From 5720b90e9515a698b5f9cde21a99194848f2c66a Mon Sep 17 00:00:00 2001 From: gaohuatao Date: Fri, 13 Nov 2020 03:21:16 -0500 Subject: [PATCH 03/17] update api.proto to v1.19.3 according to kubelet Signed-off-by: gaohuatao --- src/api/services/cri/api.proto | 31 ++++++++++++++++++++ src/daemon/entry/cri/cri_security_context.cc | 7 +++++ 2 files changed, 38 insertions(+) diff --git a/src/api/services/cri/api.proto b/src/api/services/cri/api.proto index 67e5527e..dc0cfeb9 100644 --- a/src/api/services/cri/api.proto +++ b/src/api/services/cri/api.proto @@ -219,6 +219,13 @@ enum NamespaceMode { // For example, a container with a PID namespace of NODE expects to view // all of the processes on the host running the kubelet. NODE = 2; + // TARGET targets the namespace of another container. When this is specified, + // a target_id must be specified in NamespaceOption and refer to a container + // previously created with NamespaceMode CONTAINER. This containers namespace + // will be made to match that of container target_id. + // For example, a container with a PID namespace of TARGET expects to view + // all of the processes that container target_id can view. + TARGET = 3; } // NamespaceOption provides options for Linux namespaces. @@ -236,6 +243,10 @@ message NamespaceOption { // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. // Namespaces currently set by the kubelet: POD, NODE NamespaceMode ipc = 3; + // Target Container ID for NamespaceMode of TARGET. This container must have been + // previously created in the same pod. It is not possible to specify different targets + // for each namespace. + string target_id = 4; } // Int64Value is the wrapper of int64. 
@@ -519,6 +530,10 @@ message ListPodSandboxResponse { // future it will include more detailed information about the different image types. message ImageSpec { string image = 1; + // Unstructured key-value map holding arbitrary metadata. + // ImageSpec Annotations can be used to help the runtime target specific + // images in multi-arch images. + map annotations = 2; } message KeyValue { @@ -545,6 +560,19 @@ message LinuxContainerResources { string cpuset_cpus = 6; // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). string cpuset_mems = 7; + // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). + repeated HugepageLimit hugepage_limits = 8; +} + +// HugepageLimit corresponds to the file`hugetlb..limit_in_byte` in container level cgroup. +// For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes. +message HugepageLimit { + // The value of PageSize has the format B (2MB, 1GB), + // and must match the of the corresponding control file found in `hugetlb..limit_in_bytes`. + // The values of are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). + string page_size = 1; + // limit in bytes of hugepagesize HugeTLB usage. + uint64 limit = 2; } // SELinuxOption are the labels to be applied to the container. @@ -1040,6 +1068,9 @@ message Image { // User name that will run the command(s). This is used if UID is not set // and no user is specified when creating container. string username = 6; + // ImageSpec for image which includes annotations + ImageSpec spec = 7; + } message ListImagesResponse { diff --git a/src/daemon/entry/cri/cri_security_context.cc b/src/daemon/entry/cri/cri_security_context.cc index 634e53ad..1d332261 100644 --- a/src/daemon/entry/cri/cri_security_context.cc +++ b/src/daemon/entry/cri/cri_security_context.cc 
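Review bot: `map annotations = 2;` in the ImageSpec hunk is not a valid proto3 field declaration as shown, because a map field needs its key and value types. The upstream kubelet v1.19.3 api.proto declares it as `map<string, string> annotations = 2;`, so the angle-bracketed part has most likely been lost in rendering rather than in the commit, but it is worth checking the committed file before protoc is run on it. The comment itself calls the contents arbitrary metadata, and the kubelet forwards whatever is in the pod spec, so any daemon code that later reads these annotations (none in this commit, which touches only api.proto and cri_security_context.cc) should treat keys and values as untrusted input.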
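Review bot: `hugepage_limits` is added to LinuxContainerResources but nothing in this commit consumes it; the diffstat lists only api.proto and cri_security_context.cc, and the latter only handles the PID TARGET mode, so a kubelet that sends a HugeTLB limit will have it silently dropped and the container can use hugepages without bound while the scheduler assumes the limit is enforced. Either wire the field into the cgroup configuration or reject/log requests that set it until that lands, and when it is wired, validate `page_size` against the hugetlb sizes the host actually exposes before using it to form the `hugetlb.<size>.limit_in_bytes` path, since the string comes straight from the CRI client. The comments in this hunk also appear to have lost their angle-bracketed placeholders (`hugetlb..limit_in_byte`, `format B`); upstream reads `hugetlb.<hugepagesize>.limit_in_bytes` and `<size><unit>`, so confirm the committed text is intact.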
@@ -179,6 +179,13 @@ static void ModifyContainerNamespaceOptions(const runtime::v1alpha2::NamespaceOp hostConfig->pid_mode = util_strdup_s(sandboxNSMode.c_str()); } + + if (nsOpts.pid() == runtime::v1alpha2::NamespaceMode::TARGET) { + std::string targetPidNsMode = "container:" + nsOpts.target_id(); + free(hostConfig->pid_mode); + hostConfig->pid_mode = util_strdup_s(targetPidNsMode.c_str()); + } + /* set common Namespace options */ ModifyCommonNamespaceOptions(nsOpts, hostConfig); /* modify host network option for container */ -- 2.25.1
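Review bot: The new TARGET branch builds `"container:" + nsOpts.target_id()` and installs it as pid_mode without checking the value, so an empty target_id yields the malformed mode `container:` and a non-empty one is accepted whatever container it names. The CRI contract (the target_id comment in api.proto in this same patch) requires the target to be a container previously created in the same pod; unless that is enforced elsewhere in the daemon, which this hunk does not show, a CRI client can join the PID namespace of a container in another pod, exposing that pod's process list, /proc entries and signal delivery across the pod boundary. Before building the string, reject an empty target_id and resolve it to a container whose sandbox id matches this request's pod sandbox, failing the create through the function's existing error path otherwise. ModifyContainerNamespaceOptions starts and ends outside this hunk.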