packages/iSulad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!776 sync patches from upstream

Browse Source 
From: @jade_t 
Reviewed-by: @taotao-sauce 
Signed-off-by: @taotao-sauce
This commit is contained in:
openeuler-ci-bot 2025-05-16 02:33:27 +00:00 committed by Gitee
commit 80c9e1b77f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
26 changed files with 5168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

207
0176-add-registry-ut-test.patch Normal file
View File

@ -0,0 +1,207 @@
From cdb0e2b6431b4212b809ab1edf954d6b3a702a20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AD=A6=E7=A7=AF=E8=B6=85?= <wujichao1@huawei.com>
Date: Mon, 30 Dec 2024 17:28:23 +0800
Subject: [PATCH 176/198] add registry ut test
---
test/image/oci/registry/CMakeLists.txt | 1 +
test/image/oci/registry/registry_ut.cc | 123 +++++++++++++++++++++++++
2 files changed, 124 insertions(+)
diff --git a/test/image/oci/registry/CMakeLists.txt b/test/image/oci/registry/CMakeLists.txt
index 6166c2d0..d78bb7d3 100644
--- a/test/image/oci/registry/CMakeLists.txt
+++ b/test/image/oci/registry/CMakeLists.txt
@@ -71,5 +71,6 @@ target_include_directories(${EXE} PUBLIC
)
target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} -lcrypto -lyajl -lz libhttpclient)
+set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,map_new -Wl,--wrap,util_common_calloc_s -Wl,--wrap,pthread_mutex_init -Wl,--wrap,pthread_cond_init")
add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
set_tests_properties(${EXE} PROPERTIES TIMEOUT 120)
diff --git a/test/image/oci/registry/registry_ut.cc b/test/image/oci/registry/registry_ut.cc
index 1503ee3b..4eacdb11 100644
--- a/test/image/oci/registry/registry_ut.cc
+++ b/test/image/oci/registry/registry_ut.cc
@@ -27,6 +27,7 @@
#include <gtest/gtest.h>
#include <gmock/gmock.h>
#include <curl/curl.h>
+#include <pthread.h>
#include "utils.h"
#include "utils_array.h"
@@ -45,6 +46,8 @@
#include "auths.h"
#include "oci_image_mock.h"
#include "isulad_config_mock.h"
+#include "map.h"
+#include "mock.h"
using ::testing::Args;
using ::testing::ByRef;
@@ -56,6 +59,55 @@ using ::testing::NotNull;
using ::testing::AtLeast;
using ::testing::Invoke;
+static int g_pthread_mutex_init_count = 0;
+static int g_pthread_mutex_init_match = 1;
+
+extern "C" {
+ DECLARE_WRAPPER_V(map_new, map_t *, (map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree));
+ DEFINE_WRAPPER_V(map_new, map_t *, (map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree), (kvtype, comparator, kvfree));
+ DECLARE_WRAPPER_V(pthread_mutex_init, int, (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr));
+ DEFINE_WRAPPER_V(pthread_mutex_init, int, (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr), (__mutex, __mutexattr));
+ DECLARE_WRAPPER_V(pthread_cond_init, int, (pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr));
+ DEFINE_WRAPPER_V(pthread_cond_init, int, (pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr), (__cond, __cond_attr));
+ DECLARE_WRAPPER_V(util_common_calloc_s, void *, (size_t size));
+ DEFINE_WRAPPER_V(util_common_calloc_s, void *, (size_t size), (size));
+}
+
+/*
+*Repeatedly calling the function executes the wrapper function and original function in the following order:
+*wrapper function; original function, wrapper function; original function, original function, wrapper function;...
+*Similar to regular queues (1 means wrapper, 0 means original): 1; 0 1; 0 0 1; 0 0 0 1; ...
+*It's used to MOCK a function that repeat permutation.
+*If you want a regular queue, the variables needs to be assigned back to the initial value.
+*/
+// extern int pthread_mutex_init (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr)
+static int failed_pthread_mutex_init(pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr)
+{
+ g_pthread_mutex_init_count++;
+ if (g_pthread_mutex_init_count == g_pthread_mutex_init_match) {
+ g_pthread_mutex_init_match++;
+ g_pthread_mutex_init_count = 0;
+ return -1;
+ } else {
+ return __real_pthread_mutex_init(__mutex, __mutexattr);
+ }
+}
+
+void *util_common_calloc_s_fail(size_t size)
+{
+ return nullptr;
+}
+
+static int failed_pthread_cond_init(pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr)
+{
+ return -1;
+}
+
+static map_t *map_new_return_null(map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree)
+{
+ return nullptr;
+}
+
std::string get_dir()
{
char abs_path[PATH_MAX] { 0x00 };
@@ -655,6 +707,25 @@ TEST_F(RegistryUnitTest, test_pull_v1_image)
ASSERT_EQ(util_mkdir_p(mirror_dir.c_str(), 0700), 0);
ASSERT_EQ(create_certs(mirror_dir), 0);
ASSERT_EQ(init_log(), 0);
+
+ // test utile common calloc fail
+ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail);
+ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1);
+ MOCK_CLEAR(util_common_calloc_s);
+ // test pthread mutex init fail
+ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init);
+ g_pthread_mutex_init_count = 0;
+ g_pthread_mutex_init_match = 1;
+ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1);
+ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1);
+ MOCK_CLEAR(pthread_mutex_init);
+ MOCK_SET_V(pthread_cond_init, failed_pthread_cond_init);
+ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1);
+ MOCK_CLEAR(pthread_cond_init);
+ MOCK_SET_V(map_new, map_new_return_null);
+ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1);
+ MOCK_CLEAR(map_new);
+
ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), 0);
EXPECT_CALL(m_http_mock, HttpRequest(::testing::_, ::testing::_, ::testing::_, ::testing::_))
@@ -665,6 +736,30 @@ TEST_F(RegistryUnitTest, test_pull_v1_image)
ASSERT_EQ(registry_pull(&options), 0);
ASSERT_EQ(registry_pull(&options), 0);
+
+ // test empty options
+ ASSERT_EQ(registry_pull(nullptr), -1);
+
+ // test utile common calloc fail
+ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail);
+ ASSERT_EQ(registry_pull(&options), -1);
+ MOCK_CLEAR(util_common_calloc_s);
+
+ options.dest_image_name = nullptr;
+ ASSERT_EQ(registry_pull(&options), -1);
+ options.dest_image_name = (char *)"quay.io/coreos/etcd:v3.3.17-arm64";
+
+ options.image_name = nullptr;
+ ASSERT_EQ(registry_pull(&options), -1);
+ options.image_name = (char *)"quay.io/coreos/etcd:v3.3.17-arm64";
+
+ // test pthread mutex init fail
+ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init);
+ g_pthread_mutex_init_count = 0;
+ g_pthread_mutex_init_match = 1;
+ ASSERT_EQ(registry_pull(&options), -1);
+ ASSERT_EQ(registry_pull(&options), -1);
+ MOCK_CLEAR(pthread_mutex_init);
}
TEST_F(RegistryUnitTest, test_login)
@@ -690,6 +785,21 @@ TEST_F(RegistryUnitTest, test_login)
options.auth.username = (char *)"test3";
options.auth.password = (char *)"test3";
ASSERT_EQ(registry_login(&options), 0);
+
+ // test empty options
+ ASSERT_EQ(registry_login(nullptr), -1);
+
+ // test utile common calloc fail
+ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail);
+ ASSERT_EQ(registry_login(&options), -1);
+ MOCK_CLEAR(util_common_calloc_s);
+
+ // test pthread mutex init fail
+ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init);
+ g_pthread_mutex_init_count = 0;
+ g_pthread_mutex_init_match = 1;
+ ASSERT_EQ(registry_login(&options), -1);
+ MOCK_CLEAR(pthread_mutex_init);
}
TEST_F(RegistryUnitTest, test_logout)
@@ -699,6 +809,9 @@ TEST_F(RegistryUnitTest, test_logout)
ASSERT_EQ(registry_logout((char *)"test2.com"), 0);
+ // test empty host
+ ASSERT_EQ(registry_logout(nullptr), -1);
+
auth_data = util_read_text_file(auths_file.c_str());
ASSERT_NE(strstr(auth_data, "hub-mirror.c.163.com"), nullptr);
free(auth_data);
@@ -837,6 +950,16 @@ TEST_F(RegistryUnitTest, test_search_image)
ASSERT_EQ(result->results[0]->is_automated, false);
ASSERT_EQ(result->results[0]->is_official, true);
+ // test Invalid NULL param
+ options->search_name = nullptr;
+ ASSERT_EQ(registry_search(options, &result), -1);
+ options->search_name = util_strdup_s("index.docker.io/busybox");
+
+ // test utile common calloc fail
+ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail);
+ ASSERT_EQ(registry_search(options, &result), -1);
+ MOCK_CLEAR(util_common_calloc_s);
+
free_imagetool_search_result(result);
// test not found
--
2.34.1

39
0177-add-loongarch64-support.patch Normal file
View File

@ -0,0 +1,39 @@
From efefd9fb4137ecdf59973e55586a4bc50cff4ad3 Mon Sep 17 00:00:00 2001
From: qiangxuhui <qiangxuhui@loongson.cn>
Date: Mon, 6 Jan 2025 09:46:11 +0800
Subject: [PATCH 177/198] add loongarch64 support
---
src/daemon/modules/spec/specs_security.c | 1 +
src/utils/cutils/utils.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c
index b34aec7c..4a71a1b5 100644
--- a/src/daemon/modules/spec/specs_security.c
+++ b/src/daemon/modules/spec/specs_security.c
@@ -332,6 +332,7 @@ static char *seccomp_trans_arch_for_docker(const char *arch)
{ "SCMP_ARCH_PARISC", "parisc" },
{ "SCMP_ARCH_PARISC64", "parisc64" },
{ "SCMP_ARCH_RISCV64", "riscv64" },
+ { "SCMP_ARCH_LOONGARCH64", "loong64" },
{ "SCMP_ARCH_ALL", "all" }
};
for (i = 0; i < sizeof(arch_map) / sizeof(arch_map[0]); i++) {
diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c
index cf207acc..4db7d9ac 100644
--- a/src/utils/cutils/utils.c
+++ b/src/utils/cutils/utils.c
@@ -1442,7 +1442,8 @@ static void normalized_host_arch(char **host_arch, struct utsname uts)
{ "armhf", "arm" },
{ "armel", "arm" },
{ "mips64le", "mips64le" },
- { "mips64el", "mips64le" }
+ { "mips64el", "mips64le" },
+ { "loongarch64", "loong64" }
};
size_t i = 0;
--
2.34.1

353
0178-add-storage-driver-ut.patch Normal file
View File

@ -0,0 +1,353 @@
From 7321614a1097d4527f5968d1e3c7c1a06f6a9cd4 Mon Sep 17 00:00:00 2001
From: wujichao <wujichao1@huawei.com>
Date: Thu, 9 Jan 2025 16:15:25 +0800
Subject: [PATCH 178/198] add storage driver ut
---
.../graphdriver/overlay2/driver_overlay2.c | 18 +-
test/image/oci/storage/layers/CMakeLists.txt | 2 +
.../oci/storage/layers/storage_driver_ut.cc | 174 ++++++++++++++++--
3 files changed, 169 insertions(+), 25 deletions(-)
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
index cc24909a..2b2e1eb3 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
@@ -26,6 +26,8 @@
#include <stdio.h>
#include <strings.h>
+#include <isula_libutils/utils_macro.h>
+
#include "isula_libutils/log.h"
#ifdef ENABLE_USERNS_REMAP
#include "isulad_config.h"
@@ -828,7 +830,7 @@ out:
return ret;
}
-static int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver)
+STATIC int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver)
{
int ret = 0;
size_t i = 0;
@@ -875,7 +877,7 @@ out:
}
#ifdef ENABLE_REMOTE_LAYER_STORE
-static int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver,
+STATIC int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver,
const struct driver_create_opts *create_opts)
{
int ret = -1;
@@ -1021,7 +1023,7 @@ out:
return ret;
}
-static int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota)
+STATIC int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota)
{
int ret = 0;
int nret = 0;
@@ -1362,7 +1364,7 @@ out:
return ret;
}
-static char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts,
+STATIC char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts,
const struct driver_mount_opts *mount_opts)
{
int nret = 0;
@@ -1405,7 +1407,7 @@ out:
return mount_data;
}
-static char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts)
+STATIC char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts)
{
int nret = 0;
char *mount_data = NULL;
@@ -1523,7 +1525,7 @@ out:
return mount_data;
}
-static char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver,
+STATIC char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver,
const struct driver_mount_opts *mount_opts)
{
int nret = 0;
@@ -1663,7 +1665,7 @@ out:
return ret;
}
-static int rel_mount(const char *driver_home, const char *id, const char *mount_data)
+STATIC int rel_mount(const char *driver_home, const char *id, const char *mount_data)
{
int ret = 0;
char *mount_target = NULL;
@@ -2151,7 +2153,7 @@ out:
return ret;
}
-static int check_lower_valid(const char *driver_home, const char *lower)
+STATIC int check_lower_valid(const char *driver_home, const char *lower)
{
int ret = 0;
char *abs_path = NULL;
diff --git a/test/image/oci/storage/layers/CMakeLists.txt b/test/image/oci/storage/layers/CMakeLists.txt
index c4384e8f..eae67833 100644
--- a/test/image/oci/storage/layers/CMakeLists.txt
+++ b/test/image/oci/storage/layers/CMakeLists.txt
@@ -5,6 +5,8 @@ add_subdirectory(devmapper)
# storage_driver_ut
SET(DRIVER_EXE storage_driver_ut)
+add_definitions(-DUNIT_TEST=ON)
+
add_executable(${DRIVER_EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_regex.c
diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc
index 943fa073..79b29b71 100644
--- a/test/image/oci/storage/layers/storage_driver_ut.cc
+++ b/test/image/oci/storage/layers/storage_driver_ut.cc
@@ -40,6 +40,20 @@ using ::testing::Invoke;
using ::testing::_;
using ::testing::FLAGS_gmock_catch_leaked_mocks;
+extern "C" {
+ int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver);
+ int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver,
+ const struct driver_create_opts *create_opts);
+ int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota);
+ char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts,
+ const struct driver_mount_opts *mount_opts);
+ char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts);
+ char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver,
+ const struct driver_mount_opts *mount_opts);
+ int rel_mount(const char *driver_home, const char *id, const char *mount_data);
+ int check_lower_valid(const char *driver_home, const char *lower);
+}
+
std::string GetDirectory()
{
char abs_path[PATH_MAX] { 0x00 };
@@ -121,7 +135,7 @@ protected:
void SetUp() override
{
MockDriverQuota_SetMock(&m_driver_quota_mock);
- std::string isulad_dir { "/tmp/isulad/" };
+ std::string isulad_dir = "/opt/isulad_storege_driver_ut/";
mkdir(isulad_dir.c_str(), 0755);
std::string root_dir = isulad_dir + "data";
std::string run_dir = isulad_dir + "data/run";
@@ -146,15 +160,15 @@ protected:
struct storage_module_init_options *opts = (struct storage_module_init_options *)util_common_calloc_s(sizeof(
struct storage_module_init_options));
- opts->storage_root = strdup(root_dir.c_str());
- opts->storage_run_root = strdup(run_dir.c_str());
- opts->driver_name = strdup("overlay");
+ opts->storage_root = util_strdup_s(root_dir.c_str());
+ opts->storage_run_root = util_strdup_s(run_dir.c_str());
+ opts->driver_name = util_strdup_s("overlay");
opts->driver_opts = (char **)util_common_calloc_s(5 * sizeof(char *));
- opts->driver_opts[0] = strdup("overlay2.basesize=128M");
- opts->driver_opts[1] = strdup("overlay2.override_kernel_check=true");
- opts->driver_opts[2] = strdup("overlay2.skip_mount_home=false");
- opts->driver_opts[3] = strdup("overlay2.mountopt=rw");
- opts->driver_opts[4] = strdup("overlay2.skip_mount_home=true");
+ opts->driver_opts[0] = util_strdup_s("overlay2.basesize=128M");
+ opts->driver_opts[1] = util_strdup_s("overlay2.override_kernel_check=true");
+ opts->driver_opts[2] = util_strdup_s("overlay2.skip_mount_home=false");
+ opts->driver_opts[3] = util_strdup_s("overlay2.mountopt=rw");
+ opts->driver_opts[4] = util_strdup_s("overlay2.skip_mount_home=true");
opts->driver_opts_len = 4;
EXPECT_CALL(m_driver_quota_mock, QuotaCtl(_, _, _, _)).WillRepeatedly(Invoke(invokeQuotaCtl));
@@ -173,7 +187,7 @@ protected:
if (support_overlay) {
ASSERT_EQ(graphdriver_cleanup(), 0);
}
- std::string rm_command = "rm -rf /tmp/isulad/";
+ std::string rm_command = "rm -rf /opt/isulad_storege_driver_ut/";
ASSERT_EQ(system(rm_command.c_str()), 0);
}
@@ -195,6 +209,134 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_layer_exists)
ASSERT_FALSE(graphdriver_layer_exists(incorrectId.c_str()));
}
+TEST_F(StorageDriverUnitTest, test_set_layer_quota)
+{
+ if (!support_overlay) {
+ return;
+ }
+
+ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts));
+ ASSERT_NE(create_opts, nullptr);
+ create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string));
+ ASSERT_NE(create_opts->storage_opt, nullptr);
+ create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *));
+ create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *));
+ create_opts->storage_opt->keys[0] = util_strdup_s("size");
+ create_opts->storage_opt->values[0] = util_strdup_s("");
+ create_opts->storage_opt->len = 1;
+ ASSERT_EQ(set_layer_quota("/opt/isulad_storege_driver_ut/", create_opts->storage_opt, nullptr), -1);
+ create_opts->storage_opt->keys[0] = util_strdup_s("notsize");
+ ASSERT_EQ(set_layer_quota("/opt/isulad_storege_driver_ut/", create_opts->storage_opt, nullptr), -1);
+ free_driver_create_opts(create_opts);
+}
+
+#ifdef ENABLE_REMOTE_LAYER_STORE
+TEST_F(StorageDriverUnitTest, test_do_create_remote_ro)
+{
+ if (!support_overlay) {
+ return;
+ }
+
+ struct graphdriver *graph_driver = (struct graphdriver *)util_common_calloc_s(sizeof(struct graphdriver));
+ ASSERT_NE(graph_driver, nullptr);
+ graph_driver->home = nullptr;
+ ASSERT_EQ(do_create_remote_ro(nullptr, nullptr, graph_driver, nullptr), -1);
+ graph_driver->home = "driver_home";
+ ASSERT_EQ(do_create_remote_ro(nullptr, nullptr, graph_driver, nullptr), -1);
+ free(graph_driver);
+}
+#endif
+
+TEST_F(StorageDriverUnitTest, test_append_default_quota_opts)
+{
+ if (!support_overlay) {
+ return;
+ }
+
+ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts));
+ ASSERT_NE(create_opts, nullptr);
+ create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string));
+ ASSERT_NE(create_opts->storage_opt, nullptr);
+ create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *));
+ create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *));
+ create_opts->storage_opt->keys[0] = util_strdup_s("size");
+ create_opts->storage_opt->values[0] = util_strdup_s("128M");
+ create_opts->storage_opt->len = 1;
+ ASSERT_EQ(append_default_quota_opts(nullptr, 0), 0);
+ ASSERT_EQ(append_default_quota_opts(create_opts, 134217728), 0); // 134217728 = 128*1024*1024
+ free_driver_create_opts(create_opts);
+}
+
+TEST_F(StorageDriverUnitTest, test_get_mount_opt_data_with_custom_option)
+{
+ if (!support_overlay) {
+ return;
+ }
+
+ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts));
+ ASSERT_NE(mount_opts, nullptr);
+ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *));
+ mount_opts->options[0] = util_strdup_s("ro");
+ mount_opts->options_len = 1;
+ size_t cur_size = 0;
+ const char *cur_opts = "cur_opts";
+ ASSERT_EQ(get_mount_opt_data_with_custom_option(cur_size, cur_opts, mount_opts), nullptr);
+ free_driver_mount_opts(mount_opts);
+}
+
+TEST_F(StorageDriverUnitTest, test_get_mount_opt_data_with_driver_option)
+{
+ if (!support_overlay) {
+ return;
+ }
+ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts));
+ ASSERT_NE(mount_opts, nullptr);
+ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *));
+ mount_opts->options[0] = util_strdup_s("ro");
+ size_t cur_size = 0;
+ const char *cur_opts = "cur_opts";
+ ASSERT_EQ(get_mount_opt_data_with_driver_option(cur_size, cur_opts, mount_opts->options[0]), nullptr);
+ free_driver_mount_opts(mount_opts);
+}
+
+TEST_F(StorageDriverUnitTest, test_get_rel_mount_opt_data)
+{
+ if (!support_overlay) {
+ return;
+ }
+ std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts));
+ ASSERT_NE(mount_opts, nullptr);
+ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *));
+ mount_opts->options[0] = util_strdup_s("ro");
+ mount_opts->options_len = 1;
+ const char *rel_lower_dir = "rel_lower_dir";
+ std::string res { "ro,lowerdir=rel_lower_dir,upperdir=9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63/diff,workdir=9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63/work" };
+ ASSERT_EQ(get_rel_mount_opt_data(id.c_str(), rel_lower_dir, nullptr, mount_opts), res);
+ free_driver_mount_opts(mount_opts);
+}
+
+TEST_F(StorageDriverUnitTest, test_rel_mount)
+{
+ if (!support_overlay) {
+ return;
+ }
+ const char *mount_data = "mount_data";
+ const char *driver_home = nullptr;
+ std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+ ASSERT_EQ(rel_mount(driver_home, id.c_str(), mount_data),-1);
+}
+
+TEST_F(StorageDriverUnitTest, test_check_lower_valid)
+{
+ if (!support_overlay) {
+ return;
+ }
+ const char *lower = "lower";
+ const char *driver_home = nullptr;
+ ASSERT_EQ(check_lower_valid(driver_home, lower), -1);
+}
+
TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw)
{
if (!support_overlay) {
@@ -202,17 +344,15 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw)
}
std::string id { "eb29745b8228e1e97c01b1d5c2554a319c00a94d8dd5746a3904222ad65a13f8" };
- struct driver_create_opts *create_opts;
-
- create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts));
+ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts));
ASSERT_NE(create_opts, nullptr);
create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string));
ASSERT_NE(create_opts->storage_opt, nullptr);
create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *));
create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *));
- create_opts->storage_opt->keys[0] = strdup("size");
- create_opts->storage_opt->values[0] = strdup("128M");
+ create_opts->storage_opt->keys[0] = util_strdup_s("size");
+ create_opts->storage_opt->values[0] = util_strdup_s("128M");
create_opts->storage_opt->len = 1;
EXPECT_CALL(m_driver_quota_mock, IOCtl(_, _)).WillRepeatedly(Invoke(invokeIOCtl));
@@ -231,7 +371,7 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer)
}
std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
- std::string merged_dir = "/tmp/isulad/data/overlay/" + id + "/merged";
+ std::string merged_dir = "/opt/isulad_storege_driver_ut/data/overlay/" + id + "/merged";
struct driver_mount_opts *mount_opts = nullptr;
char* mount_dir = nullptr;
@@ -248,7 +388,7 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer)
mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts));
ASSERT_NE(mount_opts, nullptr);
mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *));
- mount_opts->options[0] = strdup("ro");
+ mount_opts->options[0] = util_strdup_s("ro");
mount_opts->options_len = 1;
FLAGS_gmock_catch_leaked_mocks = false;
--
2.34.1

63
0179-iSulad-support-shim-stats-cmd.patch Normal file
View File

@ -0,0 +1,63 @@
From ab9c9d71482e355e0015ac1c6331849f4ff98ee0 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Fri, 10 Jan 2025 11:51:52 +0800
Subject: [PATCH 179/198] iSulad: support shim stats cmd
---
src/daemon/modules/runtime/shim/shim_rt_ops.c | 32 +++++++++++++++++--
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
index fce18ade..30b5e442 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
@@ -779,11 +779,37 @@ int rt_shim_listpids(const char *id, const char *runtime, const rt_listpids_para
return 0;
}
+static void transform_stats_info_from_runtime(struct Stats *stats,
+ struct runtime_container_resources_stats_info *info)
+{
+ if (info == NULL) {
+ return;
+ }
+ info->pids_current = stats->pids_current;
+ info->cpu_use_nanos = stats->cpu_use_nanos;
+ info->cpu_system_use = stats->cpu_system_use;
+ info->mem_used = stats->mem_used;
+ info->mem_limit = stats->mem_limit;
+ info->rss_bytes = stats->rss_bytes;
+ info->inactive_file_total = stats->inactive_file_total;
+ info->page_faults = stats->page_faults;
+ info->major_page_faults = stats->major_page_faults;
+ info->swap_used = stats->swap_used;
+ info->swap_limit = stats->swap_limit;
+ info->blkio_read = stats->blkio_read;
+ info->blkio_write = stats->blkio_write;
+}
+
int rt_shim_resources_stats(const char *id, const char *runtime, const rt_stats_params_t *params,
struct runtime_container_resources_stats_info *rs_stats)
{
- ERROR("rt_shim_resources_stats not impl");
- return -1;
+ struct Stats ss = { 0 };
+ if (shim_v2_stats(id, &ss) != 0) {
+ ERROR("rt_shim_stats failed");
+ return -1;
+ }
+ transform_stats_info_from_runtime(&ss, rs_stats);
+ return 0;
}
int rt_shim_resize(const char *id, const char *runtime, const rt_resize_params_t *params)
@@ -820,4 +846,4 @@ int rt_shim_kill(const char *id, const char *runtime, const rt_kill_params_t *pa
int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params)
{
return 0;
-}
\ No newline at end of file
+}
--
2.34.1

24
0180-fix-storage-driver-ut.patch Normal file
View File

@ -0,0 +1,24 @@
From 0c17c332565f32ea59f67dfc67bf32cda5660372 Mon Sep 17 00:00:00 2001
From: wujichao <wujichao1@huawei.com>
Date: Tue, 14 Jan 2025 14:33:11 +0800
Subject: [PATCH 180/198] fix storage driver ut
---
test/image/oci/storage/layers/storage_driver_ut.cc | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc
index 79b29b71..3a530715 100644
--- a/test/image/oci/storage/layers/storage_driver_ut.cc
+++ b/test/image/oci/storage/layers/storage_driver_ut.cc
@@ -138,6 +138,7 @@ protected:
std::string isulad_dir = "/opt/isulad_storege_driver_ut/";
mkdir(isulad_dir.c_str(), 0755);
std::string root_dir = isulad_dir + "data";
+ mkdir(root_dir.c_str(), 0755);
std::string run_dir = isulad_dir + "data/run";
std::string data_dir = GetDirectory() + "/data";
--
2.34.1

25
0181-apply-patch-for-lib-shim-v2-install.patch Normal file
View File

@ -0,0 +1,25 @@
From 7d181ca89304b78d8db73c0f41eab0bb07488e2b Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sun, 19 Jan 2025 18:09:59 +0800
Subject: [PATCH 181/198] apply patch for lib shim v2 install
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/install_depends.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/CI/install_depends.sh b/CI/install_depends.sh
index ebeb79db..8b7c7201 100755
--- a/CI/install_depends.sh
+++ b/CI/install_depends.sh
@@ -161,6 +161,7 @@ cd lib-shim-v2
tar xf lib-shim-v2-*
dname=$(tar -tf lib-shim-v2-*.tar.gz | head -1)
cd $dname
+git apply ../0*
mkdir .cargo
cat >> ./.cargo/config << EOF
[source.crates-io]
--
2.34.1

262
0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch Normal file
View File

@ -0,0 +1,262 @@
From 98ae352fb43f3bf5aa1ac1ea2d3d6cee61cf856e Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 20 Jan 2025 22:44:56 +0800
Subject: [PATCH 182/198] fix error macro isolation/ memory leak and meanless
reply file in sandbox ut
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
test/sandbox/CMakeLists.txt | 2 +-
test/sandbox/controller/CMakeLists.txt | 7 ++++--
.../manager/controller_manager_ut.cc | 17 +++++++-------
.../sandboxer_controller_ut.cc | 1 +
.../controller/shim/shim_controller_ut.cc | 3 +++
test/sandbox/sandbox/CMakeLists.txt | 22 ++++++++++++++-----
test/sandbox/sandbox_manager/CMakeLists.txt | 12 ++++++++--
.../sandbox_manager/sandbox_manager_ut.cc | 2 ++
8 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/test/sandbox/CMakeLists.txt b/test/sandbox/CMakeLists.txt
index 38d7ccb9..1a9fedf6 100644
--- a/test/sandbox/CMakeLists.txt
+++ b/test/sandbox/CMakeLists.txt
@@ -1,6 +1,6 @@
project(iSulad_UT)
-if (ENABLE_SANDBOXER)
+if (ENABLE_CRI_API_V1)
add_subdirectory(controller)
add_subdirectory(sandbox_manager)
add_subdirectory(sandbox)
diff --git a/test/sandbox/controller/CMakeLists.txt b/test/sandbox/controller/CMakeLists.txt
index d201872b..4273c2bd 100644
--- a/test/sandbox/controller/CMakeLists.txt
+++ b/test/sandbox/controller/CMakeLists.txt
@@ -2,6 +2,9 @@ project(iSulad_UT)
list(APPEND grpc_sandbox_type_srcs ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc)
list(APPEND grpc_sandbox_type_srcs ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc)
-add_subdirectory(sandboxer)
-add_subdirectory(manager)
+
+if (ENABLE_SANDBOXER)
+ add_subdirectory(sandboxer)
+ add_subdirectory(manager)
+endif()
add_subdirectory(shim)
diff --git a/test/sandbox/controller/manager/controller_manager_ut.cc b/test/sandbox/controller/manager/controller_manager_ut.cc
index 705baaca..c60f8818 100644
--- a/test/sandbox/controller/manager/controller_manager_ut.cc
+++ b/test/sandbox/controller/manager/controller_manager_ut.cc
@@ -16,12 +16,13 @@
#include <memory>
#include "gtest/gtest.h"
#include "sandboxer_controller.h"
-#include "grpc_sandboxer_client_mock.h"
#include "controller_manager.h"
#include "controller_common.h"
#include "utils.h"
#include "isulad_config_mock.h"
#include "shim_controller.h"
+#include "controller.h"
+#include "grpc_sandboxer_client_mock.h"
class ControllerManagerWrapper : public sandbox::ControllerManager {
public:
@@ -81,7 +82,7 @@ TEST_F(ControllerManagerTest, InitTestSucceed)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_TRUE(err.Empty());
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
FreeDummyServerconf(args);
}
@@ -96,7 +97,7 @@ TEST_F(ControllerManagerTest, InitTestSucceedWithEmptyConfig)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_TRUE(err.Empty());
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
FreeDummyServerconf(args);
}
@@ -111,7 +112,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithEmptySandboxerConfig)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Failed to load sandboxer controllers config"));
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
FreeDummyServerconf(args);
}
@@ -126,7 +127,7 @@ TEST_F(ControllerManagerTest, InitTestSucceedWithNullConfig)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_TRUE(err.Empty());
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
FreeDummyServerconf(args);
}
@@ -142,7 +143,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithDupShimConfig)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Sandboxer controller already registered, sandboxer:"));
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
FreeDummyServerconf(args);
}
@@ -191,7 +192,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithDupInit)
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(2).WillRepeatedly(testing::Return(args));
EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_TRUE(err.Empty());
- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err));
EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Sandboxer controller already registered,"));
@@ -211,6 +212,6 @@ TEST_F(ControllerManagerTest, InitTestFailedWithNullConf)
TEST_F(ControllerManagerTest, FindControllerTestFailedBeforeInit)
{
Errors err;
- EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr);
+ EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr);
EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr);
}
diff --git a/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc b/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc
index 726464e8..d31d5b95 100644
--- a/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc
+++ b/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc
@@ -32,6 +32,7 @@ protected:
void TearDown() override
{
m_contoller.reset(nullptr);
+ MockSandboxerClient_SetMock(nullptr);
}
std::string m_sandboxer = "sandboxer";
diff --git a/test/sandbox/controller/shim/shim_controller_ut.cc b/test/sandbox/controller/shim/shim_controller_ut.cc
index e43cc645..75a51797 100644
--- a/test/sandbox/controller/shim/shim_controller_ut.cc
+++ b/test/sandbox/controller/shim/shim_controller_ut.cc
@@ -41,6 +41,9 @@ protected:
void TearDown() override
{
m_contoller.reset(nullptr);
+ MockCallback_SetMock(nullptr);
+ MockServiceContainerApi_SetMock(nullptr);
+ MockImageApi_SetMock(nullptr);
}
std::string m_sandboxer = "shim";
diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt
index 6dd6c3ee..d033c93f 100644
--- a/test/sandbox/sandbox/CMakeLists.txt
+++ b/test/sandbox/sandbox/CMakeLists.txt
@@ -4,8 +4,24 @@ SET(EXE sandbox_ut)
aux_source_directory(${CMAKE_BINARY_DIR}/grpc/src/api/services/sandbox/sandbox/types sandbox_type_srcs)
+if(ENABLE_SANDBOXER)
+ set(sandboxer_srcs
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc
+ )
+ set(sandbox_dir
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/client
+ )
+else()
+ set(sandboxer_srcs "")
+ set(sandbox_dir "")
+endif()
+
add_executable(${EXE}
${sandbox_type_srcs}
+ ${sandboxer_srcs}
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/errors.cc
@@ -15,12 +31,10 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_task.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/sandbox/controller/controller_common.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/daemon_arguments.c
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/shim_controller_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/mailbox_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/err_msg.c
@@ -28,6 +42,7 @@ add_executable(${EXE}
target_include_directories(${EXE} PUBLIC
${GTEST_INCLUDE_DIR}
+ ${sandbox_dir}
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config
@@ -37,9 +52,6 @@ target_include_directories(${EXE} PUBLIC
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/shim
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/shim/controller
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/client
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils
diff --git a/test/sandbox/sandbox_manager/CMakeLists.txt b/test/sandbox/sandbox_manager/CMakeLists.txt
index a7dd8c9d..45c55300 100644
--- a/test/sandbox/sandbox_manager/CMakeLists.txt
+++ b/test/sandbox/sandbox_manager/CMakeLists.txt
@@ -4,8 +4,18 @@ SET(EXE sandbox_manager_ut)
aux_source_directory(${CMAKE_BINARY_DIR}/grpc/src/api/services/sandbox/sandbox/types sandbox_type_srcs)
+if(ENABLE_SANDBOXER)
+ set(sandboxer_srcs
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc
+ )
+else()
+ set(sandboxer_srcs "")
+endif()
+
add_executable(${EXE}
${sandbox_type_srcs}
+ ${sandboxer_srcs}
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/errors.cc
@@ -19,8 +29,6 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/err_msg.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/daemon_arguments.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/sandboxer_controller_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/shim_controller_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/sandbox_manager_ut.cc)
diff --git a/test/sandbox/sandbox_manager/sandbox_manager_ut.cc b/test/sandbox/sandbox_manager/sandbox_manager_ut.cc
index 9e762039..276b6f4c 100644
--- a/test/sandbox/sandbox_manager/sandbox_manager_ut.cc
+++ b/test/sandbox/sandbox_manager/sandbox_manager_ut.cc
@@ -154,7 +154,9 @@ TEST_F(SandboxManagerTest, TestCreateSandbox)
"{\"cri-sandboxers\": {\"kuasar\": {\"name\": \"vmm\",\"address\": \"/run/vmm-sandboxer.sock\"}}}";
struct service_arguments *args = CreateDummyServerConf(daemonConfig);
ASSERT_NE(args, nullptr);
+#ifdef ENABLE_SANDBOXER
EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args));
+#endif
EXPECT_TRUE(ControllerManager::GetInstance()->Init(error));
EXPECT_TRUE(error.Empty());
--
2.34.1

575
0183-add-dt-for-cri-v1.patch Normal file
View File

@ -0,0 +1,575 @@
From 262707f0d14e7c42554875cab38fdef985c21acc Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 11 Jan 2025 15:04:54 +0800
Subject: [PATCH 183/198] add dt for cri v1
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/install_depends.sh | 5 +-
.../container_cases/cri_default_namespace.sh | 39 ++++++------
.../container_cases/cri_exec_sync.sh | 40 ++++++------
CI/test_cases/container_cases/cri_pod_ip.sh | 51 +++++++--------
CI/test_cases/container_cases/cri_stream.sh | 45 +++++++------
CI/test_cases/container_cases/cri_test.sh | 40 ++++++------
CI/test_cases/critest.sh | 52 +++++++++------
CI/test_cases/helpers.sh | 63 +++++++++++++++++++
8 files changed, 205 insertions(+), 130 deletions(-)
diff --git a/CI/install_depends.sh b/CI/install_depends.sh
index 8b7c7201..c7fb9563 100755
--- a/CI/install_depends.sh
+++ b/CI/install_depends.sh
@@ -44,9 +44,8 @@ function make_crictl()
git clone https://gitee.com/duguhaotian/cri-tools.git
go version
cd cri-tools
- # crictl v1.18 cannot recognise the SecurityProfile seccomp of LinuxSandboxSecurityContext
- # and the LinuxContainerSecurityContext.has_seccomp() always false
- git checkout v1.22.0
+ # update crictl to 1.25, used to test cri v1 alpha and cri v1.
+ git checkout v1.25.0
make -j $nproc
echo "make cri-tools: $?"
cp ./build/bin/crictl ${builddir}/bin/
diff --git a/CI/test_cases/container_cases/cri_default_namespace.sh b/CI/test_cases/container_cases/cri_default_namespace.sh
index d013c6fa..1f418947 100755
--- a/CI/test_cases/container_cases/cri_default_namespace.sh
+++ b/CI/test_cases/container_cases/cri_default_namespace.sh
@@ -18,17 +18,8 @@ function set_up()
msg_info "${test} starting..."
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
-
- check_valgrind_log
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE}
-
- start_isulad_with_valgrind
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE}
-
- isula load -i ${pause_img_path}/pause.tar
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE}
+ init_cri_conf $1
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
crictl pull ${image}
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}
@@ -92,20 +83,28 @@ function test_cri_default_namespace_in_pod_fun()
function tear_down()
{
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
- check_valgrind_log
- start_isulad_with_valgrind
+ local ret=0
+ restore_cri_conf
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
}
declare -i ans=0
-set_up || ((ans++))
-
-for element in ${RUNTIME_LIST[@]};
+for version in ${CRI_LIST[@]};
do
- test_cri_default_namespace_in_pod_fun $element || ((ans++))
-done
+ test="test_cri_default_namespace_in_pod_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
+
+ set_up $version || ((ans++))
-tear_down
+ for element in ${RUNTIME_LIST[@]};
+ do
+ test_cri_default_namespace_in_pod_fun $element || ((ans++))
+ done
+
+ tear_down || ((ans++))
+ msg_info "${test} finished with return ${ans}..."
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/cri_exec_sync.sh b/CI/test_cases/container_cases/cri_exec_sync.sh
index 97ea01ca..62352be5 100755
--- a/CI/test_cases/container_cases/cri_exec_sync.sh
+++ b/CI/test_cases/container_cases/cri_exec_sync.sh
@@ -33,17 +33,8 @@ function do_pre()
msg_info "${test} starting..."
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
-
- check_valgrind_log
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE}
-
- start_isulad_with_valgrind
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE}
-
- isula load -i ${pause_img_path}/pause.tar
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE}
+ init_cri_conf $1
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
crictl pull ${image}
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}
@@ -116,10 +107,10 @@ function tear_down()
function do_post()
{
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
-
- check_valgrind_log
- start_isulad_with_valgrind
+ local ret=0
+ restore_cri_conf
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
}
function do_test_t()
@@ -142,13 +133,20 @@ function do_test_t()
declare -i ans=0
-do_pre || ((ans++))
-
-for element in ${RUNTIME_LIST[@]};
+for version in ${CRI_LIST[@]};
do
- do_test_t $element || ((ans++))
-done
+ test="test_cri_exec_sync_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
-do_post
+ do_pre $version || ((ans++))
+
+ for element in ${RUNTIME_LIST[@]};
+ do
+ do_test_t $element || ((ans++))
+ done
+
+ do_post || ((ans++))
+ msg_info "${test} finished with return ${ans}..."
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/cri_pod_ip.sh b/CI/test_cases/container_cases/cri_pod_ip.sh
index 7bf7833b..01c644f4 100755
--- a/CI/test_cases/container_cases/cri_pod_ip.sh
+++ b/CI/test_cases/container_cases/cri_pod_ip.sh
@@ -12,8 +12,8 @@ source ../helpers.sh
function do_pre()
{
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
+ init_cri_conf $1
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
init_cni_conf $data_path
if [ $? -ne 0 ]; then
@@ -21,21 +21,14 @@ function do_pre()
TC_RET_T=$(($TC_RET_T+1))
return $TC_RET_T
fi
-
- isula load -i ${pause_img_path}/pause.tar
- if [ $? -ne 0 ]; then
- msg_err "Failed to load pause image"
- TC_RET_T=$(($TC_RET_T+1))
- return $TC_RET_T
- fi
-
}
function do_post()
{
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
- check_valgrind_log
- start_isulad_with_valgrind
+ local ret=0
+ restore_cri_conf
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
}
function do_test()
@@ -104,21 +97,29 @@ function do_test()
}
-ret=0
+ans=0
-do_pre
-if [ $? -ne 0 ];then
- let "ret=$ret + 1"
-fi
-
-for element in ${RUNTIME_LIST[@]};
+for version in ${CRI_LIST[@]};
do
- do_test $element
+ test="test_cri_default_namespace_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
+
+ do_pre $version || ((ans++))
if [ $? -ne 0 ];then
- let "ret=$ret + 1"
+ let "ans=$ans + 1"
fi
-done
-do_post
+ for element in ${RUNTIME_LIST[@]};
+ do
+ do_test $element
+ if [ $? -ne 0 ];then
+ let "ans=$ans + 1"
+ fi
+ done
+
+ do_post || ((ans++))
+
+ msg_info "${test} finished with return ${ans}..."
+done
-show_result $ret "cni base test"
+show_result $ans "cni base test"
diff --git a/CI/test_cases/container_cases/cri_stream.sh b/CI/test_cases/container_cases/cri_stream.sh
index 43ed3891..e4918c23 100755
--- a/CI/test_cases/container_cases/cri_stream.sh
+++ b/CI/test_cases/container_cases/cri_stream.sh
@@ -39,17 +39,8 @@ function do_pre()
msg_info "${test} starting..."
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
-
- check_valgrind_log
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE}
-
- start_isulad_without_valgrind
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE}
-
- isula load -i ${pause_img_path}/pause.tar
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE}
+ init_cri_conf $1 "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
crictl pull ${image}
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}
@@ -130,13 +121,12 @@ function test_cri_attach
local test="test_cri_attach => (${FUNCNAME[@]})"
msg_info "${test} starting..."
- nohup cricli attach -i ${cid} &
+ nohup cricli attach -ti ${cid} &
pid=$!
sleep 2
ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI attach operation" && ((ret++))
-
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - attach failed, no IOCopy thread" && ((ret++))
kill -9 $pid
sleep 2
@@ -169,10 +159,10 @@ function tear_down()
function do_post()
{
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
-
- stop_isulad_without_valgrind
- start_isulad_with_valgrind
+ local ret=0
+ restore_cri_conf "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
}
function do_test_t()
@@ -198,13 +188,20 @@ function do_test_t()
declare -i ans=0
-do_pre || ((ans++))
-
-for element in ${RUNTIME_LIST[@]};
+for version in ${CRI_LIST[@]};
do
- do_test_t $element || ((ans++))
-done
+ test="test_cri_stream_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
+
+ do_pre $version || ((ans++))
-do_post
+ for element in ${RUNTIME_LIST[@]};
+ do
+ do_test_t $element || ((ans++))
+ done
+
+ do_post || ((ans++))
+ msg_info "${test} finished with return ${ans}..."
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/cri_test.sh b/CI/test_cases/container_cases/cri_test.sh
index 88420761..ed333a28 100755
--- a/CI/test_cases/container_cases/cri_test.sh
+++ b/CI/test_cases/container_cases/cri_test.sh
@@ -28,24 +28,21 @@ function do_pre()
{
sed -i "s#seccomp_localhost_ref#${data_path}/seccomp_localhost.json#g" ${data_path}/container-config-seccomp-localhost.json
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
-
- check_valgrind_log
- start_isulad_with_valgrind
-
- isula load -i ${pause_img_path}/pause.tar
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause" && return ${FAILURE}
-
+ init_cri_conf $1 "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
+
isula pull busybox
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull busybox" && return ${FAILURE}
+
+ return 0
}
function do_post()
{
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
- check_valgrind_log
- start_isulad_with_valgrind
+ local ret=0
+ restore_cri_conf "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
}
function test_cri_seccomp()
@@ -82,7 +79,7 @@ function test_cri_seccomp()
[[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - chmod should fail as it's blocked by seccomp" && ((ret++))
fi
- isula rm -f `isula ps -a -q`
+ crictl rmp -f $(crictl pods -q)
msg_info "${test} finished with return ${ret}..."
return ${ret}
@@ -90,13 +87,20 @@ function test_cri_seccomp()
declare -i ans=0
-do_pre
+for version in ${CRI_LIST[@]};
+do
+ test="test_cri_test_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
+
+ do_pre $version || ((ans++))
-test_cri_seccomp "default" || ((ans++))
-test_cri_seccomp "unconfined" || ((ans++))
-test_cri_seccomp "localhost" || ((ans++))
+ test_cri_seccomp "default" || ((ans++))
+ test_cri_seccomp "unconfined" || ((ans++))
+ test_cri_seccomp "localhost" || ((ans++))
-do_post
+ do_post || ((ans++))
+ msg_info "${test} finished with return ${ans}..."
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/critest.sh b/CI/test_cases/critest.sh
index f8d4975e..136594a0 100755
--- a/CI/test_cases/critest.sh
+++ b/CI/test_cases/critest.sh
@@ -62,8 +62,9 @@ function restore_selinux_environment() {
function pre_test() {
# build critest
- local VERSION="v1.22.0"
+ local VERSION="v1.25.0"
+ rm -rf cri-tools
git clone https://gitee.com/duguhaotian/cri-tools.git
go version
cd cri-tools
@@ -75,15 +76,8 @@ function pre_test() {
critest --version
# config pause
- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
-
- isula load -i ${pause_img_path}/pause.tar
- if [ $? -ne 0 ]; then
- msg_err "Failed to load pause image"
- TC_RET_T=$(($TC_RET_T + 1))
- return $TC_RET_T
- fi
+ init_cri_conf $1
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
# config cni
init_cni_conf $data_path
@@ -107,7 +101,9 @@ function post_test() {
restore_selinux_environment
rm -rf ./cri-tools
rm /usr/local/bin/critest
- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
+
+ restore_cri_conf
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
# clear env
isula rm -f `isula ps -qa`
@@ -117,10 +113,8 @@ function post_test() {
do
isula pull ${image}
done
-
- stop_isulad_without_valgrind
- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - memory leak" && return ${FAILURE}
- start_isulad_with_valgrind
+
+ return ${ret}
}
function test_critest() {
@@ -158,12 +152,32 @@ function do_test_t() {
return $ret
}
-declare -i ans=0
+function do_critest_test_t()
+{
+ local cri_version=$1
+ local ret=0
+ local test="do_critest_test_t => (${cri_version})"
+ msg_info "${test} starting..."
+
+ pre_test $cri_version || (ret++)
-pre_test || (ans++)
+ do_test_t || ((ret++))
-do_test_t || ((ans++))
+ post_test || (ret++)
-post_test || (ans++)
+ msg_info "${test} finished with return ${ret}..."
+
+ return $ret
+}
+
+declare -i ans=0
+
+for version in ${CRI_LIST[@]};
+do
+ do_critest_test_t $version
+ if [ $? -ne 0 ];then
+ let "ans=$ans + 1"
+ fi
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/helpers.sh b/CI/test_cases/helpers.sh
index 0288b4ea..111058e3 100755
--- a/CI/test_cases/helpers.sh
+++ b/CI/test_cases/helpers.sh
@@ -31,6 +31,8 @@ RUNTIME_LIST=(lcr runc)
DEFAULT_RUNTIME=runc
+CRI_LIST=(v1alpha v1)
+
testcase_data="/tmp/testcases_data"
enable_native_network=0
@@ -321,4 +323,65 @@ function do_pretest() {
msg_info "#####################"
}
+function init_cri_conf() {
+ local ret=0
+ check_valgrind_log
+ if [ $? -ne 0 ]; then
+ echo "stop isulad failed"
+ ret=$(($ret+1))
+ fi
+
+ cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
+ if [ "x$1" == "xv1" ]; then
+ echo "use cri v1"
+ sed -i '/"pod-sandbox-image": ""/i "enable-cri-v1": true,' /etc/isulad/daemon.json
+ fi
+ sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
+
+ if [ "x$2" == "xwithout_valgrind" ]; then
+ start_isulad_without_valgrind
+ else
+ echo "start with valgrind"
+ start_isulad_with_valgrind
+ fi
+ if [ $? -ne 0 ]; then
+ echo "start failed"
+ ret=$(($ret+1))
+ fi
+
+ isula load -i ${pause_img_path}/pause.tar
+ if [ $? -ne 0 ]; then
+ msg_err "Failed to load pause image"
+ ret=$(($ret + 1))
+ return $ret
+ fi
+
+ return $ret
+}
+
+function restore_cri_conf() {
+ local ret=0
+
+ if [ "x$1" == "xwithout_valgrind" ]; then
+ stop_isulad_without_valgrind
+ else
+ echo "stop with valgrind"
+ check_valgrind_log
+ fi
+ if [ $? -ne 0 ]; then
+ echo "stop isulad failed"
+ ret=$(($ret+1))
+ fi
+
+ cp /etc/isulad/daemon.bak /etc/isulad/daemon.json
+
+ start_isulad_with_valgrind
+ if [ $? -ne 0 ]; then
+ echo "start failed"
+ ret=$(($ret+1))
+ fi
+
+ return $ret
+}
+
do_pretest
--
2.34.1

454
0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch Normal file
View File

@ -0,0 +1,454 @@
From 02b51963a37da893cc52a35562dd32f772e9e497 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Fri, 24 Nov 2023 17:36:50 +0800
Subject: [PATCH 184/198] do check process alive read pid ppid info in runtime
Signed-off-by: jikai <jikai11@huawei.com>
---
src/daemon/modules/api/runtime_api.h | 17 ++++++++
.../container/container_gc/containers_gc.c | 19 +++++++--
.../modules/container/restore/restore.c | 29 ++++++++++---
.../modules/container/supervisor/supervisor.c | 17 +++++++-
.../modules/runtime/engines/lcr/lcr_rt_ops.c | 11 +++++
.../modules/runtime/engines/lcr/lcr_rt_ops.h | 4 ++
.../modules/runtime/isula/isula_rt_ops.c | 13 +++++-
.../modules/runtime/isula/isula_rt_ops.h | 3 ++
src/daemon/modules/runtime/runtime.c | 42 +++++++++++++++++++
src/daemon/modules/runtime/shim/shim_rt_ops.c | 22 ++++++++++
src/daemon/modules/runtime/shim/shim_rt_ops.h | 3 ++
.../modules/service/service_container.c | 1 +
12 files changed, 169 insertions(+), 12 deletions(-)
diff --git a/src/daemon/modules/api/runtime_api.h b/src/daemon/modules/api/runtime_api.h
index 1f23efe3..b0d70493 100644
--- a/src/daemon/modules/api/runtime_api.h
+++ b/src/daemon/modules/api/runtime_api.h
@@ -208,6 +208,15 @@ typedef struct _rt_runtime_rebuild_config_params_t {
const char *rootpath;
} rt_rebuild_config_params_t;
+typedef struct _rt_runtime_read_pid_ppid_info_params_t {
+ int pid;
+} rt_read_pid_ppid_info_params_t;
+
+typedef struct _rt_runtime_detect_process_params_t {
+ int pid;
+ uint64_t start_time;
+} rt_detect_process_params_t;
+
struct rt_ops {
/* detect whether runtime is of this runtime type */
bool (*detect)(const char *runtime);
@@ -245,6 +254,10 @@ struct rt_ops {
int (*rt_resize)(const char *name, const char *runtime, const rt_resize_params_t *params);
int (*rt_exec_resize)(const char *name, const char *runtime, const rt_exec_resize_params_t *params);
int (*rt_rebuild_config)(const char *name, const char *runtime, const rt_rebuild_config_params_t *params);
+
+ int (*rt_read_pid_ppid_info)(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info);
+ int (*rt_detect_process)(const char *name, const char *runtime, const rt_detect_process_params_t *params);
};
int runtime_create(const char *name, const char *runtime, const rt_create_params_t *params);
@@ -269,6 +282,10 @@ int runtime_rebuild_config(const char *name, const char *runtime, const rt_rebui
void free_rt_listpids_out_t(rt_listpids_out_t *out);
int runtime_resize(const char *name, const char *runtime, const rt_resize_params_t *params);
int runtime_exec_resize(const char *name, const char *runtime, const rt_exec_resize_params_t *params);
+
+int runtime_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info);
+int runtime_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params);
bool is_default_runtime(const char *name);
int runtime_init(void);
diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c
index 2d16dee8..3f2473d5 100644
--- a/src/daemon/modules/container/container_gc/containers_gc.c
+++ b/src/daemon/modules/container/container_gc/containers_gc.c
@@ -386,6 +386,7 @@ static void gc_monitor_process(const char *id, pid_t pid, unsigned long long sta
{
INFO("Received garbage collector monitor of %s with pid %d", id, pid);
+ // for shim-v2, here is a ppid, which is always 0
if (util_process_alive(pid, start_time)) {
int ret = kill(pid, SIGKILL);
if (ret < 0 && errno != ESRCH) {
@@ -461,14 +462,16 @@ static void gc_container_process(struct linked_list *it)
char *runtime = NULL;
char *id = NULL;
container_garbage_config_gc_containers_element *gc_cont = NULL;
+ rt_detect_process_params_t detect_params = {
+ .pid = gc_cont->pid,
+ .start_time = gc_cont->start_time,
+ };
gc_cont = (container_garbage_config_gc_containers_element *)it->elem;
id = gc_cont->id;
runtime = gc_cont->runtime;
- pid = gc_cont->pid;
- start_time = gc_cont->start_time;
- if (util_process_alive(pid, start_time) == false) {
+ if (runtime_detect_process(id, runtime, &detect_params) < 0) {
ret = clean_container_resource(id, runtime, pid);
if (ret != 0) {
WARN("Failed to clean resources of container %s", id);
@@ -495,7 +498,15 @@ static void gc_container_process(struct linked_list *it)
free(it);
} else {
try_to_resume_container(id, runtime);
- ret = kill(pid, SIGKILL);
+
+ rt_kill_params_t kill_params = {
+ .signal = SIGKILL,
+ .stop_signal = SIGKILL,
+ .pid = pid,
+ .start_time = start_time,
+ };
+
+ ret = runtime_kill(id, runtime, &kill_params);
if (ret < 0 && errno != ESRCH) {
ERROR("Can not kill process (pid=%d) with SIGKILL for container %s", pid, id);
}
diff --git a/src/daemon/modules/container/restore/restore.c b/src/daemon/modules/container/restore/restore.c
index 44ed14df..48a3ae4b 100644
--- a/src/daemon/modules/container/restore/restore.c
+++ b/src/daemon/modules/container/restore/restore.c
@@ -58,7 +58,12 @@ static int restore_supervisor(const container_t *cont)
char *exit_fifo = NULL;
char *id = cont->common_config->id;
char *statepath = cont->state_path;
+ char *runtime = cont->runtime;
pid_ppid_info_t pid_info = { 0 };
+ rt_detect_process_params_t params = {
+ .pid = cont->state->state->pid,
+ .start_time = cont->state->state->start_time,
+ };
nret = snprintf(container_state, sizeof(container_state), "%s/%s", statepath, id);
if (nret < 0 || (size_t)nret >= sizeof(container_state)) {
@@ -81,7 +86,7 @@ static int restore_supervisor(const container_t *cont)
goto out;
}
- if (!util_process_alive(cont->state->state->pid, cont->state->state->start_time)) {
+ if (runtime_detect_process(id, runtime, &params) != 0) {
ERROR("Container %s pid %d already dead, skip add supervisor", id, cont->state->state->pid);
close(exit_fifo_fd);
ret = -1;
@@ -112,8 +117,10 @@ static int post_stopped_container_to_gc(const char *id, const char *runtime, con
{
int ret = 0;
pid_ppid_info_t pid_info = { 0 };
+ rt_read_pid_ppid_info_params_t params = { 0 };
+ params.pid = old_pid_info->pid;
- (void)util_read_pid_ppid_info(old_pid_info->pid, &pid_info);
+ (void)runtime_read_pid_ppid_info(id, runtime, &params, &pid_info);
if (pid_info.ppid == 0) {
pid_info.ppid = old_pid_info->ppid;
pid_info.pstart_time = old_pid_info->pstart_time;
@@ -180,9 +187,15 @@ static void restore_stopped_container(Container_Status status, const container_t
pid_ppid_info_t pid_info = { 0 };
if (status != CONTAINER_STATUS_STOPPED && status != CONTAINER_STATUS_CREATED) {
- if (util_process_alive(cont->state->state->pid, cont->state->state->start_time)) {
+ rt_detect_process_params_t params = {
+ .pid = cont->state->state->pid,
+ .start_time = cont->state->state->start_time,
+ };
+ if (runtime_detect_process(id, cont->runtime, &params) == 0) {
pid_info.pid = cont->state->state->pid;
+ pid_info.start_time = cont->state->state->start_time;
}
+
if (util_process_alive(cont->state->state->p_pid, cont->state->state->p_start_time)) {
pid_info.ppid = cont->state->state->p_pid;
pid_info.pstart_time = cont->state->state->p_start_time;
@@ -204,8 +217,11 @@ static void restore_running_container(Container_Status status, container_t *cont
int nret = 0;
const char *id = cont->common_config->id;
pid_ppid_info_t pid_info = { 0 };
+ rt_read_pid_ppid_info_params_t params = {
+ .pid = info->pid,
+ };
- nret = util_read_pid_ppid_info(info->pid, &pid_info);
+ nret = runtime_read_pid_ppid_info(id, cont->runtime, &params, &pid_info);
if (nret == 0) {
try_to_set_container_running(status, cont, &pid_info);
container_state_reset_has_been_manual_stopped(cont->state);
@@ -234,10 +250,13 @@ static void restore_paused_container(Container_Status status, container_t *cont,
int nret = 0;
const char *id = cont->common_config->id;
pid_ppid_info_t pid_info = { 0 };
+ rt_read_pid_ppid_info_params_t params = {
+ .pid = info->pid,
+ };
container_state_set_paused(cont->state);
- nret = util_read_pid_ppid_info(info->pid, &pid_info);
+ nret = runtime_read_pid_ppid_info(id, cont->runtime, &params, &pid_info);
if (nret == 0) {
try_to_set_paused_container_pid(status, cont, &pid_info);
container_state_reset_has_been_manual_stopped(cont->state);
diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c
index f77f58d7..b5ff6166 100644
--- a/src/daemon/modules/container/supervisor/supervisor.c
+++ b/src/daemon/modules/container/supervisor/supervisor.c
@@ -46,6 +46,7 @@
#include "cgroup.h"
#include "specs_api.h"
#endif
+#include "runtime_api.h"
pthread_mutex_t g_supervisor_lock = PTHREAD_MUTEX_INITIALIZER;
struct epoll_descr g_supervisor_descr;
@@ -177,6 +178,17 @@ static void *clean_resources_thread(void *arg)
char *runtime = data->runtime;
unsigned long long start_time = data->pid_info.start_time;
pid_t pid = data->pid_info.pid;
+ rt_detect_process_params_t detect_params = {
+ .pid = pid,
+ .start_time = start_time,
+ };
+ rt_kill_params_t kill_params = {
+ .signal = SIGKILL,
+ .stop_signal = SIGKILL,
+ .pid = pid,
+ .start_time = start_time
+ };
+
int retry_count = 0;
int max_retry = 10;
#ifdef ENABLE_CRI_API_V1
@@ -192,7 +204,7 @@ static void *clean_resources_thread(void *arg)
prctl(PR_SET_NAME, "Clean resource");
retry:
- if (false == util_process_alive(pid, start_time)) {
+ if (runtime_detect_process(name, runtime, &detect_params) < 0) {
ret = clean_container_resource(name, runtime, pid);
// clean_container_resource failed, do not log error message,
// just add to gc to retry clean resource.
@@ -200,7 +212,7 @@ retry:
ERROR("Failed to clean resources of container %s", name);
}
} else {
- ret = kill(pid, SIGKILL);
+ ret = runtime_kill(name, runtime, &kill_params);
if (ret < 0 && errno != ESRCH) {
ERROR("Can not kill process (pid=%d) with SIGKILL for container %s", pid, name);
}
@@ -212,6 +224,7 @@ retry:
}
// get info of init process in container for debug problem of container
+ // but for shim-v2, this might be a misleading debug info
proc_t *c_proc = util_get_process_proc_info(pid);
if (c_proc != NULL) {
ERROR("Container %s into GC with process state: {cmd: %s, state: %c, pid: %d}", name, c_proc->cmd, c_proc->state,
diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
index 64a8adbc..eb3afb94 100644
--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
@@ -941,3 +941,14 @@ out:
free_oci_runtime_spec(oci_spec);
return ret;
}
+
+int rt_lcr_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info)
+{
+ return util_read_pid_ppid_info(params->pid, pid_info);
+}
+
+int rt_lcr_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params)
+{
+ return util_process_alive(params->pid, params->start_time) ? 0 : -1;
+}
diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h
index 7403544d..85ebe6f7 100644
--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h
+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h
@@ -48,6 +48,10 @@ int rt_lcr_resize(const char *id, const char *runtime, const rt_resize_params_t
int rt_lcr_exec_resize(const char *id, const char *runtime, const rt_exec_resize_params_t *params);
int rt_lcr_kill(const char *id, const char *runtime, const rt_kill_params_t *params);
int rt_lcr_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params);
+
+int rt_lcr_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info);
+int rt_lcr_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params);
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
index 0adb3858..35c09921 100644
--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c
+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c
@@ -2173,4 +2173,15 @@ int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *p
int rt_isula_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params)
{
return 0;
-}
\ No newline at end of file
+}
+
+int rt_isula_read_pid_ppid_info(const char *id, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info)
+{
+ return util_read_pid_ppid_info(params->pid, pid_info);
+}
+
+int rt_isula_detect_process(const char *id, const char *runtime, const rt_detect_process_params_t *params)
+{
+ return util_process_alive(params->pid, params->start_time) ? 0 : -1;
+}
diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.h b/src/daemon/modules/runtime/isula/isula_rt_ops.h
index 1e5e049a..88236a1e 100644
--- a/src/daemon/modules/runtime/isula/isula_rt_ops.h
+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.h
@@ -48,6 +48,9 @@ int rt_isula_exec_resize(const char *id, const char *runtime, const rt_exec_resi
int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *params);
int rt_isula_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params);
+int rt_isula_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info);
+int rt_isula_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params);
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/runtime/runtime.c b/src/daemon/modules/runtime/runtime.c
index 43b78bca..7be140dc 100644
--- a/src/daemon/modules/runtime/runtime.c
+++ b/src/daemon/modules/runtime/runtime.c
@@ -46,6 +46,8 @@ static const struct rt_ops g_lcr_rt_ops = {
.rt_exec_resize = rt_lcr_exec_resize,
.rt_kill = rt_lcr_kill,
.rt_rebuild_config = rt_lcr_rebuild_config,
+ .rt_read_pid_ppid_info = rt_lcr_read_pid_ppid_info,
+ .rt_detect_process = rt_lcr_detect_process,
};
static const struct rt_ops g_isula_rt_ops = {
@@ -67,6 +69,8 @@ static const struct rt_ops g_isula_rt_ops = {
.rt_exec_resize = rt_isula_exec_resize,
.rt_kill = rt_isula_kill,
.rt_rebuild_config = rt_isula_rebuild_config,
+ .rt_read_pid_ppid_info = rt_isula_read_pid_ppid_info,
+ .rt_detect_process = rt_isula_detect_process,
};
#ifdef ENABLE_SHIM_V2
@@ -89,6 +93,8 @@ static const struct rt_ops g_shim_rt_ops = {
.rt_exec_resize = rt_shim_exec_resize,
.rt_kill = rt_shim_kill,
.rt_rebuild_config = rt_shim_rebuild_config,
+ .rt_read_pid_ppid_info = rt_shim_read_pid_ppid_info,
+ .rt_detect_process = rt_shim_detect_process,
};
#endif
@@ -534,6 +540,42 @@ out:
return ret;
}
+int runtime_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info)
+{
+ const struct rt_ops *ops = NULL;
+
+ if (name == NULL || runtime == NULL || params == NULL) {
+ ERROR("Invalid arguments for runtime exec resize");
+ return -1;
+ }
+
+ ops = rt_ops_query(runtime);
+ if (ops == NULL) {
+ ERROR("Failed to get runtime ops");
+ return -1;
+ }
+
+ return ops->rt_read_pid_ppid_info(name, runtime, params, pid_info);
+}
+
+int runtime_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params)
+{
+ const struct rt_ops *ops = NULL;
+
+ if (name == NULL || runtime == NULL || params == NULL) {
+ ERROR("Invalid arguments for runtime process alive");
+ return -1;
+ }
+
+ ops = rt_ops_query(runtime);
+ if (ops == NULL) {
+ return -1;
+ }
+
+ return ops->rt_detect_process(name, runtime, params);
+}
+
bool is_default_runtime(const char *name)
{
const char *runtimes[] = { "lcr", "runc", "kata-runtime" };
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
index 30b5e442..268d66d9 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
@@ -847,3 +847,25 @@ int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebui
{
return 0;
}
+
+int rt_shim_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info)
+{
+ if (pid_info == NULL) {
+ ERROR("Invalid input params");
+ return -1;
+ }
+
+ pid_info->pid = params->pid;
+ return 0;
+}
+
+int rt_shim_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params)
+{
+ if (shim_v2_kill(name, NULL, 0, false) != 0) {
+ ERROR("%s: detect process failed", name);
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.h b/src/daemon/modules/runtime/shim/shim_rt_ops.h
index 2df34f4c..a3968cf5 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.h
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.h
@@ -64,6 +64,9 @@ bool is_valid_v2_runtime(const char* name);
int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params);
+int rt_shim_read_pid_ppid_info(const char *id, const char *runtime, const rt_read_pid_ppid_info_params_t *params,
+ pid_ppid_info_t *pid_info);
+int rt_shim_detect_process(const char *id, const char *runtime, const rt_detect_process_params_t *params);
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 250e8299..dbf56776 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -1513,6 +1513,7 @@ out:
static int send_signal_to_process(pid_t pid, unsigned long long start_time, uint32_t stop_signal, uint32_t signal)
{
+ // for shim-v2, here is a ppid, which is always 0
if (util_process_alive(pid, start_time) == false) {
if (signal == stop_signal || signal == SIGKILL) {
WARN("Process %d is not alive", pid);
--
2.34.1

275
0185-sandbox-sandboxer-code-isolation.patch Normal file
View File

@ -0,0 +1,275 @@
From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 7 Feb 2025 11:43:21 +0800
Subject: [PATCH 185/198] sandbox:sandboxer code isolation
Signed-off-by: liuxu <liuxu156@huawei.com>
---
.../modules/service/service_container.c | 37 ++++++++-----------
src/daemon/sandbox/sandbox.cc | 10 ++++-
src/daemon/sandbox/sandbox.h | 6 ++-
src/daemon/sandbox/sandbox_ops.cc | 2 +
src/daemon/sandbox/sandbox_ops.h | 2 +
.../sandbox/{ => sandboxer}/sandbox_task.cc | 0
.../sandbox/{ => sandboxer}/sandbox_task.h | 0
7 files changed, 33 insertions(+), 24 deletions(-)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%)
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 250e8299..18104781 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
oci_runtime_spec *oci_spec = NULL;
rt_create_params_t create_params = { 0 };
rt_start_params_t start_params = { 0 };
+#ifdef ENABLE_SANDBOXER
+ int prepare_container_ret = -1;
+#endif
nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id);
if (nret < 0 || (size_t)nret >= sizeof(bundle)) {
@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
}
#endif
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_container(cont->common_config,
oci_spec, console_fifos, tty) != 0) {
@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
ret = -1;
goto close_exit_fd;
}
+ prepare_container_ret = 0;
#endif
create_params.bundle = bundle;
@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (runtime_create(id, runtime, &create_params) != 0) {
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
start_params.rootpath = cont->root_path;
@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) {
ERROR("Failed to do post start on runtime start success");
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
} else {
// wait monitor cleanup cgroup and processes finished
wait_exit_fifo(id, exit_fifo_fd);
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
goto out;
-#ifdef ENABLE_CRI_API_V1
-clean_prepare_container:
- if (cont->common_config->sandbox_info != NULL &&
- sandbox_purge_container(cont->common_config) != 0) {
- ERROR("Failed to remove container %s from sandbox", id);
+close_exit_fd:
+#ifdef ENABLE_SANDBOXER
+ if (prepare_container_ret == 0) {
+ if (cont->common_config->sandbox_info != NULL &&
+ sandbox_purge_container(cont->common_config) != 0) {
+ ERROR("Failed to remove container %s from sandbox", id);
+ }
}
#endif
-close_exit_fd:
close(exit_fifo_fd);
clean_resources_on_failure(cont, engine_log_path, loglevel);
@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
}
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_container(cont->common_config) != 0) {
ERROR("Failed to remove container %s from sandbox", id);
@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char
goto out;
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_exec(cont->common_config, request->suffix,
process_spec, (const char **)console_fifos, request->tty) != 0) {
@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe
const char *exec_id, uint32_t cc,
int exit_code, int sync_fd, pthread_t thread_id)
{
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_exec(cont->common_config, exec_id) != 0) {
ERROR("Failed to purge container for exec %s", exec_id);
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d105d71a..d5681d48 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool
}
LoadNetworkSetting();
+#ifdef ENABLE_SANDBOXER
LoadSandboxTasks();
+#endif
// When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready,
// and the user decides whether to delete the sandbox.
@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs()
ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str());
}
+#ifdef ENABLE_SANDBOXER
if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) {
- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str());
+ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str());
}
+#endif
}
void Sandbox::PrepareSandboxDirs(Errors &error)
@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error)
goto out;
}
+#ifdef ENABLE_SANDBOXER
nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE);
if (nret < 0) {
error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str());
ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str());
goto out;
}
+#endif
umask(mask);
return;
@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str());
}
+#ifdef ENABLE_SANDBOXER
void Sandbox::LoadSandboxTasks()
{
}
@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int
{
return 0;
}
+#endif
}
\ No newline at end of file
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 58d60ecb..3a7b0736 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -23,6 +23,9 @@
#include <isula_libutils/container_network_settings.h>
#include <isula_libutils/sandbox_state.h>
#include <isula_libutils/sandbox_metadata.h>
+#ifdef ENABLE_SANDBOXER
+#include <isula_libutils/oci_runtime_spec.h>
+#endif
#include "api_v1.grpc.pb.h"
#include "errors.h"
@@ -30,7 +33,6 @@
#include "controller_manager.h"
#include "cstruct_wrapper.h"
#include "read_write_lock.h"
-#include "sandbox_task.h"
namespace sandbox {
@@ -140,6 +142,7 @@ public:
auto Remove(Errors &error) -> bool;
void Status(runtime::v1::PodSandboxStatus &status);
+#ifdef ENABLE_SANDBOXER
// for sandbox api update
virtual void LoadSandboxTasks();
virtual auto PrepareContainer(const char *containerId, const char *baseFs,
@@ -149,6 +152,7 @@ public:
defs_process *processSpec, const char *consoleFifos[]) -> int;
virtual auto PurgeContainer(const char *containerId) -> int;
virtual auto PurgeExec(const char *containerId, const char *execId) -> int;
+#endif
private:
auto SaveState(Errors &error) -> bool;
diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc
index ae881933..cf88c1bd 100644
--- a/src/daemon/sandbox/sandbox_ops.cc
+++ b/src/daemon/sandbox/sandbox_ops.cc
@@ -25,6 +25,7 @@
#include "namespace.h"
#include "utils.h"
+#ifdef ENABLE_SANDBOXER
static inline bool validate_sandbox_info(const container_sandbox_info *sandbox)
{
return (sandbox != NULL && sandbox->sandboxer != NULL &&
@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch
return sandbox->PurgeExec(config->id, exec_id);
}
+#endif /* ENABLE_SANDBOXER */
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code)
{
diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h
index 8189efd6..e1309313 100644
--- a/src/daemon/sandbox/sandbox_ops.h
+++ b/src/daemon/sandbox/sandbox_ops.h
@@ -24,6 +24,7 @@
extern "C" {
#endif
+#ifdef ENABLE_SANDBOXER
int sandbox_prepare_container(const container_config_v2_common_config *config,
const oci_runtime_spec *oci_spec,
const char *console_fifos[], bool tty);
@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config,
int sandbox_purge_container(const container_config_v2_common_config *config);
int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id);
+#endif
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code);
diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.cc
rename to src/daemon/sandbox/sandboxer/sandbox_task.cc
diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.h
rename to src/daemon/sandbox/sandboxer/sandbox_task.h
--
2.34.1

111
0186-UT-sandboxer-code-isolation.patch Normal file
View File

@ -0,0 +1,111 @@
From 80de8ca6b9bdd56d0e53d73a631fefb2e170b3c3 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 7 Feb 2025 16:51:42 +0800
Subject: [PATCH 186/198] UT:sandboxer code isolation
Signed-off-by: liuxu <liuxu156@huawei.com>
---
test/mocks/sandbox_mock.cc | 2 ++
test/mocks/sandbox_mock.h | 2 ++
test/mocks/sandboxer_sandbox_mock.cc | 5 ++++-
test/mocks/sandboxer_sandbox_mock.h | 3 +++
test/sandbox/sandbox/CMakeLists.txt | 1 -
5 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/test/mocks/sandbox_mock.cc b/test/mocks/sandbox_mock.cc
index cce5a1b6..e14473bb 100644
--- a/test/mocks/sandbox_mock.cc
+++ b/test/mocks/sandbox_mock.cc
@@ -222,6 +222,7 @@ bool Sandbox::Remove(Errors &error)
return true;
}
+#ifdef ENABLE_SANDBOXER
void Sandbox::LoadSandboxTasks() {}
auto Sandbox::PrepareContainer(const char *containerId, const char *baseFs,
@@ -246,5 +247,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int
{
return 0;
}
+#endif
}
\ No newline at end of file
diff --git a/test/mocks/sandbox_mock.h b/test/mocks/sandbox_mock.h
index 4908bcd9..3c776f69 100644
--- a/test/mocks/sandbox_mock.h
+++ b/test/mocks/sandbox_mock.h
@@ -59,6 +59,7 @@ public:
MOCK_METHOD1(Remove, bool(Errors &error));
MOCK_METHOD1(Status, void(runtime::v1::PodSandboxStatus &status));
+#ifdef ENABLE_SANDBOXER
MOCK_METHOD0(LoadSandboxTasks, void());
MOCK_METHOD4(PrepareContainer, int(const char *containerId, const char *baseFs,
const oci_runtime_spec *ociSpec,
@@ -67,6 +68,7 @@ public:
defs_process *processSpec, const char *consoleFifos[]));
MOCK_METHOD1(PurgeContainer, int(const char *containerId));
MOCK_METHOD2(PurgeExec, int(const char *containerId, const char *execId));
+#endif
};
void MockSandbox_SetMock(MockSandbox *mock);
diff --git a/test/mocks/sandboxer_sandbox_mock.cc b/test/mocks/sandboxer_sandbox_mock.cc
index 6ebe2820..9366c738 100644
--- a/test/mocks/sandboxer_sandbox_mock.cc
+++ b/test/mocks/sandboxer_sandbox_mock.cc
@@ -13,6 +13,8 @@
* Description: provide sandbox mock
******************************************************************************/
+#ifdef ENABLE_SANDBOXER
+
#include <gmock/gmock.h>
#include "sandboxer_sandbox_mock.h"
@@ -68,4 +70,5 @@ auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) ->
return 0;
}
-}
\ No newline at end of file
+}
+#endif
\ No newline at end of file
diff --git a/test/mocks/sandboxer_sandbox_mock.h b/test/mocks/sandboxer_sandbox_mock.h
index 020fe4d6..69bea078 100644
--- a/test/mocks/sandboxer_sandbox_mock.h
+++ b/test/mocks/sandboxer_sandbox_mock.h
@@ -16,6 +16,8 @@
#ifndef _ISULAD_TEST_MOCKS_SANDBOXER_SANDBOX_MOCK_H
#define _ISULAD_TEST_MOCKS_SANDBOXER_SANDBOX_MOCK_H
+#ifdef ENABLE_SANDBOXER
+
#include <gmock/gmock.h>
#include "sandbox_mock.h"
#include "sandboxer_sandbox.h"
@@ -40,5 +42,6 @@ public:
void MockSandboxerSandbox_SetMock(MockSandboxerSandbox *mock);
}
+#endif
#endif
diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt
index d033c93f..358633dc 100644
--- a/test/sandbox/sandbox/CMakeLists.txt
+++ b/test/sandbox/sandbox/CMakeLists.txt
@@ -29,7 +29,6 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/transform.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/cxxutils.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_task.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c
--
2.34.1

517
0187-remove-uncalled-functions-in-cri-v1.patch Normal file
View File

@ -0,0 +1,517 @@
From a883b34db2ca8d17261b0a2dd154f12487ddebfa Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 10 Feb 2025 09:37:26 +0800
Subject: [PATCH 187/198] remove uncalled functions in cri v1
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/common/cri/v1/v1_cri_helpers.cc | 67 -------------------
src/daemon/common/cri/v1/v1_cri_helpers.h | 8 ---
src/daemon/common/cri/v1/v1_naming.cc | 30 ---------
src/daemon/common/cri/v1/v1_naming.h | 3 -
.../v1/v1_cri_container_manager_service.cc | 27 --------
.../cri/v1/v1_cri_container_manager_service.h | 1 -
.../v1/v1_cri_pod_sandbox_manager_service.cc | 63 -----------------
.../v1/v1_cri_pod_sandbox_manager_service.h | 7 --
.../entry/cri/v1alpha/v1alpha_cri_helpers.cc | 21 ------
.../entry/cri/v1alpha/v1alpha_cri_helpers.h | 3 -
src/daemon/sandbox/controller_manager.cc | 5 --
src/daemon/sandbox/controller_manager.h | 1 -
src/daemon/sandbox/sandbox.cc | 5 --
src/daemon/sandbox/sandbox.h | 1 -
src/daemon/sandbox/sandbox_manager.cc | 6 --
src/daemon/sandbox/sandbox_manager.h | 1 -
16 files changed, 249 deletions(-)
diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc
index dfe14ade..d71e3681 100644
--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc
+++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc
@@ -57,27 +57,6 @@ auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1::Container
}
}
-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint)
--> std::unique_ptr<runtime::v1::PodSandbox>
-{
- std::unique_ptr<runtime::v1::PodSandbox> result(new (std::nothrow) runtime::v1::PodSandbox);
- if (result == nullptr) {
- return nullptr;
- }
- runtime::v1::PodSandboxMetadata *metadata = new (std::nothrow) runtime::v1::PodSandboxMetadata;
- if (metadata == nullptr) {
- return nullptr;
- }
-
- metadata->set_name(checkpoint.GetName());
- metadata->set_namespace_(checkpoint.GetNamespace());
- result->set_allocated_metadata(metadata);
- result->set_id(id);
- result->set_state(runtime::v1::SANDBOX_NOTREADY);
-
- return result;
-}
-
void UpdateCreateConfig(container_config *createConfig, host_config *hc,
const runtime::v1::ContainerConfig &config, const std::string &podSandboxID,
Errors &error)
@@ -199,24 +178,6 @@ auto GenerateEnvList(const ::google::protobuf::RepeatedPtrField<::runtime::v1::K
return vect;
}
-auto ValidateCheckpointKey(const std::string &key, Errors &error) -> bool
-{
- const std::string PATTERN { "^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$" };
-
- if (key.empty()) {
- goto err_out;
- }
-
- if (key.size() <= CRIHelpers::Constants::MAX_CHECKPOINT_KEY_LEN &&
- util_reg_match(PATTERN.c_str(), key.c_str()) == 0) {
- return true;
- }
-
-err_out:
- error.Errorf("invalid key: %s", key.c_str());
- return false;
-}
-
auto ToIsuladContainerStatus(const runtime::v1::ContainerStateValue &state) -> std::string
{
if (state.state() == runtime::v1::CONTAINER_CREATED) {
@@ -362,34 +323,6 @@ void AddSecurityOptsToHostConfig(std::vector<std::string> &securityOpts, host_co
}
}
-void GetContainerSandboxID(const std::string &containerID, std::string &realContainerID, std::string &sandboxID,
- Errors &error)
-{
- std::string PodID;
- container_inspect *info = CRIHelpers::InspectContainer(containerID, error, false);
- if (error.NotEmpty()) {
- error.Errorf("Failed to inspect container %s: %s", containerID.c_str(), error.GetCMessage());
- return;
- }
-
- // TODO: Refactor after adding the ability to use sandbox manager for sandboxid query
- if (info->config != nullptr && info->config->labels != nullptr) {
- for (size_t j = 0; j < info->config->labels->len; j++) {
- if (strcmp(info->config->labels->keys[j], CRIHelpers::Constants::SANDBOX_ID_LABEL_KEY.c_str()) == 0
- && strcmp(info->config->labels->values[j], "") != 0) {
- PodID = info->config->labels->values[j];
- break;
- }
- }
- }
-
- if (PodID.empty()) {
- error.Errorf("Failed to get sandbox id for container %s", containerID.c_str());
- } else {
- sandboxID = PodID;
- }
- realContainerID = info->id;
-}
#ifdef ENABLE_SANDBOXER
std::string CRISandboxerConvert(const std::string &runtime)
diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.h b/src/daemon/common/cri/v1/v1_cri_helpers.h
index 22cffd0d..6a848581 100644
--- a/src/daemon/common/cri/v1/v1_cri_helpers.h
+++ b/src/daemon/common/cri/v1/v1_cri_helpers.h
@@ -42,9 +42,6 @@ struct commonSecurityContext {
auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1::ContainerState;
-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint)
--> std::unique_ptr<runtime::v1::PodSandbox>;
-
void UpdateCreateConfig(container_config *createConfig, host_config *hc,
const runtime::v1::ContainerConfig &config, const std::string &podSandboxID,
Errors &error);
@@ -55,8 +52,6 @@ void GenerateMountBindings(const google::protobuf::RepeatedPtrField<runtime::v1:
auto GenerateEnvList(const ::google::protobuf::RepeatedPtrField<::runtime::v1::KeyValue> &envs)
-> std::vector<std::string>;
-auto ValidateCheckpointKey(const std::string &key, Errors &error) -> bool;
-
auto ToIsuladContainerStatus(const runtime::v1::ContainerStateValue &state) -> std::string;
auto GetSeccompSecurityOpts(const bool hasSeccomp, const ::runtime::v1::SecurityProfile &seccomp,
@@ -72,9 +67,6 @@ auto GetSecurityOpts(const commonSecurityContext &context, const char &separator
void AddSecurityOptsToHostConfig(std::vector<std::string> &securityOpts, host_config *hostconfig, Errors &error);
-void GetContainerSandboxID(const std::string &containerID, std::string &realContainerID, std::string &sandboxID,
- Errors &error);
-
std::string CRISandboxerConvert(const std::string &runtime);
void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc,
diff --git a/src/daemon/common/cri/v1/v1_naming.cc b/src/daemon/common/cri/v1/v1_naming.cc
index 1a1ebb0d..2a5b972c 100644
--- a/src/daemon/common/cri/v1/v1_naming.cc
+++ b/src/daemon/common/cri/v1/v1_naming.cc
@@ -44,36 +44,6 @@ std::string MakeSandboxName(const runtime::v1::PodSandboxMetadata &metadata)
return sname;
}
-void ParseSandboxName(const google::protobuf::Map<std::string, std::string> &annotations,
- runtime::v1::PodSandboxMetadata &metadata, Errors &err)
-{
- if (annotations.count(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox name, failed to parse it");
- return;
- }
-
- if (annotations.count(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox namespace, failed to parse it");
- return;
- }
-
- if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox uid, failed to parse it");
- return;
- }
-
- if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox attempt, failed to parse it");
- return;
- }
-
- metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY));
- metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY));
- metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY));
- auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY);
- metadata.set_attempt(static_cast<google::protobuf::uint32>(std::stoul(sandboxAttempt)));
-}
-
std::string MakeContainerName(const runtime::v1::PodSandboxConfig &s, const runtime::v1::ContainerConfig &c)
{
std::string sname;
diff --git a/src/daemon/common/cri/v1/v1_naming.h b/src/daemon/common/cri/v1/v1_naming.h
index d0862077..364f17c9 100644
--- a/src/daemon/common/cri/v1/v1_naming.h
+++ b/src/daemon/common/cri/v1/v1_naming.h
@@ -26,9 +26,6 @@ std::string MakeSandboxName(const runtime::v1::PodSandboxMetadata &metadata);
std::string MakeContainerName(const runtime::v1::PodSandboxConfig &s,
const runtime::v1::ContainerConfig &c);
-void ParseSandboxName(const google::protobuf::Map<std::string, std::string> &annotations,
- runtime::v1::PodSandboxMetadata &metadata, Errors &err);
-
void ParseContainerName(const google::protobuf::Map<std::string, std::string> &annotations,
runtime::v1::ContainerMetadata *metadata, Errors &err);
} // namespace CRINamingV1
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index 1e84d14c..e8dcd699 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -33,33 +33,6 @@
#endif
namespace CRIV1 {
-auto ContainerManagerService::GetContainerOrSandboxRuntime(const std::string &realID, Errors &error) -> std::string
-{
- std::string runtime;
- if (m_cb == nullptr || m_cb->container.get_runtime == nullptr) {
- error.SetError("Unimplemented callback");
- return runtime;
- }
- container_get_runtime_response *response { nullptr };
-
- if (m_cb->container.get_runtime(realID.c_str(), &response) != 0) {
- if (response != nullptr && response->errmsg != nullptr) {
- error.SetError(response->errmsg);
- } else {
- error.SetError("Failed to call get id callback");
- }
- goto cleanup;
- }
-
- if (response->runtime != nullptr) {
- runtime = response->runtime;
- }
-
-cleanup:
- free_container_get_runtime_response(response);
- return runtime;
-}
-
auto ContainerManagerService::PackCreateContainerHostConfigDevices(
const runtime::v1::ContainerConfig &containerConfig, host_config *hostconfig, Errors &error) -> int
{
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
index 50f5ed69..1153b79c 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
@@ -73,7 +73,6 @@ public:
void Attach(const runtime::v1::AttachRequest &req, runtime::v1::AttachResponse *resp, Errors &error);
private:
- auto GetContainerOrSandboxRuntime(const std::string &realID, Errors &error) -> std::string;
auto GenerateCreateContainerRequest(sandbox::Sandbox &sandbox,
const runtime::v1::ContainerConfig &containerConfig,
const runtime::v1::PodSandboxConfig &podSandboxConfig,
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index a5f98619..43705853 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -491,17 +491,6 @@ void PodSandboxManagerService::ClearCniNetwork(const std::shared_ptr<sandbox::Sa
}
}
-auto PodSandboxManagerService::GetSandboxKey(const container_inspect *inspect_data) -> std::string
-{
- if (inspect_data == nullptr || inspect_data->network_settings == nullptr ||
- inspect_data->network_settings->sandbox_key == nullptr) {
- ERROR("Inspect data does not have network settings");
- return std::string("");
- }
-
- return std::string(inspect_data->network_settings->sandbox_key);
-}
-
auto PodSandboxManagerService::GetContainerListResponse(const std::string &readSandboxID,
std::vector<std::string> &errors) -> std::unique_ptr<CStructWrapper<container_list_response>>
{
@@ -589,21 +578,6 @@ auto PodSandboxManagerService::StopAllContainersInSandbox(const std::string &rea
return ret;
}
-auto PodSandboxManagerService::GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool
-{
- std::lock_guard<std::mutex> lockGuard(m_networkReadyLock);
-
- bool ready { false };
- auto iter = m_networkReady.find(podSandboxID);
- if (iter != m_networkReady.end()) {
- ready = iter->second;
- } else {
- error.Errorf("Do not find network: %s", podSandboxID.c_str());
- }
-
- return ready;
-}
-
void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, Errors &error)
{
if (m_cb == nullptr || m_cb->container.stop == nullptr) {
@@ -674,16 +648,6 @@ void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::string &r
}
}
-void PodSandboxManagerService::ClearNetworkReady(const std::string &podSandboxID)
-{
- std::lock_guard<std::mutex> lockGuard(m_networkReadyLock);
-
- auto iter = m_networkReady.find(podSandboxID);
- if (iter != m_networkReady.end()) {
- m_networkReady.erase(iter);
- }
-}
-
void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID, Errors &error)
{
std::vector<std::string> errors;
@@ -766,33 +730,6 @@ void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID,
#endif
}
-auto PodSandboxManagerService::SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode
-{
- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->network_mode != nullptr) &&
- std::string(inspect->host_config->network_mode) == CRI::Constants::namespaceModeHost) {
- return runtime::v1::NamespaceMode::NODE;
- }
- return runtime::v1::NamespaceMode::POD;
-}
-
-auto PodSandboxManagerService::SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode
-{
- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->pid_mode != nullptr) &&
- std::string(inspect->host_config->pid_mode) == CRI::Constants::namespaceModeHost) {
- return runtime::v1::NamespaceMode::NODE;
- }
- return runtime::v1::NamespaceMode::CONTAINER;
-}
-
-auto PodSandboxManagerService::SharesHostIpc(const container_inspect *inspect) -> runtime::v1::NamespaceMode
-{
- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->ipc_mode != nullptr) &&
- std::string(inspect->host_config->ipc_mode) == CRI::Constants::namespaceModeHost) {
- return runtime::v1::NamespaceMode::NODE;
- }
- return runtime::v1::NamespaceMode::POD;
-}
-
void PodSandboxManagerService::GetIPs(std::shared_ptr<sandbox::Sandbox> sandbox, std::vector<std::string> &ips)
{
const auto id = sandbox->GetId();
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
index d5c0cf91..b02216c0 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
@@ -93,12 +93,7 @@ private:
auto GetContainerListResponse(const std::string &readSandboxID,
std::vector<std::string> &errors) -> std::unique_ptr<CStructWrapper<container_list_response>>;
auto StopAllContainersInSandbox(const std::string &readSandboxID, Errors &error) -> int;
- auto GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool;
void RemoveAllContainersInSandbox(const std::string &readSandboxID, std::vector<std::string> &errors);
- void ClearNetworkReady(const std::string &podSandboxID);
- auto SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode;
- auto SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode;
- auto SharesHostIpc(const container_inspect *inspect) -> runtime::v1::NamespaceMode;
void SetSandboxStatusNetwork(std::shared_ptr<sandbox::Sandbox> sandbox,
std::unique_ptr<runtime::v1::PodSandboxStatus> &podStatus);
void GetIPs(std::shared_ptr<sandbox::Sandbox> sandbox, std::vector<std::string> &ips);
@@ -108,7 +103,6 @@ private:
auto GetAvailableBytes(const uint64_t &memoryLimit, const uint64_t &workingSetBytes) -> uint64_t;
void GetPodSandboxCgroupMetrics(const std::string &cgroupParent, cgroup_metrics_t &cgroupMetrics,
Errors &error);
- auto GetSandboxKey(const container_inspect *inspect_data) -> std::string;
void GetPodSandboxNetworkMetrics(const std::string &netnsPath,
std::map<std::string, std::string> &annotations,
std::vector<Network::NetworkInterfaceStats> &netMetrics, Errors &error);
@@ -138,7 +132,6 @@ private:
private:
std::string m_podSandboxImage;
std::mutex m_networkReadyLock;
- std::map<std::string, bool> m_networkReady;
service_executor_t *m_cb { nullptr };
std::shared_ptr<Network::PluginManager> m_pluginManager { nullptr };
bool m_enablePodEvents;
diff --git a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc
index 0afea06a..3974add5 100644
--- a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc
+++ b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc
@@ -53,27 +53,6 @@ auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1alpha2::Con
}
}
-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint)
--> std::unique_ptr<runtime::v1alpha2::PodSandbox>
-{
- std::unique_ptr<runtime::v1alpha2::PodSandbox> result(new (std::nothrow) runtime::v1alpha2::PodSandbox);
- if (result == nullptr) {
- return nullptr;
- }
- runtime::v1alpha2::PodSandboxMetadata *metadata = new (std::nothrow) runtime::v1alpha2::PodSandboxMetadata;
- if (metadata == nullptr) {
- return nullptr;
- }
-
- metadata->set_name(checkpoint.GetName());
- metadata->set_namespace_(checkpoint.GetNamespace());
- result->set_allocated_metadata(metadata);
- result->set_id(id);
- result->set_state(runtime::v1alpha2::SANDBOX_NOTREADY);
-
- return result;
-}
-
void UpdateCreateConfig(container_config *createConfig, host_config *hc,
const runtime::v1alpha2::ContainerConfig &config, const std::string &podSandboxID,
Errors &error)
diff --git a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h
index 6bca8169..f3331421 100644
--- a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h
+++ b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h
@@ -40,9 +40,6 @@ struct commonSecurityContext {
auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1alpha2::ContainerState;
-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint)
--> std::unique_ptr<runtime::v1alpha2::PodSandbox>;
-
void UpdateCreateConfig(container_config *createConfig, host_config *hc,
const runtime::v1alpha2::ContainerConfig &config, const std::string &podSandboxID,
Errors &error);
diff --git a/src/daemon/sandbox/controller_manager.cc b/src/daemon/sandbox/controller_manager.cc
index 947f2d19..ae01fefe 100644
--- a/src/daemon/sandbox/controller_manager.cc
+++ b/src/daemon/sandbox/controller_manager.cc
@@ -55,11 +55,6 @@ bool ControllerManager::Init(Errors &error)
return true;
}
-bool ControllerManager::Cleanup(Errors &error)
-{
- return true;
-}
-
auto ControllerManager::RegisterShimController(Errors &error) -> bool
{
if (m_controllers.find(SHIM_CONTROLLER_NAME) != m_controllers.end()) {
diff --git a/src/daemon/sandbox/controller_manager.h b/src/daemon/sandbox/controller_manager.h
index 3fd547cf..c8febffb 100644
--- a/src/daemon/sandbox/controller_manager.h
+++ b/src/daemon/sandbox/controller_manager.h
@@ -27,7 +27,6 @@ public:
static auto GetInstance() -> ControllerManager*;
auto Init(Errors &error) -> bool;
- auto Cleanup(Errors &error) -> bool;
auto GetController(const std::string &name) -> std::shared_ptr<Controller>;
private:
auto RegisterShimController(Errors &error) -> bool;
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d105d71a..0ddbb9ce 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -210,11 +210,6 @@ auto Sandbox::GetPid() -> uint32_t
return m_state.pid;
}
-auto Sandbox::GetImage() -> const std::string &
-{
- return m_image;
-}
-
void Sandbox::DoUpdateExitedStatus(const ControllerExitInfo &exitInfo)
{
WriteGuard<RWMutex> lock(m_stateMutex);
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 58d60ecb..aa9071ac 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -106,7 +106,6 @@ public:
auto GetCreatedAt() -> uint64_t;
auto GetPid() -> uint32_t;
auto GetTaskAddress() const -> const std::string &;
- auto GetImage() -> const std::string &;
void SetNetMode(const std::string &mode);
void SetController(std::shared_ptr<Controller> controller);
void AddAnnotations(const std::string &key, const std::string &value);
diff --git a/src/daemon/sandbox/sandbox_manager.cc b/src/daemon/sandbox/sandbox_manager.cc
index a7908a60..d884902d 100644
--- a/src/daemon/sandbox/sandbox_manager.cc
+++ b/src/daemon/sandbox/sandbox_manager.cc
@@ -405,12 +405,6 @@ auto SandboxManager::NameIndexGet(const std::string &name) -> std::string
return std::string();
}
-auto SandboxManager::NameIndexGetAll(void) -> std::map<std::string, std::string>
-{
- ReadGuard<RWMutex> lock(m_indexRWMutex);
- return m_nameIndexMap;
-}
-
auto SandboxManager::GetSandboxRootpath() -> std::string
{
__isula_auto_free char *root_path = NULL;
diff --git a/src/daemon/sandbox/sandbox_manager.h b/src/daemon/sandbox/sandbox_manager.h
index b6007ad8..a5fb702f 100644
--- a/src/daemon/sandbox/sandbox_manager.h
+++ b/src/daemon/sandbox/sandbox_manager.h
@@ -62,7 +62,6 @@ private:
void NameIndexAdd(const std::string &name, const std::string &id);
void NameIndexRemove(const std::string &name);
auto NameIndexGet(const std::string &name) -> std::string;
- auto NameIndexGetAll(void) -> std::map<std::string, std::string>;
auto IDNameManagerRemoveEntry(const std::string &id, const std::string &name) -> bool;
auto IDNameManagerNewEntry(std::string &id, const std::string &name) -> bool;
--
2.34.1

71
0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch Normal file
View File

@ -0,0 +1,71 @@
From 012553d4c53bd8d1c73d22c18fd24bf441041d54 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 8 Feb 2025 11:34:59 +0800
Subject: [PATCH 188/198] [sandbox] fix memory leak in fill sandbox metadate
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/sandbox/sandbox.cc | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index 12693445..e2f42237 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -890,20 +890,24 @@ auto Sandbox::GenerateSandboxMetadataJson(sandbox_metadata *metadata) -> std::st
auto Sandbox::SaveMetadata(Errors &error) -> bool
{
- sandbox_metadata_runtime_info info = { 0 };
- sandbox_metadata metadata = { 0 };
int nret = -1;
const std::string path = GetMetadataJsonPath();
std::string metadataJson;
- metadata.runtime_info = &info;
+ sandbox_metadata *metadata = static_cast<sandbox_metadata *>(util_common_calloc_s(sizeof(sandbox_metadata)));
+ if (metadata == nullptr) {
+ error.SetError("Out of memory");
+ return false;
+ }
+
+ auto metadataWarpper = std::unique_ptr<CStructWrapper<sandbox_metadata>>(new CStructWrapper<sandbox_metadata>(metadata, free_sandbox_metadata));
- FillSandboxMetadata(&metadata, error);
+ FillSandboxMetadata(metadata, error);
if (!error.Empty()) {
return false;
}
- metadataJson = GenerateSandboxMetadataJson(&metadata);
+ metadataJson = GenerateSandboxMetadataJson(metadata);
if (metadataJson.length() == 0) {
error.Errorf("Failed to get sandbox metadata json for sandbox: '%s'", m_id.c_str());
return false;
@@ -1102,11 +1106,23 @@ auto Sandbox::GetNetworkSettingsPath() -> std::string
void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
{
std::string jsonStr;
+ sandbox_metadata_runtime_info *info = nullptr;
+
metadata->id = util_strdup_s(m_id.c_str());
metadata->name = util_strdup_s(m_name.c_str());
+
+ info = static_cast<sandbox_metadata_runtime_info *>(util_common_calloc_s(sizeof(sandbox_metadata_runtime_info)));
+ if (info == NULL) {
+ error.SetError("Out of memory");
+ ERROR("Out of memory");
+ return;
+ }
+
+ metadata->runtime_info = info;
metadata->runtime_info->runtime = util_strdup_s(m_runtimeInfo.runtime.c_str());
metadata->runtime_info->sandboxer = util_strdup_s(m_runtimeInfo.sandboxer.c_str());
metadata->runtime_info->runtime_handler = util_strdup_s(m_runtimeInfo.runtimeHandler.c_str());
+
metadata->net_mode = util_strdup_s(m_netMode.c_str());
metadata->network_ready = m_networkReady;
metadata->task_address = util_strdup_s(m_taskAddress.c_str());
--
2.34.1

44
0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch Normal file
View File

@ -0,0 +1,44 @@
From 317b853a0d70bab56d2c0f814e6d1c4203a48c5f Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Thu, 16 Jan 2025 01:16:42 +1400
Subject: [PATCH 189/198] add sandbox pid init and verify sandbox ready when
create container
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc | 6 ++++++
src/daemon/sandbox/sandbox.cc | 1 +
2 files changed, 7 insertions(+)
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index e8dcd699..abf60c0c 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -483,6 +483,12 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb
return response_id;
}
+ // verify whether the sandbox is ready
+ if (!sandbox->IsReady()) {
+ error.Errorf("Failed to generate sandbox_info because the sandbox %s is not ready", sandbox->GetId().c_str());
+ return nullptr;
+ }
+
#ifdef ENABLE_NRI
Errors nriErr;
nri_container_adjustment *adjust = NULL;
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index e2f42237..b97c0bc6 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -100,6 +100,7 @@ Sandbox::Sandbox(const std::string id, const std::string &rootdir, const std::st
const uint64_t defaultCreatedAt { 1 };
m_state.createdAt = defaultCreatedAt;
m_image = image;
+ m_state.pid = -1;
}
auto Sandbox::IsReady() -> bool
--
2.34.1

399
0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch Normal file
View File

@ -0,0 +1,399 @@
From 1d42d850b71e3a0e269f268411999c265a1a8f5b Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 10 Feb 2025 10:44:01 +0800
Subject: [PATCH 190/198] modified the procedure of start pod and set up
network in cri v1
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../v1/v1_cri_pod_sandbox_manager_service.cc | 276 +++++++++++++-----
.../v1/v1_cri_pod_sandbox_manager_service.h | 3 +
2 files changed, 206 insertions(+), 73 deletions(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index 43705853..62464acd 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -19,6 +19,7 @@
#include <isula_libutils/host_config.h>
#include <isula_libutils/container_config.h>
#include <isula_libutils/auto_cleanup.h>
+#include <isula_libutils/container_network_settings.h>
#include <algorithm>
#include "checkpoint_handler.h"
@@ -273,12 +274,6 @@ void PodSandboxManagerService::SetupSandboxNetwork(const std::shared_ptr<sandbox
std::map<std::string, std::string> networkOptions;
networkOptions["UID"] = config.metadata().uid();
- if (prepare_network_namespace(sandboxKey.c_str(), false, 0) != 0) {
- error.Errorf("Failed to prepare network namespace: %s", sandboxKey.c_str());
- ERROR("Failed to prepare network namespace: %s", sandboxKey.c_str());
- return;
- }
-
// Setup networking for the sandbox.
m_pluginManager->SetUpPod(config.metadata().namespace_(), config.metadata().name(),
Network::DEFAULT_NETWORK_INTERFACE_NAME, sandbox->GetId(), stdAnnos, networkOptions,
@@ -295,85 +290,137 @@ void PodSandboxManagerService::SetupSandboxNetwork(const std::shared_ptr<sandbox
DEBUG("set %s ready", sandbox->GetId().c_str());
}
-auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config,
- const std::string &runtimeHandler, Errors &error) -> std::string
+void PodSandboxManagerService::GenerateNetworkSetting(std::string &sandboxKey, std::string &network_setting_json, Errors &error)
+{
+ container_network_settings *settings = NULL;
+ __isula_auto_free char *jerr = NULL;
+ __isula_auto_free char *setting_json { nullptr };
+
+ settings = (container_network_settings *)util_common_calloc_s(sizeof(container_network_settings));
+ if (settings == NULL) {
+ ERROR("Out of memory");
+ error.Errorf("Out of memory");
+ return;
+ }
+
+ auto settingsWarpper = std::unique_ptr<CStructWrapper<container_network_settings>>(new CStructWrapper<container_network_settings>(settings, free_container_network_settings));
+
+ settings->sandbox_key = util_strdup_s(sandboxKey.c_str());
+ if (settings->sandbox_key == NULL) {
+ ERROR("Failed to set sandbox key for network setting");
+ error.Errorf("Failed to set sandbox key for network setting");
+ return;
+ }
+
+ setting_json = container_network_settings_generate_json(settings, nullptr, &jerr);
+ if (setting_json == nullptr) {
+ error.Errorf("Get network settings json err:%s", jerr);
+ }
+
+ network_setting_json = std::string(setting_json);
+}
+
+void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sandbox::Sandbox> sandbox, std::string &sandboxKey, std::string &sandboxName, std::string &networkMode, Errors &error)
{
- std::string response_id;
- std::string sandboxName;
- sandbox::RuntimeInfo runtimeInfo;
- std::string networkMode;
- std::string sandboxKey;
- std::string jsonCheckpoint;
- std::string network_setting_json;
- runtime::v1::PodSandboxConfig copyConfig = config;
cri_container_message_t msg = { 0 };
-#ifdef ENABLE_NRI
- Errors nriErr;
-#endif
+ std::string network_setting_json;
- // Step 1: Parepare sandbox name, runtime and networkMode
- PrepareSandboxData(config, runtimeHandler, sandboxName, runtimeInfo, networkMode, error);
+ // Step 7.2.1: Call sandbox create.
+ sandbox->Create(error);
if (error.NotEmpty()) {
- return response_id;
+ ERROR("Failed to create sandbox: %s", sandboxName.c_str());
+ return;
}
- // Step 2: Pull the image for the sandbox.
- // Maybe we should pull image in shim controller ?
- // But pull image interface is only in CRI image service, and it can't be called in shim controller,
- // so we pull image in CRI pod service.
- const std::string &image = m_podSandboxImage;
- if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) {
- ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
- error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
- return response_id;
+ msg.container_id = sandbox->GetId().c_str();
+ msg.sandbox_id = sandbox->GetId().c_str();
+ msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED;
+ mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
+
+ // Step 7.2.2: Save network settings json to disk
+ // Update network settings before start sandbox since sandbox container will use the sandbox key
+ if (namespace_is_cni(networkMode.c_str())) {
+ GenerateNetworkSetting(sandboxKey, network_setting_json, error);
+ // If saving network settings failed, ignore error
+ if (error.NotEmpty()) {
+ ERROR("Failed to generate networksetting :%s", error.GetCMessage());
+ return;
+ }
+
+ sandbox->UpdateNetworkSettings(network_setting_json, error);
+ // If saving network settings failed, ignore error
+ if (error.NotEmpty()) {
+ ERROR("%s", error.GetCMessage());
+ return;
+ }
}
- // Step 3: Prepare sandbox checkpoint
- PrepareSandboxCheckpoint(config, jsonCheckpoint, error);
+ // Step 7.2.3: Call sandbox start.
+ sandbox->Start(error);
if (error.NotEmpty()) {
- return response_id;
+ ERROR("Failed to start sandbox: %s", sandboxName.c_str());
+ return;
}
- // Step 4: Update sandbox instance config
- UpdateSandboxConfig(copyConfig, jsonCheckpoint, error);
+ // Step 7.2.4:Setup networking for the sandbox.
+ SetupSandboxNetwork(sandbox, network_setting_json, error);
if (error.NotEmpty()) {
- return response_id;
+ goto stop_sandbox;
}
- // Step 5: Prepare sandboxKey
+ // Step 7.2.5:update Network settings after setup network to update ip info.
if (namespace_is_cni(networkMode.c_str())) {
- // cleanup sandboxKey file in DeleteSandbox
- PrepareSandboxKey(sandboxKey, error);
- if (error.NotEmpty()) {
- return response_id;
+ Errors tmpErr;
+ sandbox->UpdateNetworkSettings(network_setting_json, tmpErr);
+ // If saving network settings failed, ignore error
+ if (tmpErr.NotEmpty()) {
+ WARN("%s", tmpErr.GetCMessage());
}
}
- // Step 6: Create sandbox instance
- auto sandbox = sandbox::SandboxManager::GetInstance()->CreateSandbox(sandboxName, runtimeInfo, sandboxKey,
- networkMode, copyConfig, image, error);
+ // Step 7.2.6: Save sandbox to disk
+ sandbox->Save(error);
if (error.NotEmpty()) {
- if (namespace_is_cni(networkMode.c_str())) {
- (void)remove_network_namespace_file(sandboxKey.c_str());
+ ERROR("Failed to save sandbox, %s", sandboxName.c_str());
+ goto cleanup_network;
+ }
+ return;
+
+cleanup_network:
+ if (namespace_is_cni(sandbox->GetNetMode().c_str())) {
+ Errors clearErr;
+ ClearCniNetwork(sandbox, clearErr);
+ if (clearErr.NotEmpty()) {
+ ERROR("Failed to clean cni network: %s", clearErr.GetCMessage());
}
- return response_id;
}
- // Step 7: Setup networking for the sandbox.
+stop_sandbox:
+ Errors stopError;
+ CRIHelpers::StopContainerHelper(m_cb, sandbox->GetId(), 0, stopError);
+ WARN("Error stop container: %s: %s", sandbox->GetId().c_str(), stopError.GetCMessage());
+}
+
+void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sandbox::Sandbox> sandbox, std::string &sandboxName, std::string &networkMode, Errors &error)
+{
+ cri_container_message_t msg = { 0 };
+ std::string network_setting_json;
+
+ // Step 7.1.1: Setup networking for the sandbox.
// Setup sandbox network before create sandbox since the remote create might fail for sandbox
SetupSandboxNetwork(sandbox, network_setting_json, error);
if (error.NotEmpty()) {
- goto cleanup_sandbox;
+ return;
}
- // Step 8: Save sandbox to disk
+ // Step 7.1.2: Save sandbox to disk
sandbox->Save(error);
if (error.NotEmpty()) {
ERROR("Failed to save sandbox, %s", sandboxName.c_str());
goto cleanup_network;
}
- // Step 9: Call sandbox create.
+ // Step 7.1.3: Call sandbox create.
sandbox->Create(error);
if (error.NotEmpty()) {
ERROR("Failed to create sandbox: %s", sandboxName.c_str());
@@ -385,7 +432,7 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig
msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED;
mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
- // Step 10: Save network settings json to disk
+ // Step 7.1.4: Save network settings json to disk
// Update network settings before start sandbox since sandbox container will use the sandbox key
if (namespace_is_cni(networkMode.c_str())) {
Errors tmpErr;
@@ -396,26 +443,15 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig
}
}
- // Step 11: Call sandbox start.
+ // Step 7.1.5: Call sandbox start.
sandbox->Start(error);
if (error.NotEmpty()) {
ERROR("Failed to start sandbox: %s", sandboxName.c_str());
- // If start failed, sandbox should be NotReady, we cleanup network and delete sandbox in remove
- return response_id;
- }
-
- msg.type = CRI_CONTAINER_MESSAGE_TYPE_STARTED;
- mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
-
-#ifdef ENABLE_NRI
- if (!NRIAdaptation::GetInstance()->RunPodSandbox(sandbox, nriErr)) {
- ERROR("NRI RunPodSandbox failed: %s", nriErr.GetCMessage());
- error.Errorf("NRI RunPodSandbox failed: %s", nriErr.GetCMessage());
- return response_id;
+ // If start failed, sandbox should be NotReady, we cleanup network, but delete sandbox in remove
+ goto cleanup_network;
}
-#endif
- return sandbox->GetId();
+ return;
cleanup_network:
if (namespace_is_cni(sandbox->GetNetMode().c_str())) {
@@ -423,21 +459,115 @@ cleanup_network:
ClearCniNetwork(sandbox, clearErr);
if (clearErr.NotEmpty()) {
ERROR("Failed to clean cni network: %s", clearErr.GetCMessage());
+ return;
+ }
+ }
+}
+
+auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config,
+ const std::string &runtimeHandler, Errors &error) -> std::string
+{
+ std::string response_id;
+ std::string sandboxName;
+ sandbox::RuntimeInfo runtimeInfo;
+ std::string networkMode;
+ std::string sandboxKey;
+ std::string jsonCheckpoint;
+ runtime::v1::PodSandboxConfig copyConfig = config;
+ std::map<std::string, std::string> stdAnnos;
+ cri_container_message_t msg = { 0 };
+ std::shared_ptr<sandbox::Sandbox> sandbox;
+#ifdef ENABLE_NRI
+ Errors nriErr;
+#endif
+
+ // Step 1: Parepare sandbox name, runtime and networkMode
+ PrepareSandboxData(config, runtimeHandler, sandboxName, runtimeInfo, networkMode, error);
+ if (error.NotEmpty()) {
+ return response_id;
+ }
+
+ // Step 2: Pull the image for the sandbox.
+ // Maybe we should pull image in shim controller ?
+ // But pull image interface is only in CRI image service, and it can't be called in shim controller,
+ // so we pull image in CRI pod service.
+ const std::string &image = m_podSandboxImage;
+ if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) {
+ ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
+ error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
+ return response_id;
+ }
+
+ // Step 3: Prepare sandbox checkpoint
+ PrepareSandboxCheckpoint(config, jsonCheckpoint, error);
+ if (error.NotEmpty()) {
+ return response_id;
+ }
+
+ // Step 4: Update sandbox instance config
+ UpdateSandboxConfig(copyConfig, jsonCheckpoint, error);
+ if (error.NotEmpty()) {
+ return response_id;
+ }
+
+ // Step 5: Prepare sandboxKey and mount ns namespace
+ if (namespace_is_cni(networkMode.c_str())) {
+ // cleanup sandboxKey file in DeleteSandbox
+ PrepareSandboxKey(sandboxKey, error);
+ if (error.NotEmpty()) {
return response_id;
}
+ if (prepare_network_namespace(sandboxKey.c_str(), false, 0) != 0) {
+ error.Errorf("Failed to prepare network namespace: %s", sandboxKey.c_str());
+ ERROR("Failed to prepare network namespace: %s", sandboxKey.c_str());
+ goto clean_ns;
+ }
}
-cleanup_sandbox:
- sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error);
+ // Step 6: Create sandbox instance
+ sandbox = sandbox::SandboxManager::GetInstance()->CreateSandbox(sandboxName, runtimeInfo, sandboxKey,
+ networkMode, copyConfig, image, error);
+ if (error.NotEmpty()) {
+ goto clean_ns;
+ }
+
+ CRIHelpers::ProtobufAnnoMapToStd(sandbox->GetSandboxConfig().annotations(), stdAnnos);
+ // Step 7: According to the annotation and network namespace mode,
+ // determine the order of start sandbox and setup network.
+ // tips: clean sandbox and network in sub function.
+ if (CRIHelpers::SetupNetworkFirst(stdAnnos)) {
+ // Step 7.1: Setup networking for the sandbox, and then start the sandbox container.
+ SetupNetowrkAndStartPodSandbox(sandbox, sandboxName, networkMode, error);
+ } else {
+ // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox.
+ // why: Some kata multi-network plane plugins (such as configuring vfio device pass-through)
+ // need to be called after the pod is already running.
+ StartPodSandboxAndSetupNetowrk(sandbox, sandboxKey, sandboxName, networkMode, error);
+ }
if (error.NotEmpty()) {
- ERROR("Failed to delete sandbox: %s", sandbox->GetId().c_str());
+ goto clean_ns;
}
+
+ msg.type = CRI_CONTAINER_MESSAGE_TYPE_STARTED;
+ mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
+
#ifdef ENABLE_NRI
- if (!NRIAdaptation::GetInstance()->RemovePodSandbox(sandbox, nriErr)) {
- DEBUG("NRI RemovePodSandbox failed: %s", nriErr.GetCMessage());
+ if (!NRIAdaptation::GetInstance()->RunPodSandbox(sandbox, nriErr)) {
+ ERROR("NRI RunPodSandbox failed: %s", nriErr.GetCMessage());
+ error.Errorf("NRI RunPodSandbox failed: %s", nriErr.GetCMessage());
+ return response_id;
}
#endif
+ return sandbox->GetId();
+clean_ns:
+ if (namespace_is_cni(networkMode.c_str())) {
+ // umount netns when prepare runp failed
+ if (remove_network_namespace(sandboxKey.c_str()) != 0) {
+ SYSERROR("Failed to umount directory %s", sandboxKey.c_str());
+ }
+ (void)remove_network_namespace_file(sandboxKey.c_str());
+ }
return response_id;
}
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
index b02216c0..01d06624 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
@@ -86,6 +86,9 @@ private:
void UpdateSandboxConfig(runtime::v1::PodSandboxConfig &config, std::string &jsonCheckpoint, Errors &error);
void SetupSandboxFiles(const std::string &resolvPath, const runtime::v1::PodSandboxConfig &config,
Errors &error);
+ void GenerateNetworkSetting(std::string &sandboxKey, std::string &network_setting_json, Errors &error);
+ void StartPodSandboxAndSetupNetowrk(std::shared_ptr<sandbox::Sandbox> sandbox, std::string &sandboxKey, std::string &sandboxName, std::string &networkMode, Errors &error);
+ void SetupNetowrkAndStartPodSandbox(std::shared_ptr<sandbox::Sandbox> sandbox, std::string &sandboxName, std::string &networkMode, Errors &error);
void SetupSandboxNetwork(const std::shared_ptr<sandbox::Sandbox> sandbox, std::string &network_settings_json,
Errors &error);
void ClearCniNetwork(const std::shared_ptr<sandbox::Sandbox> sandbox, Errors &error);
--
2.34.1

36
0191-bugfix-dereference-null-pointer.patch Normal file
View File

@ -0,0 +1,36 @@
From 2861c3105e1605c0a0b037558b0ccf54c9780678 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Tue, 11 Feb 2025 11:08:31 +0800
Subject: [PATCH 191/198] bugfix:dereference null pointer
Signed-off-by: liuxu <liuxu156@huawei.com>
---
src/daemon/modules/container/container_gc/containers_gc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c
index 3f2473d5..5dd299dc 100644
--- a/src/daemon/modules/container/container_gc/containers_gc.c
+++ b/src/daemon/modules/container/container_gc/containers_gc.c
@@ -461,15 +461,16 @@ static void gc_container_process(struct linked_list *it)
unsigned long long start_time = 0;
char *runtime = NULL;
char *id = NULL;
- container_garbage_config_gc_containers_element *gc_cont = NULL;
+ container_garbage_config_gc_containers_element *gc_cont = (container_garbage_config_gc_containers_element *)it->elem;
rt_detect_process_params_t detect_params = {
.pid = gc_cont->pid,
.start_time = gc_cont->start_time,
};
- gc_cont = (container_garbage_config_gc_containers_element *)it->elem;
id = gc_cont->id;
runtime = gc_cont->runtime;
+ pid = gc_cont->pid;
+ start_time = gc_cont->start_time;
if (runtime_detect_process(id, runtime, &detect_params) < 0) {
ret = clean_container_resource(id, runtime, pid);
--
2.34.1

158
0192-modify-save-step-in-run-sandbox.patch Normal file
View File

@ -0,0 +1,158 @@
From edb21523aac45aa5628243599a296592a6b84d79 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 12 Feb 2025 11:18:46 +1400
Subject: [PATCH 192/198] modify save step in run sandbox
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../v1/v1_cri_pod_sandbox_manager_service.cc | 55 +++++++------------
1 file changed, 19 insertions(+), 36 deletions(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index 62464acd..8a7779ad 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -325,7 +325,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
cri_container_message_t msg = { 0 };
std::string network_setting_json;
- // Step 7.2.1: Call sandbox create.
+ // Step 8.2.1: Call sandbox create.
sandbox->Create(error);
if (error.NotEmpty()) {
ERROR("Failed to create sandbox: %s", sandboxName.c_str());
@@ -337,7 +337,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED;
mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
- // Step 7.2.2: Save network settings json to disk
+ // Step 8.2.2: Save network settings json to disk
// Update network settings before start sandbox since sandbox container will use the sandbox key
if (namespace_is_cni(networkMode.c_str())) {
GenerateNetworkSetting(sandboxKey, network_setting_json, error);
@@ -355,20 +355,20 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
}
}
- // Step 7.2.3: Call sandbox start.
+ // Step 8.2.3: Call sandbox start.
sandbox->Start(error);
if (error.NotEmpty()) {
ERROR("Failed to start sandbox: %s", sandboxName.c_str());
return;
}
- // Step 7.2.4:Setup networking for the sandbox.
+ // Step 8.2.4:Setup networking for the sandbox.
SetupSandboxNetwork(sandbox, network_setting_json, error);
if (error.NotEmpty()) {
goto stop_sandbox;
}
- // Step 7.2.5:update Network settings after setup network to update ip info.
+ // Step 8.2.5:update Network settings after setup network to update ip info.
if (namespace_is_cni(networkMode.c_str())) {
Errors tmpErr;
sandbox->UpdateNetworkSettings(network_setting_json, tmpErr);
@@ -378,23 +378,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
}
}
- // Step 7.2.6: Save sandbox to disk
- sandbox->Save(error);
- if (error.NotEmpty()) {
- ERROR("Failed to save sandbox, %s", sandboxName.c_str());
- goto cleanup_network;
- }
return;
-
-cleanup_network:
- if (namespace_is_cni(sandbox->GetNetMode().c_str())) {
- Errors clearErr;
- ClearCniNetwork(sandbox, clearErr);
- if (clearErr.NotEmpty()) {
- ERROR("Failed to clean cni network: %s", clearErr.GetCMessage());
- }
- }
-
stop_sandbox:
Errors stopError;
CRIHelpers::StopContainerHelper(m_cb, sandbox->GetId(), 0, stopError);
@@ -406,21 +390,14 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sa
cri_container_message_t msg = { 0 };
std::string network_setting_json;
- // Step 7.1.1: Setup networking for the sandbox.
+ // Step 8.1.1: Setup networking for the sandbox.
// Setup sandbox network before create sandbox since the remote create might fail for sandbox
SetupSandboxNetwork(sandbox, network_setting_json, error);
if (error.NotEmpty()) {
return;
}
- // Step 7.1.2: Save sandbox to disk
- sandbox->Save(error);
- if (error.NotEmpty()) {
- ERROR("Failed to save sandbox, %s", sandboxName.c_str());
- goto cleanup_network;
- }
-
- // Step 7.1.3: Call sandbox create.
+ // Step 8.1.2: Call sandbox create.
sandbox->Create(error);
if (error.NotEmpty()) {
ERROR("Failed to create sandbox: %s", sandboxName.c_str());
@@ -432,7 +409,7 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sa
msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED;
mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg);
- // Step 7.1.4: Save network settings json to disk
+ // Step 8.1.3: Save network settings json to disk
// Update network settings before start sandbox since sandbox container will use the sandbox key
if (namespace_is_cni(networkMode.c_str())) {
Errors tmpErr;
@@ -443,14 +420,13 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sa
}
}
- // Step 7.1.5: Call sandbox start.
+ // Step 8.1.4: Call sandbox start.
sandbox->Start(error);
if (error.NotEmpty()) {
ERROR("Failed to start sandbox: %s", sandboxName.c_str());
// If start failed, sandbox should be NotReady, we cleanup network, but delete sandbox in remove
goto cleanup_network;
}
-
return;
cleanup_network:
@@ -531,15 +507,22 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig
goto clean_ns;
}
+ // Step 7: Save sandbox metadate to disk for sandbox instance create success
+ sandbox->Save(error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to save sandbox, %s", sandboxName.c_str());
+ goto clean_ns;
+ }
+
CRIHelpers::ProtobufAnnoMapToStd(sandbox->GetSandboxConfig().annotations(), stdAnnos);
- // Step 7: According to the annotation and network namespace mode,
+ // Step 8: According to the annotation and network namespace mode,
// determine the order of start sandbox and setup network.
// tips: clean sandbox and network in sub function.
if (CRIHelpers::SetupNetworkFirst(stdAnnos)) {
- // Step 7.1: Setup networking for the sandbox, and then start the sandbox container.
+ // Step 8.1: Setup networking for the sandbox, and then start the sandbox container.
SetupNetowrkAndStartPodSandbox(sandbox, sandboxName, networkMode, error);
} else {
- // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox.
+ // Step 8.2: (Default)Start the sandbox container, and then setup networking for the sandbox.
// why: Some kata multi-network plane plugins (such as configuring vfio device pass-through)
// need to be called after the pod is already running.
StartPodSandboxAndSetupNetowrk(sandbox, sandboxKey, sandboxName, networkMode, error);
--
2.34.1

209
0193-add-dt-for-cri-v1.patch Normal file
View File

@ -0,0 +1,209 @@
From bb2ed9b37d7c69b0af88487693826556321d46e9 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 11 Feb 2025 22:42:39 +0800
Subject: [PATCH 193/198] add dt for cri v1
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/test_cases/container_cases/cri_stats.sh | 90 ++++++++++++++++++++++
CI/test_cases/container_cases/cri_test.sh | 80 +++++++++++++++++++
2 files changed, 170 insertions(+)
create mode 100755 CI/test_cases/container_cases/cri_stats.sh
diff --git a/CI/test_cases/container_cases/cri_stats.sh b/CI/test_cases/container_cases/cri_stats.sh
new file mode 100755
index 00000000..f6acb397
--- /dev/null
+++ b/CI/test_cases/container_cases/cri_stats.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# attributes: isulad basic cri seccomp
+# concurrent: NA
+# spend time: 4
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: wangfengtu
+##- @Create: 2022-08-13
+#######################################################################
+
+source ../helpers.sh
+curr_path=$(dirname $(readlink -f "$0"))
+data_path=$(realpath $curr_path/criconfigs)
+pause_img_path=$(realpath $curr_path/test_data)
+
+function do_pre()
+{
+ sed -i "s#seccomp_localhost_ref#${data_path}/seccomp_localhost.json#g" ${data_path}/container-config-seccomp-localhost.json
+
+ init_cri_conf $1 "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE}
+
+ isula pull busybox
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull busybox" && return ${FAILURE}
+
+ return 0
+}
+
+function do_post()
+{
+ local ret=0
+ restore_cri_conf "without_valgrind"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++))
+ return $ret
+}
+
+function test_cri_stats()
+{
+ local ret=0
+ local test="cri stats test => (${FUNCNAME[@]})"
+
+ msg_info "${test} starting..."
+
+ sid=$(crictl runp ${data_path}/sandbox-config.json)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run sandbox" && ((ret++))
+
+ cid=$(crictl create $sid ${data_path}/container-config.json ${data_path}/sandbox-config.json)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to create container" && ((ret++))
+
+ crictl start $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start container" && ((ret++))
+
+ crictl statsp $sid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++))
+
+ crictl stats $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+declare -i ans=0
+
+for version in ${CRI_LIST[@]};
+do
+ test="test_cri_test_fun, use cri version => (${version})"
+ msg_info "${test} starting..."
+
+ do_pre $version || ((ans++))
+
+ test_cri_stats || ((ans++))
+
+ do_post || ((ans++))
+ msg_info "${test} finished with return ${ans}..."
+done
+
+show_result ${ans} "${curr_path}/${0}"
+
diff --git a/CI/test_cases/container_cases/cri_test.sh b/CI/test_cases/container_cases/cri_test.sh
index ed333a28..6dc2291e 100755
--- a/CI/test_cases/container_cases/cri_test.sh
+++ b/CI/test_cases/container_cases/cri_test.sh
@@ -45,6 +45,83 @@ function do_post()
return $ret
}
+function test_cri_info()
+{
+ local ret=0
+ local image="busybox"
+ local test="cri info test => (${FUNCNAME[@]})"
+
+ msg_info "${test} starting..."
+
+ crictl info
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri info" && ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function test_cri_list()
+{
+ local ret=0
+ local image="busybox"
+ local test="cri list test => (${FUNCNAME[@]})"
+
+ msg_info "${test} starting..."
+
+ sid=$(crictl runp ${data_path}/sandbox-config.json)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run sandbox" && ((ret++))
+
+ cid=$(crictl create $sid ${data_path}/container-config.json ${data_path}/sandbox-config.json)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to create container" && ((ret++))
+
+ crictl start $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start container" && ((ret++))
+
+ crictl pods | grep "^${sid:0:5}"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri pod" && ((ret++))
+
+ crictl ps -a | grep "^${cid:0:5}"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri container" && ((ret++))
+
+ stop_isulad_without_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_without_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ crictl ps -a | grep "^${cid:0:5}"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri container after restart" && ((ret++))
+
+ crictl pods | grep "^${sid:0:5}"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri pod after restart" && ((ret++))
+
+ crictl rmp -f $(crictl pods -q)
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function test_cri_images()
+{
+ local ret=0
+ local image="busybox"
+ local test="cri images test => (${FUNCNAME[@]})"
+
+ msg_info "${test} starting..."
+
+ crictl pull $image
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image" && ((ret++))
+
+ crictl images | grep $image
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri images" && ((ret++))
+
+ crictl rmi $image
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove image" && ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
function test_cri_seccomp()
{
local ret=0
@@ -97,6 +174,9 @@ do
test_cri_seccomp "default" || ((ans++))
test_cri_seccomp "unconfined" || ((ans++))
test_cri_seccomp "localhost" || ((ans++))
+ test_cri_info || ((ans++))
+ test_cri_list || ((ans++))
+ test_cri_images || ((ans++))
do_post || ((ans++))
msg_info "${test} finished with return ${ans}..."
--
2.34.1

26
0194-modify-the-CreateContainer-failed-return.patch Normal file
View File

@ -0,0 +1,26 @@
From b2bf7c101852a90fba3f7e85734fa887e3cd5fad Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Fri, 14 Feb 2025 15:23:21 +1400
Subject: [PATCH 194/198] modify the CreateContainer failed return
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index abf60c0c..fe1cca0c 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -486,7 +486,7 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb
// verify whether the sandbox is ready
if (!sandbox->IsReady()) {
error.Errorf("Failed to generate sandbox_info because the sandbox %s is not ready", sandbox->GetId().c_str());
- return nullptr;
+ return response_id;
}
#ifdef ENABLE_NRI
--
2.34.1

379
0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch Normal file
View File

@ -0,0 +1,379 @@
From 94f867944d0f36ad77a488ab35f5555bf3c09c01 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Fri, 14 Feb 2025 14:48:25 +0800
Subject: [PATCH 195/198] Add some unit tests for sandbox and shim controller
Signed-off-by: xuxuepeng <xuxuepeng1@huawei.com>
---
src/daemon/sandbox/sandbox.h | 2 +-
.../shim/controller/shim_controller.cc | 5 +
test/sandbox/controller/shim/CMakeLists.txt | 2 +
.../controller/shim/shim_controller_ut.cc | 123 +++++++++++++++++-
test/sandbox/sandbox/CMakeLists.txt | 5 +
test/sandbox/sandbox/sandbox_ut.cc | 64 ++++++++-
6 files changed, 196 insertions(+), 5 deletions(-)
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 9007ea16..0aeec826 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -118,6 +118,7 @@ public:
auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo;
void SetNetworkReady(bool ready);
void SetNetworkMode(const std::string &networkMode);
+ void SetSandboxConfig(const runtime::v1::PodSandboxConfig &config);
auto FindAvailableVsockPort(uint32_t &port) -> bool;
void ReleaseVsockPort(uint32_t port);
auto CleanupSandboxFiles(Errors &error) -> bool;
@@ -162,7 +163,6 @@ private:
auto LoadMetadata(Errors &error) -> bool;
void LoadNetworkSetting();
- void SetSandboxConfig(const runtime::v1::PodSandboxConfig &config);
void SetNetworkSettings(const std::string &settings, Errors &error);
auto CreateHostname(bool shareHost, Errors &error) -> bool;
auto CreateHosts(bool shareHost, Errors &error) -> bool;
diff --git a/src/daemon/sandbox/shim/controller/shim_controller.cc b/src/daemon/sandbox/shim/controller/shim_controller.cc
index 7e4338f6..563a2f3d 100644
--- a/src/daemon/sandbox/shim/controller/shim_controller.cc
+++ b/src/daemon/sandbox/shim/controller/shim_controller.cc
@@ -289,6 +289,11 @@ bool ShimController::Create(const std::string &sandboxId,
std::unique_ptr<ControllerSandboxInfo> ShimController::Start(const std::string &sandboxId, Errors &error)
{
+ if (m_cb == nullptr || m_cb->container.start == nullptr) {
+ ERROR("Unimplemented callback");
+ error.SetError("Unimplemented callback");
+ return nullptr;
+ }
std::unique_ptr<ControllerSandboxInfo> sandboxInfo(new ControllerSandboxInfo());
auto requestWrapper = makeUniquePtrCStructWrapper<container_start_request>(free_container_start_request);
if (requestWrapper == nullptr) {
diff --git a/test/sandbox/controller/shim/CMakeLists.txt b/test/sandbox/controller/shim/CMakeLists.txt
index 069312c9..18f989f1 100644
--- a/test/sandbox/controller/shim/CMakeLists.txt
+++ b/test/sandbox/controller/shim/CMakeLists.txt
@@ -28,6 +28,7 @@ add_executable(${EXE}
target_include_directories(${EXE} PUBLIC
${GTEST_INCLUDE_DIR}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../include
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common/cri
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common/cri/v1
@@ -52,6 +53,7 @@ target_include_directories(${EXE} PUBLIC
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1
)
+set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,isula_common_calloc_s")
target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lgrpc++ -lprotobuf -lcrypto -lyajl -lz)
target_link_libraries(${EXE} -Wl,--as-needed ${ISULAD_ABSL_USED_TARGETS})
add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
diff --git a/test/sandbox/controller/shim/shim_controller_ut.cc b/test/sandbox/controller/shim/shim_controller_ut.cc
index 75a51797..d85a87b2 100644
--- a/test/sandbox/controller/shim/shim_controller_ut.cc
+++ b/test/sandbox/controller/shim/shim_controller_ut.cc
@@ -21,6 +21,12 @@
#include "image_api_mock.h"
#include "service_container_api_mock.h"
#include "shim_controller.h"
+#include "mock.h"
+
+extern "C" {
+ DECLARE_WRAPPER(isula_common_calloc_s, void *, (size_t size));
+ DEFINE_WRAPPER(isula_common_calloc_s, void *, (size_t size), (size));
+}
class ShimControllerTest : public testing::Test {
protected:
@@ -76,6 +82,32 @@ TEST_F(ShimControllerTest, CreateTestFailed)
EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err));
}
+TEST_F(ShimControllerTest, CreateTestContainerCallbackNullPtrError)
+{
+ Errors err;
+ std::unique_ptr<sandbox::ControllerCreateParams> params = CreateTestCreateParams();
+ // shim controller create needs linux config.
+ (void)params->config->mutable_linux();
+ (void)params->config->mutable_linux()->mutable_resources();
+ auto callback = get_service_executor();
+ auto tmp_create = callback->container.create;
+ callback->container.create = nullptr;
+ EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err));
+ callback->container.create = tmp_create;
+}
+
+TEST_F(ShimControllerTest, CreateTestContainerCallocError)
+{
+ Errors err;
+ std::unique_ptr<sandbox::ControllerCreateParams> params = CreateTestCreateParams();
+ // shim controller create needs linux config.
+ (void)params->config->mutable_linux();
+ (void)params->config->mutable_linux()->mutable_resources();
+ MOCK_SET(isula_common_calloc_s, nullptr);
+ EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err));
+ MOCK_CLEAR(isula_common_calloc_s);
+}
+
/************* Unit tests for Start *************/
TEST_F(ShimControllerTest, StartTestSucceed)
{
@@ -99,7 +131,6 @@ TEST_F(ShimControllerTest, StartTestSucceed)
EXPECT_EQ(ret->pid, 1234);
}
-/************* Unit tests for Start *************/
TEST_F(ShimControllerTest, StartTestFailed)
{
Errors err;
@@ -108,6 +139,24 @@ TEST_F(ShimControllerTest, StartTestFailed)
EXPECT_EQ(ret, nullptr);
}
+TEST_F(ShimControllerTest, StartTestContainerCallbackNullPtrError)
+{
+ Errors err;
+ auto callback = get_service_executor();
+ auto tmp_start = callback->container.start;
+ callback->container.start = nullptr;
+ EXPECT_FALSE(m_contoller->Start(DUMMY_SANDBOX_ID, err));
+ callback->container.start = tmp_start;
+}
+
+TEST_F(ShimControllerTest, StartTestContainerCallocError)
+{
+ Errors err;
+ MOCK_SET(isula_common_calloc_s, nullptr);
+ EXPECT_FALSE(m_contoller->Start(DUMMY_SANDBOX_ID, err));
+ MOCK_CLEAR(isula_common_calloc_s);
+}
+
/************* Unit tests for Stop *************/
TEST_F(ShimControllerTest, StopTestSucceed)
{
@@ -123,6 +172,24 @@ TEST_F(ShimControllerTest, StopTestFailed)
EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err));
}
+TEST_F(ShimControllerTest, StopTestContainerCallbackNullPtrError)
+{
+ Errors err;
+ auto callback = get_service_executor();
+ auto tmp_stop = callback->container.stop;
+ callback->container.stop = nullptr;
+ EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err));
+ callback->container.stop = tmp_stop;
+}
+
+TEST_F(ShimControllerTest, StopTestContainerCallocError)
+{
+ Errors err;
+ MOCK_SET(isula_common_calloc_s, nullptr);
+ EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err));
+ MOCK_CLEAR(isula_common_calloc_s);
+}
+
/************* Unit tests for Status *************/
TEST_F(ShimControllerTest, StatusTestSucceed)
{
@@ -167,3 +234,57 @@ TEST_F(ShimControllerTest, ShutdownTestFailed)
EXPECT_CALL(*m_containerCallbackMock, ContainerRemove).Times(1).WillOnce(testing::Return(1));
EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err));
}
+
+TEST_F(ShimControllerTest, ShutdownTestContainerCallbackNullPtrError)
+{
+ Errors err;
+ auto callback = get_service_executor();
+ auto tmp_remove = callback->container.remove;
+ callback->container.remove = nullptr;
+ EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err));
+ callback->container.remove = tmp_remove;
+}
+
+TEST_F(ShimControllerTest, ShutdownTestContainerCallocError)
+{
+ Errors err;
+ MOCK_SET(isula_common_calloc_s, nullptr);
+ EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err));
+ MOCK_CLEAR(isula_common_calloc_s);
+}
+
+/*********** Unit tests for Platform ***********/
+TEST_F(ShimControllerTest, PlatformTestSucceed)
+{
+ Errors err;
+ // Not support yet
+ std::unique_ptr<sandbox::ControllerPlatformInfo> ret = m_contoller->Platform(DUMMY_SANDBOX_ID, err);
+ EXPECT_EQ(ret, nullptr);
+}
+
+/*********** Unit tests for Update ***********/
+TEST_F(ShimControllerTest, UpdateTestSucceed)
+{
+ Errors err;
+ // Shim Controller update is always true
+ EXPECT_TRUE(m_contoller->Update(nullptr, nullptr, err));
+}
+
+/*********** Unit tests for UpdateNetworkSettings ***********/
+TEST_F(ShimControllerTest, UpdateNetworkSettingsTestCallbackNullPtrError)
+{
+ Errors err;
+ auto callback = get_service_executor();
+ auto tmp_update_network_settings = callback->container.update_network_settings;
+ callback->container.update_network_settings = nullptr;
+ EXPECT_FALSE(m_contoller->UpdateNetworkSettings(DUMMY_SANDBOX_ID, "networkSettings", err));
+ callback->container.update_network_settings = tmp_update_network_settings;
+}
+
+TEST_F(ShimControllerTest, UpdateNetworkSettingsTestContainerCallocError)
+{
+ Errors err;
+ MOCK_SET(isula_common_calloc_s, nullptr);
+ EXPECT_FALSE(m_contoller->UpdateNetworkSettings(DUMMY_SANDBOX_ID, "networkSettings", err));
+ MOCK_CLEAR(isula_common_calloc_s);
+}
diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt
index 358633dc..3a249f90 100644
--- a/test/sandbox/sandbox/CMakeLists.txt
+++ b/test/sandbox/sandbox/CMakeLists.txt
@@ -29,7 +29,9 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/transform.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/cxxutils.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_ops.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_manager.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/sandbox/controller/controller_common.cc
@@ -43,6 +45,7 @@ target_include_directories(${EXE} PUBLIC
${GTEST_INCLUDE_DIR}
${sandbox_dir}
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../include
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/entry/cri
@@ -54,10 +57,12 @@ target_include_directories(${EXE} PUBLIC
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common
${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri
${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1
)
+set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,util_file_exists -Wl,--wrap,mount")
target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lgrpc -lgrpc++ -lprotobuf -lcrypto -lyajl -lz)
target_link_libraries(${EXE} -Wl,--as-needed ${ISULAD_ABSL_USED_TARGETS})
add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
diff --git a/test/sandbox/sandbox/sandbox_ut.cc b/test/sandbox/sandbox/sandbox_ut.cc
index dd84d8fb..7534d67a 100644
--- a/test/sandbox/sandbox/sandbox_ut.cc
+++ b/test/sandbox/sandbox/sandbox_ut.cc
@@ -14,8 +14,22 @@
*/
#include <gtest/gtest.h>
-
+#include <fstream>
#include "sandbox.h"
+#include "sandbox_ops.h"
+#include "mock.h"
+#include "utils_file.h"
+
+extern "C" {
+ DECLARE_WRAPPER(util_file_exists, bool, (const char * path));
+ DEFINE_WRAPPER(util_file_exists, bool, (const char * path), (path));
+ DECLARE_WRAPPER(mount, int, (const char *__special_file, const char *__dir,
+ const char *__fstype, unsigned long int __rwflag,
+ const void *__data));
+ DEFINE_WRAPPER(mount, int, (const char *__special_file, const char *__dir,
+ const char *__fstype, unsigned long int __rwflag,
+ const void *__data), (__special_file, __dir, __fstype, __rwflag, __data));
+}
namespace sandbox {
@@ -39,8 +53,10 @@ TEST_F(SandboxTest, TestDefaultGetters)
std::string sandbox_statedir = statedir + "/" + id;
std::string name = "test";
RuntimeInfo info = {"runc", "shim", "kuasar"};
+ std::shared_ptr<runtime::v1::PodSandboxConfig> pod_config = std::make_shared<runtime::v1::PodSandboxConfig>();
+ pod_config->set_hostname("test");
- auto sandbox = new Sandbox(id, rootdir, statedir, name, info);
+ auto sandbox = std::unique_ptr<Sandbox>(new Sandbox(id, rootdir, statedir, name, info));
ASSERT_NE(sandbox, nullptr);
ASSERT_EQ(sandbox->IsReady(), false);
@@ -57,6 +73,8 @@ TEST_F(SandboxTest, TestDefaultGetters)
ASSERT_EQ(sandbox->GetStatsInfo().cpuUseNanos, 0);
ASSERT_EQ(sandbox->GetNetworkReady(), false);
ASSERT_STREQ(sandbox->GetNetMode().c_str(), DEFAULT_NETMODE.c_str());
+ sandbox->SetSandboxConfig(*pod_config);
+ ASSERT_STREQ(sandbox->GetMutableSandboxConfig()->hostname().c_str(), pod_config->hostname().c_str());
}
TEST_F(SandboxTest, TestGettersAndSetters)
@@ -66,7 +84,7 @@ TEST_F(SandboxTest, TestGettersAndSetters)
std::string statedir = "/test2/statedir";
std::string mode = "host";
- auto sandbox = new Sandbox(id, rootdir, statedir);
+ auto sandbox = std::unique_ptr<Sandbox>(new Sandbox(id, rootdir, statedir));
ASSERT_NE(sandbox, nullptr);
sandbox->SetNetMode(mode);
@@ -93,4 +111,44 @@ TEST_F(SandboxTest, TestGettersAndSetters)
EXPECT_TRUE(sandbox->GetNetworkReady());
}
+TEST_F(SandboxTest, TestCreateDefaultResolveConf)
+{
+ std::string id = "34567890";
+ std::string rootdir = "/tmp/test3/rootdir";
+ std::string statedir = "/tmp/test3/statedir";
+ std::string name = "test";
+ RuntimeInfo info = {"runc", "shim", "kuasar"};
+ std::string host_nework = "host";
+ Errors error;
+
+ auto sandbox = std::unique_ptr<Sandbox>(new Sandbox(id, rootdir, statedir, name, info, host_nework));
+ ASSERT_NE(sandbox, nullptr);
+ MOCK_SET(util_file_exists, false);
+ MOCK_SET(mount, 0);
+ sandbox->PrepareSandboxDirs(error);
+ ASSERT_TRUE(error.Empty());
+ MOCK_CLEAR(util_file_exists);
+ MOCK_CLEAR(mount);
+ const std::string RESOLVE_CONF = "\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n";
+ std::string RESOLVE_PATH = rootdir + "/" + id + "/resolv.conf";
+ ASSERT_TRUE(util_file_exists(RESOLVE_PATH.c_str()));
+ std::ifstream f(RESOLVE_PATH);
+ std::string line;
+ std::string content = "";
+ while (std::getline(f, line)) {
+ content += line;
+ content +="\n";
+ }
+ f.close();
+ ASSERT_STREQ(RESOLVE_CONF.c_str(), content.c_str());
+ sandbox->CleanupSandboxDirs();
+ ASSERT_FALSE(util_file_exists(RESOLVE_PATH.c_str()));
+}
+
+TEST_F(SandboxTest, TestSandboxOpsOnExitFailed)
+{
+ ASSERT_EQ(sandbox_on_sandbox_exit(nullptr, 0), -1);
+ ASSERT_EQ(sandbox_on_sandbox_exit("12345678", 0), -1);
+}
+
}
\ No newline at end of file
--
2.34.1

26
0196-add-remove-pod-in-cri-stats.patch Normal file
View File

@ -0,0 +1,26 @@
From a478553bc957d0cd684883ad63fec6a639631658 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 17 Feb 2025 16:27:10 +0800
Subject: [PATCH 196/198] add remove pod in cri stats
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/test_cases/container_cases/cri_stats.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/CI/test_cases/container_cases/cri_stats.sh b/CI/test_cases/container_cases/cri_stats.sh
index f6acb397..72fb2856 100755
--- a/CI/test_cases/container_cases/cri_stats.sh
+++ b/CI/test_cases/container_cases/cri_stats.sh
@@ -66,6 +66,8 @@ function test_cri_stats()
crictl stats $cid
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++))
+
+ crictl rmp -f $(crictl pods -q)
msg_info "${test} finished with return ${ret}..."
return ${ret}
--
2.34.1

539
0197-coco-support-confidential-containers.patch Normal file
View File

@ -0,0 +1,539 @@
From 2edae8a425ae3442ee73469ca3fd2f3bf9422301 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Mon, 16 Dec 2024 17:11:04 +0800
Subject: [PATCH 197/198] coco:support confidential containers
Signed-off-by: liuxu <liuxu156@huawei.com>
---
cmake/options.cmake | 11 +++
src/common/constants.h | 6 ++
src/daemon/common/cri/v1/v1_cri_helpers.cc | 71 +++++++++++++---
src/daemon/common/cri/v1/v1_cri_helpers.h | 4 +
.../v1/v1_cri_container_manager_service.cc | 5 ++
.../v1/v1_cri_pod_sandbox_manager_service.cc | 14 +++-
.../executor/container_cb/execution_create.c | 12 +++
src/daemon/modules/api/image_api.h | 3 +
src/daemon/modules/image/CMakeLists.txt | 10 +++
src/daemon/modules/image/image.c | 46 +++++++++++
.../modules/image/remote/CMakeLists.txt | 13 +++
.../modules/image/remote/remote_image.c | 81 +++++++++++++++++++
.../modules/image/remote/remote_image.h | 40 +++++++++
.../sandbox/sandboxer/sandboxer_sandbox.cc | 10 ++-
14 files changed, 308 insertions(+), 18 deletions(-)
create mode 100644 src/daemon/modules/image/remote/CMakeLists.txt
create mode 100644 src/daemon/modules/image/remote/remote_image.c
create mode 100644 src/daemon/modules/image/remote/remote_image.h
diff --git a/cmake/options.cmake b/cmake/options.cmake
index 018502d7..efbd0a52 100644
--- a/cmake/options.cmake
+++ b/cmake/options.cmake
@@ -62,6 +62,17 @@ if (ENABLE_SANDBOXER STREQUAL "ON")
endif()
endif()
+option(ENABLE_REMOTE_IMAGE "Enable remote image" OFF)
+if (ENABLE_REMOTE_IMAGE STREQUAL "ON")
+ if (ENABLE_SANDBOXER)
+ add_definitions(-DENABLE_REMOTE_IMAGE)
+ set(ENABLE_REMOTE_IMAGE 1)
+ message("${Green}-- Enable remote image${ColourReset}")
+ else()
+ message("${Yellow}-- Can not enable remote image, remote image need enable sandboxer first ${ColourReset}")
+ endif()
+endif()
+
option(ENABLE_OOM_MONITOR "Enable oom monitor" ON)
if (ENABLE_OOM_MONITOR STREQUAL "ON")
add_definitions(-DENABLE_OOM_MONITOR)
diff --git a/src/common/constants.h b/src/common/constants.h
index 8a6f86d8..7759896f 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -218,6 +218,12 @@ typedef enum { WAIT_CONDITION_STOPPED = 0, WAIT_CONDITION_REMOVED = 1 } wait_con
#define CRI_CONTAINER_TYPE_LABEL_KEY "cri.isulad.type"
#define CRI_CONTAINER_TYPE_LABEL_SANDBOX "podsandbox"
+#ifdef ENABLE_REMOTE_IMAGE
+// Note: Currently, remote image is used only in confidentail container, so the image is supposed to be encrypted
+#define SANDBOX_IMAGE_TYPE_REMOTE "remote"
+#define IMAGE_NAME_COCO "[Encrypted]"
+#endif
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc
index d71e3681..48dcfb45 100644
--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc
+++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc
@@ -325,10 +325,32 @@ void AddSecurityOptsToHostConfig(std::vector<std::string> &securityOpts, host_co
}
#ifdef ENABLE_SANDBOXER
+static defs_map_string_object_sandboxer_element *GetCRISandboxer(
+ const std::string &runtime, struct service_arguments *args)
+{
+ defs_map_string_object_sandboxer_element *criSandboxer = nullptr;
+ defs_map_string_object_sandboxer *criSandboxerList = nullptr;
+
+ criSandboxerList = args->json_confs->cri_sandboxers;
+ for (size_t i = 0; i < criSandboxerList->len; i++) {
+ if (criSandboxerList->keys[i] == nullptr || criSandboxerList->values[i] == nullptr ||
+ criSandboxerList->values[i]->name == nullptr) {
+ WARN("CRI runtimes key or value is null");
+ continue;
+ }
+
+ if (runtime == std::string(criSandboxerList->keys[i])) {
+ criSandboxer = criSandboxerList->values[i];
+ break;
+ }
+ }
+ return criSandboxer;
+}
+
std::string CRISandboxerConvert(const std::string &runtime)
{
std::string sandboxer;
- defs_map_string_object_sandboxer *criSandboxerList = nullptr;
+ defs_map_string_object_sandboxer_element *criSandboxer = nullptr;
if (runtime.empty()) {
return DEFAULT_SANDBOXER_NAME;
@@ -346,24 +368,47 @@ std::string CRISandboxerConvert(const std::string &runtime)
}
sandboxer = DEFAULT_SANDBOXER_NAME;
- criSandboxerList = args->json_confs->cri_sandboxers;
- for (size_t i = 0; i < criSandboxerList->len; i++) {
- if (criSandboxerList->keys[i] == nullptr || criSandboxerList->values[i] == nullptr ||
- criSandboxerList->values[i]->name == nullptr) {
- WARN("CRI runtimes key or value is null");
- continue;
- }
-
- if (runtime == std::string(criSandboxerList->keys[i])) {
- sandboxer = std::string(criSandboxerList->values[i]->name);
- break;
- }
+ criSandboxer = GetCRISandboxer(runtime, args);
+ if (criSandboxer != nullptr) {
+ sandboxer = std::string(criSandboxer->name);
}
out:
(void)isulad_server_conf_unlock();
return sandboxer;
}
+
+#ifdef ENABLE_REMOTE_IMAGE
+std::string GetCRISandboxerImageType(const std::string &runtime)
+{
+ std::string imageType = "";
+ defs_map_string_object_sandboxer_element *criSandboxer = nullptr;
+
+ if (runtime.empty()) {
+ return imageType;
+ }
+
+ if (isulad_server_conf_rdlock()) {
+ ERROR("Lock isulad server conf failed");
+ return imageType;
+ }
+
+ struct service_arguments *args = conf_get_server_conf();
+ if (args == nullptr || args->json_confs == nullptr || args->json_confs->cri_sandboxers == nullptr) {
+ ERROR("Cannot get cri sandboxer list");
+ goto out;
+ }
+
+ criSandboxer = GetCRISandboxer(runtime, args);
+ if (criSandboxer != nullptr && criSandboxer->image_type != nullptr) {
+ imageType = std::string(criSandboxer->image_type);
+ }
+
+out:
+ (void)isulad_server_conf_unlock();
+ return imageType;
+}
+#endif
#else
std::string CRISandboxerConvert(const std::string &runtime)
{
diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.h b/src/daemon/common/cri/v1/v1_cri_helpers.h
index 6a848581..4fd15d0b 100644
--- a/src/daemon/common/cri/v1/v1_cri_helpers.h
+++ b/src/daemon/common/cri/v1/v1_cri_helpers.h
@@ -69,6 +69,10 @@ void AddSecurityOptsToHostConfig(std::vector<std::string> &securityOpts, host_co
std::string CRISandboxerConvert(const std::string &runtime);
+#ifdef ENABLE_REMOTE_IMAGE
+std::string GetCRISandboxerImageType(const std::string &runtime);
+#endif
+
void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc,
Errors &error);
#ifdef ENABLE_CDI
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index fe1cca0c..1cc584fb 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -371,6 +371,11 @@ auto ContainerManagerService::GenerateSandboxInfo(
}
sandbox_info->sandboxer = util_strdup_s(sandbox.GetSandboxer().c_str());
+#ifdef ENABLE_REMOTE_IMAGE
+ sandbox_info->image_type = util_strdup_s(
+ CRIHelpersV1::GetCRISandboxerImageType(sandbox.GetSandboxer()).c_str()
+ );
+#endif
sandbox_info->id = util_strdup_s(sandbox.GetId().c_str());
sandbox_info->pid = sandbox.GetPid();
sandbox_info->task_address = util_strdup_s(sandbox.GetTaskAddress().c_str());
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index 8a7779ad..fd87e90b 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -468,11 +468,17 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig
// But pull image interface is only in CRI image service, and it can't be called in shim controller,
// so we pull image in CRI pod service.
const std::string &image = m_podSandboxImage;
- if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) {
- ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
- error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
- return response_id;
+#ifdef ENABLE_REMOTE_IMAGE
+ if (CRIHelpersV1::GetCRISandboxerImageType(runtimeInfo.sandboxer) != std::string(SANDBOX_IMAGE_TYPE_REMOTE)) {
+#endif
+ if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) {
+ ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
+ error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : "");
+ return response_id;
+ }
+#ifdef ENABLE_REMOTE_IMAGE
}
+#endif
// Step 3: Prepare sandbox checkpoint
PrepareSandboxCheckpoint(config, jsonCheckpoint, error);
diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
index dcbdd1d3..6cd860c2 100644
--- a/src/daemon/executor/container_cb/execution_create.c
+++ b/src/daemon/executor/container_cb/execution_create.c
@@ -1016,6 +1016,18 @@ static int get_request_container_info(const container_create_request *request, c
static int get_request_image_info(const container_create_request *request, char **image_type, char **image_name)
{
+#ifdef ENABLE_REMOTE_IMAGE
+ if (is_container_in_sandbox(request->sandbox) &&
+ strcmp(request->sandbox->image_type, IMAGE_TYPE_REMOTE) == 0) {
+ /*
+ * Note: Currently, remote image type and coco image type
+ * are considered to be the same type.
+ */
+ *image_type = util_strdup_s(IMAGE_TYPE_REMOTE);
+ *image_name = util_strdup_s(IMAGE_NAME_COCO);
+ return 0;
+ }
+#endif
*image_type = im_get_image_type(request->image, request->rootfs);
if (*image_type == NULL) {
return -1;
diff --git a/src/daemon/modules/api/image_api.h b/src/daemon/modules/api/image_api.h
index f35cd013..062684c9 100644
--- a/src/daemon/modules/api/image_api.h
+++ b/src/daemon/modules/api/image_api.h
@@ -41,6 +41,9 @@ extern "C" {
#define IMAGE_TYPE_OCI "oci"
#define IMAGE_TYPE_EMBEDDED "embedded"
#define IMAGE_TYPE_EXTERNAL "external"
+#ifdef ENABLE_REMOTE_IMAGE
+#define IMAGE_TYPE_REMOTE SANDBOX_IMAGE_TYPE_REMOTE
+#endif
typedef struct {
char *image;
diff --git a/src/daemon/modules/image/CMakeLists.txt b/src/daemon/modules/image/CMakeLists.txt
index d8b78ce1..6d31a1ea 100644
--- a/src/daemon/modules/image/CMakeLists.txt
+++ b/src/daemon/modules/image/CMakeLists.txt
@@ -33,6 +33,16 @@ if (ENABLE_EMBEDDED_IMAGE)
)
endif()
+if (ENABLE_REMOTE_IMAGE)
+ add_subdirectory(remote)
+ list(APPEND local_image_srcs
+ ${REMOTE_SRCS}
+ )
+ list(APPEND local_image_incs
+ ${REMOTE_INCS}
+ )
+endif()
+
set(IMAGE_SRCS
${local_image_srcs}
PARENT_SCOPE
diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c
index 871f5f39..baf2ba9d 100644
--- a/src/daemon/modules/image/image.c
+++ b/src/daemon/modules/image/image.c
@@ -125,6 +125,10 @@ struct bim_type {
#include "oci_image.h"
#endif
+#ifdef ENABLE_REMOTE_IMAGE
+#include "remote_image.h"
+#endif
+
#ifdef ENABLE_EMBEDDED_IMAGE
#include "embedded_image.h"
#include "db_all.h"
@@ -243,6 +247,45 @@ static const struct bim_ops g_ext_ops = {
#endif
};
+#ifdef ENABLE_REMOTE_IMAGE
+/* remote */
+static const struct bim_ops g_remote_ops = {
+ .init = NULL,
+ .clean_resource = NULL,
+ .detect = NULL,
+
+ .prepare_rf = remote_prepare_rf,
+ .mount_rf = remote_mount_rf,
+ .umount_rf = remote_umount_rf,
+ .delete_rf = remote_delete_rf,
+ .delete_broken_rf = remote_delete_broken_rf,
+ .export_rf = NULL,
+ .get_dir_rf = NULL,
+
+ .merge_conf = remote_merge_conf_rf,
+ .get_user_conf = remote_get_user_conf,
+
+ .list_ims = NULL,
+ .get_image_count = NULL,
+ .rm_image = remote_rmi,
+ .inspect_image = NULL,
+ .resolve_image_name = remote_resolve_image_name,
+ .container_fs_usage = remote_container_filesystem_usage,
+ .get_filesystem_info = remote_get_filesystem_info,
+ .image_status = NULL,
+ .load_image = NULL,
+ .pull_image = NULL,
+ .login = NULL,
+ .logout = NULL,
+ .tag_image = NULL,
+ .import = NULL,
+ .image_summary = NULL,
+#ifdef ENABLE_IMAGE_SEARCH
+ .search_image = NULL,
+#endif
+};
+#endif
+
static const struct bim_type g_bims[] = {
#ifdef ENABLE_OCI_IMAGE
{
@@ -254,6 +297,9 @@ static const struct bim_type g_bims[] = {
#ifdef ENABLE_EMBEDDED_IMAGE
{ .image_type = IMAGE_TYPE_EMBEDDED, .ops = &g_embedded_ops },
#endif
+#ifdef ENABLE_REMOTE_IMAGE
+ { .image_type = IMAGE_TYPE_REMOTE, .ops = &g_remote_ops },
+#endif
};
diff --git a/src/daemon/modules/image/remote/CMakeLists.txt b/src/daemon/modules/image/remote/CMakeLists.txt
new file mode 100644
index 00000000..6e7dab6d
--- /dev/null
+++ b/src/daemon/modules/image/remote/CMakeLists.txt
@@ -0,0 +1,13 @@
+# get current directory sources files
+aux_source_directory(${CMAKE_CURRENT_SOURCE_DIR} local_remote_srcs)
+
+set(REMOTE_SRCS
+ ${local_remote_srcs}
+ PARENT_SCOPE
+ )
+
+set(REMOTE_INCS
+ ${CMAKE_CURRENT_SOURCE_DIR}
+ PARENT_SCOPE
+ )
+
diff --git a/src/daemon/modules/image/remote/remote_image.c b/src/daemon/modules/image/remote/remote_image.c
new file mode 100644
index 00000000..87b7593d
--- /dev/null
+++ b/src/daemon/modules/image/remote/remote_image.c
@@ -0,0 +1,81 @@
+/******************************************************************************
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2026. All rights reserved.
+ * iSulad licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ * Author: liuxu
+ * Create: 2025-02-11
+ * Explanation: provide remote image function
+ ******************************************************************************/
+#include "remote_image.h"
+
+#include <isula_libutils/log.h>
+
+#include "utils.h"
+
+
+char *remote_resolve_image_name(const char *name)
+{
+ return util_strdup_s(IMAGE_NAME_COCO);
+}
+
+int remote_prepare_rf(const im_prepare_request *request, char **real_rootfs)
+{
+ if (real_rootfs == NULL) {
+ ERROR("Failed to prepare remote rootfs, rootfs is NULL.");
+ return -1;
+ }
+ // real_rootfs will be changed by runtime when sandbox image type is "remote"
+ *real_rootfs = util_strdup_s("rootfs");
+ return 0;
+}
+
+int remote_rmi(const im_rmi_request *request)
+{
+ return 0;
+}
+
+int remote_get_filesystem_info(im_fs_info_response **response)
+{
+ return 0;
+}
+
+int remote_container_filesystem_usage(const im_container_fs_usage_request *request, imagetool_fs_info **fs_usage)
+{
+ return 0;
+}
+
+int remote_delete_broken_rf(const im_delete_rootfs_request *request)
+{
+ return 0;
+}
+
+int remote_delete_rf(const im_delete_rootfs_request *request)
+{
+ return 0;
+}
+
+int remote_umount_rf(const im_umount_request *request)
+{
+ return 0;
+}
+
+int remote_mount_rf(const im_mount_request *request)
+{
+ return 0;
+}
+
+int remote_merge_conf_rf(const char *img_name, container_config *container_spec)
+{
+ return 0;
+}
+
+int remote_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser)
+{
+ return 0;
+}
diff --git a/src/daemon/modules/image/remote/remote_image.h b/src/daemon/modules/image/remote/remote_image.h
new file mode 100644
index 00000000..be952129
--- /dev/null
+++ b/src/daemon/modules/image/remote/remote_image.h
@@ -0,0 +1,40 @@
+/******************************************************************************
+ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2026. All rights reserved.
+ * iSulad licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ * Author: liuxu
+ * Create: 2025-02-11
+ * Explanation: provide remote image function definition
+ ******************************************************************************/
+#ifndef DAEMON_MODULES_IMAGE_REMOTE_IMAGE_H
+#define DAEMON_MODULES_IMAGE_REMOTE_IMAGE_H
+
+#include "image_api.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+char *remote_resolve_image_name(const char *name);
+int remote_prepare_rf(const im_prepare_request *request, char **real_rootfs);
+int remote_rmi(const im_rmi_request *request);
+int remote_get_filesystem_info(im_fs_info_response **response);
+int remote_container_filesystem_usage(const im_container_fs_usage_request *request, imagetool_fs_info **fs_usage);
+int remote_delete_broken_rf(const im_delete_rootfs_request *request);
+int remote_delete_rf(const im_delete_rootfs_request *request);
+int remote_umount_rf(const im_umount_request *request);
+int remote_mount_rf(const im_mount_request *request);
+int remote_merge_conf_rf(const char *img_name, container_config *container_spec);
+int remote_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
index b2e2fb32..e26b87c8 100644
--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
+++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
@@ -31,6 +31,8 @@
#include "cxxutils.h"
#include "utils_timestamp.h"
#include "utils_array.h"
+#include "constants.h"
+#include "v1_cri_helpers.h"
namespace sandbox {
@@ -297,6 +299,12 @@ static defs_process *clone_defs_process(defs_process *process_spec)
auto SandboxerSandbox::GenerateCtrlRootfs(sandbox_task *task, const char *baseFs) -> int
{
+#ifdef ENABLE_REMOTE_IMAGE
+ // do not mount image to vm for remote or confidential containers
+ if (CRIHelpersV1::GetCRISandboxerImageType(GetSandboxer()) == std::string(SANDBOX_IMAGE_TYPE_REMOTE)) {
+ return 0;
+ }
+#endif
size_t len = 1;
if (nullptr == baseFs) {
ERROR("Container %s has no base fs", task->task_id);
@@ -573,7 +581,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId,
}
process = process_wrapper->move();
if (InitApiSandbox(apiSandbox) != 0) {
- ERROR("Failed to init %s api sandbox.", containerId);
+ ERROR("Failed to update %s api sandbox.", containerId);
goto del_out;
}
if (DoSandboxUpdate(apiSandbox) != 0) {
--
2.34.1

169
0198-isolate-isula-search-ut-in-registry_images_ut.patch Normal file
View File

@ -0,0 +1,169 @@
From 487191cf6bbedc14524056dd653bdc920e78f545 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 19 Feb 2025 11:52:59 +1400
Subject: [PATCH 198/198] isolate isula search ut in registry_images_ut
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
test/image/oci/registry/CMakeLists.txt | 10 ++-
test/image/oci/registry/registry_ut.cc | 103 +++++++++++++------------
2 files changed, 61 insertions(+), 52 deletions(-)
diff --git a/test/image/oci/registry/CMakeLists.txt b/test/image/oci/registry/CMakeLists.txt
index d78bb7d3..5ae59ebc 100644
--- a/test/image/oci/registry/CMakeLists.txt
+++ b/test/image/oci/registry/CMakeLists.txt
@@ -2,7 +2,16 @@ project(iSulad_UT)
SET(EXE registry_images_ut)
+if(ENABLE_IMAGE_SEARCH)
+ set(search_srcs
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv1.c
+ )
+else()
+ set(search_srcs "")
+endif()
+
add_executable(${EXE}
+ ${search_srcs}
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_regex.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_verify.c
@@ -34,7 +43,6 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv2.c
- ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv1.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/http_request.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/certs.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/auths.c
diff --git a/test/image/oci/registry/registry_ut.cc b/test/image/oci/registry/registry_ut.cc
index 4eacdb11..c5d9717c 100644
--- a/test/image/oci/registry/registry_ut.cc
+++ b/test/image/oci/registry/registry_ut.cc
@@ -395,57 +395,6 @@ int invokeHttpRequestLogin(const char *url, struct http_get_options *options, lo
return 0;
}
-int invokeHttpRequestSearch(const char *url, struct http_get_options *options, long *response_code, int recursive_len)
-{
-#define RETRY_TIMES 3
-#define SEARCH_TEST_NOT_FOUND 2
-#define SEARCH_TEST_SERVER_ERROR 5
-#define SEARCH_TEST_RETRY_SUCCESS 8
- std::string file;
- char *data = nullptr;
- Buffer *output_buffer = (Buffer *)options->output;
- static int search_count = 0;
-
- ERROR("url is %s", url);
- ERROR("search_count is %d", search_count);
-
- std::string data_path = get_dir() + "/data/oci/";
- if (strcmp(url, "https://index.docker.io/v1/_ping") == 0) {
- file = data_path + "ping_v1_head";
- } else if (util_has_prefix(url, "https://index.docker.io/v1/search?q=busybox")) {
- search_count++;
- // test not find
- if (search_count >= SEARCH_TEST_NOT_FOUND && search_count < SEARCH_TEST_NOT_FOUND + RETRY_TIMES) {
- file = data_path + "search_result_404";
- }
- // test server error and restry
- else if ((search_count >= SEARCH_TEST_SERVER_ERROR && search_count < SEARCH_TEST_SERVER_ERROR + RETRY_TIMES) ||
- (search_count == SEARCH_TEST_RETRY_SUCCESS)) {
- file = data_path + "search_server_error";
- } else {
- file = data_path + "search_result";
- }
- } else {
- ERROR("%s not match failed", url);
- return -1;
- }
-
- data = util_read_text_file(file.c_str());
- if (data == nullptr) {
- ERROR("read file %s failed", file.c_str());
- return -1;
- }
-
- if (options->outputtype == HTTP_REQUEST_STRBUF) {
- free(output_buffer->contents);
- output_buffer->contents = util_strdup_s(data);
- }
- free(data);
-
- return 0;
-}
-
-
int invokeStorageImgCreate(const char *id, const char *parent_id, const char *metadata,
struct storage_img_create_options *opts)
{
@@ -921,6 +870,57 @@ TEST_F(RegistryUnitTest, test_cleanup)
ASSERT_EQ(remove_certs(mirror_dir), 0);
}
+#ifdef ENABLE_IMAGE_SEARCH
+int invokeHttpRequestSearch(const char *url, struct http_get_options *options, long *response_code, int recursive_len)
+{
+#define RETRY_TIMES 3
+#define SEARCH_TEST_NOT_FOUND 2
+#define SEARCH_TEST_SERVER_ERROR 5
+#define SEARCH_TEST_RETRY_SUCCESS 8
+ std::string file;
+ char *data = nullptr;
+ Buffer *output_buffer = (Buffer *)options->output;
+ static int search_count = 0;
+
+ ERROR("url is %s", url);
+ ERROR("search_count is %d", search_count);
+
+ std::string data_path = get_dir() + "/data/oci/";
+ if (strcmp(url, "https://index.docker.io/v1/_ping") == 0) {
+ file = data_path + "ping_v1_head";
+ } else if (util_has_prefix(url, "https://index.docker.io/v1/search?q=busybox")) {
+ search_count++;
+ // test not find
+ if (search_count >= SEARCH_TEST_NOT_FOUND && search_count < SEARCH_TEST_NOT_FOUND + RETRY_TIMES) {
+ file = data_path + "search_result_404";
+ }
+ // test server error and restry
+ else if ((search_count >= SEARCH_TEST_SERVER_ERROR && search_count < SEARCH_TEST_SERVER_ERROR + RETRY_TIMES) ||
+ (search_count == SEARCH_TEST_RETRY_SUCCESS)) {
+ file = data_path + "search_server_error";
+ } else {
+ file = data_path + "search_result";
+ }
+ } else {
+ ERROR("%s not match failed", url);
+ return -1;
+ }
+
+ data = util_read_text_file(file.c_str());
+ if (data == nullptr) {
+ ERROR("read file %s failed", file.c_str());
+ return -1;
+ }
+
+ if (options->outputtype == HTTP_REQUEST_STRBUF) {
+ free(output_buffer->contents);
+ output_buffer->contents = util_strdup_s(data);
+ }
+ free(data);
+
+ return 0;
+}
+
TEST_F(RegistryUnitTest, test_search_image)
{
registry_search_options *options = nullptr;
@@ -971,3 +971,4 @@ TEST_F(RegistryUnitTest, test_search_image)
free_registry_search_options(options);
}
+#endif
\ No newline at end of file
--
2.34.1

80
0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch Normal file
View File

@ -0,0 +1,80 @@
From c61807c0f18022117fc02889b42d87ec19e9d1e9 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 22 Feb 2025 10:38:59 +1400
Subject: [PATCH 1/2] move sandbox network_ready from metadata to state for
save optimization
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/sandbox/sandbox.cc | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index b97c0bc6..33d7f63f 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -431,7 +431,11 @@ auto Sandbox::UpdateStatsInfo(const StatsInfo &info) -> StatsInfo
void Sandbox::SetNetworkReady(bool ready)
{
+ Errors tmp_error;
m_networkReady = ready;
+ if (!SaveState(tmp_error)) {
+ ERROR("Failed to save sandbox state, %s for %s", m_id.c_str(), tmp_error.GetMessage().c_str());
+ }
}
auto Sandbox::Save(Errors &error) -> bool
@@ -504,6 +508,8 @@ auto Sandbox::Load(Errors &error) -> bool
return true;
}
+// no need to save state after recovery
+// when restarting isulad, the status will be updated again and wait sandbox
void Sandbox::OnSandboxReady()
{
WriteGuard<RWMutex> lock(m_stateMutex);
@@ -514,6 +520,8 @@ void Sandbox::OnSandboxReady()
m_state.status = SANDBOX_STATUS_RUNNING;
}
+// no need to save intermediate state
+// when restarting isulad, the status will be updated again and wait sandbox
void Sandbox::OnSandboxPending()
{
WriteGuard<RWMutex> lock(m_stateMutex);
@@ -842,6 +850,7 @@ auto Sandbox::SaveState(Errors &error) -> bool
state.pid = m_state.pid;
state.status = m_state.status;
state.updated_at = m_state.updatedAt;
+ state.network_ready = m_networkReady;
stateJson = GenerateSandboxStateJson(&state);
if (stateJson.length() == 0) {
@@ -953,6 +962,7 @@ auto Sandbox::LoadState(Errors &error) -> bool
m_state.createdAt = state->get()->created_at;
m_state.updatedAt = state->get()->updated_at;
m_state.status = (SandboxStatus)state->get()->status;
+ m_networkReady = state->get()->network_ready;
return true;
}
@@ -1005,7 +1015,6 @@ auto Sandbox::LoadMetadata(Errors &error) -> bool
m_runtimeInfo.sandboxer = std::string(metadata->get()->runtime_info->sandboxer);
m_runtimeInfo.runtimeHandler = std::string(metadata->get()->runtime_info->runtime_handler);
m_netMode = std::string(metadata->get()->net_mode);
- m_networkReady = metadata->get()->network_ready;
m_taskAddress = std::string(metadata->get()->task_address);
m_netNsPath = std::string(metadata->get()->net_ns_path);
@@ -1125,7 +1134,6 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
metadata->runtime_info->runtime_handler = util_strdup_s(m_runtimeInfo.runtimeHandler.c_str());
metadata->net_mode = util_strdup_s(m_netMode.c_str());
- metadata->network_ready = m_networkReady;
metadata->task_address = util_strdup_s(m_taskAddress.c_str());
metadata->net_ns_path = util_strdup_s(m_netNsPath.c_str());
--
2.43.0

91
0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch Normal file
View File

@ -0,0 +1,91 @@
From e980d889e5af64219cbb1bf7ec4ebaa14c05588a Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 24 Feb 2025 15:10:28 +1400
Subject: [PATCH 2/2] clean sandbox when create failed to be consisent with CRI
v1alpha
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../v1/v1_cri_pod_sandbox_manager_service.cc | 25 +++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index fd87e90b..35f968e8 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -324,12 +324,14 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
{
cri_container_message_t msg = { 0 };
std::string network_setting_json;
+ Errors stopError;
// Step 8.2.1: Call sandbox create.
sandbox->Create(error);
if (error.NotEmpty()) {
ERROR("Failed to create sandbox: %s", sandboxName.c_str());
- return;
+ // clean_sandbox to be consisent with CRI v1alpha
+ goto cleanup_sandbox;
}
msg.container_id = sandbox->GetId().c_str();
@@ -380,15 +382,21 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr<sa
return;
stop_sandbox:
- Errors stopError;
CRIHelpers::StopContainerHelper(m_cb, sandbox->GetId(), 0, stopError);
WARN("Error stop container: %s: %s", sandbox->GetId().c_str(), stopError.GetCMessage());
+ return;
+cleanup_sandbox:
+ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error);
+ if (error.NotEmpty()) {
+ WARN("Error remove container: %s: %s", sandbox->GetId().c_str(), error.GetCMessage());
+ }
}
void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sandbox::Sandbox> sandbox, std::string &sandboxName, std::string &networkMode, Errors &error)
{
cri_container_message_t msg = { 0 };
std::string network_setting_json;
+ bool clean_sandbox = true;
// Step 8.1.1: Setup networking for the sandbox.
// Setup sandbox network before create sandbox since the remote create might fail for sandbox
@@ -404,6 +412,8 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr<sa
goto cleanup_network;
}
+ // clean_sandbox is false, no need to clean sandbox to be consisent with CRI v1alpha
+ clean_sandbox = false;
msg.container_id = sandbox->GetId().c_str();
msg.sandbox_id = sandbox->GetId().c_str();
msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED;
@@ -438,6 +448,13 @@ cleanup_network:
return;
}
}
+ if (clean_sandbox) {
+ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error);
+ if (error.NotEmpty()) {
+ WARN("Error remove sanbox: %s: %s", sandbox->GetId().c_str(), error.GetCMessage());
+ }
+ }
+
}
auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config,
@@ -517,6 +534,10 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig
sandbox->Save(error);
if (error.NotEmpty()) {
ERROR("Failed to save sandbox, %s", sandboxName.c_str());
+ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error);
+ if (error.NotEmpty()) {
+ WARN("Error remove sanbox: %s: %s", sandbox->GetId().c_str(), error.GetCMessage());
+ }
goto clean_ns;
}
--
2.43.0

37
iSulad.spec
View File

@ -1,5 +1,5 @@
%global _version 2.1.5 %global _version 2.1.5
%global _release 18 %global _release 19
%global is_systemd 1 %global is_systemd 1
%global enable_criv1 1 %global enable_criv1 1
%global enable_cdi 1 %global enable_cdi 1
@ -10,6 +10,7 @@
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
%global enable_nri 0 %global enable_nri 0
%global enable_sandboxer 0 %global enable_sandboxer 0
%global enable_remote_image 0
%endif %endif
Name: iSulad Name: iSulad
@ -196,6 +197,31 @@ Patch0172: 0172-image-store-fix-code-style.patch
Patch0173: 0173-bugfix-mem-leak.patch Patch0173: 0173-bugfix-mem-leak.patch
Patch0174: 0174-bugfix-for-parse_http_header.patch Patch0174: 0174-bugfix-for-parse_http_header.patch
Patch0175: 0175-add-layer-storage-ut-test.patch Patch0175: 0175-add-layer-storage-ut-test.patch
Patch0176: 0176-add-registry-ut-test.patch
Patch0177: 0177-add-loongarch64-support.patch
Patch0178: 0178-add-storage-driver-ut.patch
Patch0179: 0179-iSulad-support-shim-stats-cmd.patch
Patch0180: 0180-fix-storage-driver-ut.patch
Patch0181: 0181-apply-patch-for-lib-shim-v2-install.patch
Patch0182: 0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch
Patch0183: 0183-add-dt-for-cri-v1.patch
Patch0184: 0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch
Patch0185: 0185-sandbox-sandboxer-code-isolation.patch
Patch0186: 0186-UT-sandboxer-code-isolation.patch
Patch0187: 0187-remove-uncalled-functions-in-cri-v1.patch
Patch0188: 0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch
Patch0189: 0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch
Patch0190: 0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch
Patch0191: 0191-bugfix-dereference-null-pointer.patch
Patch0192: 0192-modify-save-step-in-run-sandbox.patch
Patch0193: 0193-add-dt-for-cri-v1.patch
Patch0194: 0194-modify-the-CreateContainer-failed-return.patch
Patch0195: 0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch
Patch0196: 0196-add-remove-pod-in-cri-stats.patch
Patch0197: 0197-coco-support-confidential-containers.patch
Patch0198: 0198-isolate-isula-search-ut-in-registry_images_ut.patch
Patch0199: 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch
Patch0200: 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit) Provides: libhttpclient.so()(64bit)
@ -280,6 +306,9 @@ cd build
%endif %endif
%if 0%{?enable_sandboxer} %if 0%{?enable_sandboxer}
-DENABLE_SANDBOXER=ON \ -DENABLE_SANDBOXER=ON \
%if 0%{?enable_remote_image}
-DENABLE_REMOTE_IMAGE=ON \
%endif
%endif %endif
%endif %endif
%if 0%{?enable_shimv2} %if 0%{?enable_shimv2}
@ -463,6 +492,12 @@ fi
%endif %endif
%changelog %changelog
* Wed May 14 2025 dongyuzhen <dongyuzhen@h-partners.com> - 2.1.5-19
- Type:enhancement
- CVE:NA
- SUG:NA
- DESC:sync patches from upstream
* Mon Dec 30 2024 jingxiaolu<lujingxiao@huawei.com> - 2.1.5-18 * Mon Dec 30 2024 jingxiaolu<lujingxiao@huawei.com> - 2.1.5-18
- Type: bugfix - Type: bugfix
- ID: NA - ID: NA