packages/containerd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!85 update to 1.6.20

Browse Source 
From: @xu_lei_123 
Reviewed-by: @zhangsong234, @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2023-04-20 08:58:48 +00:00 committed by Gitee
commit 83ae1e49ce
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
107 changed files with 13 additions and 17772 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
apply-patch
View File

@ -7,14 +7,11 @@
set -ex
pkg=containerd-1.2.0
pkg=containerd-1.6.20
cwd=$PWD
src=$cwd/$pkg
unzip v1.2.0.zip
if [[ ! -d patch ]]; then
tar zxf patch.tar.gz
fi
unzip v1.6.20.zip
cd $src
git init
@ -24,16 +21,6 @@ git config user.email 'build@obs.com'
git commit -m 'init build'
cd $cwd
series=$cwd/series.conf
while IPF= read -r line
do
if [[ "$line" =~ ^patch* ]]; then
echo git apply $cwd/$line
cd $src && git apply $cwd/$line
fi
done <"$series"
cd $cwd
cp -rf $src/* .
mv $src/.git $src/git
rm -rf containerd-1.2.0
rm -rf containerd-1.6.18

21
containerd.spec
View File

@ -1,17 +1,13 @@
%global goipath github.com/containerd/containerd
%global debug_package %{nil}
Version: 1.2.0
Version: 1.6.20
Name: containerd
Release: 309
Release: 1
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
Source0: https://github.com/containerd/containerd/archive/v1.2.0.zip
Source1: patch.tar.gz
Source2: apply-patch
Source3: series.conf
Source4: git-commit
Source5: gen-commit.sh
Source0: https://github.com/containerd/containerd/archive/v1.6.20.zip
Source1: apply-patch
BuildRequires: golang glibc-static make btrfs-progs-devel git
@ -25,9 +21,6 @@ low-level storage and network attachments, etc.
%prep
cp %{SOURCE0} .
cp %{SOURCE1} .
cp %{SOURCE2} .
cp %{SOURCE3} .
cp %{SOURCE4} .
%build
echo %{VERSION}.%{RELEASE} > containerd_version
@ -55,6 +48,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
%{_bindir}/ctr
%changelog
* Wed Apr 19 2023 xulei<xulei@xfusion.com> - 1.6.20-1
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:update to 1.6.20
* Mon Feb 27 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-309
- Type:CVE
- ID:NA

63
patch/0001-grpc-vendor-grpc-fix-grpc-map-panic.patch
View File

@ -1,63 +0,0 @@
From fe090d706a522392e30dd4c44447f915ec99c1a0 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 22 Dec 2018 15:16:53 +0800
Subject: [PATCH 01/27] vendor: grpc: fix grpc map panic
reason: Fix grpc map panic
cherry-pick from containerd-0.2.8
a8cdda827867cec97568318368a7aa40097d0487
Fix grpc map panic
Description:
In golang, if we read/write map in different goroutine, it may panic.
We need to add lock to protect the map data when read/write the map.
Now the grpc map is only protected by a mutex while register, not
protected in reading process(handleStream function).
This MR will use a RWMutex to protect this map.
Change-Id: I786bd99234461c40fcb57621fd7c1fb4faa0c208
Signed-off-by: jingrui <jingrui@huawei.com>
---
vendor/google.golang.org/grpc/server.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 4969331..77f7840 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -90,7 +90,7 @@ type service struct {
type Server struct {
opts options
- mu sync.Mutex // guards following
+ mu sync.RWMutex // guards following
lis map[net.Listener]bool
conns map[io.Closer]bool
serve bool
@@ -438,6 +438,8 @@ type ServiceInfo struct {
// Service names include the package names, in the form of <package>.<service>.
func (s *Server) GetServiceInfo() map[string]ServiceInfo {
ret := make(map[string]ServiceInfo)
+ s.mu.RLock()
+ defer s.mu.RUnlock()
for n, srv := range s.m {
methods := make([]MethodInfo, 0, len(srv.md)+len(srv.sd))
for m := range srv.md {
@@ -1221,7 +1223,9 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Str
}
service := sm[:pos]
method := sm[pos+1:]
+ s.mu.RLock()
srv, ok := s.m[service]
+ s.mu.RUnlock()
if !ok {
if unknownDesc := s.opts.unknownStreamDesc; unknownDesc != nil {
s.processStreamingRPC(t, stream, nil, unknownDesc, trInfo)
--
2.7.4.3

44
patch/0002-sys-sys-count-steal-time-when-calculating-Sys.patch
View File

@ -1,44 +0,0 @@
From 003dc7956765712fdf4a893c2d541af2e2d0f300 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 22 Dec 2018 15:44:50 +0800
Subject: [PATCH 02/27] sys: sys: count steal time when calculating
SystemCPUUsage
reason: count steal time when calculating SystemCPUUsage
cherry-pick from containerd-0.2.8
13f22eecd33d30520ace277822ac5f0acb387e75
containerd: count steal time when calculating SystemCPUUsage
[Changelog]: when counting docker stat in virtual machines, now containerd do not count steal time when calculating SystemCPUUsage, which causes that cpuusage value larger than its actua$
[Author]git
Change-Id: I2b62c9508cbdc444d514116f4bea5aad3d292af5
Signed-off-by: jingrui <jingrui@huawei.com>
---
sys/proc.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/proc.go b/sys/proc.go
index 496eb1f..82a6351 100644
--- a/sys/proc.go
+++ b/sys/proc.go
@@ -61,11 +61,11 @@ func GetSystemCPUUsage() (uint64, error) {
parts := strings.Fields(line)
switch parts[0] {
case "cpu":
- if len(parts) < 8 {
+ if len(parts) < 9 {
return 0, fmt.Errorf("bad format of cpu stats")
}
var totalClockTicks uint64
- for _, i := range parts[1:8] {
+ for _, i := range parts[1:9] {
v, err := strconv.ParseUint(i, 10, 64)
if err != nil {
return 0, fmt.Errorf("error parsing cpu stats")
--
2.7.4.3

51
patch/0003-oci-oci-add-files-cgroups-support.patch
View File

@ -1,51 +0,0 @@
From c9cc468949d80c663524f5b764e2c661af13bca2 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 22 Dec 2018 16:25:07 +0800
Subject: [PATCH 03/27] oci: oci: add files cgroups support
reason: Add file fds limit
cherry-pick from containerd-0.2.8
29b822599b86f823d5a9f94df1cdceea485e0b19
Add file fds limit
With the patch(https://lwn.net/Articles/604129/),we can limit the
num of open files in container.
Change-Id: I72b45430dd7535727c4af9e190bbb345ba8ee316
Signed-off-by: jingrui <jingrui@huawei.com>
---
vendor/github.com/opencontainers/runtime-spec/specs-go/config.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index f32698c..ac24cde 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -314,6 +314,12 @@ type LinuxPids struct {
Limit int64 `json:"limit"`
}
+// Files for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
+type Files struct {
+ // Maximum number of open files".
+ Limit *int64 `json:"limit,omitempty"`
+}
+
// LinuxNetwork identification and priority configuration
type LinuxNetwork struct {
// Set class identifier for container's network packets
@@ -340,6 +346,8 @@ type LinuxResources struct {
CPU *LinuxCPU `json:"cpu,omitempty"`
// Task resource restriction configuration.
Pids *LinuxPids `json:"pids,omitempty"`
+ // Files resource restriction configuration.
+ Files *Files `json:"files,omitempty"`
// BlockIO restriction configuration
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.7.4.3

63
patch/0004-runv-vendor-runv-compatibility.patch
View File

@ -1,63 +0,0 @@
From 5fa863a6ea74ed24cfcc0c16eaa5e5a4e77387ec Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 26 Dec 2018 12:08:20 +0800
Subject: [PATCH 04/27] runv: vendor: runv compatibility
reason: fix manslaughter of runtime delete process
cherry-pick from containerd-0.2.8
reference:
7906753998667b5a9fa9a996f4a0e41d4736d5c1
contaierd-17: fix manslaughter of runtime delete process
fix manslaughter of runtime delete process
f82956a89ca7d7cea3bdd5fcd4d4fd70c313f378
containerd-17: fix qemu remaining when dockerd restart
fix qemu remaining when dockerd restart and container start concurrency
Change-Id: Id23456e90961041194c946a289ae790327b874c8
Signed-off-by: jingrui <jingrui@huawei.com>
---
vendor/github.com/containerd/go-runc/command_linux.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/vendor/github.com/containerd/go-runc/command_linux.go b/vendor/github.com/containerd/go-runc/command_linux.go
index 71b52f9..6ad27be 100644
--- a/vendor/github.com/containerd/go-runc/command_linux.go
+++ b/vendor/github.com/containerd/go-runc/command_linux.go
@@ -20,9 +20,17 @@ import (
"context"
"os"
"os/exec"
+ "strings"
"syscall"
)
+func (r *Runc) isrunv() bool {
+ if strings.Contains(r.Command, "runv") {
+ return true
+ }
+ return false
+}
+
func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
command := r.Command
if command == "" {
@@ -33,7 +41,7 @@ func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
Setpgid: r.Setpgid,
}
cmd.Env = os.Environ()
- if r.PdeathSignal != 0 {
+ if r.PdeathSignal != 0 && !r.isrunv() {
cmd.SysProcAttr.Pdeathsig = r.PdeathSignal
}
--
2.7.4.3

69
patch/0005-containerd-add-spec-for-build.patch
View File

@ -1,69 +0,0 @@
From 8e46f370733951e6decec6dd36b0c13308ced2c2 Mon Sep 17 00:00:00 2001
From: caihaomin <caihaomin@huawei.com>
Date: Mon, 21 Jan 2019 22:31:05 +0800
Subject: [PATCH 05/27] containerd: add spec for build
reason:add spec for build
Change-Id: I42d9d32e4898c006194df1ead4735155b4785584
Signed-off-by: caihaomin <caihaomin@huawei.com>
---
hack/containerd.spec | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 hack/containerd.spec
diff --git a/hack/containerd.spec b/hack/containerd.spec
new file mode 100644
index 0000000..f53c37b
--- /dev/null
+++ b/hack/containerd.spec
@@ -0,0 +1,46 @@
+%global goipath github.com/containerd/containerd
+%global debug_package %{nil}
+Version: 1.2.0
+
+Name: containerd
+Release: 1%{?dist}
+Summary: An industry-standard container runtime
+License: ASL 2.0
+URL: https://containerd.io
+Source0: containerd-1.2.0.tar.gz
+
+BuildRequires: golang glibc-static make
+BuildRequires: btrfs-progs-devel
+
+
+%description
+containerd is an industry-standard container runtime with an emphasis on
+simplicity, robustness and portability. It is available as a daemon for Linux
+and Windows, which can manage the complete container lifecycle of its host
+system: image transfer and storage, container execution and supervision,
+low-level storage and network attachments, etc.
+
+
+%prep
+%setup -c -n containerd
+
+%build
+GO_BUILD_PATH=$PWD/_build
+install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath})
+ln -fs $PWD $GO_BUILD_PATH/src/%{goipath}
+cd $GO_BUILD_PATH/src/%{goipath}
+export GOPATH=$GO_BUILD_PATH:%{gopath}
+export BUILDTAGS="no_btrfs no_cri"
+make
+
+%install
+install -d $RPM_BUILD_ROOT/%{_bindir}
+install -p -m 755 bin/containerd $RPM_BUILD_ROOT/%{_bindir}/containerd
+install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
+
+%files
+%{_bindir}/containerd
+%{_bindir}/containerd-shim
+
+
+%changelog
--
2.7.4.3

320
patch/0006-shim-optimize-shim-lock-in-runtime-v1.patch
View File

@ -1,320 +0,0 @@
From 31621148229d56835575189c71e80339fba9f1fc Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 14:55:27 +0800
Subject: [PATCH 06/27] shim: optimize shim lock in runtime v1
reason: apply lock only around process map of shim service,
avoid lock affect other procs operations.
Cherry-pick from upstream c206da795
Change-Id: I33f0f6b3537673533fdb60afb7a0295ac9665f11
Signed-off-by: Ace-Tang <aceapril@126.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
runtime/v1/shim/service.go | 144 +++++++++++++++++++++++----------------------
1 file changed, 75 insertions(+), 69 deletions(-)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index d76d580..679982a 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -114,9 +114,6 @@ type Service struct {
// Create a new initial process and container with the underlying OCI runtime
func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *shimapi.CreateTaskResponse, err error) {
- s.mu.Lock()
- defer s.mu.Unlock()
-
var mounts []proc.Mount
for _, m := range r.Rootfs {
mounts = append(mounts, proc.Mount{
@@ -158,6 +155,10 @@ func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *
return nil, errors.Wrapf(err, "failed to mount rootfs component %v", m)
}
}
+
+ s.mu.Lock()
+ defer s.mu.Unlock()
+
process, err := newInit(
ctx,
s.config.Path,
@@ -187,11 +188,9 @@ func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *
// Start a process
func (s *Service) Start(ctx context.Context, r *shimapi.StartRequest) (*shimapi.StartResponse, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[r.ID]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process %s", r.ID)
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
if err := p.Start(ctx); err != nil {
return nil, err
@@ -204,16 +203,16 @@ func (s *Service) Start(ctx context.Context, r *shimapi.StartRequest) (*shimapi.
// Delete the initial process and container
func (s *Service) Delete(ctx context.Context, r *ptypes.Empty) (*shimapi.DeleteResponse, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
if err := p.Delete(ctx); err != nil {
return nil, err
}
+ s.mu.Lock()
delete(s.processes, s.id)
+ s.mu.Unlock()
s.platform.Close()
return &shimapi.DeleteResponse{
ExitStatus: uint32(p.ExitStatus()),
@@ -227,11 +226,9 @@ func (s *Service) DeleteProcess(ctx context.Context, r *shimapi.DeleteProcessReq
if r.ID == s.id {
return nil, status.Errorf(codes.InvalidArgument, "cannot delete init process with DeleteProcess")
}
- s.mu.Lock()
- p := s.processes[r.ID]
- s.mu.Unlock()
- if p == nil {
- return nil, errors.Wrapf(errdefs.ErrNotFound, "process %s", r.ID)
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
if err := p.Delete(ctx); err != nil {
return nil, err
@@ -249,13 +246,14 @@ func (s *Service) DeleteProcess(ctx context.Context, r *shimapi.DeleteProcessReq
// Exec an additional process inside the container
func (s *Service) Exec(ctx context.Context, r *shimapi.ExecProcessRequest) (*ptypes.Empty, error) {
s.mu.Lock()
- defer s.mu.Unlock()
if p := s.processes[r.ID]; p != nil {
+ s.mu.Unlock()
return nil, errdefs.ToGRPCf(errdefs.ErrAlreadyExists, "id %s", r.ID)
}
p := s.processes[s.id]
+ s.mu.Unlock()
if p == nil {
return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
}
@@ -271,14 +269,14 @@ func (s *Service) Exec(ctx context.Context, r *shimapi.ExecProcessRequest) (*pty
if err != nil {
return nil, errdefs.ToGRPC(err)
}
+ s.mu.Lock()
s.processes[r.ID] = process
+ s.mu.Unlock()
return empty, nil
}
// ResizePty of a process
func (s *Service) ResizePty(ctx context.Context, r *shimapi.ResizePtyRequest) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
if r.ID == "" {
return nil, errdefs.ToGRPCf(errdefs.ErrInvalidArgument, "id not provided")
}
@@ -286,7 +284,9 @@ func (s *Service) ResizePty(ctx context.Context, r *shimapi.ResizePtyRequest) (*
Width: uint16(r.Width),
Height: uint16(r.Height),
}
+ s.mu.Lock()
p := s.processes[r.ID]
+ s.mu.Unlock()
if p == nil {
return nil, errors.Errorf("process does not exist %s", r.ID)
}
@@ -298,11 +298,9 @@ func (s *Service) ResizePty(ctx context.Context, r *shimapi.ResizePtyRequest) (*
// State returns runtime state information for a process
func (s *Service) State(ctx context.Context, r *shimapi.StateRequest) (*shimapi.StateResponse, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[r.ID]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process id %s", r.ID)
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
st, err := p.Status(ctx)
if err != nil {
@@ -338,11 +336,9 @@ func (s *Service) State(ctx context.Context, r *shimapi.StateRequest) (*shimapi.
// Pause the container
func (s *Service) Pause(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
if err := p.(*proc.Init).Pause(ctx); err != nil {
return nil, err
@@ -352,11 +348,9 @@ func (s *Service) Pause(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, er
// Resume the container
func (s *Service) Resume(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
if err := p.(*proc.Init).Resume(ctx); err != nil {
return nil, err
@@ -366,12 +360,10 @@ func (s *Service) Resume(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, e
// Kill a process with the provided signal
func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
if r.ID == "" {
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
if err := p.Kill(ctx, r.Signal, r.All); err != nil {
return nil, errdefs.ToGRPC(err)
@@ -379,9 +371,9 @@ func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Emp
return empty, nil
}
- p := s.processes[r.ID]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process id %s not found", r.ID)
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
if err := p.Kill(ctx, r.Signal, r.All); err != nil {
return nil, errdefs.ToGRPC(err)
@@ -422,11 +414,9 @@ func (s *Service) ListPids(ctx context.Context, r *shimapi.ListPidsRequest) (*sh
// CloseIO of a process
func (s *Service) CloseIO(ctx context.Context, r *shimapi.CloseIORequest) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[r.ID]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process does not exist %s", r.ID)
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
if stdin := p.Stdin(); stdin != nil {
if err := stdin.Close(); err != nil {
@@ -438,11 +428,9 @@ func (s *Service) CloseIO(ctx context.Context, r *shimapi.CloseIORequest) (*ptyp
// Checkpoint the container
func (s *Service) Checkpoint(ctx context.Context, r *shimapi.CheckpointTaskRequest) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
var options runctypes.CheckpointOptions
if r.Options != nil {
@@ -475,11 +463,9 @@ func (s *Service) ShimInfo(ctx context.Context, r *ptypes.Empty) (*shimapi.ShimI
// Update a running container
func (s *Service) Update(ctx context.Context, r *shimapi.UpdateTaskRequest) (*ptypes.Empty, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
if err := p.(*proc.Init).Update(ctx, r.Resources); err != nil {
return nil, errdefs.ToGRPC(err)
@@ -489,11 +475,9 @@ func (s *Service) Update(ctx context.Context, r *shimapi.UpdateTaskRequest) (*pt
// Wait for a process to exit
func (s *Service) Wait(ctx context.Context, r *shimapi.WaitRequest) (*shimapi.WaitResponse, error) {
- s.mu.Lock()
- p := s.processes[r.ID]
- s.mu.Unlock()
- if p == nil {
- return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getExecProcess(r.ID)
+ if err != nil {
+ return nil, err
}
p.Wait()
@@ -563,11 +547,9 @@ func shouldKillAllOnExit(bundlePath string) (bool, error) {
}
func (s *Service) getContainerPids(ctx context.Context, id string) ([]uint32, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- p := s.processes[s.id]
- if p == nil {
- return nil, errors.Wrapf(errdefs.ErrFailedPrecondition, "container must be created")
+ p, err := s.getInitProcess()
+ if err != nil {
+ return nil, err
}
ps, err := p.(*proc.Init).Runtime().Ps(ctx, id)
@@ -589,6 +571,30 @@ func (s *Service) forward(publisher events.Publisher) {
}
}
+// getInitProcess returns initial process
+func (s *Service) getInitProcess() (rproc.Process, error) {
+ s.mu.Lock()
+ defer s.mu.Unlock()
+
+ p := s.processes[s.id]
+ if p == nil {
+ return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+ }
+ return p, nil
+}
+
+// getExecProcess returns exec process
+func (s *Service) getExecProcess(id string) (rproc.Process, error) {
+ s.mu.Lock()
+ defer s.mu.Unlock()
+
+ p := s.processes[id]
+ if p == nil {
+ return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process %s does not exist", id)
+ }
+ return p, nil
+}
+
func getTopic(ctx context.Context, e interface{}) string {
switch e.(type) {
case *eventstypes.TaskCreate:
--
2.7.4.3

109
patch/0007-shim-Increase-reaper-buffer-size-and-non-bl.patch
View File

@ -1,109 +0,0 @@
From 2e143a25ff02800afb569352c407cf71a9c0312b Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 14:56:19 +0800
Subject: [PATCH 07/27] shim: Increase reaper buffer size and
non-blocking send
reason: Fixes #2709
This increases the buffer size for process exit subscribers. It also
implements a non-blocking send on the subscriber channel. It is better
to drop an exit even than it is to block a shim for one slow subscriber.
Cherry-pick from upstream 232a063496
Change-Id: Ibf9f06cc82945a8592fb02a87816d69d5dac2b6b
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
runtime/v1/shim/reaper.go | 14 +++++++++++---
runtime/v2/shim/reaper_unix.go | 14 +++++++++++---
2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index 2937f1a..10d5c30 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -26,12 +26,13 @@ import (
"github.com/containerd/containerd/sys"
runc "github.com/containerd/go-runc"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// ErrNoSuchProcess is returned when the process no longer exists
var ErrNoSuchProcess = errors.New("no such process")
-const bufferSize = 32
+const bufferSize = 2048
// Reap should be called when the process receives an SIGCHLD. Reap will reap
// all exited processes and close their wait channels
@@ -41,13 +42,20 @@ func Reap() error {
Default.Lock()
for c := range Default.subscribers {
for _, e := range exits {
- c <- runc.Exit{
+ select {
+ case c <- runc.Exit{
Timestamp: now,
Pid: e.Pid,
Status: e.Status,
+ }:
+ default:
+ logrus.WithFields(logrus.Fields{
+ "subscriber": c,
+ "pid": e.Pid,
+ "status": e.Status,
+ }).Warn("failed to send exit to subscriber")
}
}
-
}
Default.Unlock()
return err
diff --git a/runtime/v2/shim/reaper_unix.go b/runtime/v2/shim/reaper_unix.go
index 2937f1a..10d5c30 100644
--- a/runtime/v2/shim/reaper_unix.go
+++ b/runtime/v2/shim/reaper_unix.go
@@ -26,12 +26,13 @@ import (
"github.com/containerd/containerd/sys"
runc "github.com/containerd/go-runc"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// ErrNoSuchProcess is returned when the process no longer exists
var ErrNoSuchProcess = errors.New("no such process")
-const bufferSize = 32
+const bufferSize = 2048
// Reap should be called when the process receives an SIGCHLD. Reap will reap
// all exited processes and close their wait channels
@@ -41,13 +42,20 @@ func Reap() error {
Default.Lock()
for c := range Default.subscribers {
for _, e := range exits {
- c <- runc.Exit{
+ select {
+ case c <- runc.Exit{
Timestamp: now,
Pid: e.Pid,
Status: e.Status,
+ }:
+ default:
+ logrus.WithFields(logrus.Fields{
+ "subscriber": c,
+ "pid": e.Pid,
+ "status": e.Status,
+ }).Warn("failed to send exit to subscriber")
}
}
-
}
Default.Unlock()
return err
--
2.7.4.3

578
patch/0008-runtime-Use-named-pipes-for-shim-logs.patch
View File

@ -1,578 +0,0 @@
From 9bdd5d485c6796c44356ae9482df8de467463feb Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 14:57:41 +0800
Subject: [PATCH 08/27] runtime: Use named pipes for shim logs
reason: TestDaemonRestart hangs if shim_debug is enabled
Relating to issue [#2606](https://github.com/containerd/containerd/issues/2606)
Co-authored-by: Oliver Stenbom <ostenbom@pivotal.io>
Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
Co-authored-by: Giuseppe Capizzi <gcapizzi@pivotal.io>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Cherry-pick from upstream 1d4105cacf
Change-Id: I0038401dda88c234750e8d1378a4dd97230400b0
Signed-off-by: Oliver Stenbom <ostenbom@pivotal.io>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
Signed-off-by: Giuseppe Capizzi <gcapizzi@pivotal.io>
Signed-off-by: Danail Branekov <danailster@gmail.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
client_test.go | 49 +++++++--
cmd/containerd-shim/main_unix.go | 28 ++++++
container_linux_test.go | 209 +++++++++++++++++++++++++++++++++++++++
runtime/v1/linux/runtime.go | 26 +++++
runtime/v1/shim.go | 38 +++++++
runtime/v1/shim/client/client.go | 34 +++++--
6 files changed, 370 insertions(+), 14 deletions(-)
create mode 100644 runtime/v1/shim.go
diff --git a/client_test.go b/client_test.go
index a6b1d59..1a4cf39 100644
--- a/client_test.go
+++ b/client_test.go
@@ -21,6 +21,8 @@ import (
"context"
"flag"
"fmt"
+ "io"
+ "io/ioutil"
"os"
"os/exec"
"testing"
@@ -36,11 +38,12 @@ import (
)
var (
- address string
- noDaemon bool
- noCriu bool
- supportsCriu bool
- testNamespace = "testing"
+ address string
+ noDaemon bool
+ noCriu bool
+ supportsCriu bool
+ testNamespace = "testing"
+ ctrdStdioFilePath string
ctrd = &daemon{}
)
@@ -76,13 +79,26 @@ func TestMain(m *testing.M) {
if !noDaemon {
sys.ForceRemoveAll(defaultRoot)
- err := ctrd.start("containerd", address, []string{
+ stdioFile, err := ioutil.TempFile("", "")
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "could not create a new stdio temp file: %s\n", err)
+ os.Exit(1)
+ }
+ defer func() {
+ stdioFile.Close()
+ os.Remove(stdioFile.Name())
+ }()
+ ctrdStdioFilePath = stdioFile.Name()
+ stdioWriter := io.MultiWriter(stdioFile, buf)
+
+ err = ctrd.start("containerd", address, []string{
"--root", defaultRoot,
"--state", defaultState,
"--log-level", "debug",
- }, buf, buf)
+ "--config", createShimDebugConfig(),
+ }, stdioWriter, stdioWriter)
if err != nil {
- fmt.Fprintf(os.Stderr, "%s: %s", err, buf.String())
+ fmt.Fprintf(os.Stderr, "%s: %s\n", err, buf.String())
os.Exit(1)
}
}
@@ -137,6 +153,7 @@ func TestMain(m *testing.M) {
fmt.Fprintln(os.Stderr, "failed to wait for containerd", err)
}
}
+
if err := sys.ForceRemoveAll(defaultRoot); err != nil {
fmt.Fprintln(os.Stderr, "failed to remove test root dir", err)
os.Exit(1)
@@ -343,3 +360,19 @@ func TestClientReconnect(t *testing.T) {
t.Errorf("client closed returned error %v", err)
}
}
+
+func createShimDebugConfig() string {
+ f, err := ioutil.TempFile("", "containerd-config-")
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Failed to create config file: %s\n", err)
+ os.Exit(1)
+ }
+ defer f.Close()
+
+ if _, err := f.WriteString("[plugins.linux]\n\tshim_debug = true\n"); err != nil {
+ fmt.Fprintf(os.Stderr, "Failed to write to config file %s: %s\n", f.Name(), err)
+ os.Exit(1)
+ }
+
+ return f.Name()
+}
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index ca0a90a..6c59cd1 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -23,6 +23,7 @@ import (
"context"
"flag"
"fmt"
+ "io"
"net"
"os"
"os/exec"
@@ -36,6 +37,7 @@ import (
"github.com/containerd/containerd/events"
"github.com/containerd/containerd/namespaces"
+ shimlog "github.com/containerd/containerd/runtime/v1"
"github.com/containerd/containerd/runtime/v1/linux/proc"
"github.com/containerd/containerd/runtime/v1/shim"
shimapi "github.com/containerd/containerd/runtime/v1/shim/v1"
@@ -92,12 +94,38 @@ func main() {
runtime.GOMAXPROCS(2)
}
+ stdout, stderr, err := openStdioKeepAlivePipes(workdirFlag)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "containerd-shim: %s\n", err)
+ os.Exit(1)
+ }
+ defer func() {
+ stdout.Close()
+ stderr.Close()
+ }()
+
if err := executeShim(); err != nil {
fmt.Fprintf(os.Stderr, "containerd-shim: %s\n", err)
os.Exit(1)
}
}
+// If containerd server process dies, we need the shim to keep stdout/err reader
+// FDs so that Linux does not SIGPIPE the shim process if it tries to use its end of
+// these pipes.
+func openStdioKeepAlivePipes(dir string) (io.ReadCloser, io.ReadCloser, error) {
+ background := context.Background()
+ keepStdoutAlive, err := shimlog.OpenShimStdoutLog(background, dir)
+ if err != nil {
+ return nil, nil, err
+ }
+ keepStderrAlive, err := shimlog.OpenShimStderrLog(background, dir)
+ if err != nil {
+ return nil, nil, err
+ }
+ return keepStdoutAlive, keepStderrAlive, nil
+}
+
func executeShim() error {
// start handling signals as soon as possible so that things are properly reaped
// or if runtime exits before we hit the handler
diff --git a/container_linux_test.go b/container_linux_test.go
index 60b0336..fa764d7 100644
--- a/container_linux_test.go
+++ b/container_linux_test.go
@@ -24,7 +24,9 @@ import (
"fmt"
"io"
"io/ioutil"
+ "os"
"os/exec"
+ "path/filepath"
"runtime"
"strings"
"sync"
@@ -258,6 +260,213 @@ func TestDaemonRestart(t *testing.T) {
<-statusC
}
+func TestShimDoesNotLeakPipes(t *testing.T) {
+ containerdPid := ctrd.cmd.Process.Pid
+ initialPipes, err := numPipes(containerdPid)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ client, err := newClient(t, address)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer client.Close()
+
+ var (
+ image Image
+ ctx, cancel = testContext()
+ id = t.Name()
+ )
+ defer cancel()
+
+ image, err = client.GetImage(ctx, testImage)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ container, err := client.NewContainer(ctx, id, WithNewSnapshot(id, image), WithNewSpec(oci.WithImageConfig(image), withProcessArgs("sleep", "30")))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ task, err := container.NewTask(ctx, empty())
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ exitChannel, err := task.Wait(ctx)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := task.Start(ctx); err != nil {
+ t.Fatal(err)
+ }
+
+ if err := task.Kill(ctx, syscall.SIGKILL); err != nil {
+ t.Fatal(err)
+ }
+
+ <-exitChannel
+
+ if _, err := task.Delete(ctx); err != nil {
+ t.Fatal(err)
+ }
+
+ if err := container.Delete(ctx, WithSnapshotCleanup); err != nil {
+ t.Fatal(err)
+ }
+
+ currentPipes, err := numPipes(containerdPid)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if initialPipes != currentPipes {
+ t.Errorf("Pipes have leaked after container has been deleted. Initially there were %d pipes, after container deletion there were %d pipes", initialPipes, currentPipes)
+ }
+}
+
+func numPipes(pid int) (int, error) {
+ cmd := exec.Command("sh", "-c", fmt.Sprintf("lsof -p %d | grep pipe", pid))
+
+ var stdout bytes.Buffer
+ cmd.Stdout = &stdout
+ if err := cmd.Run(); err != nil {
+ return 0, err
+ }
+ return strings.Count(stdout.String(), "\n"), nil
+}
+
+func TestDaemonReconnectsToShimIOPipesOnRestart(t *testing.T) {
+ client, err := newClient(t, address)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer client.Close()
+
+ var (
+ image Image
+ ctx, cancel = testContext()
+ id = t.Name()
+ )
+ defer cancel()
+
+ image, err = client.GetImage(ctx, testImage)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ container, err := client.NewContainer(ctx, id, WithNewSnapshot(id, image), WithNewSpec(oci.WithImageConfig(image), withProcessArgs("sleep", "30")))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer container.Delete(ctx, WithSnapshotCleanup)
+
+ task, err := container.NewTask(ctx, empty())
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer task.Delete(ctx)
+
+ _, err = task.Wait(ctx)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := task.Start(ctx); err != nil {
+ t.Fatal(err)
+ }
+
+ if err := ctrd.Restart(nil); err != nil {
+ t.Fatal(err)
+ }
+
+ waitCtx, waitCancel := context.WithTimeout(ctx, 2*time.Second)
+ serving, err := client.IsServing(waitCtx)
+ waitCancel()
+ if !serving {
+ t.Fatalf("containerd did not start within 2s: %v", err)
+ }
+
+ // After we restared containerd we write some messages to the log pipes, simulating shim writing stuff there.
+ // Then we make sure that these messages are available on the containerd log thus proving that the server reconnected to the log pipes
+ runtimeVersion := getRuntimeVersion()
+ logDirPath := getLogDirPath(runtimeVersion, id)
+
+ switch runtimeVersion {
+ case "v1":
+ writeToFile(t, filepath.Join(logDirPath, "shim.stdout.log"), fmt.Sprintf("%s writing to stdout\n", id))
+ writeToFile(t, filepath.Join(logDirPath, "shim.stderr.log"), fmt.Sprintf("%s writing to stderr\n", id))
+ case "v2":
+ writeToFile(t, filepath.Join(logDirPath, "log"), fmt.Sprintf("%s writing to log\n", id))
+ }
+
+ statusC, err := task.Wait(ctx)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := task.Kill(ctx, syscall.SIGKILL); err != nil {
+ t.Fatal(err)
+ }
+
+ <-statusC
+
+ stdioContents, err := ioutil.ReadFile(ctrdStdioFilePath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ switch runtimeVersion {
+ case "v1":
+ if !strings.Contains(string(stdioContents), fmt.Sprintf("%s writing to stdout", id)) {
+ t.Fatal("containerd did not connect to the shim stdout pipe")
+ }
+ if !strings.Contains(string(stdioContents), fmt.Sprintf("%s writing to stderr", id)) {
+ t.Fatal("containerd did not connect to the shim stderr pipe")
+ }
+ case "v2":
+ if !strings.Contains(string(stdioContents), fmt.Sprintf("%s writing to log", id)) {
+ t.Fatal("containerd did not connect to the shim log pipe")
+ }
+ }
+}
+
+func writeToFile(t *testing.T, filePath, message string) {
+ writer, err := os.OpenFile(filePath, os.O_WRONLY, 0600)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if _, err := writer.WriteString(message); err != nil {
+ t.Fatal(err)
+ }
+ if err := writer.Close(); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func getLogDirPath(runtimeVersion, id string) string {
+ switch runtimeVersion {
+ case "v1":
+ return filepath.Join(defaultRoot, "io.containerd.runtime.v1.linux", testNamespace, id)
+ case "v2":
+ return filepath.Join(defaultState, "io.containerd.runtime.v2.task", testNamespace, id)
+ default:
+ panic(fmt.Errorf("Unsupported runtime version %s", runtimeVersion))
+ }
+}
+
+func getRuntimeVersion() string {
+ switch rt := os.Getenv("TEST_RUNTIME"); rt {
+ case "io.containerd.runc.v1":
+ return "v2"
+ default:
+ return "v1"
+ }
+}
+
func TestContainerPTY(t *testing.T) {
t.Parallel()
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index d19b8e5..e1b3cac 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -21,6 +21,7 @@ package linux
import (
"context"
"fmt"
+ "io"
"io/ioutil"
"os"
"path/filepath"
@@ -40,6 +41,7 @@ import (
"github.com/containerd/containerd/plugin"
"github.com/containerd/containerd/runtime"
"github.com/containerd/containerd/runtime/linux/runctypes"
+ "github.com/containerd/containerd/runtime/v1"
"github.com/containerd/containerd/runtime/v1/linux/proc"
shim "github.com/containerd/containerd/runtime/v1/shim/v1"
runc "github.com/containerd/go-runc"
@@ -341,6 +343,30 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
continue
}
+ logDirPath := filepath.Join(r.root, ns, id)
+
+ shimStdoutLog, err := v1.OpenShimStdoutLog(ctx, logDirPath)
+ if err != nil {
+ log.G(ctx).WithError(err).WithFields(logrus.Fields{
+ "id": id,
+ "namespace": ns,
+ "logDirPath": logDirPath,
+ }).Error("opening shim stdout log pipe")
+ continue
+ }
+ go io.Copy(os.Stdout, shimStdoutLog)
+
+ shimStderrLog, err := v1.OpenShimStderrLog(ctx, logDirPath)
+ if err != nil {
+ log.G(ctx).WithError(err).WithFields(logrus.Fields{
+ "id": id,
+ "namespace": ns,
+ "logDirPath": logDirPath,
+ }).Error("opening shim stderr log pipe")
+ continue
+ }
+ go io.Copy(os.Stderr, shimStderrLog)
+
t, err := newTask(id, ns, pid, s, r.events, r.tasks, bundle)
if err != nil {
log.G(ctx).WithError(err).Error("loading task type")
diff --git a/runtime/v1/shim.go b/runtime/v1/shim.go
new file mode 100644
index 0000000..3942968
--- /dev/null
+++ b/runtime/v1/shim.go
@@ -0,0 +1,38 @@
+// +build !windows
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package v1
+
+import (
+ "context"
+ "io"
+ "path/filepath"
+
+ "github.com/containerd/fifo"
+ "golang.org/x/sys/unix"
+)
+
+// OpenShimStdoutLog opens the shim log for reading
+func OpenShimStdoutLog(ctx context.Context, logDirPath string) (io.ReadWriteCloser, error) {
+ return fifo.OpenFifo(ctx, filepath.Join(logDirPath, "shim.stdout.log"), unix.O_RDWR|unix.O_CREAT|unix.O_NONBLOCK, 0700)
+}
+
+// OpenShimStderrLog opens the shim log
+func OpenShimStderrLog(ctx context.Context, logDirPath string) (io.ReadWriteCloser, error) {
+ return fifo.OpenFifo(ctx, filepath.Join(logDirPath, "shim.stderr.log"), unix.O_RDWR|unix.O_CREAT|unix.O_NONBLOCK, 0700)
+}
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index 015d88c..ef74030 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -37,6 +37,7 @@ import (
"github.com/containerd/containerd/events"
"github.com/containerd/containerd/log"
+ v1 "github.com/containerd/containerd/runtime/v1"
"github.com/containerd/containerd/runtime/v1/shim"
shimapi "github.com/containerd/containerd/runtime/v1/shim/v1"
"github.com/containerd/containerd/sys"
@@ -62,7 +63,24 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
}
defer f.Close()
- cmd, err := newCommand(binary, daemonAddress, debug, config, f)
+ var stdoutLog io.ReadWriteCloser
+ var stderrLog io.ReadWriteCloser
+ if debug {
+ stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to create stdout log")
+ }
+
+ stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to create stderr log")
+ }
+
+ go io.Copy(os.Stdout, stdoutLog)
+ go io.Copy(os.Stderr, stderrLog)
+ }
+
+ cmd, err := newCommand(binary, daemonAddress, debug, config, f, stdoutLog, stderrLog)
if err != nil {
return nil, nil, err
}
@@ -77,6 +95,12 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
go func() {
cmd.Wait()
exitHandler()
+ if stdoutLog != nil {
+ stderrLog.Close()
+ }
+ if stdoutLog != nil {
+ stderrLog.Close()
+ }
}()
log.G(ctx).WithFields(logrus.Fields{
"pid": cmd.Process.Pid,
@@ -104,7 +128,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
}
}
-func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File) (*exec.Cmd, error) {
+func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File, stdout, stderr io.Writer) (*exec.Cmd, error) {
selfExe, err := os.Executable()
if err != nil {
return nil, err
@@ -137,10 +161,8 @@ func newCommand(binary, daemonAddress string, debug bool, config shim.Config, so
cmd.SysProcAttr = getSysProcAttr()
cmd.ExtraFiles = append(cmd.ExtraFiles, socket)
cmd.Env = append(os.Environ(), "GOMAXPROCS=2")
- if debug {
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- }
+ cmd.Stdout = stdout
+ cmd.Stderr = stderr
return cmd, nil
}
--
2.7.4.3

38
patch/0009-runtime-fix-pipe-in-broken-may-cause-shim-l.patch
View File

@ -1,38 +0,0 @@
From 77b025a48d9dc89666ef7c03709ef1fc2a4d0b34 Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 15:00:12 +0800
Subject: [PATCH 09/27] runtime: fix pipe in broken may cause shim
lock forever for runtime v2
reason: fix pipe in broken may cause shim lock forever for runtime v2
Cherry-pick from upstream b3438f7a6f
Change-Id: I3c324050531a1e68a5c3a688a51408a121a3f9f1
Signed-off-by: Lifubang <lifubang@acmcoder.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
runtime/v2/runc/service_linux.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/runtime/v2/runc/service_linux.go b/runtime/v2/runc/service_linux.go
index 5e30cfc..19d1fec 100644
--- a/runtime/v2/runc/service_linux.go
+++ b/runtime/v2/runc/service_linux.go
@@ -49,9 +49,10 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
cwg.Add(1)
go func() {
cwg.Done()
- p := bufPool.Get().(*[]byte)
- defer bufPool.Put(p)
- io.CopyBuffer(epollConsole, in, *p)
+ bp := bufPool.Get().(*[]byte)
+ defer bufPool.Put(bp)
+ io.CopyBuffer(epollConsole, in, *bp)
+ epollConsole.Shutdown(p.epoller.CloseConsole)
}()
}
--
2.7.4.3

52
patch/0010-runtime-fix-pipe-in-broken-may-cause-shim-l.patch
View File

@ -1,52 +0,0 @@
From d0e57aafce7c98b3c9b3004c862d5a15180df86c Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 15:03:08 +0800
Subject: [PATCH 10/27] runtime: fix pipe in broken may cause shim
lock forever for runtime v1
reason: fix pipe in broken may cause shim lock forever for runtime v1
Cherry-pick from upstream e76a8879eb
Change-Id: Ie603b36f92c4a6cc41777a9cd1e6a19b8584eaf1
Signed-off-by: Lifubang <lifubang@acmcoder.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
runtime/v1/shim/service_linux.go | 8 +++++---
runtime/v2/runc/service_linux.go | 1 +
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/shim/service_linux.go b/runtime/v1/shim/service_linux.go
index 18ae650..307e20d 100644
--- a/runtime/v1/shim/service_linux.go
+++ b/runtime/v1/shim/service_linux.go
@@ -49,9 +49,11 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
cwg.Add(1)
go func() {
cwg.Done()
- p := bufPool.Get().(*[]byte)
- defer bufPool.Put(p)
- io.CopyBuffer(epollConsole, in, *p)
+ bp := bufPool.Get().(*[]byte)
+ defer bufPool.Put(bp)
+ io.CopyBuffer(epollConsole, in, *bp)
+ // we need to shutdown epollConsole when pipe broken
+ epollConsole.Shutdown(p.epoller.CloseConsole)
}()
}
diff --git a/runtime/v2/runc/service_linux.go b/runtime/v2/runc/service_linux.go
index 19d1fec..1161673 100644
--- a/runtime/v2/runc/service_linux.go
+++ b/runtime/v2/runc/service_linux.go
@@ -52,6 +52,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
bp := bufPool.Get().(*[]byte)
defer bufPool.Put(bp)
io.CopyBuffer(epollConsole, in, *bp)
+ // we need to shutdown epollConsole when pipe broken
epollConsole.Shutdown(p.epoller.CloseConsole)
}()
}
--
2.7.4.3

95
patch/0011-runtime-Add-timeout-and-cancel-to-shim-fifo.patch
View File

@ -1,95 +0,0 @@
From 8eb1ab31006f3079d1bf95b4ab089e049a4f45f2 Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 15:04:03 +0800
Subject: [PATCH 11/27] runtime: Add timeout and cancel to shim fifo
open
reason: Add timeout and cancel to shim fifo open
There is still a special case where the client side fails to open or
load causes things to be slow and the shim can lock up when this
happens. This adds a timeout to the context for this case to abort fifo
creation.
Cherry-pick from upstream 18f57e20b0
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit a2a4241979f615eb0a1084c7638c21f830f48ac5)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
Change-Id: Ic7f285b149f97f4d6526b3f2c28b6ac6790332b0
---
runtime/v1/linux/proc/exec.go | 5 +++++
runtime/v1/linux/proc/init.go | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/runtime/v1/linux/proc/exec.go b/runtime/v1/linux/proc/exec.go
index 96c425d..715a977 100644
--- a/runtime/v1/linux/proc/exec.go
+++ b/runtime/v1/linux/proc/exec.go
@@ -172,22 +172,27 @@ func (e *execProcess) start(ctx context.Context) (err error) {
e.stdin = sc
}
var copyWaitGroup sync.WaitGroup
+ ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
if socket != nil {
console, err := socket.ReceiveMaster()
if err != nil {
+ cancel()
return errors.Wrap(err, "failed to retrieve console master")
}
if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {
+ cancel()
return errors.Wrap(err, "failed to start console copy")
}
} else if !e.stdio.IsNull() {
if err := copyPipes(ctx, e.io, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {
+ cancel()
return errors.Wrap(err, "failed to start io pipe copy")
}
}
copyWaitGroup.Wait()
pid, err := runc.ReadPidFile(opts.PidFile)
if err != nil {
+ cancel()
return errors.Wrap(err, "failed to retrieve OCI runtime exec pid")
}
e.pid = pid
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index 5bf5f83..5b23671 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -168,18 +168,22 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {
p.closers = append(p.closers, sc)
}
var copyWaitGroup sync.WaitGroup
+ ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
if socket != nil {
console, err := socket.ReceiveMaster()
if err != nil {
+ cancel()
return errors.Wrap(err, "failed to retrieve console master")
}
console, err = p.Platform.CopyConsole(ctx, console, r.Stdin, r.Stdout, r.Stderr, &p.wg, &copyWaitGroup)
if err != nil {
+ cancel()
return errors.Wrap(err, "failed to start console copy")
}
p.console = console
} else if !hasNoIO(r) {
if err := copyPipes(ctx, p.io, r.Stdin, r.Stdout, r.Stderr, &p.wg, &copyWaitGroup); err != nil {
+ cancel()
return errors.Wrap(err, "failed to start io pipe copy")
}
}
@@ -187,6 +191,7 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {
copyWaitGroup.Wait()
pid, err := runc.ReadPidFile(pidFile)
if err != nil {
+ cancel()
return errors.Wrap(err, "failed to retrieve OCI runtime container pid")
}
p.pid = pid
--
2.7.4.3

36
patch/0012-bump-bump-containerd-to-1.2.0.2.patch
View File

@ -1,36 +0,0 @@
From ea92cca7c1d4dfbd6a563588a6ea9b56a764fc39 Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Wed, 23 Jan 2019 15:31:56 +0800
Subject: [PATCH 12/27] bump: bump containerd to 1.2.0.2
reason: bump containerd to 1.2.0.2 after cherry-picked patches from
upstream:
- runtime: Add timeout and cancel to shim fifo open
- runtime: fix pipe in broken may cause shim lock forever for runtime v1
- runtime: fix pipe in broken may cause shim lock forever for runtime v2
- runtime: Use named pipes for shim logs
- shim: Increase reaper buffer size and non-blocking send
- shim: optimize shim lock in runtime v1
Change-Id: Ibd7574e2ab18a2f783c694931101e1459bc779ad
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
hack/containerd.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index f53c37b..c7d358d 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
--
2.7.4.3

50
patch/0013-log-support-log-init-pid-to-start-event-log.patch
View File

@ -1,50 +0,0 @@
From d4d3f8a239f4b4afd009d954453e585704ddb112 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Thu, 24 Jan 2019 11:55:10 +0800
Subject: [PATCH 13/27] log: support log init pid to start event log
reason: DFX support start event with init pid
Change-Id: I8ae9c7a9652f694680979965829682416aed4055
Signed-off-by: jingrui <jingrui@huawei.com>
---
hack/containerd.spec | 2 +-
runtime/v1/linux/task.go | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index c7d358d..462d35e 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
index 38da35c..1c650c4 100644
--- a/runtime/v1/linux/task.go
+++ b/runtime/v1/linux/task.go
@@ -36,6 +36,7 @@ import (
"github.com/containerd/typeurl"
"github.com/gogo/protobuf/types"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// Task on a linux based system
@@ -131,6 +132,7 @@ func (t *Task) Start(ctx context.Context) error {
t.cg = cg
t.mu.Unlock()
}
+ logrus.Infof("publish event %s for container %s with pid %d", runtime.TaskStartEventTopic, t.id, t.pid)
t.events.Publish(ctx, runtime.TaskStartEventTopic, &eventstypes.TaskStart{
ContainerID: t.id,
Pid: uint32(t.pid),
--
2.7.4.3

84
patch/0014-event-resend-exit-event-when-detect-container.patch
View File

@ -1,84 +0,0 @@
From 200ae6f4b733f8a869aac36a730da90e79213387 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sun, 10 Feb 2019 18:40:59 +0800
Subject: [PATCH 14/27] event: resend exit event when detect
containerd restarted
reason: testCE_docker_containerd_ABN.026.sh
fix docker stop no effect.
Change-Id: I024b2f6a03d74fcbb5623c696212dcbfb624b285
Signed-off-by: jingrui <jingrui@huawei.com>
---
cmd/containerd-shim/main_unix.go | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index 6c59cd1..d1f41b0 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -24,12 +24,14 @@ import (
"flag"
"fmt"
"io"
+ "io/ioutil"
"net"
"os"
"os/exec"
"os/signal"
"runtime"
"runtime/debug"
+ "strconv"
"strings"
"sync"
"syscall"
@@ -263,7 +265,7 @@ type remoteEventsPublisher struct {
address string
}
-func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+func (l *remoteEventsPublisher) doPublish(ctx context.Context, topic string, event events.Event) error {
ns, _ := namespaces.Namespace(ctx)
encoded, err := typeurl.MarshalAny(event)
if err != nil {
@@ -288,3 +290,37 @@ func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event
}
return nil
}
+
+func getContainerdPid() int {
+ pidFile := "/var/run/docker/containerd/containerd.pid"
+ data, err := ioutil.ReadFile(pidFile)
+ if err != nil {
+ return -1
+ }
+ pid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return -1
+ }
+ return pid
+}
+
+func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+ old := getContainerdPid()
+ for i := 1; i <= 10; i++ {
+ err := l.doPublish(ctx, topic, event)
+ logrus.Infof("try publish event(%d) %s %v %v", i, topic, event, err)
+ if err == nil {
+ new := getContainerdPid()
+ if old == new {
+ return nil
+ }
+ logrus.Warnf("containerd pid %d changed to %d", old, new)
+ old = new
+ }
+ if i == 10 {
+ return err
+ }
+ time.Sleep(time.Duration(i) * time.Second)
+ }
+ return nil
+}
--
2.7.4.3

122
patch/0015-restore-cleanup-container-pid-1.patch
View File

@ -1,122 +0,0 @@
From fd1c8dda8cc02b9aef28f1e3e4e51ab216338e2b Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sun, 10 Feb 2019 15:40:52 +0800
Subject: [PATCH 15/27] restore: cleanup container pid=-1
reason: fix testCE_docker_hook_spec_ABN.050.sh
when containerd killed during task create, see Runtime.Create(). the
defer function will not execute, so shim residual. cleanup shim for
container pid=-1
Change-Id: Ie9a7f6dff5f8a922cc97c5fcf44664ab60ac1a7a
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/linux/runtime.go | 10 +++++++---
runtime/v1/linux/task.go | 26 ++++++++++++++++++++++++--
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index e1b3cac..3b66304 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -316,6 +316,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
continue
}
id := path.Name()
+ log.G(ctx).Infof("load-task %s", id)
bundle := loadBundle(
id,
filepath.Join(r.state, ns, id),
@@ -372,6 +373,12 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
log.G(ctx).WithError(err).Error("loading task type")
continue
}
+ if pid == -1 {
+ _, err := t.DeleteForce(ctx)
+ log.G(ctx).Warnf("delete force %s Pid=-1 error=%v", id, err)
+ continue
+ }
+ log.G(ctx).Infof("load-task %s Pid=%d done", id, pid)
o = append(o, t)
}
return o, nil
@@ -380,9 +387,6 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
func (r *Runtime) cleanupAfterDeadShim(ctx context.Context, bundle *bundle, ns, id string, pid int) error {
ctx = namespaces.WithNamespace(ctx, ns)
if err := r.terminate(ctx, bundle, ns, id); err != nil {
- if r.config.ShimDebug {
- return errors.Wrap(err, "failed to terminate task, leaving bundle for debugging")
- }
log.G(ctx).WithError(err).Warn("failed to terminate task")
}
diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
index 1c650c4..6995156 100644
--- a/runtime/v1/linux/task.go
+++ b/runtime/v1/linux/task.go
@@ -21,6 +21,7 @@ package linux
import (
"context"
"sync"
+ "time"
"github.com/containerd/cgroups"
eventstypes "github.com/containerd/containerd/api/events"
@@ -37,6 +38,7 @@ import (
"github.com/gogo/protobuf/types"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
// Task on a linux based system
@@ -86,10 +88,13 @@ func (t *Task) Namespace() string {
}
// Delete the task and return the exit status
-func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
+func (t *Task) delete(ctx context.Context, force bool) (*runtime.Exit, error) {
rsp, err := t.shim.Delete(ctx, empty)
if err != nil {
- return nil, errdefs.FromGRPC(err)
+ log.G(ctx).WithError(err).Error("failed to delete container, force=%t", force)
+ if !force {
+ return nil, errdefs.FromGRPC(err)
+ }
}
t.tasks.Delete(ctx, t.id)
if err := t.shim.KillShim(ctx); err != nil {
@@ -98,6 +103,14 @@ func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
if err := t.bundle.Delete(); err != nil {
log.G(ctx).WithError(err).Error("failed to delete bundle")
}
+
+ if rsp == nil {
+ rsp = &shim.DeleteResponse{}
+ rsp.ExitStatus = 128 + uint32(unix.SIGKILL)
+ rsp.ExitedAt = time.Now().UTC()
+ rsp.Pid = 0
+ }
+
t.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{
ContainerID: t.id,
ExitStatus: rsp.ExitStatus,
@@ -111,6 +124,15 @@ func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
}, nil
}
+// Delete the task and return the exit status
+func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
+ return t.delete(ctx, false)
+}
+
+func (t *Task) DeleteForce(ctx context.Context) (*runtime.Exit, error) {
+ return t.delete(ctx, true)
+}
+
// Start the task
func (t *Task) Start(ctx context.Context) error {
t.mu.Lock()
--
2.7.4.3

31
patch/0016-create-runc-delete-force-before-create.patch
View File

@ -1,31 +0,0 @@
From e7827a737c42861afd6b41e2e7dc953c249278fc Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Mon, 11 Feb 2019 17:40:31 +0800
Subject: [PATCH 16/27] create: runc delete force before create
reason: testCE_docker_hook_spec_ABN.051.sh
kill -9 shim will generate residual runc files, cleanup runc files using
runc delete before create.
Change-Id: I3efa3c4d0989ba8d688bcb6f35ba543b6ab91b2d
Signed-off-by: jingrui <jingrui@huawei.com>
---
vendor/github.com/containerd/go-runc/runc.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index 96262af..e688881 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -138,6 +138,8 @@ func (o *CreateOpts) args() (out []string, err error) {
// Create creates a new container and returns its pid if it was created successfully
func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOpts) error {
+ r.Delete(context, id, &DeleteOpts{Force: true})
+
args := []string{"create", "--bundle", bundle}
if opts != nil {
oargs, err := opts.args()
--
2.7.4.3

65
patch/0017-exit-using-init.exit-indicate-container-is-ex.patch
View File

@ -1,65 +0,0 @@
From f83e391aef03283b30431a960b66f720cf0d9dd3 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Mon, 11 Feb 2019 20:12:15 +0800
Subject: [PATCH 17/27] exit: using init.exit indicate container is
exiting
reason: testCE_docker_hook_spec_ABN.053.sh
kill dockerd during docker stop in post-stophook, containerd will load
task and treat as ok when shim response client. add init.exit to forbid
load exiting task.
Change-Id: I8f03cd51088d43d4fb457b32981f3eebd8558f84
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/linux/proc/init.go | 1 +
runtime/v1/linux/runtime.go | 5 +++++
runtime/v1/shim/service.go | 4 +++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index 5b23671..caa31c3 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -43,6 +43,7 @@ import (
// InitPidFile name of the file that contains the init pid
const InitPidFile = "init.pid"
+const InitExit = "init.exit"
// Init represents an initial process for a container
type Init struct {
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 3b66304..123d675 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -378,6 +378,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
log.G(ctx).Warnf("delete force %s Pid=-1 error=%v", id, err)
continue
}
+ if _, err := os.Stat(filepath.Join(bundle.path, proc.InitExit)); err == nil {
+ _, err := t.DeleteForce(ctx)
+ log.G(ctx).Warnf("delete force %s Pid=%d(exiting) error=%v", id, pid, err)
+ continue
+ }
log.G(ctx).Infof("load-task %s Pid=%d done", id, pid)
o = append(o, t)
}
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 679982a..8c7984f 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -504,7 +504,9 @@ func (s *Service) checkProcesses(e runc.Exit) {
for _, p := range s.processes {
if p.Pid() == e.Pid {
-
+ if ip, ok := p.(*proc.Init); ok {
+ ioutil.WriteFile(filepath.Join(ip.Bundle, proc.InitExit), []byte(fmt.Sprintf("%d", e.Pid)), 0600)
+ }
if shouldKillAll {
if ip, ok := p.(*proc.Init); ok {
// Ensure all children are killed
--
2.7.4.3

42
patch/0018-containerd-shim-Dump-log-to-file-when-docker-.patch
View File

@ -1,42 +0,0 @@
From 7f483b7d5a6bd88ea35f5dcf1a5fea5d165044fe Mon Sep 17 00:00:00 2001
From: lixiang172 <lixiang172@huawei.com>
Date: Tue, 12 Feb 2019 15:22:06 +0800
Subject: [PATCH 18/27] containerd-shim: Dump log to file when docker
received signal
reason: Dump stack log to file when docker received "kill -SIGUSR1
PID" signal
The name of log files is "shim-stack-[time].log".
The log file can be found at:
/run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/container-id/shim-stack-[time].log
Change-Id: I6d7e03c9a0fd36e9a76f1dd45cfd5312985d03f8
Signed-off-by: lixiang172 <lixiang172@huawei.com>
---
cmd/containerd-shim/main_unix.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index d1f41b0..38b3eb4 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -246,6 +246,8 @@ func handleSignals(logger *logrus.Entry, signals chan os.Signal, server *ttrpc.S
}
}
+const stacksLogNameTemplate = "shim-stacks-%s.log"
+
func dumpStacks(logger *logrus.Entry) {
var (
buf []byte
@@ -258,6 +260,7 @@ func dumpStacks(logger *logrus.Entry) {
bufferLen *= 2
}
buf = buf[:stackSize]
+ ioutil.WriteFile(fmt.Sprintf(stacksLogNameTemplate, strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)), buf, 0600)
logger.Infof("=== BEGIN goroutine stack dump ===\n%s\n=== END goroutine stack dump ===", buf)
}
--
2.7.4.3

47
patch/0019-restore-check-shim-alive-when-containerd-is-r.patch
View File

@ -1,47 +0,0 @@
From 112c2ef89b1085e95959285ce5328af5d74ba8db Mon Sep 17 00:00:00 2001
From: xueshaojia <xueshaojia@huawei.com>
Date: Thu, 14 Feb 2019 10:48:14 +0800
Subject: [PATCH 19/27] restore: check shim alive when containerd is
restarted
reason: fix docker_containerd-shim:testCE_docker_containerd_shim_ABN.021.sh
When containerd is restarted, it will load all tasks.In some cases, the
containerd-shim is killed and the sock file will exist for a while.
Containerd should check the containerd-shim is available using the sock file.
If the containerd-shim server not responses, do r.cleanupAfterDeadShim
Change-Id: I448c8caefa8c1252bd5cdcff79deb8eff1005903
Signed-off-by: xueshaojia <xueshaojia@huawei.com>
---
runtime/v1/linux/runtime.go | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 123d675..477cda0 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -343,6 +343,21 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
}
continue
}
+ ctxContact, cancel := context.WithTimeout(ctx, 5*time.Second)
+ defer cancel()
+ alive, err := s.IsAlive(ctxContact)
+ if !alive {
+ log.G(ctx).WithError(err).WithFields(logrus.Fields{
+ "id": id,
+ "namespace": ns,
+ }).Error("contacting to shim")
+ err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
+ if err != nil {
+ log.G(ctx).WithError(err).WithField("bundle", bundle.path).
+ Error("cleaning up after dead shim")
+ }
+ continue
+ }
logDirPath := filepath.Join(r.root, ns, id)
--
2.7.4.3

357
patch/0020-events-resend-pending-exit-events-on-restore.patch
View File

@ -1,357 +0,0 @@
From 27762e8d75c00c8898c725873c17a23105ba5b7c Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Tue, 12 Feb 2019 17:03:11 +0800
Subject: [PATCH 20/27] events: resend pending exit events on restore
reason: fix exit event may lost.
testCE_docker_containerd_ABN.026.sh
Change-Id: I5bcdf06ad4ee7b8a0ca782e610186f52e3d79bbd
Signed-off-by: jingrui <jingrui@huawei.com>
---
events/events.go | 13 +++++
events/exchange/exchange.go | 12 +++++
events/exit.go | 79 +++++++++++++++++++++++++++++
runtime/v1/linux/runtime.go | 56 +++++++++++++++++---
runtime/v1/linux/task.go | 10 ++--
runtime/v1/shim/service.go | 2 +
vendor/github.com/docker/go-events/queue.go | 8 +++
7 files changed, 167 insertions(+), 13 deletions(-)
create mode 100644 events/exit.go
diff --git a/events/events.go b/events/events.go
index b7eb86f..aa07236 100644
--- a/events/events.go
+++ b/events/events.go
@@ -22,6 +22,7 @@ import (
"github.com/containerd/typeurl"
"github.com/gogo/protobuf/types"
+ apievents "github.com/containerd/containerd/api/events"
)
// Envelope provides the packaging for an event.
@@ -32,6 +33,18 @@ type Envelope struct {
Event *types.Any
}
+func (e *Envelope) ExitFile() string {
+ decoded, err := typeurl.UnmarshalAny(e.Event)
+ if err != nil {
+ return ""
+ }
+
+ if e, ok := decoded.(*apievents.TaskExit); ok {
+ return ExitFile(e.ContainerID, e.Pid, e.ExitStatus)
+ }
+
+ return ""
+}
// Field returns the value for the given fieldpath as a string, if defined.
// If the value is not defined, the second value will be false.
func (e *Envelope) Field(fieldpath []string) (string, bool) {
diff --git a/events/exchange/exchange.go b/events/exchange/exchange.go
index 95d21b7..540f180 100644
--- a/events/exchange/exchange.go
+++ b/events/exchange/exchange.go
@@ -49,6 +49,11 @@ func NewExchange() *Exchange {
var _ events.Publisher = &Exchange{}
var _ events.Forwarder = &Exchange{}
var _ events.Subscriber = &Exchange{}
+var mobySubcribed = false
+
+func MobySubscribed() bool {
+ return mobySubcribed
+}
// Forward accepts an envelope to be direcly distributed on the exchange.
//
@@ -161,6 +166,13 @@ func (e *Exchange) Subscribe(ctx context.Context, fs ...string) (ch <-chan *even
}
e.broadcaster.Add(dst)
+ logrus.Infof("subscribe ctx=%v fs=%v", ctx, fs)
+ for _, s := range fs {
+ if !MobySubscribed() && s == "namespace==moby,topic~=|^/tasks/|" {
+ queue.Namespace = "moby"
+ mobySubcribed = true
+ }
+ }
go func() {
defer closeAll()
diff --git a/events/exit.go b/events/exit.go
new file mode 100644
index 0000000..e1ce089
--- /dev/null
+++ b/events/exit.go
@@ -0,0 +1,79 @@
+package events
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "github.com/sirupsen/logrus"
+)
+
+const ExitDir = "/var/run/docker/containerd/exit"
+const ExitStatusDefault = 137
+
+func ExitFile(cid string, pid uint32, status uint32) string {
+ return fmt.Sprintf("%s.%d.%d", cid, pid, status)
+}
+
+func ExitInfo(ef string) (string, uint32, uint32) {
+ s := strings.Split(ef, ".")
+ if len(s) != 3 {
+ return "", 0, 0
+ }
+
+ cid := s[0]
+ pid, err := strconv.ParseUint(s[1], 10, 32)
+ if err != nil {
+ return "", 0, 0
+ }
+ status, err := strconv.ParseUint(s[2], 10, 32)
+ if err != nil {
+ return "", 0, 0
+ }
+
+ return cid, uint32(pid), uint32(status)
+}
+
+func ExitAddFile(ns string, ef string, reason string) {
+ os.MkdirAll(filepath.Join(ExitDir, ns), 0700)
+ err := ioutil.WriteFile(filepath.Join(ExitDir, ns, ef), []byte{}, 0600)
+ logrus.Infof("exit-add %s/%s [reason: %s] error=%v", ns, ef, reason, err)
+}
+
+func ExitDelFile(ns string, ef string) {
+ err := os.RemoveAll(filepath.Join(ExitDir, ns, ef))
+ logrus.Infof("exit-del %s/%s error=%v", ns, ef, err)
+}
+
+func ExitGetFile(ns string, cid string, pid uint32, status uint32) string {
+ ef := ExitFile(cid, pid, status)
+ if _, err := os.Stat(filepath.Join(ExitDir, ns, ef)); err == nil {
+ return ef
+ }
+ return ""
+}
+
+func ExitGetFiles(ns string) []string {
+ files, err := ioutil.ReadDir(filepath.Join(ExitDir, ns))
+ if err != nil {
+ return []string{}
+ }
+
+ names := []string{}
+ for _, f := range files {
+ names = append(names, f.Name())
+ }
+
+ return names
+}
+
+func ExitPending(ns string, cid string, pid uint32) bool {
+ for _, ef := range ExitGetFiles(ns) {
+ if strings.Contains(ef, fmt.Sprintf("%s.%d", cid, pid)) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 477cda0..add4d52 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -31,6 +31,7 @@ import (
"github.com/containerd/containerd/api/types"
"github.com/containerd/containerd/containers"
"github.com/containerd/containerd/errdefs"
+ "github.com/containerd/containerd/events"
"github.com/containerd/containerd/events/exchange"
"github.com/containerd/containerd/identifiers"
"github.com/containerd/containerd/log"
@@ -129,6 +130,7 @@ func New(ic *plugin.InitContext) (interface{}, error) {
return nil, err
}
}
+ go r.resendExitEvents(ic.Context, "moby")
return r, nil
}
@@ -175,7 +177,8 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
}
defer func() {
if err != nil {
- bundle.Delete()
+ errd := bundle.Delete()
+ log.G(ctx).WithError(err).Errorf("revert: delete bundle error=%v", errd)
}
}()
@@ -218,9 +221,8 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
}
defer func() {
if err != nil {
- if kerr := s.KillShim(ctx); kerr != nil {
- log.G(ctx).WithError(err).Error("failed to kill shim")
- }
+ kerr := s.KillShim(ctx)
+ log.G(ctx).WithError(err).Errorf("revert: kill shim error=%v", kerr)
}
}()
@@ -305,6 +307,41 @@ func (r *Runtime) Get(ctx context.Context, id string) (runtime.Task, error) {
return r.tasks.Get(ctx, id)
}
+func (r *Runtime) resendExitEvents(ctx context.Context, ns string) {
+ for {
+ time.Sleep(time.Second)
+ efs := events.ExitGetFiles(ns)
+ if len(efs) == 0 {
+ break
+ }
+
+ if !exchange.MobySubscribed() {
+ logrus.Infof("waiting moby event stream ...")
+ continue
+ }
+ time.Sleep(time.Second)
+
+ for _, ef := range efs {
+ cid, pid, status := events.ExitInfo(ef)
+ if cid == "" {
+ continue
+ }
+
+ e := &eventstypes.TaskExit{
+ ContainerID: cid,
+ ID: cid,
+ ExitStatus: status,
+ ExitedAt: time.Now().UTC(),
+ Pid: uint32(pid),
+ }
+
+ ctx := namespaces.WithNamespace(context.Background(), ns)
+ err := r.events.Publish(ctx, runtime.TaskExitEventTopic, e)
+ logrus.Infof("resend exit event %v error=%v", e, err)
+ }
+ }
+}
+
func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
dir, err := ioutil.ReadDir(filepath.Join(r.state, ns))
if err != nil {
@@ -388,13 +425,16 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
log.G(ctx).WithError(err).Error("loading task type")
continue
}
- if pid == -1 {
- _, err := t.DeleteForce(ctx)
- log.G(ctx).Warnf("delete force %s Pid=-1 error=%v", id, err)
+ if pid <= 0 {
+ _, err := t.DeleteForce(ctx, 0)
+ log.G(ctx).Warnf("delete force %s Pid=%d error=%v", id, pid, err)
continue
}
if _, err := os.Stat(filepath.Join(bundle.path, proc.InitExit)); err == nil {
- _, err := t.DeleteForce(ctx)
+ if !events.ExitPending(ns, t.id, uint32(pid)) {
+ events.ExitAddFile(ns, events.ExitFile(t.id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
+ }
+ _, err := t.DeleteForce(ctx, uint32(pid))
log.G(ctx).Warnf("delete force %s Pid=%d(exiting) error=%v", id, pid, err)
continue
}
diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
index 6995156..b692ae7 100644
--- a/runtime/v1/linux/task.go
+++ b/runtime/v1/linux/task.go
@@ -88,7 +88,7 @@ func (t *Task) Namespace() string {
}
// Delete the task and return the exit status
-func (t *Task) delete(ctx context.Context, force bool) (*runtime.Exit, error) {
+func (t *Task) delete(ctx context.Context, force bool, pid uint32) (*runtime.Exit, error) {
rsp, err := t.shim.Delete(ctx, empty)
if err != nil {
log.G(ctx).WithError(err).Error("failed to delete container, force=%t", force)
@@ -108,7 +108,7 @@ func (t *Task) delete(ctx context.Context, force bool) (*runtime.Exit, error) {
rsp = &shim.DeleteResponse{}
rsp.ExitStatus = 128 + uint32(unix.SIGKILL)
rsp.ExitedAt = time.Now().UTC()
- rsp.Pid = 0
+ rsp.Pid = pid
}
t.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{
@@ -126,11 +126,11 @@ func (t *Task) delete(ctx context.Context, force bool) (*runtime.Exit, error) {
// Delete the task and return the exit status
func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
- return t.delete(ctx, false)
+ return t.delete(ctx, false, 0)
}
-func (t *Task) DeleteForce(ctx context.Context) (*runtime.Exit, error) {
- return t.delete(ctx, true)
+func (t *Task) DeleteForce(ctx context.Context, pid uint32) (*runtime.Exit, error) {
+ return t.delete(ctx, true, pid)
}
// Start the task
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 8c7984f..a2eb35b 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -505,6 +505,8 @@ func (s *Service) checkProcesses(e runc.Exit) {
for _, p := range s.processes {
if p.Pid() == e.Pid {
if ip, ok := p.(*proc.Init); ok {
+ ns := filepath.Base(filepath.Dir(ip.Bundle))
+ events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
ioutil.WriteFile(filepath.Join(ip.Bundle, proc.InitExit), []byte(fmt.Sprintf("%d", e.Pid)), 0600)
}
if shouldKillAll {
diff --git a/vendor/github.com/docker/go-events/queue.go b/vendor/github.com/docker/go-events/queue.go
index 4bb770a..0608e7e 100644
--- a/vendor/github.com/docker/go-events/queue.go
+++ b/vendor/github.com/docker/go-events/queue.go
@@ -5,12 +5,14 @@ import (
"sync"
"github.com/sirupsen/logrus"
+ topevents "github.com/containerd/containerd/events"
)
// Queue accepts all messages into a queue for asynchronous consumption
// by a sink. It is unbounded and thread safe but the sink must be reliable or
// events will be dropped.
type Queue struct {
+ Namespace string
dst Sink
events *list.List
cond *sync.Cond
@@ -83,6 +85,12 @@ func (eq *Queue) run() {
"event": event,
"sink": eq.dst,
}).WithError(err).Debug("eventqueue: dropped event")
+ } else {
+ if e, ok := event.(*topevents.Envelope); ok {
+ if ef := e.ExitFile(); ef != "" {
+ topevents.ExitDelFile(eq.Namespace, ef)
+ }
+ }
}
}
}
--
2.7.4.3

59
patch/0021-containerd-Update-the-version-info-of-contain.patch
View File

@ -1,59 +0,0 @@
From 818ef5fe43d3b9b4c53301800d545ce4c775afff Mon Sep 17 00:00:00 2001
From: lixiang172 <lixiang172@huawei.com>
Date: Tue, 12 Feb 2019 11:37:37 +0800
Subject: [PATCH 21/27] containerd: Update the version info of
containerd
reason: Update the version info after type "containerd -v"
The version info now is defined by "containerd.spec" rather than
"version.go"
Change-Id: I04c6b78737e09f93a3e84a100c88be19294a5c4f
Signed-off-by: lixiang172 <lixiang172@huawei.com>
---
Makefile | 8 ++++----
version/version.go | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 35021fd..e38dfb3 100644
--- a/Makefile
+++ b/Makefile
@@ -20,8 +20,8 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
DESTDIR=/usr/local
# Used to populate variables in version package.
-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
-REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
+VERSION=$(shell echo version:)$(shell grep '^Version' ${ROOTDIR}/hack/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/').$(shell grep '^Release:' ${ROOTDIR}/hack/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
+REVISION=$(shell echo commit:)$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
ifneq "$(strip $(shell command -v go 2>/dev/null))" ""
GOOS ?= $(shell go env GOOS)
@@ -77,8 +77,8 @@ MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5
# Build tags seccomp and apparmor are needed by CRI plugin.
BUILDTAGS ?= seccomp apparmor
GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
-SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) -extldflags "-static"'
+GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
diff --git a/version/version.go b/version/version.go
index b2874bf..04b7097 100644
--- a/version/version.go
+++ b/version/version.go
@@ -18,7 +18,7 @@ package version
var (
// Package is filled at linking time
- Package = "github.com/containerd/containerd"
+ Package = ""
// Version holds the complete version number. Filled in at linking time.
Version = "1.2.0+unknown"
--
2.7.4.3

29
patch/0022-containerd-bump-version-1.2.0.4.patch
View File

@ -1,29 +0,0 @@
From bea413085725db89439817284b63bb4061e62753 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 13 Feb 2019 22:03:08 +0800
Subject: [PATCH 22/27] containerd: bump version 1.2.0.4
reason: bump version
Change-Id: Iee2348e931a723929ccfe63b3539c812514acc90
Signed-off-by: jingrui <jingrui@huawei.com>
---
hack/containerd.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index 462d35e..f8d9084 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
--
2.7.4.3

218
patch/0023-containerd-set-create-and-exec-timeout.patch
View File

@ -1,218 +0,0 @@
From 006bc6d0a9e0c233d0d14de53de0b18799c67081 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni@huawei.com>
Date: Fri, 15 Feb 2019 06:00:52 +0800
Subject: [PATCH 23/27] containerd: set create and exec timeout
reason:set create and exec timeout to avild block when command failed
Change-Id: I6bc55f4ccc953bdc1d926ab940f0900811d68760
Signed-off-by: xiadanni <xiadanni@huawei.com>
---
hack/containerd.spec | 2 +-
runtime/v1/shim/reaper.go | 50 +++++++++++++++++++++++++
runtime/v2/shim/reaper_unix.go | 4 ++
vendor/github.com/containerd/go-runc/monitor.go | 6 +++
vendor/github.com/containerd/go-runc/runc.go | 31 +++++++++++++--
5 files changed, 88 insertions(+), 5 deletions(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index f8d9084..f39c57a 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index 10d5c30..a2b90fe 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -19,8 +19,13 @@
package shim
import (
+ "io/ioutil"
"os/exec"
+ "path/filepath"
+ "strconv"
+ "strings"
"sync"
+ "syscall"
"time"
"github.com/containerd/containerd/sys"
@@ -100,6 +105,34 @@ func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
return -1, ErrNoSuchProcess
}
+// WaitTimeout is used to skip the blocked command and kill the left process.
+func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, error) {
+ sch := make(chan int)
+ ech := make(chan error)
+ go func() {
+ for e := range ec {
+ if e.Pid == c.Process.Pid {
+ // make sure we flush all IO
+ c.Wait()
+ m.Unsubscribe(ec)
+ sch <- e.Status
+ return
+ }
+ }
+ }()
+ select {
+ case <-time.After(time.Duration(sec) * time.Second):
+ if SameProcess(c, c.Process.Pid) {
+ syscall.Kill(c.Process.Pid, syscall.SIGKILL)
+ }
+ return 0, errors.Errorf("timeout %ds for cmd(pid= %d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
+ case status := <-sch:
+ return status, nil
+ case err := <-ech:
+ return -1, err
+ }
+}
+
// Subscribe to process exit changes
func (m *Monitor) Subscribe() chan runc.Exit {
c := make(chan runc.Exit, bufferSize)
@@ -116,3 +149,20 @@ func (m *Monitor) Unsubscribe(c chan runc.Exit) {
close(c)
m.Unlock()
}
+
+func SameProcess(cmd *exec.Cmd, pid int) bool {
+ bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "cmdline"))
+ if err != nil {
+ return false
+ }
+ for i := range bytes {
+ if bytes[i] == 0 {
+ bytes[i] = 32
+ }
+ }
+ cmdline := string(bytes)
+ if strings.EqualFold(cmdline, strings.Join(cmd.Args, " ")+" ") {
+ return true
+ }
+ return false
+}
diff --git a/runtime/v2/shim/reaper_unix.go b/runtime/v2/shim/reaper_unix.go
index 10d5c30..8bd7dd1 100644
--- a/runtime/v2/shim/reaper_unix.go
+++ b/runtime/v2/shim/reaper_unix.go
@@ -100,6 +100,10 @@ func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
return -1, ErrNoSuchProcess
}
+func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, error) {
+ return m.Wait(c, ec)
+}
+
// Subscribe to process exit changes
func (m *Monitor) Subscribe() chan runc.Exit {
c := make(chan runc.Exit, bufferSize)
diff --git a/vendor/github.com/containerd/go-runc/monitor.go b/vendor/github.com/containerd/go-runc/monitor.go
index ff06a3f..2c184d2 100644
--- a/vendor/github.com/containerd/go-runc/monitor.go
+++ b/vendor/github.com/containerd/go-runc/monitor.go
@@ -40,6 +40,7 @@ type Exit struct {
type ProcessMonitor interface {
Start(*exec.Cmd) (chan Exit, error)
Wait(*exec.Cmd, chan Exit) (int, error)
+ WaitTimeout(*exec.Cmd, chan Exit, int64) (int, error)
}
type defaultMonitor struct {
@@ -74,3 +75,8 @@ func (m *defaultMonitor) Wait(c *exec.Cmd, ec chan Exit) (int, error) {
e := <-ec
return e.Status, nil
}
+
+func (m *defaultMonitor) WaitTimeout(c *exec.Cmd, ec chan Exit, sec int64) (int, error) {
+ e := <-ec
+ return e.Status, nil
+}
\ No newline at end of file
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index e688881..fc64e8a 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -52,6 +52,8 @@ const (
Text Format = "text"
// DefaultCommand is the default command for Runc
DefaultCommand = "runc"
+ execTimeout = 30
+ createTimeout = 120
)
// Runc is the client to the runc cli
@@ -155,7 +157,7 @@ func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOp
cmd.ExtraFiles = opts.ExtraFiles
if cmd.Stdout == nil && cmd.Stderr == nil {
- data, err := cmdOutput(cmd, true)
+ data, err := cmdOutputTimeout(cmd, true, createTimeout)
if err != nil {
return fmt.Errorf("%s: %s", err, data)
}
@@ -172,7 +174,7 @@ func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOp
}
}
}
- status, err := Monitor.Wait(cmd, ec)
+ status, err := Monitor.WaitTimeout(cmd, ec, createTimeout)
if err == nil && status != 0 {
err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
}
@@ -234,7 +236,7 @@ func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts
opts.Set(cmd)
}
if cmd.Stdout == nil && cmd.Stderr == nil {
- data, err := cmdOutput(cmd, true)
+ data, err := cmdOutputTimeout(cmd, true, execTimeout)
if err != nil {
return fmt.Errorf("%s: %s", err, data)
}
@@ -251,7 +253,7 @@ func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts
}
}
}
- status, err := Monitor.Wait(cmd, ec)
+ status, err := Monitor.WaitTimeout(cmd, ec, execTimeout)
if err == nil && status != 0 {
err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
}
@@ -707,3 +709,24 @@ func cmdOutput(cmd *exec.Cmd, combined bool) ([]byte, error) {
return b.Bytes(), err
}
+
+func cmdOutputTimeout(cmd *exec.Cmd, combined bool, timeout int64) ([]byte, error) {
+ b := getBuf()
+ defer putBuf(b)
+
+ cmd.Stdout = b
+ if combined {
+ cmd.Stderr = b
+ }
+ ec, err := Monitor.Start(cmd)
+ if err != nil {
+ return nil, err
+ }
+
+ status, err := Monitor.WaitTimeout(cmd, ec, timeout)
+ if err == nil && status != 0 {
+ err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+ }
+
+ return b.Bytes(), err
+}
--
2.7.4.3

54
patch/0024-create-cleanup-runc-dirty-files-on-start.patch
View File

@ -1,54 +0,0 @@
From f96039fcd94c5bc75dcec297668418811d60e785 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Tue, 19 Feb 2019 11:53:41 +0800
Subject: [PATCH 24/27] create: cleanup runc dirty files on start
reason: add check before cleanup runtime dirty files.
Change-Id: I6f218fd8d19ed65d8b13ae1ea744b80574279f83
Signed-off-by: jingrui <jingrui@huawei.com>
---
hack/containerd.spec | 2 +-
vendor/github.com/containerd/go-runc/runc.go | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index f39c57a..869012a 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index fc64e8a..e66ea5b 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -30,6 +30,7 @@ import (
"strings"
"syscall"
"time"
+ "github.com/sirupsen/logrus"
specs "github.com/opencontainers/runtime-spec/specs-go"
)
@@ -140,7 +141,10 @@ func (o *CreateOpts) args() (out []string, err error) {
// Create creates a new container and returns its pid if it was created successfully
func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOpts) error {
- r.Delete(context, id, &DeleteOpts{Force: true})
+ if _, err := os.Stat(filepath.Join(r.Root, id)); err == nil {
+ logrus.Warnf("cleanup residue runtime with bundle %s root=%s", bundle, r.Root)
+ r.Delete(context, id, &DeleteOpts{Force: true})
+ }
args := []string{"create", "--bundle", bundle}
if opts != nil {
--
2.7.4.3

74
patch/0025-restore-skip-load-task-in-creating.patch
View File

@ -1,74 +0,0 @@
From 869ceecb455640da5e90f7827f75275665e93e95 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 23 Feb 2019 15:51:24 +0800
Subject: [PATCH 25/27] restore: skip load task in creating
load task in creating will stuck containerd restore process.
Change-Id: I2f8b77a88d78597ef2be5122708fc8ab16fad956
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/linux/runtime.go | 5 ++---
runtime/v1/shim/service.go | 6 ++++++
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index add4d52..5647f94 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -353,7 +353,6 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
continue
}
id := path.Name()
- log.G(ctx).Infof("load-task %s", id)
bundle := loadBundle(
id,
filepath.Join(r.state, ns, id),
@@ -361,6 +360,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
)
ctx = namespaces.WithNamespace(ctx, ns)
pid, _ := runc.ReadPidFile(filepath.Join(bundle.path, proc.InitPidFile))
+ log.G(ctx).Infof("load-task %s/%s/%s Pid=%d", r.state, ns, id, pid)
s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
if err != nil {
@@ -426,8 +426,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
continue
}
if pid <= 0 {
- _, err := t.DeleteForce(ctx, 0)
- log.G(ctx).Warnf("delete force %s Pid=%d error=%v", id, pid, err)
+ log.G(ctx).Warnf("skip load task in creating %s", id)
continue
}
if _, err := os.Stat(filepath.Join(bundle.path, proc.InitExit)); err == nil {
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index a2eb35b..d7fdcaf 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -26,6 +26,7 @@ import (
"os"
"path/filepath"
"sync"
+ "time"
"github.com/containerd/console"
eventstypes "github.com/containerd/containerd/api/events"
@@ -140,9 +141,14 @@ func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *
rootfs := filepath.Join(r.Bundle, "rootfs")
defer func() {
if err != nil {
+ logrus.Errorf("create init %s failed error=%v", r.ID, err)
if err2 := mount.UnmountAll(rootfs, 0); err2 != nil {
log.G(ctx).WithError(err2).Warn("Failed to cleanup rootfs mount")
}
+ go func() {
+ time.Sleep(10*time.Second)
+ os.Exit(0)
+ }()
}
}()
for _, rm := range mounts {
--
2.7.4.3

96
patch/0026-exit-optimize-init.exit-record.patch
View File

@ -1,96 +0,0 @@
From c26316153098e72a9b30668befc36fcfcba3b76f Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 23 Feb 2019 15:55:21 +0800
Subject: [PATCH 26/27] exit: optimize init.exit record
Change-Id: If1319f7d87defed16d1113337957f36b7320e9b9
Signed-off-by: jingrui <jingrui@huawei.com>
---
events/exit.go | 21 +++++++++++++++++++++
runtime/v1/linux/proc/init.go | 1 -
runtime/v1/linux/runtime.go | 2 +-
runtime/v1/shim/service.go | 2 +-
4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/events/exit.go b/events/exit.go
index e1ce089..772dc24 100644
--- a/events/exit.go
+++ b/events/exit.go
@@ -7,11 +7,13 @@ import (
"path/filepath"
"strconv"
"strings"
+
"github.com/sirupsen/logrus"
)
const ExitDir = "/var/run/docker/containerd/exit"
const ExitStatusDefault = 137
+const InitExit = "init.exit"
func ExitFile(cid string, pid uint32, status uint32) string {
return fmt.Sprintf("%s.%d.%d", cid, pid, status)
@@ -77,3 +79,22 @@ func ExitPending(ns string, cid string, pid uint32) bool {
}
return false
}
+
+func InitExitWrite(bundle string, pid int) {
+ if _, err := os.Stat(bundle); err != nil {
+ logrus.Infof("skip write init.exit %s error=%v", bundle, err)
+ return
+ }
+ err := ioutil.WriteFile(filepath.Join(bundle, InitExit), []byte(fmt.Sprintf("%d", pid)), 0600)
+ if err != nil {
+ logrus.Infof("failed write init.exit error=%s", bundle, err)
+ }
+}
+
+func InitExitExist(bundle string) bool {
+ if _, err := os.Stat(filepath.Join(bundle, InitExit)); err == nil {
+ return true
+ }
+ return false
+}
+
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index caa31c3..5b23671 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -43,7 +43,6 @@ import (
// InitPidFile name of the file that contains the init pid
const InitPidFile = "init.pid"
-const InitExit = "init.exit"
// Init represents an initial process for a container
type Init struct {
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 5647f94..e92904e 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -429,7 +429,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
log.G(ctx).Warnf("skip load task in creating %s", id)
continue
}
- if _, err := os.Stat(filepath.Join(bundle.path, proc.InitExit)); err == nil {
+ if events.InitExitExist(bundle.path) {
if !events.ExitPending(ns, t.id, uint32(pid)) {
events.ExitAddFile(ns, events.ExitFile(t.id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
}
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index d7fdcaf..f421fde 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -513,7 +513,7 @@ func (s *Service) checkProcesses(e runc.Exit) {
if ip, ok := p.(*proc.Init); ok {
ns := filepath.Base(filepath.Dir(ip.Bundle))
events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
- ioutil.WriteFile(filepath.Join(ip.Bundle, proc.InitExit), []byte(fmt.Sprintf("%d", e.Pid)), 0600)
+ events.InitExitWrite(ip.Bundle, e.Pid)
}
if shouldKillAll {
if ip, ok := p.(*proc.Init); ok {
--
2.7.4.3

48
patch/0027-log-make-tester-happy.patch
View File

@ -1,48 +0,0 @@
From a275b359b2e85d8f353eab12d538a94609171918 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 23 Feb 2019 18:32:00 +0800
Subject: [PATCH 27/27] log: make tester happy
reason: make tester happy
+ check_docker_error /tmp/tmp_11955/log2 b3357887148bc59212d30dba46d3eea9490cfe94594fa00aa7706c7addb92d91
+ grep docker /tmp/tmp_11955/log2
+ grep error
+ grep b3357887148bc59212d30dba46d3eea9490cfe94594fa00aa7706c7addb92d91
+ grep -w 'container did not start before the specified timeout'
Change-Id: Iddd40bd42212bf09f52c17f28119a6b5364f4de7
Signed-off-by: jingrui <jingrui@huawei.com>
---
hack/containerd.spec | 2 +-
runtime/v1/shim/reaper.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hack/containerd.spec b/hack/containerd.spec
index 869012a..05f68c7 100644
--- a/hack/containerd.spec
+++ b/hack/containerd.spec
@@ -3,7 +3,7 @@
Version: 1.2.0
Name: containerd
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: An industry-standard container runtime
License: ASL 2.0
URL: https://containerd.io
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index a2b90fe..529a533 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -125,7 +125,7 @@ func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, e
if SameProcess(c, c.Process.Pid) {
syscall.Kill(c.Process.Pid, syscall.SIGKILL)
}
- return 0, errors.Errorf("timeout %ds for cmd(pid= %d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
+ return 0, errors.Errorf("container did not start before the specified timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
case status := <-sch:
return status, nil
case err := <-ech:
--
2.7.4.3

33
patch/0028-restore-delete-task-in-containerd-restoring.patch
View File

@ -1,33 +0,0 @@
From 1130a0bc101c3f59c99eb850b24d0799c216d677 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 22 Mar 2019 21:22:08 +0800
Subject: [PATCH] restore: delete task in containerd restoring
reason: delete task quickly when containerd is restoring to avoid container restart fail.
Change-Id: Ide5e8c9bbd873addc6c35b9604e4cda03ca78b5e
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/runtime.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index e92904e..2a45aaa 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -426,7 +426,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
continue
}
if pid <= 0 {
- log.G(ctx).Warnf("skip load task in creating %s", id)
+ go func() {
+ log.G(ctx).Infof("del task in creating %s", id)
+ t.DeleteForce(ctx, uint32(pid))
+ log.G(ctx).Infof("del task in creating %s done", id)
+ }()
continue
}
if events.InitExitExist(bundle.path) {
--
1.8.3.1

35
patch/0029-restore-delete-task-asynchronously.patch
View File

@ -1,35 +0,0 @@
From de14f9d00033a9596823e0ea953437f5f244cb74 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Sat, 23 Mar 2019 07:18:57 +0800
Subject: [PATCH] restore: delete task asynchronously
reason: set delete task to asynchronous to avoid containerd be killed when delete is blocking.
testCE_docker_hook_spec_ABN.059.sh
Change-Id: I5fae8e60987b9617a835ea07710ca3c842efab14
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/runtime.go | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 2a45aaa..cca72fe 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -437,8 +437,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
if !events.ExitPending(ns, t.id, uint32(pid)) {
events.ExitAddFile(ns, events.ExitFile(t.id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
}
- _, err := t.DeleteForce(ctx, uint32(pid))
- log.G(ctx).Warnf("delete force %s Pid=%d(exiting) error=%v", id, pid, err)
+ go func(){
+ log.G(ctx).Infof("delete force %s start, Pid=%d(exiting)", id, pid)
+ _, err := t.DeleteForce(ctx, uint32(pid))
+ log.G(ctx).Infof("delete force %s done, Pid=%d(exiting) error=%v", id, pid, err)
+ }()
continue
}
log.G(ctx).Infof("load-task %s Pid=%d done", id, pid)
--
1.8.3.1

45
patch/0030-event-fix-events-lost-when-loadTask-failed.patch
View File

@ -1,45 +0,0 @@
From 375689497320d105aa2ed026710e20d9b0bd2a72 Mon Sep 17 00:00:00 2001
From: jiangpengfei9 <jiangpengfei9@huawei.com>
Date: Mon, 1 Apr 2019 13:08:50 -0400
Subject: [PATCH] event: fix events lost when loadTask failed
reason: If containerd-shim and containerd process is killed, container will exit,
however containerd exit event which generates when containerd restart to reload
tasks can not publish to dockerd, because at the time of loading tasks the connection
between dockerd and containerd isn't established.
So we add this unpublish exit event to file and resend this event after grpc connection
is established.
Signed-off-by: jiangpengfei9 <jiangpengfei9@huawei.com>
---
runtime/v1/linux/runtime.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index cca72fe..af823b2 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -373,6 +373,9 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
"id": id,
"namespace": ns,
}).Error("connecting to shim")
+ if !events.ExitPending(ns, id, uint32(pid)) {
+ events.ExitAddFile(ns, events.ExitFile(id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
+ }
err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
if err != nil {
log.G(ctx).WithError(err).WithField("bundle", bundle.path).
@@ -388,6 +391,9 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
"id": id,
"namespace": ns,
}).Error("contacting to shim")
+ if !events.ExitPending(ns, id, uint32(pid)) {
+ events.ExitAddFile(ns, events.ExitFile(id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
+ }
err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
if err != nil {
log.G(ctx).WithError(err).WithField("bundle", bundle.path).
--
1.8.3.1

28
patch/0031-containerd-enable-relro-flags.patch
View File

@ -1,28 +0,0 @@
From 2db6e4cda2e042fab327493c0fa095723d7c0352 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Mon, 15 Apr 2019 10:58:07 +0800
Subject: [PATCH] containerd: enable relro flags
Change-Id: I5f32e7bf794842a14e1644f7aa3115a65b1bc698
Signed-off-by: jingrui <jingrui@huawei.com>
---
Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index e38dfb38..921b2d50 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,8 @@ MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5
# Build tags seccomp and apparmor are needed by CRI plugin.
BUILDTAGS ?= seccomp apparmor
GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)' \
+ -ldflags=-extldflags=-zrelro -ldflags=-extldflags=-znow
SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
--
2.17.1

45
patch/0032-containerd-enable-bep-ldflags.patch
View File

@ -1,45 +0,0 @@
From da6ea77f9f47c740fe85e7e4d34889e131135b81 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Mon, 15 Apr 2019 23:44:55 +0800
Subject: [PATCH] containerd: enable bep ldflags
Change-Id: I820b100aa1420fc399878a905de14fb6a25ca1a4
Signed-off-by: jingrui <jingrui@huawei.com>
---
Makefile | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 921b2d50..612330b4 100644
--- a/Makefile
+++ b/Makefile
@@ -77,9 +77,12 @@ MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5
# Build tags seccomp and apparmor are needed by CRI plugin.
BUILDTAGS ?= seccomp apparmor
GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)' \
- -ldflags=-extldflags=-zrelro -ldflags=-extldflags=-znow
-SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
+
+BEP_DIR=/tmp/containerd-build-bep
+BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
+
+GO_LDFLAGS=-ldflags '-s -w -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+SHIM_GO_LDFLAGS=-ldflags '-s -w $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
@@ -166,8 +169,9 @@ FORCE:
# Build a binary from a cmd.
bin/%: cmd/% FORCE
+ mkdir -p $(BEP_DIR)
@echo "$(WHALE) $@${BINARY_SUFFIX}"
- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
+ go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim"
--
2.17.1

28
patch/0033-containerd-fix-opened-file-not-close.patch
View File

@ -1,28 +0,0 @@
From b5806942e2938d4800298df276f1a095b859bacb Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 19 Apr 2019 22:05:18 +0800
Subject: [PATCH] containerd: fix opened file not close
reason: fix opened file not close
Change-Id: I69f53255eabd3dd2e87a61ba963fa8027870e014
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/proc/utils.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/runtime/v1/linux/proc/utils.go b/runtime/v1/linux/proc/utils.go
index 3d0334c..ab9f5fa 100644
--- a/runtime/v1/linux/proc/utils.go
+++ b/runtime/v1/linux/proc/utils.go
@@ -41,6 +41,7 @@ func getLastRuntimeError(r *runc.Runc) (string, error) {
if err != nil {
return "", err
}
+ defer f.Close()
var (
errMsg string
--
1.8.3.1

28
patch/0034-containerd-add-buildid-in-Makefile.patch
View File

@ -1,28 +0,0 @@
From e61f2c1664c91b5c8a8cb48641002c7c471c1d45 Mon Sep 17 00:00:00 2001
From: zhangyu235 <zhangyu235@huawei.com>
Date: Tue, 23 Apr 2019 12:24:50 +0800
Subject: [PATCH] containerd: add buildid in Makefile
Change-Id: I1c2ff035db2a02d125139b9ff170f91e81181541
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 612330b..a400899 100644
--- a/Makefile
+++ b/Makefile
@@ -81,8 +81,8 @@ GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
BEP_DIR=/tmp/containerd-build-bep
BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
-GO_LDFLAGS=-ldflags '-s -w -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
-SHIM_GO_LDFLAGS=-ldflags '-s -w $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
+GO_LDFLAGS=-ldflags '-s -w -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+SHIM_GO_LDFLAGS=-ldflags '-s -w -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
--
2.7.4.3

82
patch/0035-containerd-fix-the-path-of-containerd.spec-in.patch
View File

@ -1,82 +0,0 @@
From 8f97c7a7353c05a8b64ef9ee522ee62fba66a608 Mon Sep 17 00:00:00 2001
From: zhangyu235 <zhangyu235@huawei.com>
Date: Sun, 5 May 2019 19:50:56 +0800
Subject: [PATCH] containerd: fix the path of containerd.spec in
Makefile
Change-Id: I4ec87e5ddf256574513f977e53e4bdf050e0169c
Signed-off-by: zhangyu235 <zhangyu235@huawei.com>
---
Makefile | 2 +-
hack/containerd.spec | 46 ----------------------------------------------
2 files changed, 1 insertion(+), 47 deletions(-)
delete mode 100644 hack/containerd.spec
diff --git a/Makefile b/Makefile
index a400899..5de5cf7 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
DESTDIR=/usr/local
# Used to populate variables in version package.
-VERSION=$(shell echo version:)$(shell grep '^Version' ${ROOTDIR}/hack/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/').$(shell grep '^Release:' ${ROOTDIR}/hack/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
+VERSION=$(shell echo version:)$(shell grep '^Version' ${ROOTDIR}/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/').$(shell grep '^Release:' ${ROOTDIR}/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
REVISION=$(shell echo commit:)$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
ifneq "$(strip $(shell command -v go 2>/dev/null))" ""
diff --git a/hack/containerd.spec b/hack/containerd.spec
deleted file mode 100644
index 05f68c7..0000000
--- a/hack/containerd.spec
+++ /dev/null
@@ -1,46 +0,0 @@
-%global goipath github.com/containerd/containerd
-%global debug_package %{nil}
-Version: 1.2.0
-
-Name: containerd
-Release: 7%{?dist}
-Summary: An industry-standard container runtime
-License: ASL 2.0
-URL: https://containerd.io
-Source0: containerd-1.2.0.tar.gz
-
-BuildRequires: golang glibc-static make
-BuildRequires: btrfs-progs-devel
-
-
-%description
-containerd is an industry-standard container runtime with an emphasis on
-simplicity, robustness and portability. It is available as a daemon for Linux
-and Windows, which can manage the complete container lifecycle of its host
-system: image transfer and storage, container execution and supervision,
-low-level storage and network attachments, etc.
-
-
-%prep
-%setup -c -n containerd
-
-%build
-GO_BUILD_PATH=$PWD/_build
-install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath})
-ln -fs $PWD $GO_BUILD_PATH/src/%{goipath}
-cd $GO_BUILD_PATH/src/%{goipath}
-export GOPATH=$GO_BUILD_PATH:%{gopath}
-export BUILDTAGS="no_btrfs no_cri"
-make
-
-%install
-install -d $RPM_BUILD_ROOT/%{_bindir}
-install -p -m 755 bin/containerd $RPM_BUILD_ROOT/%{_bindir}/containerd
-install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
-
-%files
-%{_bindir}/containerd
-%{_bindir}/containerd-shim
-
-
-%changelog
--
2.7.4.3

69
patch/0036-containerd-support-container-start-timeout-se.patch
View File

@ -1,69 +0,0 @@
From 1980e34108cf2fab407c4e0b45cb07fc06e15642 Mon Sep 17 00:00:00 2001
From: lixiang172 <lixiang172@huawei.com>
Date: Thu, 9 May 2019 21:36:56 +0800
Subject: [PATCH] containerd: support container start timeout setting
Change-Id: I8c958a1c16ed6c7a86e4c6299ad1ef81c7476120
Signed-off-by: lixiang172 <lixiang172@huawei.com>
---
vendor/github.com/containerd/go-runc/runc.go | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index e66ea5b..6323bf2 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -30,9 +30,9 @@ import (
"strings"
"syscall"
"time"
- "github.com/sirupsen/logrus"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/sirupsen/logrus"
)
// Format is the type of log formatting options avaliable
@@ -54,7 +54,10 @@ const (
// DefaultCommand is the default command for Runc
DefaultCommand = "runc"
execTimeout = 30
- createTimeout = 120
+)
+
+var (
+ createTimeout int64 = 120
)
// Runc is the client to the runc cli
@@ -72,6 +75,15 @@ type Runc struct {
Rootless *bool // nil stands for "auto"
}
+func init() {
+ runtimeTimeout, err := convertTime(os.Getenv("DOCKER_RUNTIME_START_TIMEOUT"))
+ if err != nil {
+ logrus.Warnf("init error, wrong runtimeTimeout format: %v", err)
+ } else {
+ createTimeout = runtimeTimeout
+ }
+}
+
// List returns all containers created inside the provided runc root directory
func (r *Runc) List(context context.Context) ([]*Container, error) {
data, err := cmdOutput(r.command(context, "list", "--format=json"), false)
@@ -734,3 +746,11 @@ func cmdOutputTimeout(cmd *exec.Cmd, combined bool, timeout int64) ([]byte, erro
return b.Bytes(), err
}
+
+func convertTime(timeout string) (int64, error) {
+ timeDura, err := time.ParseDuration(timeout)
+ if err != nil {
+ return 0, err
+ }
+ return timeDura.Nanoseconds() / 1e9, nil
+}
--
1.8.3.1

55
patch/0037-containerd-Fix-fd-leak-of-shim-log.patch
View File

@ -1,55 +0,0 @@
From 26c6307f1cab31105583ef22c2da8fe44a8d45e4 Mon Sep 17 00:00:00 2001
From: zhangyu235 <zhangyu235@huawei.com>
Date: Fri, 17 May 2019 16:52:06 +0800
Subject: [PATCH] containerd: Fix fd leak of shim log
reason:Open shim v2 log with the flag `O_RDWR` will cause the `Read()` block
forever even if the pipe has been closed on the shim side. Then the
`io.Copy()` would never return and lead to a fd leak.
Fix typo when closing shim v1 log which causes the `stdouLog` leak.
Update `numPipes` function in test case to get the opened FIFO
correctly.
Cherry-pick from upstream cf6e00854
Reference from https://github.com/containerd/containerd/pull/3266
Change-Id: If83a4ca9b9ec0079ac0f0015d1f6768581571030
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
Signed-off-by: zhangyu235 <zhangyu235@huawei.com>
---
container_linux_test.go | 2 +-
runtime/v1/shim/client/client.go | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/container_linux_test.go b/container_linux_test.go
index fa764d7..fdf6349 100644
--- a/container_linux_test.go
+++ b/container_linux_test.go
@@ -329,7 +329,7 @@ func TestShimDoesNotLeakPipes(t *testing.T) {
}
func numPipes(pid int) (int, error) {
- cmd := exec.Command("sh", "-c", fmt.Sprintf("lsof -p %d | grep pipe", pid))
+ cmd := exec.Command("sh", "-c", fmt.Sprintf("lsof -p %d | grep FIFO", pid))
var stdout bytes.Buffer
cmd.Stdout = &stdout
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index ef74030..a819be6 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -96,9 +96,9 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
cmd.Wait()
exitHandler()
if stdoutLog != nil {
- stderrLog.Close()
+ stdoutLog.Close()
}
- if stdoutLog != nil {
+ if stderrLog != nil {
stderrLog.Close()
}
}()
--
2.7.4.3

59
patch/0037-containerd-fix-shim-std-logs-not-close-after-.patch
View File

@ -1,59 +0,0 @@
From d13733a390a987006bd5febb7d28a2d1c7873af2 Mon Sep 17 00:00:00 2001
From: zhangyu235 <zhangyu235@huawei.com>
Date: Thu, 30 May 2019 09:27:00 +0800
Subject: [PATCH] containerd: fix shim std logs not close after shim
exit
reason:fix shim std logs not close after shim exit
Change-Id: I980fb17b1d46de099b81529ea46681cf9f4bf09c
Signed-off-by: zhangyu235 <zhangyu235@huawei.com>
---
runtime/v1/linux/runtime.go | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index af823b2..66914fe 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -361,7 +361,9 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
ctx = namespaces.WithNamespace(ctx, ns)
pid, _ := runc.ReadPidFile(filepath.Join(bundle.path, proc.InitPidFile))
log.G(ctx).Infof("load-task %s/%s/%s Pid=%d", r.state, ns, id, pid)
+ shimExit := make(chan struct{})
s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
+ close(shimExit)
err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
if err != nil {
log.G(ctx).WithError(err).WithField("bundle", bundle.path).
@@ -426,6 +428,18 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
}
go io.Copy(os.Stderr, shimStderrLog)
+ go func() {
+ select {
+ case <-shimExit:
+ if shimStdoutLog != nil {
+ shimStdoutLog.Close()
+ }
+ if shimStderrLog != nil {
+ shimStderrLog.Close()
+ }
+ }
+ }()
+
t, err := newTask(id, ns, pid, s, r.events, r.tasks, bundle)
if err != nil {
log.G(ctx).WithError(err).Error("loading task type")
@@ -443,7 +457,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
if !events.ExitPending(ns, t.id, uint32(pid)) {
events.ExitAddFile(ns, events.ExitFile(t.id, uint32(pid), uint32(events.ExitStatusDefault)), "cleanup dirty task")
}
- go func(){
+ go func() {
log.G(ctx).Infof("delete force %s start, Pid=%d(exiting)", id, pid)
_, err := t.DeleteForce(ctx, uint32(pid))
log.G(ctx).Infof("delete force %s done, Pid=%d(exiting) error=%v", id, pid, err)
--
2.7.4.3

89
patch/0038-containerd-add-timeout-for-I-O-waitgroups.patch
View File

@ -1,89 +0,0 @@
From d886f6c03cca051b45fd77cc77d0cc870aed1aed Mon Sep 17 00:00:00 2001
From: build <build@obs.com>
Date: Wed, 4 Sep 2019 05:21:06 -0400
Subject: [PATCH] containerd: add timeout for I/O waitgroups
reason: This and a combination of a couple Docker changes are needed to fully
resolve the issue on the Docker side. However, this ensures that after
processes exit, we still leave some time for the I/O to fully flush
before closing. Without this timeout, the delete methods would block
forever.
Cherry-pick from upstream 245052243d
Reference from https://github.com/containerd/containerd/pull/3361
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---
runtime/v1/linux/proc/exec.go | 2 +-
runtime/v1/linux/proc/init.go | 2 +-
runtime/v1/linux/proc/utils.go | 20 ++++++++++++++++++++
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/runtime/v1/linux/proc/exec.go b/runtime/v1/linux/proc/exec.go
index 715a977..08c581f 100644
--- a/runtime/v1/linux/proc/exec.go
+++ b/runtime/v1/linux/proc/exec.go
@@ -94,7 +94,7 @@ func (e *execProcess) setExited(status int) {
}
func (e *execProcess) delete(ctx context.Context) error {
- e.wg.Wait()
+ waitTimeout(ctx, &e.wg, 2*time.Second)
if e.io != nil {
for _, c := range e.closers {
c.Close()
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index 44d3f58..49fa8ec 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -263,7 +263,7 @@ func (p *Init) setExited(status int) {
}
func (p *Init) delete(context context.Context) error {
- p.wg.Wait()
+ waitTimeout(context, &p.wg, 2*time.Second)
err := p.runtime.Delete(context, p.id, nil)
// ignore errors if a runtime has already deleted the process
// but we still hold metadata and pipes
diff --git a/runtime/v1/linux/proc/utils.go b/runtime/v1/linux/proc/utils.go
index ab9f5fa..d6f047c 100644
--- a/runtime/v1/linux/proc/utils.go
+++ b/runtime/v1/linux/proc/utils.go
@@ -19,10 +19,12 @@
package proc
import (
+ "context"
"encoding/json"
"io"
"os"
"strings"
+ "sync"
"time"
"github.com/containerd/containerd/errdefs"
@@ -103,3 +105,21 @@ func checkKillError(err error) error {
func hasNoIO(r *CreateConfig) bool {
return r.Stdin == "" && r.Stdout == "" && r.Stderr == ""
}
+
+// waitTimeout handles waiting on a waitgroup with a specified timeout.
+// this is commonly used for waiting on IO to finish after a process has exited
+func waitTimeout(ctx context.Context, wg *sync.WaitGroup, timeout time.Duration) error {
+ ctx, cancel := context.WithTimeout(ctx, timeout)
+ defer cancel()
+ done := make(chan struct{}, 1)
+ go func() {
+ wg.Wait()
+ close(done)
+ }()
+ select {
+ case <-done:
+ return nil
+ case <-ctx.Done():
+ return ctx.Err()
+ }
+}
--
2.20.1

65
patch/0038-containerd-support-kill-D-state-container.patch
View File

@ -1,65 +0,0 @@
From 8ab02b5aecb0fa04ad747988d838e1c4de535222 Mon Sep 17 00:00:00 2001
From: Jing Rui <jingrui@huawei.com>
Date: Tue, 18 Jun 2019 00:12:41 +0800
Subject: [PATCH] containerd: support kill D state container
Change-Id: I057553f2b8d3f57b71e5ea79930067bb7071e524
Signed-off-by: Jing Rui <jingrui@huawei.com>
---
runtime/v1/shim/service.go | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index f421fdef..8adaf35b 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -26,6 +26,7 @@ import (
"os"
"path/filepath"
"sync"
+ "syscall"
"time"
"github.com/containerd/console"
@@ -366,11 +367,30 @@ func (s *Service) Resume(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, e
// Kill a process with the provided signal
func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Empty, error) {
+ delayKill := func(p rproc.Process) {
+ if s.id != p.ID() || r.Signal != uint32(syscall.SIGKILL) {
+ return
+ }
+
+ for i := 1; i < 5; i++ {
+ time.Sleep(10 * time.Second)
+ err := p.Kill(ctx, r.Signal, r.All)
+ logrus.Infof("delay kill %s retry %d error=%v", s.id, i, err)
+ }
+
+ logrus.Infof("force exit shim %s ...", s.id)
+ p.SetExited(137)
+ err := p.Delete(ctx)
+ logrus.Infof("force exit shim %s error=%v", s.id, err)
+ os.Exit(0)
+ }
+
if r.ID == "" {
p, err := s.getInitProcess()
if err != nil {
return nil, err
}
+ go delayKill(p)
if err := p.Kill(ctx, r.Signal, r.All); err != nil {
return nil, errdefs.ToGRPC(err)
}
@@ -381,6 +401,7 @@ func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Emp
if err != nil {
return nil, err
}
+ go delayKill(p)
if err := p.Kill(ctx, r.Signal, r.All); err != nil {
return nil, errdefs.ToGRPC(err)
}
--
2.17.1

43
patch/0039-containerd-fix-shouldKillAllOnExit-check.patch
View File

@ -1,43 +0,0 @@
From 7741b1a960799b1724e92d23c6b2d9473ca71fee Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Thu, 31 Oct 2019 23:25:40 -0400
Subject: [PATCH] containerd: fix shouldKillAllOnExit check
reason: fix shouldKillAllOnExit check
v1 https://github.com/containerd/containerd/commit/fa5f744a790356472d4649b9ad1d955e36d0c7c0
v2 https://github.com/containerd/containerd/commit/872296642ac395acbc4344f529fcf4c6fddb5de2
Signed-off-by: Lifubang <lifubang@acmcoder.com>
---
runtime/v1/shim/service.go | 2 +-
runtime/v2/runc/service.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index ac545ea..88f7e0d 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -578,7 +578,7 @@ func shouldKillAllOnExit(bundlePath string) (bool, error) {
if bundleSpec.Linux != nil {
for _, ns := range bundleSpec.Linux.Namespaces {
- if ns.Type == specs.PIDNamespace {
+ if ns.Type == specs.PIDNamespace && ns.Path == "" {
return false, nil
}
}
diff --git a/runtime/v2/runc/service.go b/runtime/v2/runc/service.go
index e37fb29..82beb8d 100644
--- a/runtime/v2/runc/service.go
+++ b/runtime/v2/runc/service.go
@@ -680,7 +680,7 @@ func shouldKillAllOnExit(bundlePath string) (bool, error) {
if bundleSpec.Linux != nil {
for _, ns := range bundleSpec.Linux.Namespaces {
- if ns.Type == specs.PIDNamespace {
+ if ns.Type == specs.PIDNamespace && ns.Path == "" {
return false, nil
}
}
--
2.20.1

51
patch/0039-containerd-modify-containerd-shim-to-ad.patch
View File

@ -1,51 +0,0 @@
From 5eef82c3c41eabb532cd7520acf7e8587b76d8b5 Mon Sep 17 00:00:00 2001
From: jiangpengfei <jiangpengfei9@huawei.com>
Date: Wed, 10 Jul 2019 15:07:46 -0400
Subject: [PATCH] containerd: modify containerd-shim to adapt runv
runtime
reason: containerd-shim pass a too long runtime root path to runv runtime, which cause hyperstartgrpc.sock
file absolute path exceed the max length of Unix Socket(max length is 108).
Signed-off-by: jiangpengfei <jiangpengfei9@huawei.com>
---
runtime/v1/linux/proc/init.go | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index 5b23671..d464147 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -44,6 +44,9 @@ import (
// InitPidFile name of the file that contains the init pid
const InitPidFile = "init.pid"
+// Default runv runtime root dir
+const defaultRunvRoot = "/run/runv"
+
// Init represents an initial process for a container
type Init struct {
wg sync.WaitGroup
@@ -83,12 +86,18 @@ func NewRunc(root, path, namespace, runtime, criu string, systemd bool) *runc.Ru
if root == "" {
root = RuncRoot
}
+
+ rootPath := filepath.Join(root, namespace)
+ if strings.Contains(runtime, "runv") {
+ rootPath = defaultRunvRoot
+ }
+
return &runc.Runc{
Command: runtime,
Log: filepath.Join(path, "log.json"),
LogFormat: runc.JSON,
PdeathSignal: syscall.SIGKILL,
- Root: filepath.Join(root, namespace),
+ Root: rootPath,
Criu: criu,
SystemdCgroup: systemd,
}
--
1.8.3.1

47
patch/0040-containerd-add-shim-exit-when-bundle-dir-does.patch
View File

@ -1,47 +0,0 @@
From 07605707cce769e4f4c79b700586b5c59ec0b15a Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Sat, 13 Jul 2019 06:32:54 +0800
Subject: [PATCH] containerd: add shim exit when bundle dir does not
exist
reason: when bundle dir is deleted, containerd-shim should exit to avoid
shim.sock is occupied when container restart next time.
Change-Id: I956412598e17d15f25b91afe1cbb9e24463f04be
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/shim/service.go | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 8adaf35..ac545ea 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -141,13 +141,23 @@ func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *
}
rootfs := filepath.Join(r.Bundle, "rootfs")
defer func() {
+ go func() {
+ for i := 0; i < 60; i++ {
+ time.Sleep(time.Second)
+ _, err := os.Stat(r.Bundle)
+ if os.IsNotExist(err) {
+ logrus.Errorf("bundle dir: %v does not exist, containerd-shim exit", r.Bundle)
+ os.Exit(0)
+ }
+ }
+ }()
if err != nil {
logrus.Errorf("create init %s failed error=%v", r.ID, err)
if err2 := mount.UnmountAll(rootfs, 0); err2 != nil {
log.G(ctx).WithError(err2).Warn("Failed to cleanup rootfs mount")
}
go func() {
- time.Sleep(10*time.Second)
+ time.Sleep(10 * time.Second)
os.Exit(0)
}()
}
--
1.8.3.1

80
patch/0041-containerd-fix-containerd-call-runv-delete-directly.patch
View File

@ -1,80 +0,0 @@
From be9c04e9a90be92437c12ce90c8ff6d4ec1d83b3 Mon Sep 17 00:00:00 2001
From: jiangpengfei <jiangpengfei9@huawei.com>
Date: Thu, 18 Jul 2019 07:57:52 -0400
Subject: [PATCH] containerd: fix containerd call runv delete directly
use wrong --root parameters
reason: When containerd-shim process is killed abnormaly, containerd will exec runv
delete command directly, however it will use the wrong --root parameters which is not
compatible with runv runtime.
Signed-off-by: jiangpengfei <jiangpengfei9@huawei.com>
---
runtime/v1/linux/proc/init.go | 4 ++--
runtime/v1/linux/runtime.go | 10 +++++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index d464147..44d3f58 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -45,7 +45,7 @@ import (
const InitPidFile = "init.pid"
// Default runv runtime root dir
-const defaultRunvRoot = "/run/runv"
+const DefaultRunvRoot = "/run/runv"
// Init represents an initial process for a container
type Init struct {
@@ -89,7 +89,7 @@ func NewRunc(root, path, namespace, runtime, criu string, systemd bool) *runc.Ru
rootPath := filepath.Join(root, namespace)
if strings.Contains(runtime, "runv") {
- rootPath = defaultRunvRoot
+ rootPath = DefaultRunvRoot
}
return &runc.Runc{
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 66914fe..f8e3074 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -25,6 +25,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "strings"
"time"
eventstypes "github.com/containerd/containerd/api/events"
@@ -506,6 +507,7 @@ func (r *Runtime) terminate(ctx context.Context, bundle *bundle, ns, id string)
if err != nil {
return err
}
+
if err := rt.Delete(ctx, id, &runc.DeleteOpts{
Force: true,
}); err != nil {
@@ -539,11 +541,17 @@ func (r *Runtime) getRuntime(ctx context.Context, ns, id string) (*runc.Runc, er
}
}
+ rootPath := filepath.Join(root, ns)
+
+ if strings.Contains(cmd, "runv") {
+ rootPath = proc.DefaultRunvRoot
+ }
+
return &runc.Runc{
Command: cmd,
LogFormat: runc.JSON,
PdeathSignal: unix.SIGKILL,
- Root: filepath.Join(root, ns),
+ Root: rootPath,
Debug: r.config.ShimDebug,
}, nil
}
--
1.8.3.1

34
patch/0042-containerd-close-inherit-shim.sock-fd-to-adap.patch
View File

@ -1,34 +0,0 @@
From dcef6fcbdc78f7e9c14bdcd58e79d3eac8bc1c1b Mon Sep 17 00:00:00 2001
From: jiangpengfei <jiangpengfei9@huawei.com>
Date: Thu, 18 Jul 2019 15:44:12 -0400
Subject: [PATCH] containerd: close inherit shim.sock fd to adapt runv
reason: runv create prcess is created by containerd-shim process and will
inherit the abstract unix socket shim.sock fd from containerd-shim.
If pause container restart, qemu and runv-proxy process are still running,
and shim.sock fd doesn't close, so pause container can not reuse the shim.sock
path and restart failed!
Signed-off-by: jiangpengfei <jiangpengfei9@huawei.com>
---
cmd/containerd-shim/main_unix.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index 38b3eb4..89f6be9 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -189,6 +189,10 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error {
)
if path == "" {
l, err = net.FileListener(os.NewFile(3, "socket"))
+ _, _, errnoValue := unix.Syscall(unix.SYS_FCNTL, 3, uintptr(unix.F_SETFD), unix.FD_CLOEXEC)
+ if errnoValue != 0 {
+ logrus.Errorf("SYS_FCNTL set fd 3 FD_CLOEXEC flag failed: %v", errnoValue)
+ }
path = "[inherited from parent]"
} else {
if len(path) > 106 {
--
1.8.3.1

77
patch/0043-containerd-run-state-with-timeout-10s.patch
View File

@ -1,77 +0,0 @@
From 7b9e8a793fa6c0ec67effac0bc53d55c275e13be Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Thu, 25 Jul 2019 19:29:50 +0800
Subject: [PATCH] containerd: run state with timeout 10s
Change-Id: Idf55f750c2e7c6a9268318f519f1c8bc1595e09e
Signed-off-by: jingrui <jingrui@huawei.com>
---
Makefile | 4 ++--
runtime/v1/linux/task.go | 3 ---
services/tasks/local.go | 11 +++++++++++
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 5de5cf75..9e7f3ae3 100644
--- a/Makefile
+++ b/Makefile
@@ -81,8 +81,8 @@ GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
BEP_DIR=/tmp/containerd-build-bep
BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
-GO_LDFLAGS=-ldflags '-s -w -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
-SHIM_GO_LDFLAGS=-ldflags '-s -w -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
+GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+SHIM_GO_LDFLAGS=-ldflags ' -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
index b692ae78..d2bbb764 100644
--- a/runtime/v1/linux/task.go
+++ b/runtime/v1/linux/task.go
@@ -92,9 +92,6 @@ func (t *Task) delete(ctx context.Context, force bool, pid uint32) (*runtime.Exi
rsp, err := t.shim.Delete(ctx, empty)
if err != nil {
log.G(ctx).WithError(err).Error("failed to delete container, force=%t", force)
- if !force {
- return nil, errdefs.FromGRPC(err)
- }
}
t.tasks.Delete(ctx, t.id)
if err := t.shim.KillShim(ctx); err != nil {
diff --git a/services/tasks/local.go b/services/tasks/local.go
index ce9ee59d..990e8411 100644
--- a/services/tasks/local.go
+++ b/services/tasks/local.go
@@ -47,6 +47,7 @@ import (
ptypes "github.com/gogo/protobuf/types"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
bolt "go.etcd.io/bbolt"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
@@ -185,9 +186,19 @@ func (l *local) Create(ctx context.Context, r *api.CreateTaskRequest, _ ...grpc.
if err := l.monitor.Monitor(c); err != nil {
return nil, errors.Wrap(err, "monitor task")
}
+
+ ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+ defer cancel()
+
state, err := c.State(ctx)
if err != nil {
log.G(ctx).Error(err)
+ go func() {
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+ defer cancel()
+ _, err := c.Delete(ctx)
+ logrus.Errorf("failed get pid, delete force error=%v", err)
+ }()
}
return &api.CreateTaskResponse{
ContainerID: r.ContainerID,
--
2.17.1

38
patch/0044-containerd-add-copyright.patch
View File

@ -1,38 +0,0 @@
From 80972f7d142540b886068d67a49794aaa7232fb5 Mon Sep 17 00:00:00 2001
From: lixiang <lixiang172@huawei.com>
Date: Fri, 6 Sep 2019 15:16:21 +0800
Subject: [PATCH] containerd: add copyright
reason: add copyright
Change-Id: I93ef565c6bf10d6f8cb66d956dddbfbd14477138
Signed-off-by: lixiang <lixiang172@huawei.com>
---
events/exit.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/events/exit.go b/events/exit.go
index 772dc24..d3b3027 100644
--- a/events/exit.go
+++ b/events/exit.go
@@ -1,3 +1,12 @@
+/*
+Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
+Use of this source code is governed by Apache-2.0
+license that can be found in the LICENSE file
+Description: common functions
+Author: jingrui
+Create: 2019-02-12
+*/
+
package events
import (
@@ -97,4 +106,3 @@ func InitExitExist(bundle string) bool {
}
return false
}
-
--
1.8.3.1

29
patch/0044-containerd-change-tmpfile-directory-when-exec.patch
View File

@ -1,29 +0,0 @@
From 8f3291f805c641a6fcf043eb8c4e1a2f4174b579 Mon Sep 17 00:00:00 2001
From: wujibin <wujibin@huawei.com>
Date: Wed, 14 Aug 2019 17:18:24 +0800
Subject: [PATCH] containerd: change tmpfile directory when exec
reason: tmp file stored /tmp before change, if mountain of containers
are runing, the diretory will exist too many tmp file
Change-Id: I1879ba9d09dca41a7571131d7447bf67356ea79c
---
vendor/github.com/containerd/go-runc/runc.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index 6323bf21..7a2a8c4d 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -229,7 +229,7 @@ func (o *ExecOpts) args() (out []string, err error) {
// Exec executres and additional process inside the container based on a full
// OCI Process specification
func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts *ExecOpts) error {
- f, err := ioutil.TempFile(os.Getenv("XDG_RUNTIME_DIR"), "runc-process")
+ f, err := ioutil.TempFile(".", "runc-process")
if err != nil {
return err
}
--
2.19.0

53
patch/0045-containerd-shim-disable-fast-gc-on-arm.patch
View File

@ -1,53 +0,0 @@
From 4a8367ce3a9a8321ceeffbf2934380b139a74f90 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Fri, 18 Oct 2019 14:49:47 +0800
Subject: [PATCH] containerd: stw gc sweep for arm64
Change-Id: I855c13a21c72bf0e91563db7c11e1348a1a78d55
Signed-off-by: jingrui <jingrui@huawei.com>
---
cmd/containerd-shim/main_unix.go | 5 -----
runtime/v1/shim/client/client.go | 4 ++++
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index 89f6be91..22283626 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -80,11 +80,6 @@ func init() {
func main() {
debug.SetGCPercent(40)
- go func() {
- for range time.Tick(30 * time.Second) {
- debug.FreeOSMemory()
- }
- }()
if debugFlag {
logrus.SetLevel(logrus.DebugLevel)
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index a819be6c..a4669d33 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -24,6 +24,7 @@ import (
"net"
"os"
"os/exec"
+ "runtime"
"strings"
"sync"
"syscall"
@@ -161,6 +162,9 @@ func newCommand(binary, daemonAddress string, debug bool, config shim.Config, so
cmd.SysProcAttr = getSysProcAttr()
cmd.ExtraFiles = append(cmd.ExtraFiles, socket)
cmd.Env = append(os.Environ(), "GOMAXPROCS=2")
+ if runtime.GOARCH == "arm64" {
+ cmd.Env = append(cmd.Env, "GODEBUG=gcstoptheworld=2")
+ }
cmd.Stdout = stdout
cmd.Stderr = stderr
return cmd, nil
--
2.17.1

630
patch/0046-containerd-support-hot-upgrade.patch
View File

@ -1,630 +0,0 @@
From 4656fbac6e4a23cf4e2fcb332777fb17895e67ca Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 14 Aug 2019 10:51:19 +0800
Subject: [PATCH] containerd: hot-upgrade support from
containerd-0.2.8
This patch support hot-upgrade from containerd-0.2.8. When restore
tasks, it will find containers started by containerd-0.2.8, then start
fake task create, the fake create will run a new shim process, the shim
process will manage the container created by runc.
After restore legacy created tasks, each task will has 2 shim
process. So it support down-grade to docker-1.11.2 with container still
running.
Change-Id: I94cd48cbf8ceb408dbc8849fe6916e0ec3d889b0
Signed-off-by: jingrui <jingrui@huawei.com>
---
legacy/legacy.go | 145 ++++++++++++++++++++
runtime/v1/linux/leruntime.go | 243 ++++++++++++++++++++++++++++++++++
runtime/v1/linux/proc/init.go | 27 +++-
runtime/v1/linux/proc/io.go | 11 +-
runtime/v1/linux/runtime.go | 5 +
runtime/v1/shim/service.go | 10 +-
services/containers/local.go | 19 ++-
7 files changed, 452 insertions(+), 8 deletions(-)
create mode 100644 legacy/legacy.go
create mode 100644 runtime/v1/linux/leruntime.go
diff --git a/legacy/legacy.go b/legacy/legacy.go
new file mode 100644
index 00000000..fde9f709
--- /dev/null
+++ b/legacy/legacy.go
@@ -0,0 +1,145 @@
+/*
+Copyright (c) Huawei Technologies Co., Ltd. 2019-2019. All rights reserved.
+Description: support containerd hot-upgrade from 0.2.8
+Author: jingrui jingrui@huawei.com
+Create: 2019-09-20
+*/
+
+package legacy
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strings"
+
+ "github.com/sirupsen/logrus"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+const (
+ LegacyFile = "legacy"
+ Config120 = "/var/run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/"
+ Stdio120 = "/var/run/docker/containerd/"
+ Config028 = "/var/run/docker/libcontainerd/"
+ State028 = "/var/run/docker/libcontainerd/containerd/"
+ Runtime = "io.containerd.runtime.v1"
+)
+
+// IsLegacy is used to check if im legacy.
+func IsLegacy(id string) bool {
+ lf := Config120 + id + "/" + LegacyFile
+ if _, err := os.Stat(lf); err == nil {
+ caller := "??"
+ if pc, file, line, ok := runtime.Caller(1); ok {
+ caller = fmt.Sprintf("%s:%d:%s()", file, line, runtime.FuncForPC(pc).Name())
+ }
+ logrus.Infof("shim pretend to be 0.2.8 in %s", caller)
+ return true
+ }
+ return false
+}
+
+// IsRunning is used to detect whether legacy container is running.
+func IsRunning(id string) bool {
+ path := State028 + id + "/init/pid"
+ bpid, err := ioutil.ReadFile(path)
+ if err != nil {
+ return false
+ }
+
+ path = State028 + id + "/init/starttime"
+ btime, err := ioutil.ReadFile(path)
+ if err != nil {
+ return false
+ }
+
+ path = fmt.Sprintf("/proc/%s/stat", string(bpid))
+ bstat, err := ioutil.ReadFile(path)
+ if err != nil {
+ return false
+ }
+
+ if !strings.Contains(string(bstat), string(btime)) {
+ return false
+ }
+
+ return true
+}
+
+// CopyFile used to copy a file.
+func CopyFile(dstName, srcName string) (written int64, err error) {
+ src, err := os.Open(srcName)
+ if err != nil {
+ return
+ }
+ defer src.Close()
+
+ dst, err := os.OpenFile(dstName, os.O_WRONLY|os.O_CREATE, 0644)
+ if err != nil {
+ return
+ }
+ defer dst.Close()
+
+ return io.Copy(dst, src)
+}
+
+// InitBundle will copy files from 0.2.8 dirs to 1.2.0 dirs.
+func InitBundle(root string, id string) error {
+ err := os.MkdirAll(Config120+id, 0711)
+ if err != nil {
+ return err
+ }
+ err = os.MkdirAll(Stdio120+id, 0711)
+ if err != nil {
+ return err
+ }
+ err = os.MkdirAll(filepath.Join(root, "moby", id), 0711)
+ if err != nil {
+ return err
+ }
+
+ err = ioutil.WriteFile(Config120+id+"/"+LegacyFile, []byte{}, 0644)
+ if err != nil {
+ return err
+ }
+ CopyFile(Config120+id+"/config.json", Config028+id+"/config.json")
+ CopyFile(Config120+id+"/init.pid", State028+id+"/init/pid")
+ return nil
+}
+
+// DeleteBundle will delete unused legacy bundle files.
+func DeleteBundle(id string) error {
+ err1 := os.RemoveAll(Config120 + id)
+ err2 := os.RemoveAll(Stdio120 + id)
+ if err1 != nil {
+ return err1
+ }
+ if err2 != nil {
+ return err2
+ }
+
+ return nil
+}
+
+// LoadSpec load config.json into spec.
+func LoadSpec(id string) (*specs.Spec, error) {
+ f, err := os.OpenFile(Config120+id+"/config.json", os.O_RDONLY, 0400)
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+
+ spec := specs.Spec{}
+ dec := json.NewDecoder(f)
+ err = dec.Decode(&spec)
+ if err != nil {
+ return nil, err
+ }
+
+ return &spec, nil
+}
diff --git a/runtime/v1/linux/leruntime.go b/runtime/v1/linux/leruntime.go
new file mode 100644
index 00000000..5b887935
--- /dev/null
+++ b/runtime/v1/linux/leruntime.go
@@ -0,0 +1,243 @@
+/*
+Copyright (c) Huawei Technologies Co., Ltd. 2019-2019. All rights reserved.
+Description: support containerd hot-upgrade from 0.2.8
+Author: jingrui jingrui@huawei.com
+Create: 2019-09-20
+*/
+
+package linux
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ goruntime "runtime"
+
+ "github.com/containerd/containerd/api/types"
+ "github.com/containerd/containerd/containers"
+ "github.com/containerd/containerd/errdefs"
+ "github.com/containerd/containerd/legacy"
+ "github.com/containerd/containerd/log"
+ "github.com/containerd/containerd/namespaces"
+ "github.com/containerd/containerd/runtime"
+ "github.com/containerd/containerd/runtime/linux/runctypes"
+ shim "github.com/containerd/containerd/runtime/v1/shim/v1"
+ scontainers "github.com/containerd/containerd/services/containers"
+ "github.com/containerd/typeurl"
+ "github.com/sirupsen/logrus"
+)
+
+func taskIsExist(tasks []*Task, id string) bool {
+ for _, t := range tasks {
+ if t.id == id {
+ return true
+ }
+ }
+ return false
+}
+
+func loadCreateOpts(id string) runtime.CreateOpts {
+ opts := runtime.CreateOpts{
+ IO: runtime.IO{
+ Stdin: fmt.Sprintf("/var/run/docker/libcontainerd/%s/init-stdin", id),
+ Stdout: fmt.Sprintf("/var/run/docker/libcontainerd/%s/init-stdout", id),
+ },
+ }
+
+ return opts
+}
+
+func (r *Runtime) legacyCreateMeta(ctx context.Context, id string) {
+ spec, err := legacy.LoadSpec(id)
+ if err != nil {
+ logrus.Errorf("load spec for %s failed %v", id, err)
+ return
+ }
+
+ s, err := typeurl.MarshalAny(spec)
+ if err != nil {
+ logrus.Errorf("marshal-any for %s failed %v", id, err)
+ return
+ }
+
+ c := containers.Container{
+ ID: id,
+ Runtime: containers.RuntimeInfo{
+ Name: fmt.Sprintf("%s.%s", legacy.Runtime, goruntime.GOOS),
+ },
+ Spec: s,
+ }
+
+ err = scontainers.CreateMeta(ctx, c)
+ if err != nil {
+ logrus.Infof("create meta for %s failed %v", c.ID, err)
+ }
+}
+
+func (r *Runtime) legacyCreate(ctx context.Context, id string, opts runtime.CreateOpts) (*Task, error) {
+ namespace, err := namespaces.NamespaceRequired(ctx)
+ if err != nil {
+ return nil, err
+ }
+ if namespace != "moby" {
+ return nil, fmt.Errorf("legacy not support ns=%s", namespace)
+ }
+
+ ropts := &runctypes.RuncOptions{}
+ bundle := loadBundle(id,
+ legacy.Config120+id,
+ legacy.Config120+id)
+
+ defer func() {
+ if err != nil {
+ errd := bundle.Delete()
+ log.G(ctx).WithError(err).Errorf("revert: delete bundle error=%v", errd)
+ }
+ }()
+
+ shimopt := ShimLocal(r.config, r.events)
+
+ var cgroup string
+ if opts.TaskOptions != nil {
+ v, err := typeurl.UnmarshalAny(opts.TaskOptions)
+ if err != nil {
+ return nil, err
+ }
+ cgroup = v.(*runctypes.CreateOptions).ShimCgroup
+ }
+ exitHandler := func() {
+ log.G(ctx).WithField("id", id).Info("shim reaped")
+ t, err := r.tasks.Get(ctx, id)
+ if err != nil {
+ // Task was never started or was already successfully deleted
+ return
+ }
+ lc := t.(*Task)
+
+ log.G(ctx).WithFields(logrus.Fields{
+ "id": id,
+ "namespace": namespace,
+ }).Warn("cleaning up after killed shim")
+ if err = r.cleanupAfterDeadShim(context.Background(), bundle, namespace, id, lc.pid); err != nil {
+ log.G(ctx).WithError(err).WithFields(logrus.Fields{
+ "id": id,
+ "namespace": namespace,
+ }).Warn("failed to clean up after killed shim")
+ }
+ }
+ shimopt = ShimRemote(r.config, r.address, cgroup, exitHandler)
+
+ s, err := bundle.NewShimClient(ctx, namespace, shimopt, ropts)
+ if err != nil {
+ return nil, err
+ }
+
+ defer func() {
+ if err != nil {
+ kerr := s.KillShim(ctx)
+ log.G(ctx).WithError(err).Errorf("revert: kill shim error=%v", kerr)
+ }
+ }()
+
+ rt := r.config.Runtime
+ if ropts != nil && ropts.Runtime != "" {
+ rt = ropts.Runtime
+ }
+ sopts := &shim.CreateTaskRequest{
+ ID: id,
+ Bundle: bundle.path,
+ Runtime: rt,
+ Stdin: opts.IO.Stdin,
+ Stdout: opts.IO.Stdout,
+ Stderr: opts.IO.Stderr,
+ Terminal: opts.IO.Terminal,
+ Checkpoint: opts.Checkpoint,
+ Options: opts.TaskOptions,
+ }
+ for _, m := range opts.Rootfs {
+ sopts.Rootfs = append(sopts.Rootfs, &types.Mount{
+ Type: m.Type,
+ Source: m.Source,
+ Options: m.Options,
+ })
+ }
+ cr, err := s.Create(ctx, sopts)
+ if err != nil {
+ return nil, errdefs.FromGRPC(err)
+ }
+ t, err := newTask(id, namespace, int(cr.Pid), s, r.events, r.tasks, bundle)
+ if err != nil {
+ return nil, err
+ }
+
+ // dont add task to tasklist, restoreTasks() will add it later.
+
+ return t, nil
+}
+
+func (r *Runtime) loadLegacyTask(id string) (*Task, error) {
+ logrus.Infof("load-letask id=%s", id)
+ err := legacy.InitBundle(r.root, id)
+ if err != nil {
+ logrus.Errorf("letask %s init bundle failed %s", id, err)
+ return nil, err
+ }
+
+ defer func() {
+ if err != nil {
+ err1 := legacy.DeleteBundle(id)
+ logrus.Errorf("letask %s failed %v, drop bundle error=%s", id, err, err1)
+ }
+ }()
+
+ ctx := namespaces.WithNamespace(context.Background(), "moby")
+ r.legacyCreateMeta(ctx, id)
+ task, err := r.legacyCreate(ctx, id, loadCreateOpts(id))
+ if err != nil {
+ logrus.Errorf("letask %s create failed %v", id, err)
+ return nil, err
+ }
+
+ return task, nil
+}
+
+func (r *Runtime) loadLegacyTasks(tasks []*Task, ctx context.Context, ns string) ([]*Task, error) {
+ var o []*Task
+
+ if ns != "moby" {
+ logrus.Infof("loadLegacyTasks ignore ns=%s", ns)
+ return o, nil
+ }
+
+ dir, err := ioutil.ReadDir(legacy.State028)
+ if err != nil {
+ logrus.Infof("loadLegacyTasks skipped, no legacy residual")
+ return o, nil
+ }
+
+ for _, path := range dir {
+ if !path.IsDir() {
+ continue
+ }
+
+ id := path.Name()
+ if taskIsExist(tasks, id) {
+ logrus.Infof("letask %s already loaded", id)
+ continue
+ }
+ if !legacy.IsRunning(id) {
+ logrus.Infof("letask %s not running", id)
+ continue
+ }
+
+ task, err := r.loadLegacyTask(id)
+ if err != nil {
+ logrus.Errorf("letask %s load failed %s", err)
+ continue
+ }
+
+ o = append(o, task)
+ logrus.Infof("letask id=%s load ok", id)
+ }
+ return o, nil
+}
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index 44d3f58b..ace98621 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -31,6 +31,7 @@ import (
"time"
"github.com/containerd/console"
+ "github.com/containerd/containerd/legacy"
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/mount"
"github.com/containerd/containerd/runtime/proc"
@@ -39,6 +40,7 @@ import (
google_protobuf "github.com/gogo/protobuf/types"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// InitPidFile name of the file that contains the init pid
@@ -113,6 +115,19 @@ func New(id string, runtime *runc.Runc, stdio proc.Stdio) *Init {
waitBlock: make(chan struct{}),
}
p.initState = &createdState{p: p}
+ // legacy container is exist, set it running state directly.
+ if legacy.IsLegacy(id) {
+ p.initState = &runningState{p: p}
+ go func(id string) {
+ for {
+ time.Sleep(3 * time.Second)
+ if !legacy.IsRunning(id) {
+ logrus.Infof("legacy container %s exited", id)
+ os.Exit(0)
+ }
+ }
+ }(id)
+ }
return p
}
@@ -122,6 +137,17 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {
err error
socket *runc.Socket
)
+ pidFile := filepath.Join(p.Bundle, InitPidFile)
+
+ if legacy.IsLegacy(r.ID) {
+ pid, err := runc.ReadPidFile(pidFile)
+ if err != nil {
+ return errors.Wrap(err, "failed to retrieve OCI runtime container pid")
+ }
+ p.pid = pid
+ return nil
+ }
+
if r.Terminal {
if socket, err = runc.NewTempConsoleSocket(); err != nil {
return errors.Wrap(err, "failed to create OCI runtime console socket")
@@ -136,7 +162,6 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {
return errors.Wrap(err, "failed to create OCI runtime io pipes")
}
}
- pidFile := filepath.Join(p.Bundle, InitPidFile)
if r.Checkpoint != "" {
opts := &runc.RestoreOpts{
CheckpointOpts: runc.CheckpointOpts{
diff --git a/runtime/v1/linux/proc/io.go b/runtime/v1/linux/proc/io.go
index 71f6ee1b..36066270 100644
--- a/runtime/v1/linux/proc/io.go
+++ b/runtime/v1/linux/proc/io.go
@@ -79,6 +79,9 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w
},
},
} {
+ if i.name == "" {
+ continue
+ }
ok, err := isFifo(i.name)
if err != nil {
return err
@@ -89,10 +92,10 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w
)
if ok {
if fw, err = fifo.OpenFifo(ctx, i.name, syscall.O_WRONLY, 0); err != nil {
- return fmt.Errorf("containerd-shim: opening %s failed: %s", i.name, err)
+ return fmt.Errorf("containerd-shim syscall.O_WRONLY: opening %s failed: %s", i.name, err)
}
if fr, err = fifo.OpenFifo(ctx, i.name, syscall.O_RDONLY, 0); err != nil {
- return fmt.Errorf("containerd-shim: opening %s failed: %s", i.name, err)
+ return fmt.Errorf("containerd-shim syscall.O_RDONLY: opening %s failed: %s", i.name, err)
}
} else {
if sameFile != nil {
@@ -100,7 +103,7 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w
continue
}
if fw, err = os.OpenFile(i.name, syscall.O_WRONLY|syscall.O_APPEND, 0); err != nil {
- return fmt.Errorf("containerd-shim: opening %s failed: %s", i.name, err)
+ return fmt.Errorf("containerd-shim syscall.O_WRONLY|syscall.O_APPEND: opening %s failed: %s", i.name, err)
}
if stdout == stderr {
sameFile = fw
@@ -113,7 +116,7 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w
}
f, err := fifo.OpenFifo(ctx, stdin, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)
if err != nil {
- return fmt.Errorf("containerd-shim: opening %s failed: %s", stdin, err)
+ return fmt.Errorf("containerd-shim syscall.O_RDONLY|syscall.O_NONBLOCK: opening %s failed: %s", stdin, err)
}
cwg.Add(1)
go func() {
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index f8e30742..1b763fbc 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -300,6 +300,11 @@ func (r *Runtime) restoreTasks(ctx context.Context) ([]*Task, error) {
}
o = append(o, tasks...)
}
+ lo, err := r.loadLegacyTasks(o, ctx, "moby")
+ if err != nil {
+ logrus.Errorf("load legacy with error %v", err)
+ }
+ o = append(o, lo...)
return o, nil
}
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index ac545ea4..6411fdd9 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -34,6 +34,7 @@ import (
"github.com/containerd/containerd/api/types/task"
"github.com/containerd/containerd/errdefs"
"github.com/containerd/containerd/events"
+ "github.com/containerd/containerd/legacy"
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/mount"
"github.com/containerd/containerd/namespaces"
@@ -381,7 +382,9 @@ func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Emp
if s.id != p.ID() || r.Signal != uint32(syscall.SIGKILL) {
return
}
-
+ if legacy.IsLegacy(s.id) {
+ return
+ }
for i := 1; i < 5; i++ {
time.Sleep(10 * time.Second)
err := p.Kill(ctx, r.Signal, r.All)
@@ -676,6 +679,11 @@ func newInit(ctx context.Context, path, workDir, runtimeRoot, namespace, criu st
rootfs := filepath.Join(path, "rootfs")
runtime := proc.NewRunc(runtimeRoot, path, namespace, r.Runtime, criu, systemdCgroup)
+ // legacy container using /run/runc as runc root.
+ if legacy.IsLegacy(r.ID) {
+ runtime.Root = "/run/runc"
+ }
+
p := proc.New(r.ID, runtime, rproc.Stdio{
Stdin: r.Stdin,
Stdout: r.Stdout,
diff --git a/services/containers/local.go b/services/containers/local.go
index 95a09872..5934d5ad 100644
--- a/services/containers/local.go
+++ b/services/containers/local.go
@@ -48,10 +48,11 @@ func init() {
if err != nil {
return nil, err
}
- return &local{
+ helperLocal = local{
db: m.(*metadata.DB),
publisher: ic.Events,
- }, nil
+ }
+ return &helperLocal, nil
},
})
}
@@ -243,3 +244,17 @@ func (s *localStream) SendMsg(m interface{}) error {
func (s *localStream) RecvMsg(m interface{}) error {
return nil
}
+
+var helperLocal local // used for create meta only.
+// CreateMeta used only by legacy module to create meta.
+func CreateMeta(ctx context.Context, c containers.Container) error {
+ l := &helperLocal
+ err := l.withStoreUpdate(ctx, func(ctx context.Context, store containers.Store) error {
+ _, err := store.Create(ctx, c)
+ if err != nil {
+ return err
+ }
+ return nil
+ })
+ return err
+}
--
2.17.1

30
patch/0047-containerd-shim-exit-initiative-after-3s.patch
View File

@ -1,30 +0,0 @@
From fe778eb160fc1e3a492b5304890af3843aa91f32 Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Tue, 5 Nov 2019 23:07:49 -0500
Subject: [PATCH] containerd: containerd-shim exit initiative after 3s
reason: containerd-shim exit initiative after 3s
Signed-off-by: liuzekun <liuzekun@huawei.com>
---
runtime/v1/shim/service.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 326096c..3abaa99 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -548,6 +548,10 @@ func (s *Service) checkProcesses(e runc.Exit) {
ns := filepath.Base(filepath.Dir(ip.Bundle))
events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
events.InitExitWrite(ip.Bundle, e.Pid)
+ go func() {
+ time.Sleep(3 * time.Second)
+ os.Exit(0)
+ }()
}
if shouldKillAll {
if ip, ok := p.(*proc.Init); ok {
--
2.20.1

32
patch/0048-containerd-modify-shim-initiative-exit-time.patch
View File

@ -1,32 +0,0 @@
From 1735262dfdbc434c3e734c2a4b7e3c5407cd541f Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Sat, 16 Nov 2019 02:28:31 +0800
Subject: [PATCH] containerd: modify shim initiative exit time
reason: We set shim exit initiative after 3s of container init process
exiting, but poststop hook will run abnormally if it needs more than 3s.
So we modify the exit time to 120s to avoid this case, as poststop hook
is suggested not more than 120s.
Change-Id: I3e78b6344fabb0687bc40c3b6da153f403a9f211
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/shim/service.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 3abaa99..9721660 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -549,7 +549,7 @@ func (s *Service) checkProcesses(e runc.Exit) {
events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
events.InitExitWrite(ip.Bundle, e.Pid)
go func() {
- time.Sleep(3 * time.Second)
+ time.Sleep(120 * time.Second)
os.Exit(0)
}()
}
--
1.8.3.1

84
patch/0049-contaienrd-modify-shim-initiative-exit-time-for-post-hook.patch
View File

@ -1,84 +0,0 @@
From d2e10b3f23adf3338ee451c926167d18e5ac02e1 Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Thu, 21 Nov 2019 08:23:35 -0500
Subject: [PATCH] contaienrd: modify shim initiative exit time for post hook
reason: Modify shim initiative exit time for post hook. In consideration
of each post hook has a execution time with timeout(default 120s), we
should ensure enough time to call all post hook.
Signed-off-by: liuzekun <liuzekun@huawei.com>
---
runtime/v1/shim/service.go | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 9721660..cfba225 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -537,7 +537,7 @@ func (s *Service) checkProcesses(e runc.Exit) {
s.mu.Lock()
defer s.mu.Unlock()
- shouldKillAll, err := shouldKillAllOnExit(s.bundle)
+ shouldKillAll, bundleSpec, err := shouldKillAllOnExit(s.bundle)
if err != nil {
log.G(s.context).WithError(err).Error("failed to check shouldKillAll")
}
@@ -549,8 +549,23 @@ func (s *Service) checkProcesses(e runc.Exit) {
events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
events.InitExitWrite(ip.Bundle, e.Pid)
go func() {
- time.Sleep(120 * time.Second)
- os.Exit(0)
+ t := 30
+ defer func() {
+ time.Sleep(time.Duration(t) * time.Second)
+ os.Exit(0)
+ }()
+ if bundleSpec.Hooks == nil {
+ return
+ }
+ postStopHooks := bundleSpec.Hooks.Poststop
+ for _, postStopHook := range postStopHooks {
+ hookTimeout := postStopHook.Timeout
+ if hookTimeout == nil {
+ t += 120
+ } else {
+ t += *hookTimeout
+ }
+ }
}()
}
if shouldKillAll {
@@ -575,23 +590,23 @@ func (s *Service) checkProcesses(e runc.Exit) {
}
}
-func shouldKillAllOnExit(bundlePath string) (bool, error) {
+func shouldKillAllOnExit(bundlePath string) (bool, specs.Spec, error) {
var bundleSpec specs.Spec
bundleConfigContents, err := ioutil.ReadFile(filepath.Join(bundlePath, "config.json"))
if err != nil {
- return false, err
+ return false, specs.Spec{}, err
}
json.Unmarshal(bundleConfigContents, &bundleSpec)
if bundleSpec.Linux != nil {
for _, ns := range bundleSpec.Linux.Namespaces {
if ns.Type == specs.PIDNamespace && ns.Path == "" {
- return false, nil
+ return false, bundleSpec, nil
}
}
}
- return true, nil
+ return true, bundleSpec, nil
}
func (s *Service) getContainerPids(ctx context.Context, id string) ([]uint32, error) {
--
2.20.1

170
patch/0050-containerd-warp-and-process-return-errors.patch
View File

@ -1,170 +0,0 @@
From 20cb595625dcfdf89fdf766028625a7864674dec Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Mon, 23 Dec 2019 03:10:49 -0500
Subject: [PATCH] containerd: wrap and process return errors
reason: wrap and process return errors
Signed-off-by: liuzekun <liuzekun@huawei.com>
---
cmd/containerd-shim/main_unix.go | 2 +-
events/exit.go | 4 ++--
legacy/legacy.go | 8 +++++---
runtime/v1/linux/leruntime.go | 5 ++++-
runtime/v1/linux/runtime.go | 7 +++++--
runtime/v1/shim/reaper.go | 4 ++--
runtime/v1/shim/service.go | 1 +
vendor/github.com/sirupsen/logrus/exported.go | 5 +++++
8 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index 2228362..e9c1426 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -259,7 +259,7 @@ func dumpStacks(logger *logrus.Entry) {
bufferLen *= 2
}
buf = buf[:stackSize]
- ioutil.WriteFile(fmt.Sprintf(stacksLogNameTemplate, strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)), buf, 0600)
+ logrus.Devour(ioutil.WriteFile(fmt.Sprintf(stacksLogNameTemplate, strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)), buf, 0600))
logger.Infof("=== BEGIN goroutine stack dump ===\n%s\n=== END goroutine stack dump ===", buf)
}
diff --git a/events/exit.go b/events/exit.go
index 772dc24..c0a3583 100644
--- a/events/exit.go
+++ b/events/exit.go
@@ -48,13 +48,14 @@ func ExitInfo(ef string) (string, uint32, uint32) {
}
func ExitAddFile(ns string, ef string, reason string) {
- os.MkdirAll(filepath.Join(ExitDir, ns), 0700)
+ logrus.Devour(os.MkdirAll(filepath.Join(ExitDir, ns), 0700))
err := ioutil.WriteFile(filepath.Join(ExitDir, ns, ef), []byte{}, 0600)
logrus.Infof("exit-add %s/%s [reason: %s] error=%v", ns, ef, reason, err)
}
func ExitDelFile(ns string, ef string) {
err := os.RemoveAll(filepath.Join(ExitDir, ns, ef))
+ logrus.Devour(err)
logrus.Infof("exit-del %s/%s error=%v", ns, ef, err)
}
diff --git a/legacy/legacy.go b/legacy/legacy.go
index fde9f70..219508c 100644
--- a/legacy/legacy.go
+++ b/legacy/legacy.go
@@ -17,8 +17,8 @@ import (
"runtime"
"strings"
- "github.com/sirupsen/logrus"
"github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/sirupsen/logrus"
)
const (
@@ -107,8 +107,10 @@ func InitBundle(root string, id string) error {
if err != nil {
return err
}
- CopyFile(Config120+id+"/config.json", Config028+id+"/config.json")
- CopyFile(Config120+id+"/init.pid", State028+id+"/init/pid")
+ _, err = CopyFile(Config120+id+"/config.json", Config028+id+"/config.json")
+ logrus.Devour(err)
+ _, err = CopyFile(Config120+id+"/init.pid", State028+id+"/init/pid")
+ logrus.Devour(err)
return nil
}
diff --git a/runtime/v1/linux/leruntime.go b/runtime/v1/linux/leruntime.go
index 9c793a5..e8fbe61 100644
--- a/runtime/v1/linux/leruntime.go
+++ b/runtime/v1/linux/leruntime.go
@@ -112,7 +112,10 @@ func (r *Runtime) legacyCreate(ctx context.Context, id string, opts runtime.Crea
// Task was never started or was already successfully deleted
return
}
- lc := t.(*Task)
+ lc, ok := t.(*Task)
+ if !ok {
+ log.G(ctx).WithField("id", id).Errorf("task t's type is %T, cannot convert to a *Task value", t)
+ }
log.G(ctx).WithFields(logrus.Fields{
"id": id,
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 1b763fb..c334bf4 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -43,7 +43,7 @@ import (
"github.com/containerd/containerd/plugin"
"github.com/containerd/containerd/runtime"
"github.com/containerd/containerd/runtime/linux/runctypes"
- "github.com/containerd/containerd/runtime/v1"
+ v1 "github.com/containerd/containerd/runtime/v1"
"github.com/containerd/containerd/runtime/v1/linux/proc"
shim "github.com/containerd/containerd/runtime/v1/shim/v1"
runc "github.com/containerd/go-runc"
@@ -200,7 +200,10 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
// Task was never started or was already successfully deleted
return
}
- lc := t.(*Task)
+ lc, ok := t.(*Task)
+ if !ok {
+ log.G(ctx).WithField("id", id).Errorf("task t's type is %T, cannot convert to a *Task value", t)
+ }
log.G(ctx).WithFields(logrus.Fields{
"id": id,
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index 2846152..c657397 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -95,7 +95,7 @@ func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
for e := range ec {
if e.Pid == c.Process.Pid {
// make sure we flush all IO
- c.Wait()
+ logrus.Devour(c.Wait())
m.Unsubscribe(ec)
return e.Status, nil
}
@@ -123,7 +123,7 @@ func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, e
select {
case <-time.After(time.Duration(sec) * time.Second):
if SameProcess(c, c.Process.Pid) {
- syscall.Kill(c.Process.Pid, syscall.SIGKILL)
+ logrus.Devour(syscall.Kill(c.Process.Pid, syscall.SIGKILL))
}
return 0, errors.Errorf("container did not start before the specified timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
case status := <-sch:
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 4025a72..beb0ed8 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -146,6 +146,7 @@ func (s *Service) Create(ctx context.Context, r *shimapi.CreateTaskRequest) (_ *
for i := 0; i < 60; i++ {
time.Sleep(time.Second)
_, err := os.Stat(r.Bundle)
+ logrus.Devour(err)
if os.IsNotExist(err) {
logrus.Errorf("bundle dir: %v does not exist, containerd-shim exit", r.Bundle)
os.Exit(0)
diff --git a/vendor/github.com/sirupsen/logrus/exported.go b/vendor/github.com/sirupsen/logrus/exported.go
index 1aeaa90..46fa7f8 100644
--- a/vendor/github.com/sirupsen/logrus/exported.go
+++ b/vendor/github.com/sirupsen/logrus/exported.go
@@ -191,3 +191,8 @@ func Panicln(args ...interface{}) {
func Fatalln(args ...interface{}) {
std.Fatalln(args...)
}
+
+// Devour will do nothing and return directly
+func Devour(args ...interface{}) {
+ return
+}
--
2.20.1

134
patch/0051-containerd-add-timeout-for-containerd-shim.patch
View File

@ -1,134 +0,0 @@
From ea6e8c7b10fe1552d14fb9b0337d850a1f4a7178 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 3 Jan 2020 03:06:00 +0800
Subject: [PATCH] containerd: add timeout for containerd-shim
reason:add timeout for containerd-shim to avoid dead lock
Change-Id: I7886eb9e73dc1a3c8b837687c8ac8361d67f5e4f
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/shim/reaper.go | 2 +-
vendor/github.com/containerd/go-runc/runc.go | 37 ++++++++++++++++++++++------
2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index c657397..d8e8274 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -125,7 +125,7 @@ func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, e
if SameProcess(c, c.Process.Pid) {
logrus.Devour(syscall.Kill(c.Process.Pid, syscall.SIGKILL))
}
- return 0, errors.Errorf("container did not start before the specified timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
+ return 0, errors.Errorf("timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
case status := <-sch:
return status, nil
case err := <-ech:
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index 7a2a8c4..430648d 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -53,7 +53,9 @@ const (
Text Format = "text"
// DefaultCommand is the default command for Runc
DefaultCommand = "runc"
- execTimeout = 30
+ defaultTimeout = 30
+ startTimeout = 120
+ updateTimeout = 60
)
var (
@@ -99,7 +101,7 @@ func (r *Runc) List(context context.Context) ([]*Container, error) {
// State returns the state for the container provided by id
func (r *Runc) State(context context.Context, id string) (*Container, error) {
- data, err := cmdOutput(r.command(context, "state", id), true)
+ data, err := cmdOutputTimeout(r.command(context, "state", id), true, defaultTimeout)
if err != nil {
return nil, fmt.Errorf("%s: %s", err, data)
}
@@ -199,7 +201,7 @@ func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOp
// Start will start an already created container
func (r *Runc) Start(context context.Context, id string) error {
- return r.runOrError(r.command(context, "start", id))
+ return r.runOrErrorTimeout(r.command(context, "start", id), startTimeout)
}
type ExecOpts struct {
@@ -252,7 +254,7 @@ func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts
opts.Set(cmd)
}
if cmd.Stdout == nil && cmd.Stderr == nil {
- data, err := cmdOutputTimeout(cmd, true, execTimeout)
+ data, err := cmdOutputTimeout(cmd, true, defaultTimeout)
if err != nil {
return fmt.Errorf("%s: %s", err, data)
}
@@ -269,7 +271,7 @@ func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts
}
}
}
- status, err := Monitor.WaitTimeout(cmd, ec, execTimeout)
+ status, err := Monitor.WaitTimeout(cmd, ec, defaultTimeout)
if err == nil && status != 0 {
err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
}
@@ -338,7 +340,7 @@ func (r *Runc) Kill(context context.Context, id string, sig int, opts *KillOpts)
if opts != nil {
args = append(args, opts.args()...)
}
- return r.runOrError(r.command(context, append(args, id, strconv.Itoa(sig))...))
+ return r.runOrErrorTimeout(r.command(context, append(args, id, strconv.Itoa(sig))...), defaultTimeout)
}
// Stats return the stats for a container like cpu, memory, and io
@@ -414,7 +416,7 @@ func (r *Runc) Resume(context context.Context, id string) error {
// Ps lists all the processes inside the container returning their pids
func (r *Runc) Ps(context context.Context, id string) ([]int, error) {
- data, err := cmdOutput(r.command(context, "ps", "--format", "json", id), true)
+ data, err := cmdOutputTimeout(r.command(context, "ps", "--format", "json", id), true, defaultTimeout)
if err != nil {
return nil, fmt.Errorf("%s: %s", err, data)
}
@@ -604,7 +606,7 @@ func (r *Runc) Update(context context.Context, id string, resources *specs.Linux
args := []string{"update", "--resources", "-", id}
cmd := r.command(context, args...)
cmd.Stdin = buf
- return r.runOrError(cmd)
+ return r.runOrErrorTimeout(cmd, updateTimeout)
}
var ErrParseRuncVersion = errors.New("unable to parse runc version")
@@ -705,6 +707,25 @@ func (r *Runc) runOrError(cmd *exec.Cmd) error {
return nil
}
+func (r *Runc) runOrErrorTimeout(cmd *exec.Cmd, runTimeout int64) error {
+ if cmd.Stdout != nil || cmd.Stderr != nil {
+ ec, err := Monitor.Start(cmd)
+ if err != nil {
+ return err
+ }
+ status, err := Monitor.WaitTimeout(cmd, ec, runTimeout)
+ if err == nil && status != 0 {
+ err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+ }
+ return err
+ }
+ data, err := cmdOutputTimeout(cmd, true, runTimeout)
+ if err != nil {
+ return fmt.Errorf("%s: %s", err, data)
+ }
+ return nil
+}
+
func cmdOutput(cmd *exec.Cmd, combined bool) ([]byte, error) {
b := getBuf()
defer putBuf(b)
--
1.8.3.1

266
patch/0052-containerd-modify-runtime-root-if-containe.patch
View File

@ -1,266 +0,0 @@
From 3ccf18b7d72ef484093e8a6f578ef9381418bc54 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 17 Jan 2020 07:07:34 +0800
Subject: [PATCH] containerd: modify runtime root if container is created by
1.11.2
reason:if container is created by 1.11.2, runtime root is /run/runc,
so we need to modify the root dir when this container stops first time.
Change-Id: If30e26a719ed61be0a08344860a066ab77b4cb40
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/runtime.go | 14 ++++---
.../github.com/containerd/go-runc/command_linux.go | 4 +-
.../github.com/containerd/go-runc/command_other.go | 2 +-
vendor/github.com/containerd/go-runc/runc.go | 45 ++++++++++++----------
4 files changed, 37 insertions(+), 28 deletions(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index c334bf4..08e563d 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -35,6 +35,7 @@ import (
"github.com/containerd/containerd/events"
"github.com/containerd/containerd/events/exchange"
"github.com/containerd/containerd/identifiers"
+ "github.com/containerd/containerd/legacy"
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/metadata"
"github.com/containerd/containerd/mount"
@@ -521,11 +522,14 @@ func (r *Runtime) terminate(ctx context.Context, bundle *bundle, ns, id string)
}); err != nil {
log.G(ctx).WithError(err).Warnf("delete runtime state %s", id)
}
- if err := mount.Unmount(filepath.Join(bundle.path, "rootfs"), 0); err != nil {
- log.G(ctx).WithError(err).WithFields(logrus.Fields{
- "path": bundle.path,
- "id": id,
- }).Warnf("unmount task rootfs")
+
+ if !legacy.IsLegacy(id) {
+ if err := mount.Unmount(filepath.Join(bundle.path, "rootfs"), 0); err != nil {
+ log.G(ctx).WithError(err).WithFields(logrus.Fields{
+ "path": bundle.path,
+ "id": id,
+ }).Warnf("unmount task rootfs")
+ }
}
return nil
}
diff --git a/vendor/github.com/containerd/go-runc/command_linux.go b/vendor/github.com/containerd/go-runc/command_linux.go
index 6ad27be..0aa6040 100644
--- a/vendor/github.com/containerd/go-runc/command_linux.go
+++ b/vendor/github.com/containerd/go-runc/command_linux.go
@@ -31,12 +31,12 @@ func (r *Runc) isrunv() bool {
return false
}
-func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
+func (r *Runc) command(id string, context context.Context, args ...string) *exec.Cmd {
command := r.Command
if command == "" {
command = DefaultCommand
}
- cmd := exec.CommandContext(context, command, append(r.args(), args...)...)
+ cmd := exec.CommandContext(context, command, append(r.args(id), args...)...)
cmd.SysProcAttr = &syscall.SysProcAttr{
Setpgid: r.Setpgid,
}
diff --git a/vendor/github.com/containerd/go-runc/command_other.go b/vendor/github.com/containerd/go-runc/command_other.go
index b8fd4b8..21bb699 100644
--- a/vendor/github.com/containerd/go-runc/command_other.go
+++ b/vendor/github.com/containerd/go-runc/command_other.go
@@ -29,7 +29,7 @@ func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
if command == "" {
command = DefaultCommand
}
- cmd := exec.CommandContext(context, command, append(r.args(), args...)...)
+ cmd := exec.CommandContext(context, command, append(r.args(""), args...)...)
cmd.Env = os.Environ()
return cmd
}
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index 430648d..c1748ff 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -31,6 +31,7 @@ import (
"syscall"
"time"
+ "github.com/containerd/containerd/legacy"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
)
@@ -88,7 +89,7 @@ func init() {
// List returns all containers created inside the provided runc root directory
func (r *Runc) List(context context.Context) ([]*Container, error) {
- data, err := cmdOutput(r.command(context, "list", "--format=json"), false)
+ data, err := cmdOutput(r.command("", context, "list", "--format=json"), false)
if err != nil {
return nil, err
}
@@ -101,7 +102,7 @@ func (r *Runc) List(context context.Context) ([]*Container, error) {
// State returns the state for the container provided by id
func (r *Runc) State(context context.Context, id string) (*Container, error) {
- data, err := cmdOutputTimeout(r.command(context, "state", id), true, defaultTimeout)
+ data, err := cmdOutputTimeout(r.command(id, context, "state", id), true, defaultTimeout)
if err != nil {
return nil, fmt.Errorf("%s: %s", err, data)
}
@@ -168,7 +169,7 @@ func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOp
}
args = append(args, oargs...)
}
- cmd := r.command(context, append(args, id)...)
+ cmd := r.command(id, context, append(args, id)...)
if opts != nil && opts.IO != nil {
opts.Set(cmd)
}
@@ -201,7 +202,7 @@ func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOp
// Start will start an already created container
func (r *Runc) Start(context context.Context, id string) error {
- return r.runOrErrorTimeout(r.command(context, "start", id), startTimeout)
+ return r.runOrErrorTimeout(r.command(id, context, "start", id), startTimeout)
}
type ExecOpts struct {
@@ -249,7 +250,7 @@ func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts
}
args = append(args, oargs...)
}
- cmd := r.command(context, append(args, id)...)
+ cmd := r.command(id, context, append(args, id)...)
if opts != nil && opts.IO != nil {
opts.Set(cmd)
}
@@ -289,7 +290,7 @@ func (r *Runc) Run(context context.Context, id, bundle string, opts *CreateOpts)
}
args = append(args, oargs...)
}
- cmd := r.command(context, append(args, id)...)
+ cmd := r.command(id, context, append(args, id)...)
if opts != nil && opts.IO != nil {
opts.Set(cmd)
}
@@ -317,7 +318,7 @@ func (r *Runc) Delete(context context.Context, id string, opts *DeleteOpts) erro
if opts != nil {
args = append(args, opts.args()...)
}
- return r.runOrError(r.command(context, append(args, id)...))
+ return r.runOrError(r.command(id, context, append(args, id)...))
}
// KillOpts specifies options for killing a container and its processes
@@ -340,12 +341,12 @@ func (r *Runc) Kill(context context.Context, id string, sig int, opts *KillOpts)
if opts != nil {
args = append(args, opts.args()...)
}
- return r.runOrErrorTimeout(r.command(context, append(args, id, strconv.Itoa(sig))...), defaultTimeout)
+ return r.runOrErrorTimeout(r.command(id, context, append(args, id, strconv.Itoa(sig))...), defaultTimeout)
}
// Stats return the stats for a container like cpu, memory, and io
func (r *Runc) Stats(context context.Context, id string) (*Stats, error) {
- cmd := r.command(context, "events", "--stats", id)
+ cmd := r.command(id, context, "events", "--stats", id)
rd, err := cmd.StdoutPipe()
if err != nil {
return nil, err
@@ -367,7 +368,7 @@ func (r *Runc) Stats(context context.Context, id string) (*Stats, error) {
// Events returns an event stream from runc for a container with stats and OOM notifications
func (r *Runc) Events(context context.Context, id string, interval time.Duration) (chan *Event, error) {
- cmd := r.command(context, "events", fmt.Sprintf("--interval=%ds", int(interval.Seconds())), id)
+ cmd := r.command(id, context, "events", fmt.Sprintf("--interval=%ds", int(interval.Seconds())), id)
rd, err := cmd.StdoutPipe()
if err != nil {
return nil, err
@@ -406,17 +407,17 @@ func (r *Runc) Events(context context.Context, id string, interval time.Duration
// Pause the container with the provided id
func (r *Runc) Pause(context context.Context, id string) error {
- return r.runOrError(r.command(context, "pause", id))
+ return r.runOrError(r.command(id, context, "pause", id))
}
// Resume the container with the provided id
func (r *Runc) Resume(context context.Context, id string) error {
- return r.runOrError(r.command(context, "resume", id))
+ return r.runOrError(r.command(id, context, "resume", id))
}
// Ps lists all the processes inside the container returning their pids
func (r *Runc) Ps(context context.Context, id string) ([]int, error) {
- data, err := cmdOutputTimeout(r.command(context, "ps", "--format", "json", id), true, defaultTimeout)
+ data, err := cmdOutputTimeout(r.command(id, context, "ps", "--format", "json", id), true, defaultTimeout)
if err != nil {
return nil, fmt.Errorf("%s: %s", err, data)
}
@@ -429,7 +430,7 @@ func (r *Runc) Ps(context context.Context, id string) ([]int, error) {
// Top lists all the processes inside the container returning the full ps data
func (r *Runc) Top(context context.Context, id string, psOptions string) (*TopResults, error) {
- data, err := cmdOutput(r.command(context, "ps", "--format", "table", id, psOptions), true)
+ data, err := cmdOutput(r.command(id, context, "ps", "--format", "table", id, psOptions), true)
if err != nil {
return nil, fmt.Errorf("%s: %s", err, data)
}
@@ -528,7 +529,7 @@ func (r *Runc) Checkpoint(context context.Context, id string, opts *CheckpointOp
for _, a := range actions {
args = a(args)
}
- return r.runOrError(r.command(context, append(args, id)...))
+ return r.runOrError(r.command(id, context, append(args, id)...))
}
type RestoreOpts struct {
@@ -577,7 +578,7 @@ func (r *Runc) Restore(context context.Context, id, bundle string, opts *Restore
args = append(args, oargs...)
}
args = append(args, "--bundle", bundle)
- cmd := r.command(context, append(args, id)...)
+ cmd := r.command(id, context, append(args, id)...)
if opts != nil && opts.IO != nil {
opts.Set(cmd)
}
@@ -604,7 +605,7 @@ func (r *Runc) Update(context context.Context, id string, resources *specs.Linux
return err
}
args := []string{"update", "--resources", "-", id}
- cmd := r.command(context, args...)
+ cmd := r.command(id, context, args...)
cmd.Stdin = buf
return r.runOrErrorTimeout(cmd, updateTimeout)
}
@@ -619,7 +620,7 @@ type Version struct {
// Version returns the runc and runtime-spec versions
func (r *Runc) Version(context context.Context) (Version, error) {
- data, err := cmdOutput(r.command(context, "--version"), false)
+ data, err := cmdOutput(r.command("", context, "--version"), false)
if err != nil {
return Version{}, err
}
@@ -658,9 +659,13 @@ func parseVersion(data []byte) (Version, error) {
return v, nil
}
-func (r *Runc) args() (out []string) {
+func (r *Runc) args(id string) (out []string) {
if r.Root != "" {
- out = append(out, "--root", r.Root)
+ if id != "" && legacy.IsLegacy(id) {
+ out = append(out, "--root", "/run/runc")
+ } else {
+ out = append(out, "--root", r.Root)
+ }
}
if r.Debug {
out = append(out, "--debug")
--
1.8.3.1

81
patch/0053-containerd-add-pid-check-to-avoid-poststop-ho.patch
View File

@ -1,81 +0,0 @@
From 489f69209650aa743ffd6e53571b822ad0b63c2d Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Sat, 18 Jan 2020 04:18:22 +0800
Subject: [PATCH] containerd: add pid check to avoid poststop hook
execute twice
reason:If start a container at docker 1.11.2, upgrade docker to 18.09,
downgrade to 1.11.2, stop/restart container, upgrade to 18.09 again,
poststop hook will execute again when containerd load task.
So we add pid check to avoid poststop hook execute twice.
Change-Id: I8b88b69bfa0a4141bd9595da8ad4e786666e114b
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
legacy/legacy.go | 21 +++++++++++++++++++++
runtime/v1/linux/runtime.go | 10 ++++++----
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/legacy/legacy.go b/legacy/legacy.go
index 219508c..644f94a 100644
--- a/legacy/legacy.go
+++ b/legacy/legacy.go
@@ -44,6 +44,25 @@ func IsLegacy(id string) bool {
return false
}
+func IsSamePid(id string) bool {
+ pid120, err := ioutil.ReadFile(filepath.Join(Config120, id, "init.pid"))
+ if err != nil {
+ logrus.Infof("read 1.2.0 init.pid file error: %v", err)
+ return false
+ }
+ pid028, err := ioutil.ReadFile(filepath.Join(State028, id, "init", "pid"))
+ if err != nil {
+ logrus.Infof("read 0.2.8 pid file error: %v", err)
+ return false
+ }
+ logrus.Infof("pid1.2.0: %v, pid0.2.8: %v", string(pid120), string(pid028))
+ if string(pid120) != string(pid028) {
+ return false
+ }
+
+ return true
+}
+
// IsRunning is used to detect whether legacy container is running.
func IsRunning(id string) bool {
path := State028 + id + "/init/pid"
@@ -111,6 +130,8 @@ func InitBundle(root string, id string) error {
logrus.Devour(err)
_, err = CopyFile(Config120+id+"/init.pid", State028+id+"/init/pid")
logrus.Devour(err)
+ _, err = CopyFile(Config120+id+"/starttime", State028+id+"/init/starttime")
+ logrus.Devour(err)
return nil
}
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 08e563d..96ad815 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -517,10 +517,12 @@ func (r *Runtime) terminate(ctx context.Context, bundle *bundle, ns, id string)
return err
}
- if err := rt.Delete(ctx, id, &runc.DeleteOpts{
- Force: true,
- }); err != nil {
- log.G(ctx).WithError(err).Warnf("delete runtime state %s", id)
+ if !legacy.IsLegacy(id) || legacy.IsSamePid(id) {
+ if err := rt.Delete(ctx, id, &runc.DeleteOpts{
+ Force: true,
+ }); err != nil {
+ log.G(ctx).WithError(err).Warnf("delete runtime state %s", id)
+ }
}
if !legacy.IsLegacy(id) {
--
1.8.3.1

100
patch/0054-containerd-clean-up-residual-container.patch
View File

@ -1,100 +0,0 @@
From a2310cbcff07f660b8d17584f687561b64bf27ad Mon Sep 17 00:00:00 2001
From: zhangtianyang <zhangtianyang2@huawei.com>
Date: Thu, 27 Feb 2020 16:51:59 +0800
Subject: [PATCH] containerd: clean up residual container after
shim abnormal exit
reason:from update/revert test an occasional failure has been found that
shim process has exited but container is still running, then following exec
call all report ttrpc close error.
the triggering condition is uncertain. this patch will make up the clean
work of the residual container after such failure occurred to avoid
subsequent call errors.
Change-Id: I0da9d4e46010cbe58f2fda21895caeb301936c47
Signed-off-by: zhangtianyang <zhangtianyang2@huawei.com>
---
runtime/v1/linux/runtime.go | 11 +++++++++++
services/tasks/local.go | 25 +++++++++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 96ad815..47a0cb6 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -511,6 +511,17 @@ func (r *Runtime) cleanupAfterDeadShim(ctx context.Context, bundle *bundle, ns,
return nil
}
+func (r *Runtime) CleanupAfterDeadShim(ctx context.Context, ns, id string) error {
+ bund := &bundle{id: id,
+ path: filepath.Join(r.state, ns, id),
+ workDir: filepath.Join(r.root, ns, id)}
+ pid, err := runc.ReadPidFile(filepath.Join(bund.path, proc.InitPidFile))
+ if err != nil {
+ return fmt.Errorf("failed to read pid from %s", proc.InitPidFile)
+ }
+ return r.cleanupAfterDeadShim(ctx, bund, ns, id, pid)
+}
+
func (r *Runtime) terminate(ctx context.Context, bundle *bundle, ns, id string) error {
rt, err := r.getRuntime(ctx, ns, id)
if err != nil {
diff --git a/services/tasks/local.go b/services/tasks/local.go
index 990e841..9818971 100644
--- a/services/tasks/local.go
+++ b/services/tasks/local.go
@@ -24,6 +24,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "strings"
"time"
api "github.com/containerd/containerd/api/services/tasks/v1"
@@ -41,6 +42,7 @@ import (
"github.com/containerd/containerd/mount"
"github.com/containerd/containerd/plugin"
"github.com/containerd/containerd/runtime"
+ "github.com/containerd/containerd/runtime/v1/linux"
"github.com/containerd/containerd/runtime/v2"
"github.com/containerd/containerd/services"
"github.com/containerd/typeurl"
@@ -383,11 +385,34 @@ func (l *local) Kill(ctx context.Context, r *api.KillRequest, _ ...grpc.CallOpti
}
}
if err := p.Kill(ctx, r.Signal, r.All); err != nil {
+ if (r.Signal == 9 || r.Signal == 15) && strings.Contains(err.Error(), "ttrpc: client shutting down") {
+ // not sure under what conditions will cause such ttrpc error. since the error has
+ // happened, we have to make up the clean up work to avoid container residue.
+ cleanErr := l.cleanupResidualContainer(ctx, r, t.Namespace())
+ log.G(ctx).WithField("clean error", cleanErr).Warnf(
+ "previous actions might encounter failure, try clean up the dead container.")
+ }
return nil, errdefs.ToGRPC(err)
}
return empty, nil
}
+func (l *local) cleanupResidualContainer(ctx context.Context, r *api.KillRequest, namespace string) error {
+ container, err := l.getContainer(ctx, r.ContainerID)
+ if err != nil {
+ return fmt.Errorf("failed to get container %s, %v", r.ContainerID, err)
+ }
+ rt, err := l.getRuntime(container.Runtime.Name)
+ if err != nil {
+ return fmt.Errorf("failed to get runtime %s, %v", container.Runtime.Name, err)
+ }
+ lRuntime, ok := rt.(*linux.Runtime)
+ if !ok {
+ return fmt.Errorf("no clean work for runtime other than linux ones")
+ }
+ return lRuntime.CleanupAfterDeadShim(ctx, namespace, r.ContainerID)
+}
+
func (l *local) ListPids(ctx context.Context, r *api.ListPidsRequest, _ ...grpc.CallOption) (*api.ListPidsResponse, error) {
t, err := l.getTask(ctx, r.ContainerID)
if err != nil {
--
1.8.3.1

115
patch/0055-containerd-add-LLT-for-containerd-shim-timeou.patch
View File

@ -1,115 +0,0 @@
From 47e981ebb8996e432968ed68f08e3fc108210cd4 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Tue, 3 Mar 2020 06:29:56 +0800
Subject: [PATCH 1/2] containerd:add LLT for containerd-shim timeout
requirement
reason:add LLT testcases for containerd-shim timeout requirement.
Change-Id: If422542b72f3550d86a6eba6b19d0cdea2d2a660
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
vendor/github.com/containerd/go-runc/runc_test.go | 90 +++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 vendor/github.com/containerd/go-runc/runc_test.go
diff --git a/vendor/github.com/containerd/go-runc/runc_test.go b/vendor/github.com/containerd/go-runc/runc_test.go
new file mode 100644
index 0000000..8f9212d
--- /dev/null
+++ b/vendor/github.com/containerd/go-runc/runc_test.go
@@ -0,0 +1,90 @@
+package runc
+
+import (
+ "context"
+ "os"
+ "os/exec"
+ "testing"
+
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestRuncCommandInvoke(t *testing.T) {
+ rc := &Runc{
+ Command: "/bin/true",
+ }
+ ctx := context.Background()
+ id := "containerid"
+ bundle := "bundlepath"
+
+ createOpts := CreateOpts{}
+ err := rc.Create(ctx, id, bundle, &createOpts)
+ if err != nil {
+ t.Errorf("Create command invoke error, %v", err)
+ }
+
+ err = rc.Start(ctx, id)
+ if err != nil {
+ t.Errorf("Start command invoke error, %v", err)
+ }
+
+ execSpec := specs.Process{}
+ nullIO, _ := NewNullIO()
+ execOpts := ExecOpts{IO: nullIO}
+ err = rc.Exec(ctx, id, execSpec, &execOpts)
+ if err != nil {
+ t.Errorf("Exec command invoke error, %v", err)
+ }
+
+ execOptsnil := ExecOpts{}
+ err = rc.Exec(ctx, id, execSpec, &execOptsnil)
+ if err != nil {
+ t.Errorf("Exec command invoke error, %v", err)
+ }
+
+ killOpts := KillOpts{}
+ err = rc.Kill(ctx, id, 9, &killOpts)
+ if err != nil {
+ t.Errorf("Kill command invoke error, %v", err)
+ }
+
+ resource := specs.LinuxResources{}
+ err = rc.Update(ctx, id, &resource)
+ if err != nil {
+ t.Errorf("Update command invoke error, %v", err)
+ }
+
+ _, err = rc.State(ctx, id)
+ if err == nil {
+ t.Errorf("State command invoke should return error")
+ }
+
+ _, err = rc.Ps(ctx, id)
+ if err == nil {
+ t.Errorf("Ps command invoke should return error")
+ }
+}
+
+func TestRunOrErrorTimeout(t *testing.T) {
+ rc := &Runc{}
+
+ cmd := exec.Cmd{Path: "/bin/bash2"}
+ cmd.Stdout = os.Stdout
+ err := rc.runOrErrorTimeout(&cmd, 10)
+ if err == nil {
+ t.Errorf("runOrErrorTimeout should return error")
+ }
+
+ cmd = exec.Cmd{Path: "/usr/bin/sleep", Args: []string{"2"}}
+ cmd.Stdout = os.Stdout
+ rc.runOrErrorTimeout(&cmd, 1)
+ if err == nil {
+ t.Errorf("runOrErrorTimeout should return error")
+ }
+
+ cmd = exec.Cmd{Path: "/usr/bin/sleep", Args: []string{"2"}}
+ rc.runOrErrorTimeout(&cmd, 1)
+ if err == nil {
+ t.Errorf("runOrErrorTimeout should return error")
+ }
+}
--
1.8.3.1

51
patch/0056-containerd-save-dumpstack-to-file.patch
View File

@ -1,51 +0,0 @@
From 7db93cf813023f2a5ac209617aaae5c3f5c202d5 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Tue, 3 Mar 2020 09:01:22 +0800
Subject: [PATCH] containerd:save dumpstack to file
Change-Id: I54a41a13b4523de279337a9ff208347859c0fb4d
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
cmd/containerd/command/main_unix.go | 5 +++++
runtime/v1/linux/runtime.go | 1 +
2 files changed, 6 insertions(+)
diff --git a/cmd/containerd/command/main_unix.go b/cmd/containerd/command/main_unix.go
index 12c1426..2f9398f 100644
--- a/cmd/containerd/command/main_unix.go
+++ b/cmd/containerd/command/main_unix.go
@@ -20,8 +20,12 @@ package command
import (
"context"
+ "fmt"
+ "io/ioutil"
"os"
"runtime"
+ "strings"
+ "time"
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/services/server"
@@ -79,5 +83,6 @@ func dumpStacks() {
bufferLen *= 2
}
buf = buf[:stackSize]
+ logrus.Devour(ioutil.WriteFile(fmt.Sprintf("/var/run/docker/containerd/containerd-stacks-%s.log", strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)), buf, 0600))
logrus.Infof("=== BEGIN goroutine stack dump ===\n%s\n=== END goroutine stack dump ===", buf)
}
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 47a0cb6..5be785d 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -481,6 +481,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
}
func (r *Runtime) cleanupAfterDeadShim(ctx context.Context, bundle *bundle, ns, id string, pid int) error {
+ logrus.Infof("cleanup dead shim(legacy=%t): %s %d", legacy.IsLegacy(id), id, pid)
ctx = namespaces.WithNamespace(ctx, ns)
if err := r.terminate(ctx, bundle, ns, id); err != nil {
log.G(ctx).WithError(err).Warn("failed to terminate task")
--
1.8.3.1

150
patch/0057-containerd-add-timeout-for-delete-command.patch
View File

@ -1,150 +0,0 @@
From 313e7f972e887c715b8feaad332ffe505653c496 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Tue, 3 Mar 2020 06:31:18 +0800
Subject: [PATCH] containerd:add timeout for delete command
Change-Id: I620d2f19a8ac9086b5c83792a6fe49b0389da87d
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/task.go | 2 +-
runtime/v1/shim/reaper.go | 23 +--------------
vendor/github.com/containerd/go-runc/monitor.go | 37 +++++++++++++++++++++++--
vendor/github.com/containerd/go-runc/runc.go | 3 +-
4 files changed, 38 insertions(+), 27 deletions(-)
diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
index d2bbb76..d200e9d 100644
--- a/runtime/v1/linux/task.go
+++ b/runtime/v1/linux/task.go
@@ -91,7 +91,7 @@ func (t *Task) Namespace() string {
func (t *Task) delete(ctx context.Context, force bool, pid uint32) (*runtime.Exit, error) {
rsp, err := t.shim.Delete(ctx, empty)
if err != nil {
- log.G(ctx).WithError(err).Error("failed to delete container, force=%t", force)
+ log.G(ctx).WithError(err).Errorf("failed to delete container, force=%t", force)
}
t.tasks.Delete(ctx, t.id)
if err := t.shim.KillShim(ctx); err != nil {
diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
index d8e8274..f5f8096 100644
--- a/runtime/v1/shim/reaper.go
+++ b/runtime/v1/shim/reaper.go
@@ -19,11 +19,7 @@
package shim
import (
- "io/ioutil"
"os/exec"
- "path/filepath"
- "strconv"
- "strings"
"sync"
"syscall"
"time"
@@ -122,7 +118,7 @@ func (m *Monitor) WaitTimeout(c *exec.Cmd, ec chan runc.Exit, sec int64) (int, e
}()
select {
case <-time.After(time.Duration(sec) * time.Second):
- if SameProcess(c, c.Process.Pid) {
+ if runc.SameProcess(c, c.Process.Pid) {
logrus.Devour(syscall.Kill(c.Process.Pid, syscall.SIGKILL))
}
return 0, errors.Errorf("timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
@@ -149,20 +145,3 @@ func (m *Monitor) Unsubscribe(c chan runc.Exit) {
close(c)
m.Unlock()
}
-
-func SameProcess(cmd *exec.Cmd, pid int) bool {
- bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "cmdline"))
- if err != nil {
- return false
- }
- for i := range bytes {
- if bytes[i] == 0 {
- bytes[i] = 32
- }
- }
- cmdline := string(bytes)
- if strings.EqualFold(cmdline, strings.Join(cmd.Args, " ")+" ") {
- return true
- }
- return false
-}
diff --git a/vendor/github.com/containerd/go-runc/monitor.go b/vendor/github.com/containerd/go-runc/monitor.go
index 2c184d2..bb8bbab 100644
--- a/vendor/github.com/containerd/go-runc/monitor.go
+++ b/vendor/github.com/containerd/go-runc/monitor.go
@@ -20,6 +20,13 @@ import (
"os/exec"
"syscall"
"time"
+ "io/ioutil"
+ "path/filepath"
+ "strconv"
+ "strings"
+
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
var Monitor ProcessMonitor = &defaultMonitor{}
@@ -77,6 +84,30 @@ func (m *defaultMonitor) Wait(c *exec.Cmd, ec chan Exit) (int, error) {
}
func (m *defaultMonitor) WaitTimeout(c *exec.Cmd, ec chan Exit, sec int64) (int, error) {
- e := <-ec
- return e.Status, nil
-}
\ No newline at end of file
+ select {
+ case <-time.After(time.Duration(sec) * time.Second):
+ if SameProcess(c, c.Process.Pid) {
+ logrus.Devour(syscall.Kill(c.Process.Pid, syscall.SIGKILL))
+ }
+ return 0, errors.Errorf("timeout %ds for cmd(pid=%d): %s, %s", sec, c.Process.Pid, c.Path, c.Args)
+ case e := <-ec:
+ return e.Status, nil
+ }
+}
+
+func SameProcess(cmd *exec.Cmd, pid int) bool {
+ bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "cmdline"))
+ if err != nil {
+ return false
+ }
+ for i := range bytes {
+ if bytes[i] == 0 {
+ bytes[i] = 32
+ }
+ }
+ cmdline := string(bytes)
+ if strings.EqualFold(cmdline, strings.Join(cmd.Args, " ")+" ") {
+ return true
+ }
+ return false
+}
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index c1748ff..1c96317 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -57,6 +57,7 @@ const (
defaultTimeout = 30
startTimeout = 120
updateTimeout = 60
+ deleteTimeout = 120
)
var (
@@ -318,7 +319,7 @@ func (r *Runc) Delete(context context.Context, id string, opts *DeleteOpts) erro
if opts != nil {
args = append(args, opts.args()...)
}
- return r.runOrError(r.command(id, context, append(args, id)...))
+ return r.runOrErrorTimeout(r.command(id, context, append(args, id)...), deleteTimeout)
}
// KillOpts specifies options for killing a container and its processes
--
1.8.3.1

26
patch/0058-containerd-use-git-commit-to-store-commit-ID.patch
View File

@ -1,26 +0,0 @@
From fe8ce77e756f7f468ed65c8c42a9f91becabbf4e Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Wed, 10 Jun 2020 00:37:01 -0400
Subject: [PATCH] containerd: use git-commit to store commit ID
Signed-off-by: liuzekun <liuzekun@huawei.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9e7f3ae..6011aa1 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ DESTDIR=/usr/local
# Used to populate variables in version package.
VERSION=$(shell echo version:)$(shell grep '^Version' ${ROOTDIR}/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/').$(shell grep '^Release:' ${ROOTDIR}/containerd.spec | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
-REVISION=$(shell echo commit:)$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
+REVISION=$(shell cat ./git-commit | head -c 40)
ifneq "$(strip $(shell command -v go 2>/dev/null))" ""
GOOS ?= $(shell go env GOOS)
--
2.19.1

26
patch/0059-containerd-add-GO_GCFLAGS-to-containerd-shim-making.patch
View File

@ -1,26 +0,0 @@
From 44079d9ee81c215d39ed81e39eb2ae31cf0ad453 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Tue, 11 Aug 2020 05:55:59 +0800
Subject: [PATCH] add GO_GCFLAGS to containerd-shim making
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 6011aa1..ba512ef 100644
--- a/Makefile
+++ b/Makefile
@@ -175,7 +175,7 @@ bin/%: cmd/% FORCE
bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim"
- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+ @CGO_ENABLED=0 go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim-runc-v1"
--
1.8.3.1

28
patch/0060-containerd-do-not-disable-cgo-in-containerd-shim-mak.patch
View File

@ -1,28 +0,0 @@
From 6523d7e39a9bb45be632ff114c64329f43e1499a Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Wed, 12 Aug 2020 01:52:16 +0800
Subject: [PATCH] containerd: do not disable cgo in containerd-shim making
reason: for debuginfo
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index ba512ef..f69559b 100644
--- a/Makefile
+++ b/Makefile
@@ -175,7 +175,7 @@ bin/%: cmd/% FORCE
bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim"
- @CGO_ENABLED=0 go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+ go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim-runc-v1"
--
1.8.3.1

66
patch/0061-containerd-check-if-bundle-exists-before-create-bund.patch
View File

@ -1,66 +0,0 @@
From c56df3dd08d709e8ee81675661527aac47a7cba2 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 6 Nov 2020 10:19:26 +0800
Subject: [PATCH] containerd: check if bundle exists before create bundle
reason: If container starts following tightly the last stop, bundle
directory may be deleted by the not yet completed stop, which may cause
container start fail. So we add bundle check during start to avoid this,
if bundle exists, wait for it to clean up.
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/bundle.go | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/bundle.go b/runtime/v1/linux/bundle.go
index d73866a..b4f7b4c 100644
--- a/runtime/v1/linux/bundle.go
+++ b/runtime/v1/linux/bundle.go
@@ -23,12 +23,14 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "time"
"github.com/containerd/containerd/events/exchange"
"github.com/containerd/containerd/runtime/linux/runctypes"
"github.com/containerd/containerd/runtime/v1/shim"
"github.com/containerd/containerd/runtime/v1/shim/client"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// loadBundle loads an existing bundle from disk
@@ -46,6 +48,20 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
return nil, err
}
path = filepath.Join(path, id)
+ workDir = filepath.Join(workDir, id)
+
+ for waitTime := 10 * time.Millisecond; ; waitTime *= 2 {
+ if _, err = os.Stat(workDir); err != nil {
+ break
+ }
+ logrus.Debugf("bundle-check: wait time %v", waitTime)
+ if waitTime > 2*time.Second {
+ logrus.Warnf("bundle-check: waiting cleanup bundle timeout, start anyway")
+ break
+ }
+ time.Sleep(waitTime)
+ }
+
if err := os.Mkdir(path, 0711); err != nil {
return nil, err
}
@@ -54,7 +70,6 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
os.RemoveAll(path)
}
}()
- workDir = filepath.Join(workDir, id)
if err := os.MkdirAll(workDir, 0711); err != nil {
return nil, err
}
--
1.8.3.1

318
patch/0062-containerd-use-path-based-socket-for-shims.patch
View File

@ -1,318 +0,0 @@
From 4185b832a4f89e671e6ecf201d21b75d866a48e4 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 14 Nov 2020 15:55:30 +0800
Subject: [PATCH] use path based socket for shims
Signed-off-by: jingrui <jingrui@huawei.com>
---
cmd/containerd-shim/main_unix.go | 16 +++--
cmd/ctr/commands/shim/shim.go | 2 +
runtime/v1/linux/bundle.go | 37 +++++++++-
runtime/v1/shim/client/client.go | 118 ++++++++++++++++++++++++++++---
4 files changed, 159 insertions(+), 14 deletions(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index e9c14263b..3a5bb6170 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -66,7 +66,7 @@ var (
func init() {
flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
+ flag.StringVar(&socketFlag, "socket", "", "socket path to serve")
flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
flag.StringVar(&workdirFlag, "workdir", "", "path used to storge large temporary data")
flag.StringVar(&runtimeRootFlag, "runtime-root", proc.RuncRoot, "root directory for the runtime")
@@ -190,10 +190,18 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error {
}
path = "[inherited from parent]"
} else {
- if len(path) > 106 {
- return errors.Errorf("%q: unix socket path too long (> 106)", path)
+ const (
+ abstractSocketPrefix = "\x00"
+ socketPathLimit = 106
+ )
+ p := strings.TrimPrefix(path, "unix://")
+ if len(p) == len(path) {
+ p = abstractSocketPrefix + p
}
- l, err = net.Listen("unix", "\x00"+path)
+ if len(p) > socketPathLimit {
+ return errors.Errorf("%q: unix socket path too long (> %d)", p, socketPathLimit)
+ }
+ l, err = net.Listen("unix", p)
}
if err != nil {
return err
diff --git a/cmd/ctr/commands/shim/shim.go b/cmd/ctr/commands/shim/shim.go
index ec08cc68b..8ef068292 100644
--- a/cmd/ctr/commands/shim/shim.go
+++ b/cmd/ctr/commands/shim/shim.go
@@ -23,6 +23,7 @@ import (
"fmt"
"io/ioutil"
"net"
+ "strings"
"github.com/containerd/console"
"github.com/containerd/containerd/cmd/ctr/commands"
@@ -231,6 +232,7 @@ func getTaskService(context *cli.Context) (task.TaskService, error) {
return nil, errors.New("socket path must be specified")
}
+ bindSocket = strings.TrimPrefix(bindSocket, "unix://")
conn, err := net.Dial("unix", "\x00"+bindSocket)
if err != nil {
return nil, err
diff --git a/runtime/v1/linux/bundle.go b/runtime/v1/linux/bundle.go
index ef4200b29..0442246f9 100644
--- a/runtime/v1/linux/bundle.go
+++ b/runtime/v1/linux/bundle.go
@@ -20,6 +20,7 @@ package linux
import (
"context"
+ "fmt"
"io/ioutil"
"os"
"path/filepath"
@@ -117,7 +118,7 @@ func ShimLocal(c *Config, exchange *exchange.Exchange) ShimOpt {
// ShimConnect is a ShimOpt for connecting to an existing remote shim
func ShimConnect(c *Config, onClose func()) ShimOpt {
return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
- return b.shimConfig(ns, c, ropts), client.WithConnect(b.shimAddress(ns), onClose)
+ return b.shimConfig(ns, c, ropts), client.WithConnect(b.decideShimAddress(ns), onClose)
}
}
@@ -129,6 +130,11 @@ func (b *bundle) NewShimClient(ctx context.Context, namespace string, getClientO
// Delete deletes the bundle from disk
func (b *bundle) Delete() error {
+ address, _ := b.loadAddress()
+ if address != "" {
+ // we don't care about errors here
+ client.RemoveSocket(address)
+ }
err := os.RemoveAll(b.path)
if err == nil {
return os.RemoveAll(b.workDir)
@@ -141,10 +147,37 @@ func (b *bundle) Delete() error {
return errors.Wrapf(err, "Failed to remove both bundle and workdir locations: %v", err2)
}
-func (b *bundle) shimAddress(namespace string) string {
+func (b *bundle) legacyShimAddress(namespace string) string {
return filepath.Join(string(filepath.Separator), "containerd-shim", namespace, b.id, "shim.sock")
}
+const socketRoot = "/run/containerd"
+
+func (b *bundle) shimAddress(namespace string) string {
+ return fmt.Sprintf("unix://%s", b.shimSock())
+}
+
+func (b *bundle) shimSock() string {
+ return filepath.Join(socketRoot, "s", b.id)
+}
+
+func (b *bundle) loadAddress() (string, error) {
+ addressPath := filepath.Join(b.path, "address")
+ data, err := ioutil.ReadFile(addressPath)
+ if err != nil {
+ return "", err
+ }
+ return string(data), nil
+}
+
+func (b *bundle) decideShimAddress(namespace string) string {
+ address, err := b.loadAddress()
+ if err != nil {
+ return b.legacyShimAddress(namespace)
+ }
+ return address
+}
+
func (b *bundle) shimConfig(namespace string, c *Config, runcOptions *runctypes.RuncOptions) shim.Config {
var (
criuPath string
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index a4669d33c..06453b35a 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -20,11 +20,14 @@ package client
import (
"context"
+ "fmt"
"io"
"net"
"os"
"os/exec"
+ "path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"syscall"
@@ -55,9 +58,17 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) {
socket, err := newSocket(address)
if err != nil {
- return nil, nil, err
+ if !eaddrinuse(err) {
+ return nil, nil, err
+ }
+ if err := RemoveSocket(address); err != nil {
+ return nil, nil, errors.Wrap(err, "remove already used socket")
+ }
+ if socket, err = newSocket(address); err != nil {
+ return nil, nil, err
+ }
}
- defer socket.Close()
+
f, err := socket.File()
if err != nil {
return nil, nil, errors.Wrapf(err, "failed to get fd for socket %s", address)
@@ -102,12 +113,22 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
if stderrLog != nil {
stderrLog.Close()
}
+ socket.Close()
+ RemoveSocket(address)
}()
log.G(ctx).WithFields(logrus.Fields{
"pid": cmd.Process.Pid,
"address": address,
"debug": debug,
}).Infof("shim %s started", binary)
+
+ if err := writeFile(filepath.Join(config.Path, "address"), address); err != nil {
+ return nil, nil, err
+ }
+ if err := writeFile(filepath.Join(config.Path, "shim.pid"), strconv.Itoa(cmd.Process.Pid)); err != nil {
+ return nil, nil, err
+ }
+
// set shim in cgroup if it is provided
if cgroup != "" {
if err := setCgroup(cgroup, cmd); err != nil {
@@ -170,25 +191,106 @@ func newCommand(binary, daemonAddress string, debug bool, config shim.Config, so
return cmd, nil
}
+// writeFile writes a address file atomically
+func writeFile(path, address string) error {
+ path, err := filepath.Abs(path)
+ if err != nil {
+ return err
+ }
+ tempPath := filepath.Join(filepath.Dir(path), fmt.Sprintf(".%s", filepath.Base(path)))
+ f, err := os.OpenFile(tempPath, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+ if err != nil {
+ return err
+ }
+ _, err = f.WriteString(address)
+ f.Close()
+ if err != nil {
+ return err
+ }
+ return os.Rename(tempPath, path)
+}
+
+const (
+ abstractSocketPrefix = "\x00"
+ socketPathLimit = 106
+)
+
+func eaddrinuse(err error) bool {
+ cause := errors.Cause(err)
+ netErr, ok := cause.(*net.OpError)
+ if !ok {
+ return false
+ }
+ if netErr.Op != "listen" {
+ return false
+ }
+ syscallErr, ok := netErr.Err.(*os.SyscallError)
+ if !ok {
+ return false
+ }
+ errno, ok := syscallErr.Err.(syscall.Errno)
+ if !ok {
+ return false
+ }
+ return errno == syscall.EADDRINUSE
+}
+
+type socket string
+
+func (s socket) isAbstract() bool {
+ return !strings.HasPrefix(string(s), "unix://")
+}
+
+func (s socket) path() string {
+ path := strings.TrimPrefix(string(s), "unix://")
+ // if there was no trim performed, we assume an abstract socket
+ if len(path) == len(s) {
+ path = abstractSocketPrefix + path
+ }
+ return path
+}
+
func newSocket(address string) (*net.UnixListener, error) {
- if len(address) > 106 {
- return nil, errors.Errorf("%q: unix socket path too long (> 106)", address)
+ if len(address) > socketPathLimit {
+ return nil, errors.Errorf("%q: unix socket path too long (> %d)", address, socketPathLimit)
+ }
+ var (
+ sock = socket(address)
+ path = sock.path()
+ )
+ if !sock.isAbstract() {
+ if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil {
+ return nil, errors.Wrapf(err, "%s", path)
+ }
}
- l, err := net.Listen("unix", "\x00"+address)
+ l, err := net.Listen("unix", path)
if err != nil {
- return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address)
+ return nil, errors.Wrapf(err, "failed to listen to unix socket %q (abstract: %t)", address, sock.isAbstract())
+ }
+ if err := os.Chmod(path, 0600); err != nil {
+ l.Close()
+ return nil, err
}
return l.(*net.UnixListener), nil
}
+// RemoveSocket removes the socket at the specified address if
+// it exists on the filesystem
+func RemoveSocket(address string) error {
+ sock := socket(address)
+ if !sock.isAbstract() {
+ return os.Remove(sock.path())
+ }
+ return nil
+}
+
func connect(address string, d func(string, time.Duration) (net.Conn, error)) (net.Conn, error) {
return d(address, 100*time.Second)
}
func annonDialer(address string, timeout time.Duration) (net.Conn, error) {
- address = strings.TrimPrefix(address, "unix://")
- return net.DialTimeout("unix", "\x00"+address, timeout)
+ return net.DialTimeout("unix", socket(address).path(), timeout)
}
// WithConnect connects to an existing shim
--
2.17.1

37
patch/0063-containerd-kill-init-directly-if-runtime-kill-failed.patch
View File

@ -1,37 +0,0 @@
From 3ec035244d33b4cb64adacb8133ae3e204cae55f Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Thu, 19 Nov 2020 15:49:53 +0800
Subject: [PATCH] containerd: kill init directly if runtime kill failed
Change-Id: I80a1c0c4f88530fe9732e6e9a2d1fb222ece118c
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/shim/service.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index beb0ed8d5..7e07ab011 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -49,6 +49,7 @@ import (
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
@@ -390,6 +391,10 @@ func (s *Service) Kill(ctx context.Context, r *shimapi.KillRequest) (*ptypes.Emp
time.Sleep(10 * time.Second)
err := p.Kill(ctx, r.Signal, r.All)
logrus.Infof("delay kill %s retry %d error=%v", s.id, i, err)
+ if err != nil {
+ err := unix.Kill(p.Pid(), syscall.SIGKILL)
+ logrus.Infof("delay kill-direct %s retry %d error=%v", s.id, i, err)
+ }
}
logrus.Infof("force exit shim %s ...", s.id)
--
2.17.1

7977
patch/0064-containerd-add-sys-symbol-to-support-riscv.patch
View File

File diff suppressed because it is too large Load Diff

30
patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
View File

@ -1,30 +0,0 @@
From 53111d2f094b738a4b3a35bcec85f78324ca8509 Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Tue, 24 Nov 2020 11:00:32 +0800
Subject: [PATCH] containerd: check task list to avoid unnecessary cleanup
Signed-off-by: Lantao Liu <lantaol@google.com>
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
runtime/v1/linux/runtime.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 5be785d..0feb587 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -374,6 +374,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
shimExit := make(chan struct{})
s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
close(shimExit)
+ if _, err := r.tasks.Get(ctx, id); err != nil {
+ // Task was never started or was already successfully deleted
+ return
+ }
+
err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
if err != nil {
log.G(ctx).WithError(err).WithField("bundle", bundle.path).
--
1.8.3.1

31
patch/0065-containerd-add-blot-symbol-to-support-riscv.patch
View File

@ -1,31 +0,0 @@
From d03e4a480ba9f954ebe077981202c811e21640e9 Mon Sep 17 00:00:00 2001
From: yangyanchao <yangyanchao6@huawei.com>
Date: Tue, 15 Dec 2020 03:24:47 +0000
Subject: [PATCH 2/2] containerd-add-sys-symbol-to-support-riscv
---
vendor/go.etcd.io/bbolt/bolt_riscv64.go | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 vendor/go.etcd.io/bbolt/bolt_riscv64.go
diff --git a/vendor/go.etcd.io/bbolt/bolt_riscv64.go b/vendor/go.etcd.io/bbolt/bolt_riscv64.go
new file mode 100644
index 0000000..5f1c364
--- /dev/null
+++ b/vendor/go.etcd.io/bbolt/bolt_riscv64.go
@@ -0,0 +1,12 @@
+// +build riscv64
+
+package bbolt
+
+// maxMapSize represents the latgest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
+
+// maxAllocSize is the size used when creating array pointers.
+const maxAllocSize = 0x7FFFFFFF
+
+// Are unaligned load/stores broken on this arch?
+var brokenUnaligned = false
--
2.23.0

37
patch/0065-containerd-fix-dead-loop.patch
View File

@ -1,37 +0,0 @@
From b315a85a6695dfbe67767f21713c3ccfc7cae73e Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Mon, 1 Feb 2021 09:48:07 +0800
Subject: [PATCH] containerd: fix dead loop
Change-Id: I6b2ce4456ca8fe197683692721d150f4e5d7e3fe
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/shim/client/client.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index 06453b35a..9e63af4ea 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -393,15 +393,15 @@ func (c *Client) signalShim(ctx context.Context, sig syscall.Signal) error {
func (c *Client) waitForExit(pid int) <-chan struct{} {
c.exitOnce.Do(func() {
- for {
+ for i := 0; i < 1000; i++ {
// use kill(pid, 0) here because the shim could have been reparented
// and we are no longer able to waitpid(pid, ...) on the shim
if err := unix.Kill(pid, 0); err == unix.ESRCH {
- close(c.exitCh)
- return
+ break
}
time.Sleep(10 * time.Millisecond)
}
+ close(c.exitCh)
})
return c.exitCh
}
--
2.17.1

41
patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
View File

@ -1,41 +0,0 @@
From a530cb668134335d4e5d6595d5d5a9cb74e16428 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Tue, 19 Jan 2021 15:01:00 +0800
Subject: [PATCH] containerd: cleanup dangling shim by brand new context
Upstream:https://github.com/containerd/containerd/pull/4048
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
runtime/v1/linux/runtime.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 0feb587..66f959d 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -66,6 +66,9 @@ const (
configFilename = "config.json"
defaultRuntime = "runc"
defaultShim = "containerd-shim"
+
+ // cleanupTimeout is default timeout for cleanup operations
+ cleanupTimeout = 1 * time.Minute
)
func init() {
@@ -226,7 +229,10 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
}
defer func() {
if err != nil {
- kerr := s.KillShim(ctx)
+ deferCtx, deferCancel := context.WithTimeout(
+ namespaces.WithNamespace(context.TODO(), namespace), cleanupTimeout)
+ defer deferCancel()
+ kerr := s.KillShim(deferCtx)
log.G(ctx).WithError(err).Errorf("revert: kill shim error=%v", kerr)
}
}()
--
1.8.3.1

89
patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
View File

@ -1,89 +0,0 @@
From 4c9ec5f1eece90929eb3b525c28f3713b7153d7d Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Tue, 19 Jan 2021 20:34:45 +0800
Subject: [PATCH] containerd:fix potential panic for task in unknown state
Upstream:https://github.com/containerd/containerd/pull/3611
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
cio/io_unix.go | 22 ++++++++++++----------
container.go | 13 +++++++++++--
2 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/cio/io_unix.go b/cio/io_unix.go
index 3ab2a30..53b6b2d 100644
--- a/cio/io_unix.go
+++ b/cio/io_unix.go
@@ -72,17 +72,19 @@ func copyIO(fifos *FIFOSet, ioset *Streams) (*cio, error) {
}
var wg = &sync.WaitGroup{}
- wg.Add(1)
- go func() {
- p := bufPool.Get().(*[]byte)
- defer bufPool.Put(p)
-
- io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p)
- pipes.Stdout.Close()
- wg.Done()
- }()
+ if fifos.Stdout != "" {
+ wg.Add(1)
+ go func() {
+ p := bufPool.Get().(*[]byte)
+ defer bufPool.Put(p)
+
+ io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p)
+ pipes.Stdout.Close()
+ wg.Done()
+ }()
+ }
- if !fifos.Terminal {
+ if !fifos.Terminal && fifos.Stderr != "" {
wg.Add(1)
go func() {
p := bufPool.Get().(*[]byte)
diff --git a/container.go b/container.go
index 3c09b2d..63b074a 100644
--- a/container.go
+++ b/container.go
@@ -25,6 +25,7 @@ import (
"github.com/containerd/containerd/api/services/tasks/v1"
"github.com/containerd/containerd/api/types"
+ tasktypes "github.com/containerd/containerd/api/types/task"
"github.com/containerd/containerd/cio"
"github.com/containerd/containerd/containers"
"github.com/containerd/containerd/errdefs"
@@ -32,6 +33,7 @@ import (
"github.com/containerd/typeurl"
prototypes "github.com/gogo/protobuf/types"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// Container is a metadata object for container resources and task creation
@@ -284,9 +286,16 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) (Task, er
return nil, err
}
var i cio.IO
+
if ioAttach != nil {
- if i, err = attachExistingIO(response, ioAttach); err != nil {
- return nil, err
+ if response.Process.Status == tasktypes.StatusUnknown {
+ logrus.Warnf("container %v loadTask: task get returns process status unknown", c.id)
+ } else {
+ // Do not attach IO for task in unknown state, because there
+ // are no fifo paths anyway.
+ if i, err = attachExistingIO(response, ioAttach); err != nil {
+ return nil, err
+ }
}
}
t := &task{
--
1.8.3.1

49
patch/0068-containerd-compile-option-compliance.patch
View File

@ -1,49 +0,0 @@
From 0cda15b8d0241f9c15c0efe12d19877761f7b387 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Thu, 18 Mar 2021 10:29:02 +0800
Subject: [PATCH] containerd: compile option compliance
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
Makefile | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index f69559b..102db9f 100644
--- a/Makefile
+++ b/Makefile
@@ -82,7 +82,7 @@ BEP_DIR=/tmp/containerd-build-bep
BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
-SHIM_GO_LDFLAGS=-ldflags ' -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
+SHIM_GO_LDFLAGS=-ldflags '-extldflags=-static' -ldflags '-buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -linkmode=external -extldflags=-Wl,-z,relro,-z,now'
#Replaces ":" (*nix), ";" (windows) with newline for easy parsing
GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
@@ -171,11 +171,21 @@ FORCE:
bin/%: cmd/% FORCE
mkdir -p $(BEP_DIR)
@echo "$(WHALE) $@${BINARY_SUFFIX}"
+ CGO_ENABLED=1 \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim"
- go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+ CGO_ENABLED=1 \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim-runc-v1"
--
1.8.3.1

27
patch/0069-containerd-add-check-in-spec.patch
View File

@ -1,27 +0,0 @@
From 27be5a04fc8b28e14ff296f5b9356ace8feb39ce Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Thu, 18 Feb 2021 20:28:52 +0800
Subject: [PATCH] containerd: add check in spec
Change-Id: I8ddf63ec1c4da479e90838678136237b5822d463
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 96c2370..511b6f2 100644
--- a/Makefile
+++ b/Makefile
@@ -151,7 +151,7 @@ build: ## build the go packages
test: ## run tests, except integration tests and tests that require root
@echo "$(WHALE) $@"
- @go test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${PACKAGES})
+ @go test ${TESTFLAGS} ./gc
root-test: ## run tests, except integration tests
@echo "$(WHALE) $@"
--
1.8.3.1

105
patch/0070-containerd-kill-container-init-process-if-runc-start.patch
View File

@ -1,105 +0,0 @@
From 52d42e0b850cde3600028b00e19f5325a61ddad3 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Mon, 1 Feb 2021 19:36:53 +0800
Subject: [PATCH] containerd: kill container init process if runc start returns
error
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
runtime/v1/linux/proc/init.go | 4 +++
utils/utils.go | 61 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 utils/utils.go
diff --git a/runtime/v1/linux/proc/init.go b/runtime/v1/linux/proc/init.go
index de76682..669c108 100644
--- a/runtime/v1/linux/proc/init.go
+++ b/runtime/v1/linux/proc/init.go
@@ -35,6 +35,7 @@ import (
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/mount"
"github.com/containerd/containerd/runtime/proc"
+ "github.com/containerd/containerd/utils"
"github.com/containerd/fifo"
runc "github.com/containerd/go-runc"
google_protobuf "github.com/gogo/protobuf/types"
@@ -277,6 +278,9 @@ func (p *Init) Status(ctx context.Context) (string, error) {
func (p *Init) start(context context.Context) error {
err := p.runtime.Start(context, p.id)
+ if err != nil {
+ utils.KillInitProcess(p.id, p.pid)
+ }
return p.runtimeError(err, "OCI runtime start failed")
}
diff --git a/utils/utils.go b/utils/utils.go
new file mode 100644
index 0000000..c57c6ca
--- /dev/null
+++ b/utils/utils.go
@@ -0,0 +1,61 @@
+/*
+Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
+Use of this source code is governed by Apache-2.0
+license that can be found in the LICENSE file.
+Description: common functions
+Author: Danni Xia
+Create: 2021-01-30
+*/
+
+package utils
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "syscall"
+
+ "github.com/sirupsen/logrus"
+)
+
+type baseState struct {
+ InitProcessStartTime string `json:"init_process_start"`
+}
+
+func KillInitProcess(cid string, pid int) {
+ if IsInitProcess(cid, pid) {
+ syscall.Kill(pid, syscall.SIGKILL)
+ }
+}
+
+func IsInitProcess(cid string, pid int) bool {
+ stateBytes, err1 := ioutil.ReadFile(filepath.Join("/var/run/docker/runtime-runc/moby", cid, "state.json"))
+ statBytes, err2 := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
+ if err1 != nil || err2 != nil {
+ return true
+ }
+
+ s := strings.Split(string(statBytes), ")")
+ if len(s) < 1 {
+ return true
+ }
+
+ statFields := strings.Split(strings.TrimSpace(s[len(s)-1]), " ")
+ if len(statFields) < 20 {
+ return true
+ }
+
+ var baseState baseState
+ if err := json.Unmarshal(stateBytes, &baseState); err != nil {
+ return true
+ }
+
+ if baseState.InitProcessStartTime == statFields[19] {
+ return true
+ }
+
+ logrus.Warnf("process(pid:%d, start time:%s) is not container %s init process", pid, statFields[19], cid)
+ return false
+}
--
1.8.3.1

45
patch/0071-containerd-fix-containerd-shim-residual-when-kill-co.patch
View File

@ -1,45 +0,0 @@
From 5d72fe2c0d6774e94cad6feacec87db703104fe7 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Fri, 19 Feb 2021 16:37:48 +0800
Subject: [PATCH] containerd: fix containerd-shim residual when kill containerd
during starting container
after shim process started, containerd will write shim socket address
to address file, but if containerd is killed before write file, new
containerd process could not get shim socket address, and will not
kill it even if that shim could not work.
so we write address file ahead of starting shim process.
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
runtime/v1/shim/client/client.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index 9e63af4..bc9ac92 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -92,6 +92,10 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
go io.Copy(os.Stderr, stderrLog)
}
+ if err := writeFile(filepath.Join(config.Path, "address"), address); err != nil {
+ return nil, nil, err
+ }
+
cmd, err := newCommand(binary, daemonAddress, debug, config, f, stdoutLog, stderrLog)
if err != nil {
return nil, nil, err
@@ -122,9 +126,6 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
"debug": debug,
}).Infof("shim %s started", binary)
- if err := writeFile(filepath.Join(config.Path, "address"), address); err != nil {
- return nil, nil, err
- }
if err := writeFile(filepath.Join(config.Path, "shim.pid"), strconv.Itoa(cmd.Process.Pid)); err != nil {
return nil, nil, err
}
--
1.8.3.1

60
patch/0072-containerd-fix-deadlock-on-commit-error.patch
View File

@ -1,60 +0,0 @@
From 39183d7937d408afceb9456972ad3e42beb336c6 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Sat, 27 Feb 2021 11:19:22 +0800
Subject: [PATCH] containerd:fix deadlock on commit error
upstream:https://github.com/containerd/containerd/commit/5b9bd993a87008e06a34258f0672a78564adab13
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
content/local/writer.go | 5 +++--
diff/walking/differ.go | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/content/local/writer.go b/content/local/writer.go
index 223b145..3a94744 100644
--- a/content/local/writer.go
+++ b/content/local/writer.go
@@ -74,6 +74,9 @@ func (w *writer) Write(p []byte) (n int, err error) {
}
func (w *writer) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
+ // Ensure even on error the writer is fully closed
+ defer unlock(w.ref)
+
var base content.Info
for _, opt := range opts {
if err := opt(&base); err != nil {
@@ -81,8 +84,6 @@ func (w *writer) Commit(ctx context.Context, size int64, expected digest.Digest,
}
}
- // Ensure even on error the writer is fully closed
- defer unlock(w.ref)
fp := w.fp
w.fp = nil
diff --git a/diff/walking/differ.go b/diff/walking/differ.go
index a45a563..1c82860 100644
--- a/diff/walking/differ.go
+++ b/diff/walking/differ.go
@@ -106,14 +106,15 @@ func (s *walkingDiff) Compare(ctx context.Context, lower, upper []mount.Mount, o
}
}()
if !newReference {
- if err := cw.Truncate(0); err != nil {
+ if err = cw.Truncate(0); err != nil {
return err
}
}
if isCompressed {
dgstr := digest.SHA256.Digester()
- compressed, err := compression.CompressStream(cw, compression.Gzip)
+ var compressed io.WriteCloser
+ compressed, err = compression.CompressStream(cw, compression.Gzip)
if err != nil {
return errors.Wrap(err, "failed to get compressed stream")
}
--
1.8.3.1

1212
patch/0073-containerd-backport-upstream-patches.patch
View File

File diff suppressed because it is too large Load Diff

71
patch/0074-containerd-fix-exec-event-missing-due-to-pid-reuse.patch
View File

@ -1,71 +0,0 @@
From dded5a0253fbfd3c75c6d73a890049c832374545 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 20 Feb 2021 09:06:22 +0800
Subject: [PATCH] containerd: fix exec event missing due to pid reuse
When many exec request exit at nearly sametime, the Exit can match with
wrong process and return directly, the event for right process will lost
in this case.
time="2021-02-19T21:10:12.250841280+08:00" level=info msg=event Pid=11623 containerID=a32a1b7923db55ebdc7483e2b9cd986e5efc750b989ad3507eb866835e8e37f4 execID=0b412ecaed98f9ea71168599a9363b8aa3b047187eadaa74973bb6c63a66118d module=libcontainerd namespace=moby topic=/tasks/exec-started
time="2021-02-19T21:10:12+08:00" level=info msg="try publish event(1) /tasks/exit &TaskExit{ContainerID:a32a1b7923db55ebdc7483e2b9cd986e5efc750b989ad3507eb866835e8e37f4,ID:0b412ecaed98f9ea71168599a9363b8aa3b047187eadaa74973bb6c63a66118d,Pid:11623,ExitStatus:0,ExitedAt:2021-02-19 21:10:12.27697416 +0800 CST m=+1893.164673481,} <nil>"
time="2021-02-19T21:11:02.944643980+08:00" level=debug msg="starting exec command 64cd335311e9b3c1c11e7360a374e3218efeb02e6578d7bc0811bad3f1820e16 in container a32a1b7923db55ebdc7483e2b9cd986e5efc750b989ad3507eb866835e8e37f4"
time="2021-02-19T21:11:06.201162360+08:00" level=debug msg="event published" ns=moby topic="/tasks/exec-started" type=containerd.events.TaskExecStarted
time="2021-02-19T21:11:57.961615320+08:00" level=warning msg="Ignoring Exit Event, no such exec command found" container=a32a1b7923db55ebdc7483e2b9cd986e5efc750b989ad3507eb866835e8e37f4 exec-id=0b412ecaed98f9ea71168599a9363b8aa3b047187eadaa74973bb6c63a66118d exec-pid=11623
From logs above, execID=0b412ecae with Pid=11623 exit and event
published, but new exec execID=64cd335 command reuse the Pid, but Exit
event still match previous execID=0b412ecae. so exit event for
execID=64cd335 will lost.
Change-Id: If591a282a1cc0305758130a936ee8b92c88acc6c
Signed-off-by: jingrui <jingrui@huawei.com>
---
runtime/v1/linux/proc/exec.go | 4 ++++
runtime/v1/shim/service.go | 6 +++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/runtime/v1/linux/proc/exec.go b/runtime/v1/linux/proc/exec.go
index ea40cb5b8..a5f40bd63 100644
--- a/runtime/v1/linux/proc/exec.go
+++ b/runtime/v1/linux/proc/exec.go
@@ -86,6 +86,10 @@ func (e *execProcess) ExitedAt() time.Time {
}
func (e *execProcess) SetExited(status int) {
+ e.pid.Lock()
+ e.pid.pid = -1
+ e.pid.Unlock()
+
e.mu.Lock()
defer e.mu.Unlock()
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 7e07ab011..7d7327cd8 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -548,8 +548,13 @@ func (s *Service) checkProcesses(e runc.Exit) {
log.G(s.context).WithError(err).Error("failed to check shouldKillAll")
}
+ match := 0
for _, p := range s.processes {
if p.Pid() == e.Pid {
+ match++
+ if match > 1 {
+ logrus.Warnf("exit for pid=%d match %d processes", e.Pid, match)
+ }
if ip, ok := p.(*proc.Init); ok {
ns := filepath.Base(filepath.Dir(ip.Bundle))
events.ExitAddFile(ns, events.ExitFile(s.id, uint32(e.Pid), uint32(e.Status)), "init exited")
@@ -591,7 +596,6 @@ func (s *Service) checkProcesses(e runc.Exit) {
ExitStatus: uint32(e.Status),
ExitedAt: p.ExitedAt(),
}
- return
}
}
}
--
2.17.1

36
patch/0075-containerd-fix-dm-left-when-pause-contaienr-and-kill-shim.patch
View File

@ -1,36 +0,0 @@
From c10041fa37568bca00a25c055ee844d38e91fa95 Mon Sep 17 00:00:00 2001
From: chenjiankun <chenjiankun1@huawei.com>
Date: Mon, 19 Apr 2021 17:08:09 +0800
Subject: [PATCH] docker: fix dm left when pause contaienr and kill shim
when shim process be killed, we will delete the runtime, but if the
status is paused, it can't be delete. So we need to resume the shim
process before delete it.
---
runtime/v1/linux/runtime.go | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index 66f959d..ca36748 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -541,6 +541,16 @@ func (r *Runtime) terminate(ctx context.Context, bundle *bundle, ns, id string)
}
if !legacy.IsLegacy(id) || legacy.IsSamePid(id) {
+
+ state, err := rt.State(ctx, id)
+ if err == nil && state.Status == "paused" {
+ logrus.Warnf("container %s status is paused, try to resume before delete", id)
+ err := rt.Resume(ctx, id)
+ if err != nil {
+ log.G(ctx).WithError(err).Errorf("runtime resume %s error", id)
+ }
+ }
+
if err := rt.Delete(ctx, id, &runc.DeleteOpts{
Force: true,
}); err != nil {
--
2.23.0

34
patch/0076-containerd-fix-start-container-failed-with-id-exists.patch
View File

@ -1,34 +0,0 @@
From 6936dda1f72b328cacfc29b52da780a29ef45385 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Thu, 8 Jul 2021 14:37:56 +0800
Subject: [PATCH] containerd: fix start container failed with id exists
reason: If container root path already exists when call runtime.Create,
we try to call runtime.Delete to cleanup it. But in case runtime.Delete
failed, root path will still exists which causes Create failed with error
"container with id exists". So remove path directly if Delete failed.
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
vendor/github.com/containerd/go-runc/runc.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
index 1c96317..c089381 100644
--- a/vendor/github.com/containerd/go-runc/runc.go
+++ b/vendor/github.com/containerd/go-runc/runc.go
@@ -159,7 +159,10 @@ func (o *CreateOpts) args() (out []string, err error) {
func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOpts) error {
if _, err := os.Stat(filepath.Join(r.Root, id)); err == nil {
logrus.Warnf("cleanup residue runtime with bundle %s root=%s", bundle, r.Root)
- r.Delete(context, id, &DeleteOpts{Force: true})
+ if dErr := r.Delete(context, id, &DeleteOpts{Force: true}); dErr != nil {
+ logrus.Errorf("runtime force delete return err: %v, remove container root err: %v",
+ dErr, os.RemoveAll(filepath.Join(r.Root, id)))
+ }
}
args := []string{"create", "--bundle", bundle}
--
2.27.0

25
patch/0077-containerd-drop-opt-package.patch
View File

@ -1,25 +0,0 @@
From 81d14714bb90455964eac557f9b2172d7bc3e522 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Thu, 5 Aug 2021 15:24:21 +0800
Subject: [PATCH] [Huawei]containerd: drop opt package
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
cmd/containerd/builtins.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/cmd/containerd/builtins.go b/cmd/containerd/builtins.go
index b120b60..17fa9f6 100644
--- a/cmd/containerd/builtins.go
+++ b/cmd/containerd/builtins.go
@@ -30,7 +30,6 @@ import (
_ "github.com/containerd/containerd/services/introspection"
_ "github.com/containerd/containerd/services/leases"
_ "github.com/containerd/containerd/services/namespaces"
- _ "github.com/containerd/containerd/services/opt"
_ "github.com/containerd/containerd/services/snapshots"
_ "github.com/containerd/containerd/services/tasks"
_ "github.com/containerd/containerd/services/version"
--
2.27.0

149
patch/0078-containerd-bump-containerd-ttrpc-699c4e40d1.patch
View File

@ -1,149 +0,0 @@
From 1c8a3bb488eb68523a3ae112854fcdd7326686cb Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Wed, 1 Sep 2021 07:23:17 +0800
Subject: [PATCH] [backport]containerd:bump containerd/ttrpc
699c4e40d1e7416e08bf7019c7ce2e9beced4636
full diff: https://github.com/containerd/ttrpc/compare/f02858b1457c5ca3aaec3a0803eb0d59f96e41d6...699c4e40d1e7416e08bf7019c7ce2e9beced4636
- containerd/ttrpc#33 Fix returns error message
- containerd/ttrpc#35 Make onclose an option
Conflict:vendor.conf
Reference:https://github.com/containerd/containerd/commit/8c5779c32b70a0c55e1c94eb45b305897f7cf3f1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
runtime/v1/shim/client/client.go | 3 +--
runtime/v2/binary.go | 3 +--
runtime/v2/shim.go | 3 +--
vendor.conf | 2 +-
vendor/github.com/containerd/ttrpc/client.go | 21 ++++++++++++-------
.../github.com/containerd/ttrpc/services.go | 2 +-
6 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index 48d62e537..6861df081 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -299,8 +299,7 @@ func WithConnect(address string, onClose func()) Opt {
if err != nil {
return nil, nil, err
}
- client := ttrpc.NewClient(conn)
- client.OnClose(onClose)
+ client := ttrpc.NewClient(conn, ttrpc.WithOnClose(onClose))
return shimapi.NewShimClient(client), conn, nil
}
}
diff --git a/runtime/v2/binary.go b/runtime/v2/binary.go
index 41de0d3e0..223b85300 100644
--- a/runtime/v2/binary.go
+++ b/runtime/v2/binary.go
@@ -97,8 +97,7 @@ func (b *binary) Start(ctx context.Context) (_ *shim, err error) {
if err != nil {
return nil, err
}
- client := ttrpc.NewClient(conn)
- client.OnClose(func() { conn.Close() })
+ client := ttrpc.NewClient(conn, ttrpc.WithOnClose(func() { _ = conn.Close() }))
return &shim{
bundle: b.bundle,
client: client,
diff --git a/runtime/v2/shim.go b/runtime/v2/shim.go
index 982d1bb34..8e746712b 100644
--- a/runtime/v2/shim.go
+++ b/runtime/v2/shim.go
@@ -75,8 +75,7 @@ func loadShim(ctx context.Context, bundle *Bundle, events *exchange.Exchange, rt
}
}()
- client := ttrpc.NewClient(conn)
- client.OnClose(func() { conn.Close() })
+ client := ttrpc.NewClient(conn, ttrpc.WithOnClose(func() { _ = conn.Close() }))
s := &shim{
client: client,
task: task.NewTaskClient(client),
diff --git a/vendor.conf b/vendor.conf
index dbc3eecd9..0f76be3b0 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -36,7 +36,7 @@ github.com/Microsoft/go-winio v0.4.11
github.com/Microsoft/hcsshim v0.7.12
google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
-github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a
+github.com/containerd/ttrpc 699c4e40d1e7416e08bf7019c7ce2e9beced4636
github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
gotest.tools v2.1.0
github.com/google/go-cmp v0.1.0
diff --git a/vendor/github.com/containerd/ttrpc/client.go b/vendor/github.com/containerd/ttrpc/client.go
index e40592dd7..bc2bbde1b 100644
--- a/vendor/github.com/containerd/ttrpc/client.go
+++ b/vendor/github.com/containerd/ttrpc/client.go
@@ -48,7 +48,15 @@ type Client struct {
err error
}
-func NewClient(conn net.Conn) *Client {
+type ClientOpts func(c *Client)
+
+func WithOnClose(onClose func()) ClientOpts {
+ return func(c *Client) {
+ c.closeFunc = onClose
+ }
+}
+
+func NewClient(conn net.Conn, opts ...ClientOpts) *Client {
c := &Client{
codec: codec{},
conn: conn,
@@ -59,6 +67,10 @@ func NewClient(conn net.Conn) *Client {
closeFunc: func() {},
}
+ for _, o := range opts {
+ o(c)
+ }
+
go c.run()
return c
}
@@ -135,11 +147,6 @@ func (c *Client) Close() error {
return nil
}
-// OnClose allows a close func to be called when the server is closed
-func (c *Client) OnClose(closer func()) {
- c.closeFunc = closer
-}
-
type message struct {
messageHeader
p []byte
@@ -249,7 +256,7 @@ func (c *Client) recv(resp *Response, msg *message) error {
}
if msg.Type != messageTypeResponse {
- return errors.New("unkown message type received")
+ return errors.New("unknown message type received")
}
defer c.channel.putmbuf(msg.p)
diff --git a/vendor/github.com/containerd/ttrpc/services.go b/vendor/github.com/containerd/ttrpc/services.go
index e90963825..fe1cade5a 100644
--- a/vendor/github.com/containerd/ttrpc/services.go
+++ b/vendor/github.com/containerd/ttrpc/services.go
@@ -76,7 +76,7 @@ func (s *serviceSet) dispatch(ctx context.Context, serviceName, methodName strin
switch v := obj.(type) {
case proto.Message:
if err := proto.Unmarshal(p, v); err != nil {
- return status.Errorf(codes.Internal, "ttrpc: error unmarshaling payload: %v", err.Error())
+ return status.Errorf(codes.Internal, "ttrpc: error unmarshalling payload: %v", err.Error())
}
default:
return status.Errorf(codes.Internal, "ttrpc: error unsupported request type: %T", v)
--
2.27.0

47
patch/0079-containerd-fix-race-access-for-mobySubcribed.patch
View File

@ -1,47 +0,0 @@
From fe8f7f5acac4f0fcf75218e26c1f3f874a77bf44 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Wed, 1 Sep 2021 07:29:43 +0800
Subject: [PATCH] [Huawei]containerd:fix race access for mobySubcribed
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
events/exchange/exchange.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/events/exchange/exchange.go b/events/exchange/exchange.go
index 540f18054..ad642563a 100644
--- a/events/exchange/exchange.go
+++ b/events/exchange/exchange.go
@@ -19,6 +19,7 @@ package exchange
import (
"context"
"strings"
+ "sync/atomic"
"time"
"github.com/containerd/containerd/errdefs"
@@ -49,10 +50,10 @@ func NewExchange() *Exchange {
var _ events.Publisher = &Exchange{}
var _ events.Forwarder = &Exchange{}
var _ events.Subscriber = &Exchange{}
-var mobySubcribed = false
+var mobySubcribed = int32(0)
func MobySubscribed() bool {
- return mobySubcribed
+ return atomic.LoadInt32(&mobySubcribed) == 1
}
// Forward accepts an envelope to be direcly distributed on the exchange.
@@ -170,7 +171,7 @@ func (e *Exchange) Subscribe(ctx context.Context, fs ...string) (ch <-chan *even
for _, s := range fs {
if !MobySubscribed() && s == "namespace==moby,topic~=|^/tasks/|" {
queue.Namespace = "moby"
- mobySubcribed = true
+ atomic.StoreInt32(&mobySubcribed, 1)
}
}
--
2.27.0

137
patch/0080-containerd-improve-log-for-debugging.patch
View File

@ -1,137 +0,0 @@
From 003a26f92ccfd6f296910874ed9ad55d652413cc Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Fri, 29 Oct 2021 16:37:28 +0800
Subject: [PATCH] containerd: improve log for debugging
add following logs for debugging
1. return event publish errors
2. redirect is used to make sure that containerd still can read the log
of shim after restart
Conflict:NA
Reference:
https://github.com/containerd/containerd/pull/3179/commits/74eb0dc81221bffc192a349cf8b14fe7947b7a73
https://github.com/containerd/containerd/pull/5293/commits/45df696bf3fe3eda15bbf0f2c00ddc2cfeddcdcc
https://github.com/containerd/containerd/commit/fbb80b9510db14a95b8ffa6c7842666ecf520489
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
cmd/containerd-shim/main_unix.go | 23 ++++++++++++++++++++---
runtime/v1/linux/runtime.go | 1 +
runtime/v1/shim/client/client.go | 22 ++++++++++------------
3 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index 3a5bb6170..a07932cef 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -61,6 +61,12 @@ var (
criuFlag string
systemdCgroupFlag bool
containerdBinaryFlag string
+
+ bufPool = sync.Pool{
+ New: func() interface{} {
+ return bytes.NewBuffer(nil)
+ },
+ }
)
func init() {
@@ -101,6 +107,10 @@ func main() {
stderr.Close()
}()
+ // redirect the following output into fifo to make sure that containerd
+ // still can read the log after restart
+ logrus.SetOutput(stdout)
+
if err := executeShim(); err != nil {
fmt.Fprintf(os.Stderr, "containerd-shim: %s\n", err)
os.Exit(1)
@@ -110,7 +120,7 @@ func main() {
// If containerd server process dies, we need the shim to keep stdout/err reader
// FDs so that Linux does not SIGPIPE the shim process if it tries to use its end of
// these pipes.
-func openStdioKeepAlivePipes(dir string) (io.ReadCloser, io.ReadCloser, error) {
+func openStdioKeepAlivePipes(dir string) (io.ReadWriteCloser, io.ReadWriteCloser, error) {
background := context.Background()
keepStdoutAlive, err := shimlog.OpenShimStdoutLog(background, dir)
if err != nil {
@@ -287,16 +297,23 @@ func (l *remoteEventsPublisher) doPublish(ctx context.Context, topic string, eve
}
cmd := exec.CommandContext(ctx, containerdBinaryFlag, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
cmd.Stdin = bytes.NewReader(data)
+ b := bufPool.Get().(*bytes.Buffer)
+ defer func() {
+ b.Reset()
+ bufPool.Put(b)
+ }()
+ cmd.Stdout = b
+ cmd.Stderr = b
c, err := shim.Default.Start(cmd)
if err != nil {
return err
}
status, err := shim.Default.Wait(cmd, c)
if err != nil {
- return err
+ return errors.Wrapf(err, "failed to publish event: %s", b.String())
}
if status != 0 {
- return errors.New("failed to publish event")
+ return errors.Errorf("failed to publish event: %s", b.String())
}
return nil
}
diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
index ca3674808..eb3927305 100644
--- a/runtime/v1/linux/runtime.go
+++ b/runtime/v1/linux/runtime.go
@@ -379,6 +379,7 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
log.G(ctx).Infof("load-task %s/%s/%s Pid=%d", r.state, ns, id, pid)
shimExit := make(chan struct{})
s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
+ log.G(ctx).WithField("id", id).Info("shim reaped")
close(shimExit)
if _, err := r.tasks.Get(ctx, id); err != nil {
// Task was never started or was already successfully deleted
diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
index eafb0d712..6861df081 100644
--- a/runtime/v1/shim/client/client.go
+++ b/runtime/v1/shim/client/client.go
@@ -77,21 +77,19 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
var stdoutLog io.ReadWriteCloser
var stderrLog io.ReadWriteCloser
- if debug {
- stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir)
- if err != nil {
- return nil, nil, errors.Wrapf(err, "failed to create stdout log")
- }
-
- stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir)
- if err != nil {
- return nil, nil, errors.Wrapf(err, "failed to create stderr log")
- }
+ stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to create stdout log")
+ }
- go io.Copy(os.Stdout, stdoutLog)
- go io.Copy(os.Stderr, stderrLog)
+ stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to create stderr log")
}
+ go io.Copy(os.Stdout, stdoutLog)
+ go io.Copy(os.Stderr, stderrLog)
+
if err := writeFile(filepath.Join(config.Path, "address"), address); err != nil {
return nil, nil, err
}
--
2.27.0

138
patch/0081-containerd-reduce-permissions-for-bundle-di.patch
View File

@ -1,138 +0,0 @@
From fe70d9e0048502addcbeea5399f2da554a14bd78 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Tue, 9 Nov 2021 16:25:09 +0800
Subject: [PATCH] [Backport]containerd:reduce permissions for bundle dir to fix
CVE-2021-41103
reduce permissions for bundle dir
reduce permissions on plugin directories
fix CVE-2021-41103
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/6886c6a2ec0c70dde1aa64e77b64a5ad47b983c3
https://github.com/containerd/containerd/commit/7c621e1fcc08bcf5a1a48b837342cc22eada1685
---
runtime/v1/linux/bundle.go | 56 +++++++++++++++++++++++++++++++++++++-
snapshots/btrfs/btrfs.go | 8 ++++--
2 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/runtime/v1/linux/bundle.go b/runtime/v1/linux/bundle.go
index 0442246f9..90a10862e 100644
--- a/runtime/v1/linux/bundle.go
+++ b/runtime/v1/linux/bundle.go
@@ -20,6 +20,7 @@ package linux
import (
"context"
+ "encoding/json"
"fmt"
"io/ioutil"
"os"
@@ -30,6 +31,7 @@ import (
"github.com/containerd/containerd/runtime/linux/runctypes"
"github.com/containerd/containerd/runtime/v1/shim"
"github.com/containerd/containerd/runtime/v1/shim/client"
+ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -63,7 +65,7 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
time.Sleep(waitTime)
}
- if err := os.Mkdir(path, 0711); err != nil {
+ if err := os.Mkdir(path, 0700); err != nil {
return nil, err
}
defer func() {
@@ -71,6 +73,9 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
os.RemoveAll(path)
}
}()
+ if err := prepareBundleDirectoryPermissions(path, spec); err != nil {
+ return nil, err
+ }
if err := os.MkdirAll(workDir, 0711); err != nil {
return nil, err
}
@@ -90,6 +95,55 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
}, err
}
+// prepareBundleDirectoryPermissions prepares the permissions of the bundle
+// directory. When user namespaces are enabled, the permissions are modified
+// to allow the remapped root GID to access the bundle.
+func prepareBundleDirectoryPermissions(path string, spec []byte) error {
+ gid, err := remappedGID(spec)
+ if err != nil {
+ return err
+ }
+ if gid == 0 {
+ return nil
+ }
+ if err := os.Chown(path, -1, int(gid)); err != nil {
+ return err
+ }
+ return os.Chmod(path, 0710)
+}
+
+// ociSpecUserNS is a subset of specs.Spec used to reduce garbage during
+// unmarshal.
+type ociSpecUserNS struct {
+ Linux *linuxSpecUserNS
+}
+
+// linuxSpecUserNS is a subset of specs.Linux used to reduce garbage during
+// unmarshal.
+type linuxSpecUserNS struct {
+ GIDMappings []specs.LinuxIDMapping
+}
+
+// remappedGID reads the remapped GID 0 from the OCI spec, if it exists. If
+// there is no remapping, remappedGID returns 0. If the spec cannot be parsed,
+// remappedGID returns an error.
+func remappedGID(spec []byte) (uint32, error) {
+ var ociSpec ociSpecUserNS
+ err := json.Unmarshal(spec, &ociSpec)
+ if err != nil {
+ return 0, err
+ }
+ if ociSpec.Linux == nil || len(ociSpec.Linux.GIDMappings) == 0 {
+ return 0, nil
+ }
+ for _, mapping := range ociSpec.Linux.GIDMappings {
+ if mapping.ContainerID == 0 {
+ return mapping.HostID, nil
+ }
+ }
+ return 0, nil
+}
+
type bundle struct {
id string
path string
diff --git a/snapshots/btrfs/btrfs.go b/snapshots/btrfs/btrfs.go
index a89b55129..da6f8220e 100644
--- a/snapshots/btrfs/btrfs.go
+++ b/snapshots/btrfs/btrfs.go
@@ -63,11 +63,15 @@ type snapshotter struct {
// root needs to be a mount point of btrfs.
func NewSnapshotter(root string) (snapshots.Snapshotter, error) {
// If directory does not exist, create it
- if _, err := os.Stat(root); err != nil {
+ if st, err := os.Stat(root); err != nil {
if !os.IsNotExist(err) {
return nil, err
}
- if err := os.Mkdir(root, 0755); err != nil {
+ if err := os.Mkdir(root, 0700); err != nil {
+ return nil, err
+ }
+ } else if st.Mode()&os.ModePerm != 0700 {
+ if err := os.Chmod(root, 0700); err != nil {
return nil, err
}
}
--
2.27.0

25
patch/0082-containerd-fix-publish-command-wait-block-for.patch
View File

@ -1,25 +0,0 @@
From 31cd7bb5147c42384ffd28e9a64f0c5d5c4f7500 Mon Sep 17 00:00:00 2001
From: chenjiankun <chenjiankun1@huawei.com>
Date: Wed, 10 Nov 2021 16:10:37 +0800
Subject: [PATCH] containerd: fix publish command wait block forever
---
cmd/containerd-shim/main_unix.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
index a07932c..37b621e 100644
--- a/cmd/containerd-shim/main_unix.go
+++ b/cmd/containerd-shim/main_unix.go
@@ -308,7 +308,7 @@ func (l *remoteEventsPublisher) doPublish(ctx context.Context, topic string, eve
if err != nil {
return err
}
- status, err := shim.Default.Wait(cmd, c)
+ status, err := shim.Default.WaitTimeout(cmd, c, 30)
if err != nil {
return errors.Wrapf(err, "failed to publish event: %s", b.String())
}
--
2.27.0

34
patch/0083-containerd-optimize-cgo-compile-options.patch
View File

@ -1,34 +0,0 @@
From 4ae41b01ba2dfd05e8eae0adac6dc3d54c461117 Mon Sep 17 00:00:00 2001
From: songyanting <songyanting@huawei.com>
Date: Mon, 24 Jan 2022 11:08:44 +0800
Subject: [PATCH] [Huawei]containerd:optimize cgo compile options
offering:EulerOS Server
Type:bugfix
CVE:
DTS/AR:
reason:optimize cgo compile options
Signed-off-by: songyanting songyanting@huawei.com
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index a7d0888..49a90e6 100644
--- a/Makefile
+++ b/Makefile
@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
mkdir -p $(BEP_DIR)
@echo "$(WHALE) $@${BINARY_SUFFIX}"
CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CFLAGS="-fstack-protector-strong" \
+ CGO_CPPFLAGS="-fstack-protector-strong" \
CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
--
2.23.0

40
patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
View File

@ -1,40 +0,0 @@
From 53c45a7abaea09e60e0175f192742c74d1be60e2 Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Thu, 31 Mar 2022 21:30:15 +0800
Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes
fix CVE-2022-23648
upstream:https://github.com/containerd/containerd/commit/3406af86394c2426ce7f55d5f52be2b79f456211
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
.../containerd/cri/pkg/containerd/opts/container.go | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
index 7647c373c..2ea49b594 100644
--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
@@ -20,7 +20,6 @@ import (
"context"
"io/ioutil"
"os"
- "path/filepath"
"github.com/containerd/containerd"
"github.com/containerd/containerd/containers"
@@ -88,7 +87,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
}()
for host, volume := range volumeMounts {
- src := filepath.Join(root, volume)
+ src, err := fs.RootPath(root, volume)
+ if err != nil {
+ return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
+ }
if _, err := os.Stat(src); err != nil {
if os.IsNotExist(err) {
// Skip copying directory if it does not exist.
--
2.27.0

37
patch/0085-containerd-put-get-pid-lock-after-set-process-exited-to-.patch
View File

@ -1,37 +0,0 @@
From a6c7265aa68fca3a5023ad2b399799db583fffeb Mon Sep 17 00:00:00 2001
From: zhangsong234 <zhangsong34@huawei.com>
Date: Tue, 14 Jun 2022 10:25:47 +0800
Subject: [PATCH] containerd: put get pid lock after set process exited to avoid
deadlock.
Signed-off-by: zhangsong234 <zhangsong34@huawei.com>
---
runtime/v1/linux/proc/exec.go | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/runtime/v1/linux/proc/exec.go b/runtime/v1/linux/proc/exec.go
index a5f40bd..ff967b5 100644
--- a/runtime/v1/linux/proc/exec.go
+++ b/runtime/v1/linux/proc/exec.go
@@ -86,14 +86,14 @@ func (e *execProcess) ExitedAt() time.Time {
}
func (e *execProcess) SetExited(status int) {
- e.pid.Lock()
- e.pid.pid = -1
- e.pid.Unlock()
-
e.mu.Lock()
defer e.mu.Unlock()
e.execState.SetExited(status)
+
+ e.pid.Lock()
+ e.pid.pid = -1
+ e.pid.Unlock()
}
func (e *execProcess) setExited(status int) {
--
2.27.0

133
patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
View File

@ -1,133 +0,0 @@
From cf3bde2b5a78d7ba8773eadcc3b28dfb0001aee0 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 4 Jul 2022 14:34:23 +0800
Subject: [PATCH] containerd: Limit the response size of ExecSync
fix CVE-2022-31030
upstream:https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382
---
.../cri/pkg/server/container_execsync.go | 45 ++++++++++++++++-
.../cri/pkg/server/container_execsync_test.go | 49 +++++++++++++++++++
2 files changed, 92 insertions(+), 2 deletions(-)
create mode 100644 vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
index fd54120..1ef93e5 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
@@ -37,14 +37,55 @@ import (
"github.com/containerd/cri/pkg/util"
)
+type cappedWriter struct {
+ w io.WriteCloser
+ remain int
+}
+
+func (cw *cappedWriter) Write(p []byte) (int, error) {
+ if cw.remain <= 0 {
+ return len(p), nil
+ }
+
+ end := cw.remain
+ if end > len(p) {
+ end = len(p)
+ }
+ written, err := cw.w.Write(p[0:end])
+ cw.remain -= written
+
+ if err != nil {
+ return written, err
+ }
+ return len(p), nil
+}
+
+func (cw *cappedWriter) Close() error {
+ return cw.w.Close()
+}
+
+func (cw *cappedWriter) isFull() bool {
+ return cw.remain <= 0
+}
+
// ExecSync executes a command in the container, and returns the stdout output.
// If command exits with a non-zero exit code, an error is returned.
func (c *criService) ExecSync(ctx context.Context, r *runtime.ExecSyncRequest) (*runtime.ExecSyncResponse, error) {
+ const maxStreamSize = 1024 * 1024 * 16
+
var stdout, stderr bytes.Buffer
+
+ // cappedWriter truncates the output. In that case, the size of
+ // the ExecSyncResponse will hit the CRI plugin's gRPC response limit.
+ // Thus the callers outside of the containerd process (e.g. Kubelet) never see
+ // the truncated output.
+ cout := &cappedWriter{w: cioutil.NewNopWriteCloser(&stdout), remain: maxStreamSize}
+ cerr := &cappedWriter{w: cioutil.NewNopWriteCloser(&stderr), remain: maxStreamSize}
+
exitCode, err := c.execInContainer(ctx, r.GetContainerId(), execOptions{
cmd: r.GetCmd(),
- stdout: cioutil.NewNopWriteCloser(&stdout),
- stderr: cioutil.NewNopWriteCloser(&stderr),
+ stdout: cout,
+ stderr: cerr,
timeout: time.Duration(r.GetTimeout()) * time.Second,
})
if err != nil {
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
new file mode 100644
index 0000000..c8641d0
--- /dev/null
+++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
@@ -0,0 +1,49 @@
+/*
+ Copyright The containerd Authors.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package server
+
+import (
+ "bytes"
+ "testing"
+
+ cioutil "github.com/containerd/containerd/pkg/ioutil"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestCWWrite(t *testing.T) {
+ var buf bytes.Buffer
+ cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 10}
+
+ n, err := cw.Write([]byte("hello"))
+ assert.NoError(t, err)
+ assert.Equal(t, 5, n)
+
+ n, err = cw.Write([]byte("helloworld"))
+ assert.NoError(t, err, "no errors even it hits the cap")
+ assert.Equal(t, 10, n, "no indication of partial write")
+ assert.True(t, cw.isFull())
+ assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
+
+ _, err = cw.Write([]byte("world"))
+ assert.NoError(t, err)
+ assert.True(t, cw.isFull())
+ assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
+}
+
+func TestCWClose(t *testing.T) {
+ var buf bytes.Buffer
+ cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 5}
+ err := cw.Close()
+ assert.NoError(t, err)
+}
--
2.30.0

65
patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
View File

@ -1,65 +0,0 @@
From eb6ab2e84ab184321bd649b4def182f93e62b6df Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Mon, 24 Jan 2022 19:03:30 +0800
Subject: [PATCH] [Backport]treat manifest provided URLs differently
fix CVE-2020-15157
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
https://github.com/containerd/containerd/commit/abbb17959f55bbb9b7eb37f965d7dad2f4ea8744
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
remotes/docker/fetcher.go | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go
index 4a2ce3c39..00e7a47c6 100644
--- a/remotes/docker/fetcher.go
+++ b/remotes/docker/fetcher.go
@@ -56,6 +56,26 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
}
return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
+ if len(desc.URLs) > 0 {
+ db := *r.dockerBase
+ // Remove authorizer to avoid authentication when
+ // connecting to manifest provided URLs.
+ // Prevents https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
+ db.auth = nil
+ nr := dockerFetcher{
+ dockerBase: &db,
+ }
+ for _, u := range desc.URLs {
+ log.G(ctx).WithField("url", u).Debug("trying alternative url")
+ rc, err := nr.open(ctx, u, desc.MediaType, offset)
+ if err != nil {
+ log.G(ctx).WithField("error", err).Debug("error trying url")
+ continue // try one of the other urls.
+ }
+
+ return rc, nil
+ }
+ }
for _, u := range urls {
rc, err := r.open(ctx, u, desc.MediaType, offset)
if err != nil {
@@ -142,14 +162,6 @@ func (r dockerFetcher) open(ctx context.Context, u, mediatype string, offset int
func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) {
var urls []string
- if len(desc.URLs) > 0 {
- // handle fetch via external urls.
- for _, u := range desc.URLs {
- log.G(ctx).WithField("url", u).Debug("adding alternative url")
- urls = append(urls, u)
- }
- }
-
switch desc.MediaType {
case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
images.MediaTypeDockerSchema1Manifest,
--
2.27.0

30
patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
View File

@ -1,30 +0,0 @@
From 90a3fd55136fb18641c8221792b013ee1dbc17f5 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Mon, 24 Jan 2022 19:15:14 +0800
Subject: [PATCH] [Backport]Use chmod path for checking symlink
fix CVE-2021-32760
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/03aa748c11663e87a72fab92b7ab7c88c28bf13e
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
archive/tar_unix.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/archive/tar_unix.go b/archive/tar_unix.go
index 022dd6d4f..7f3857c7d 100644
--- a/archive/tar_unix.go
+++ b/archive/tar_unix.go
@@ -127,7 +127,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
if hdr.Typeflag == tar.TypeLink {
- if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
if err := os.Chmod(path, hdrInfo.Mode()); err != nil {
return err
}
--
2.27.0

31
patch/0089-containerd-Add-lock-for-ListPids.patch
View File

@ -1,31 +0,0 @@
From 9a92dd95046003cd661f8cd76429b2e424907a2a Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Mon, 21 Mar 2022 06:57:02 +0800
Subject: [PATCH] [Backport]containerd: Add lock for ListPids
Add the missing locks in ListPids
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/fcf3b275fcd404ddf5fe75d5629d2168742ec0d3
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
runtime/v1/shim/service.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
index 7d7327cd8..435f02e3c 100644
--- a/runtime/v1/shim/service.go
+++ b/runtime/v1/shim/service.go
@@ -434,6 +434,9 @@ func (s *Service) ListPids(ctx context.Context, r *shimapi.ListPidsRequest) (*sh
return nil, errdefs.ToGRPC(err)
}
var processes []*task.ProcessInfo
+
+ s.mu.Lock()
+ defer s.mu.Unlock()
for _, pid := range pids {
pInfo := task.ProcessInfo{
Pid: pid,
--
2.27.0

117
patch/0090-images-validate-document-type-before-unmarshal.patch
View File

@ -1,117 +0,0 @@
From e3e70b398ff362182797e2d73372f8f654ba9383 Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Thu, 9 Jun 2022 10:45:47 +0800
Subject: [PATCH 1/2] images: validate document type before unmarshal
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/eb9ba7ed8d46d48fb22362f9d91fff6fb837e37e
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
images/image.go | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/images/image.go b/images/image.go
index f72684d82..ad12fe971 100644
--- a/images/image.go
+++ b/images/image.go
@@ -19,6 +19,7 @@ package images
import (
"context"
"encoding/json"
+ "fmt"
"sort"
"strings"
"time"
@@ -154,6 +155,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
+ }
+
var manifest ocispec.Manifest
if err := json.Unmarshal(p, &manifest); err != nil {
return nil, err
@@ -194,6 +199,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
+ }
+
var idx ocispec.Index
if err := json.Unmarshal(p, &idx); err != nil {
return nil, err
@@ -335,6 +344,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
+ }
+
// TODO(stevvooe): We just assume oci manifest, for now. There may be
// subtle differences from the docker version.
var manifest ocispec.Manifest
@@ -350,6 +363,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
+ }
+
var index ocispec.Index
if err := json.Unmarshal(p, &index); err != nil {
return nil, err
@@ -371,6 +388,44 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return descs, nil
}
+// unknownDocument represents a manifest, manifest list, or index that has not
+// yet been validated.
+type unknownDocument struct {
+ MediaType string `json:"mediaType,omitempty"`
+ Config json.RawMessage `json:"config,omitempty"`
+ Layers json.RawMessage `json:"layers,omitempty"`
+ Manifests json.RawMessage `json:"manifests,omitempty"`
+ FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
+}
+
+// validateMediaType returns an error if the byte slice is invalid JSON or if
+// the media type identifies the blob as one format but it contains elements of
+// another format.
+func validateMediaType(b []byte, mt string) error {
+ var doc unknownDocument
+ if err := json.Unmarshal(b, &doc); err != nil {
+ return err
+ }
+ if len(doc.FSLayers) != 0 {
+ return fmt.Errorf("media-type: schema 1 not supported")
+ }
+ switch mt {
+ case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+ if len(doc.Manifests) != 0 ||
+ doc.MediaType == MediaTypeDockerSchema2ManifestList ||
+ doc.MediaType == ocispec.MediaTypeImageIndex {
+ return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
+ }
+ case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+ if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
+ doc.MediaType == MediaTypeDockerSchema2Manifest ||
+ doc.MediaType == ocispec.MediaTypeImageManifest {
+ return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
+ }
+ }
+ return nil
+}
+
// RootFS returns the unpacked diffids that make up and images rootfs.
//
// These are used to verify that a set of layers unpacked to the expected
--
2.27.0

43
patch/0091-schema1-reject-ambiguous-documents.patch
View File

@ -1,43 +0,0 @@
From 7a294fa5d943401ed3cb9149f69f1d12f372c374 Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Thu, 9 Jun 2022 10:48:09 +0800
Subject: [PATCH 2/2] schema1: reject ambiguous documents
Conflict:NA
Reference:https://github.com/containerd/containerd/commit/70c88f507579277ab7af23b06666e3b57d4b4f2d
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
remotes/docker/schema1/converter.go | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go
index 766c24a26..c618a33d5 100644
--- a/remotes/docker/schema1/converter.go
+++ b/remotes/docker/schema1/converter.go
@@ -250,6 +250,9 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
if err := json.Unmarshal(b, &m); err != nil {
return err
}
+ if len(m.Manifests) != 0 || len(m.Layers) != 0 {
+ return errors.New("converter: expected schema1 document but found extra keys")
+ }
c.pulledManifest = &m
return nil
@@ -466,8 +469,10 @@ type history struct {
}
type manifest struct {
- FSLayers []fsLayer `json:"fsLayers"`
- History []history `json:"history"`
+ FSLayers []fsLayer `json:"fsLayers"`
+ History []history `json:"history"`
+ Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest
+ Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
}
type v1History struct {
--
2.27.0

38
patch/0092-containerd-add-CGO-sercurity-build-options.patch
View File

@ -1,38 +0,0 @@
From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
From: zjw <zhongjiawei1@huawei.com>
Date: Mon, 20 Jun 2022 20:08:24 +0800
Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 49a90e6..2bc5dd5 100644
--- a/Makefile
+++ b/Makefile
@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
mkdir -p $(BEP_DIR)
@echo "$(WHALE) $@${BINARY_SUFFIX}"
CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong" \
- CGO_CPPFLAGS="-fstack-protector-strong" \
+ CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
@echo "$(WHALE) bin/containerd-shim"
CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
--
2.30.0

Some files were not shown because too many files have changed in this diff Show More