ad8cc12d95c7abb8b656e55621cd9fc7b6a

bin2img: updates for API changes

The manifest-lists changes to github.com/containers/image add an additional parameter to ImageDestination.PutManifest(), so start passing `nil` at the right time.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha c64d81222a1687a07ddbbed29377f6749b7c5b70

"make vendor"

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha d3ce478a29e2e12767acff5abb58203104bbd85e

image.bats: add tests to exercise manifest list support

Test that we can pull an image using a tag that resolves to a manifest list, or by the digest of a manifest list, and then query it using either the list's manifest's digest or the digest of the manifest of the arch-specific image from the list which we'd expect the image library to select.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha bdb65f0cdf218ed3944a6f15cf56bc1942a2fa76

Sort RepoTags and RepoDigests when examining images

CI expects the list of tags and digests that we return for an image to be the same, no matter how it specified the image to us when asking about it. Sort the lists of tags and digests to avoid problems due to our tendency to calculate and append items to lists only when they're not already present, which can produce different ordering for some of those result sets.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Nalin Dahyabhai

commit sha 17f7682dd0dc959d166851e142cff6d335e34d7f

Add a unit test to make CI coverage checks happier

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>


Mrunal Patel

commit sha 9ad059b3cfd9ca40f2a7f1efad02eb16ba36455f

Merge pull request #2859 from nalind/release-1.16-manifest-lists

[1.16] support manifest lists


push time in 13 days

PR merged cri-o/cri-o

[1.16] support manifest lists (labels: approved, dco-signoff: yes, lgtm, size/XXL)

Vendor in WIP branches for manifest list support to let CI exercise the changes. Basically, this is #2775 and #2852 for 1.16.

+17924 -10096

39 comments

464 changed files

nalind

pr closed time in 13 days

pull request comment cri-o/cri-o

[1.16] support manifest lists

/test integration_rhel

nalind

comment created time in 13 days

issue comment cri-o/cri-o

Allow/define alternative options to prepare filesystem for runtimes

@zokrezyl CRI-O and runc don't care much about how the rootfs is created so it could be supported. However, the question is how would you map from an image specified in a pod yaml to the alternate format you are proposing? Do you have a schema or a mapping in mind?

zokrezyl

comment created time in 13 days

pull request comment openshift/builder

move to containers/image v5, buildah v1.11.4

@adambkaplan ptal

nalind

comment created time in 13 days

pull request comment openshift/builder

move to containers/image v5, buildah v1.11.4

/lgtm

nalind

comment created time in 13 days

pull request comment cri-o/cri-o

[1.16] support manifest lists

/test e2e-aws

nalind

comment created time in 14 days

push event cri-o/cri-o

Peter Hunt

commit sha 04eb2a23cfd19e47f0d5ab8b36107a12fa6975dd

use metrics cli to configure config

Signed-off-by: Peter Hunt <pehunt@redhat.com>


Mrunal Patel

commit sha eed6aa10e881d49661c6d0744b96cbefe690a9ba

Merge pull request #2930 from haircommander/metrics-cli-1.16

[1.16] use metrics cli to configure config


push time in 14 days

PR merged cri-o/cri-o

[1.16] use metrics cli to configure config (labels: approved, dco-signoff: yes, lgtm, needs-forwardport, size/XS)

Signed-off-by: Peter Hunt pehunt@redhat.com

+6 -0

18 comments

1 changed file

haircommander

pr closed time in 14 days

pull request comment cri-o/cri-o

[1.16] use metrics cli to configure config

/test integration_rhel

haircommander

comment created time in 14 days

pull request comment cri-o/cri-o

[1.16] support manifest lists

The e2e-aws tests are running

nalind

comment created time in 14 days

pull request comment openshift/release

Add config and job to enable e2e-aws test for cri-o 1.16

/lgtm

umohnani8

comment created time in 14 days

pull request comment cri-o/cri-o

[1.16] support manifest lists

/test integration_rhel

nalind

comment created time in 14 days

pull request comment cri-o/cri-o

[1.16] support manifest lists

/lgtm

nalind

comment created time in 14 days

pull request comment openshift/origin

UPSTREAM: <carry>: FIPS changes for passing tests

@sttts fyi.

rphillips

comment created time in 14 days

pull request comment openshift/machine-config-operator

give etcd-metrics container privilege

@cgwalters @runcom ptal.

haircommander

comment created time in 15 days

push event opencontainers/runc

Akihiro Suda

commit sha 9c81440fb5a7b81408b3de281e9851bc332993ec

cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS

Bind-mount /sys/fs/cgroup when we are in UserNS but CgroupNS is not unshared, because we cannot mount cgroup2. This behavior corresponds to crun v0.10.2.

Fix #2158

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Mrunal Patel

commit sha 03cf145f5a11d39e634293db88deb625a6a993a0

Merge pull request #2159 from AkihiroSuda/cgroup2-mount-in-userns

cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS


push time in 15 days

PR merged opencontainers/runc

cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS

Bind-mount /sys/fs/cgroup when we are in UserNS but CgroupNS is not unshared, because we cannot mount cgroup2.

This behavior corresponds to crun v0.10.2. https://github.com/containers/crun/blob/4325a78320852aa5dacb4d403ae01b241413068c/src/libcrun/linux.c#L433-L459

Fix #2158

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+8 -2

2 comments

1 changed file

AkihiroSuda

pr closed time in 15 days

issue closed opencontainers/runc

cgroup2: cannot mount /sys/fs/cgroup when running in UserNS

As of c4d8e1688c816a8cef632a3b44a38611511b7140, runc cannot mount /sys/fs/cgroup when launched in UserNS with cgroup2 unified-mode

$ rootlesskit runc run foo
WARN[0000] signal: killed                               
ERRO[0000] container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"cgroup\\\" to rootfs \\\"/home/suda/tmp/runctest/rootfs\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"" 
container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"cgroup\\\" to rootfs \\\"/home/suda/tmp/runctest/rootfs\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\""
[rootlesskit:child ] error: command [runc run foo] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1

config.json contains:

    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }

The same config works with crun v0.10.2. runc can start up when the /sys/fs/cgroup entry is not specified in the config.

closed time in 15 days

AkihiroSuda

PR merged opencontainers/runc

cgroup2: do not parse /proc/cgroups

/proc/cgroups is meaningless for v2 and should be ignored.

https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features

  • Now GetAllSubsystems() parses /sys/fs/cgroup/cgroup.controller, not /proc/cgroups. The function result also contains "pseudo" controllers: {"devices", "freezer"}. As it is hard to detect availability of pseudo controllers, pseudo controllers are always assumed to be available.

  • Now IOGroupV2.Name() returns "io", not "blkio".

Fix #2155 #2156

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+18 -4

2 comments

2 changed files

AkihiroSuda

pr closed time in 15 days

issue closed opencontainers/runc

cgroup2: IOGroupV2.Name() should return "io" rather than "blkio"?

The current implementation of IOGroupV2.Name() returns "blkio": https://github.com/opencontainers/runc/blob/c4d8e1688c816a8cef632a3b44a38611511b7140/libcontainer/cgroups/fs/io_v2.go#L21

I assume "blkio" was adopted because /proc/cgroups shows "blkio" when the IO controller V2 is enabled. However, it is called "io" in /sys/fs/cgroup/cgroup.subtree_control.

So maybe it makes more sense to let IOGroupV2.Name() return "io".

closed time in 15 days

AkihiroSuda

push event opencontainers/runc

Akihiro Suda

commit sha 74a3fe5d1b894f01bcef94469f76ca62df80948a

cgroup2: do not parse /proc/cgroups

/proc/cgroups is meaningless for v2 and should be ignored.

https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features

* Now GetAllSubsystems() parses /sys/fs/cgroup/cgroup.controller, not /proc/cgroups. The function result also contains "pseudo" controllers: {"devices", "freezer"}. As it is hard to detect availability of pseudo controllers, pseudo controllers are always assumed to be available.
* Now IOGroupV2.Name() returns "io", not "blkio"

Fix #2155 #2156

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Mrunal Patel

commit sha f04fb9980c08f674ff93ece091c222df878964e8

Merge pull request #2160 from AkihiroSuda/cgroup2-no-proc-cgroups

cgroup2: do not parse /proc/cgroups


push time in 15 days

pull request comment opencontainers/runc

cgroup2: do not parse /proc/cgroups

LGTM

AkihiroSuda

comment created time in 15 days

pull request comment openshift/origin

UPSTREAM: carry: add pod logs dump to e2e

/retest

rphillips

comment created time in 15 days

pull request comment openshift/origin

UPSTREAM: carry: add pod logs dump to e2e

/lgtm

rphillips

comment created time in 15 days

pull request comment openshift/release

Change compiler to be rhel-7 based

This is green!

jupierce

comment created time in 16 days

pull request comment openshift/release

Change compiler to be rhel-7 based

@stevekuznetsov

jupierce

comment created time in 16 days

pull request comment openshift/origin

UPSTREAM: carry: add pod logs dump to e2e

@deads2k

rphillips

comment created time in 16 days

Pull request review comment openshift/containernetworking-plugins

Revert CGO enabled / no_openssl tag

 for d in $PLUGINS; do 		plugin="$(basename "$d")" 		if [ $plugin != "windows" ]; then 			echo "  $plugin"-                        if [ $plugin == "loopback" ]; then-                           $GO build -tags no_openssl -o "${PWD}/bin/$plugin" "$@" "$REPO_PATH"/$d-                        else-                           $GO build -o "${PWD}/bin/$plugin" "$@" "$REPO_PATH"/$d-                        fi+			$GO build -o "${PWD}/bin/$plugin" "$@" "$REPO_PATH"/$d
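Review bot: the retained condition `if [ $plugin != "windows" ]; then` leaves `$plugin` unquoted, and the single remaining build line still passes `$d` unquoted in `"$REPO_PATH"/$d`; quote both (`"$plugin"` and `"$REPO_PATH/$d"`) so an empty value or a directory name with whitespace cannot break the test or the build path. With the loopback-specific `-tags no_openssl` branch gone, every plugin now builds with the default tags, which is the outcome the FIPS discussion on this PR depends on, so it is worth stating that in the commit message.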

Yes, I think we should include that as we don't think that any of these use crypto that needs to be FIPS validated. We can maintain a list of binaries that can be excluded.

dougbtv

comment created time in 19 days

pull request comment openshift/release

Sanity check for rhel-golang builder

/retest

jupierce

comment created time in 19 days

pull request comment openshift/release

configure release-openshift-ocp-installer-e2e-aws-fips-4.3 to run every 2 hrs

@sallyom yeah, 2 hours sounds good. Thanks :)

sallyom

comment created time in 19 days

pull request comment openshift/containernetworking-plugins

build loopback with no_openssl tag

If we know that none of the CNI plugins use crypto that needs to be FIPS compliant then we can compile all of them with no_openssl and statically.

lsm5

comment created time in 19 days

pull request comment openshift/release

Sanity check for rhel-golang builder

/retest

jupierce

comment created time in 20 days

pull request comment cri-o/cri-o

Allow CRI-O to manage IPC and PID namespaces

We can do this for IPC and UTS but not for PID. PID requires the first pid in the namespace to be alive. So, once all this is in place, we should need a pod image (pause) only when pid namespace is shared. For the other cases, just the pinned namespaces are enough.

haircommander

comment created time in 20 days

pull request comment openshift/openshift-docs

Remove aws-only for autoscaling GA OCP 4.2 release notes

/lgtm

enxebre

comment created time in 21 days

PR opened projectatomic/runc

systemd: Set CollectMode to "inactive-or-failed" for GC

If a container is killed then systemd keeps the scope around unless explicitly removed.

Enabling this setting makes systemd remove the scopes even for failed scopes, so they don't start piling up and eventually slow down the node.

Signed-off-by: Mrunal Patel mrunalp@gmail.com

+2 -0

0 comment

1 changed file

pr created time in 22 days

create branch projectatomic/runc

branch : collectmode

created branch time in 22 days

pull request comment openshift/origin

Disable the s2i build with quota memory test

@adambkaplan ptal

umohnani8

comment created time in 22 days

pull request comment cri-o/cri-o

WIP: [1.16] manifest-lists

nvm, I see that we need to switch to github.com/containers/image.

nalind

comment created time in 22 days

pull request comment cri-o/cri-o

WIP: [1.16] manifest-lists

@nalind Is this ready?

nalind

comment created time in 22 days
