diff options
Diffstat (limited to 'cmd/crio')
| -rw-r--r-- | cmd/crio/config.go | 192 | ||||
| -rw-r--r-- | cmd/crio/daemon_linux.go | 20 | ||||
| -rw-r--r-- | cmd/crio/main.go | 532 |
3 files changed, 0 insertions, 744 deletions
diff --git a/cmd/crio/config.go b/cmd/crio/config.go deleted file mode 100644 index 76e3361d4..000000000 --- a/cmd/crio/config.go +++ /dev/null @@ -1,192 +0,0 @@ -package main - -import ( - "os" - "text/template" - - "github.com/kubernetes-incubator/cri-o/server" - "github.com/urfave/cli" -) - -var commentedConfigTemplate = template.Must(template.New("config").Parse(` -# The "crio" table contains all of the server options. -[crio] - -# root is a path to the "root directory". CRIO stores all of its data, -# including container images, in this directory. -root = "{{ .Root }}" - -# run is a path to the "run directory". CRIO stores all of its state -# in this directory. -runroot = "{{ .RunRoot }}" - -# storage_driver select which storage driver is used to manage storage -# of images and containers. -storage_driver = "{{ .Storage }}" - -# storage_option is used to pass an option to the storage driver. -storage_option = [ -{{ range $opt := .StorageOptions }}{{ printf "\t%q,\n" $opt }}{{ end }}] - -# The "crio.api" table contains settings for the kubelet/gRPC -# interface (which is also used by crioctl). -[crio.api] - -# listen is the path to the AF_LOCAL socket on which crio will listen. -listen = "{{ .Listen }}" - -# stream_address is the IP address on which the stream server will listen -stream_address = "{{ .StreamAddress }}" - -# stream_port is the port on which the stream server will listen -stream_port = "{{ .StreamPort }}" - -# file_locking is whether file-based locking will be used instead of -# in-memory locking -file_locking = {{ .FileLocking }} - -# The "crio.runtime" table contains settings pertaining to the OCI -# runtime used and options for how to set up and manage the OCI runtime. -[crio.runtime] - -# runtime is the OCI compatible runtime used for trusted container workloads. -# This is a mandatory setting as this runtime will be the default one -# and will also be used for untrusted container workloads if -# runtime_untrusted_workload is not set. -runtime = "{{ .Runtime }}" - -# runtime_untrusted_workload is the OCI compatible runtime used for untrusted -# container workloads. This is an optional setting, except if -# default_container_trust is set to "untrusted". -runtime_untrusted_workload = "{{ .RuntimeUntrustedWorkload }}" - -# default_workload_trust is the default level of trust crio puts in container -# workloads. It can either be "trusted" or "untrusted", and the default -# is "trusted". -# Containers can be run through different container runtimes, depending on -# the trust hints we receive from kubelet: -# - If kubelet tags a container workload as untrusted, crio will try first to -# run it through the untrusted container workload runtime. If it is not set, -# crio will use the trusted runtime. -# - If kubelet does not provide any information about the container workload trust -# level, the selected runtime will depend on the default_container_trust setting. -# If it is set to "untrusted", then all containers except for the host privileged -# ones, will be run by the runtime_untrusted_workload runtime. Host privileged -# containers are by definition trusted and will always use the trusted container -# runtime. If default_container_trust is set to "trusted", crio will use the trusted -# container runtime for all containers. -default_workload_trust = "{{ .DefaultWorkloadTrust }}" - -# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE -no_pivot = {{ .NoPivot }} - -# conmon is the path to conmon binary, used for managing the runtime. -conmon = "{{ .Conmon }}" - -# conmon_env is the environment variable list for conmon process, -# used for passing necessary environment variable to conmon or runtime. -conmon_env = [ -{{ range $env := .ConmonEnv }}{{ printf "\t%q,\n" $env }}{{ end }}] - -# selinux indicates whether or not SELinux will be used for pod -# separation on the host. If you enable this flag, SELinux must be running -# on the host. -selinux = {{ .SELinux }} - -# seccomp_profile is the seccomp json profile path which is used as the -# default for the runtime. -seccomp_profile = "{{ .SeccompProfile }}" - -# apparmor_profile is the apparmor profile name which is used as the -# default for the runtime. -apparmor_profile = "{{ .ApparmorProfile }}" - -# cgroup_manager is the cgroup management implementation to be used -# for the runtime. -cgroup_manager = "{{ .CgroupManager }}" - -# hooks_dir_path is the oci hooks directory for automatically executed hooks -hooks_dir_path = "{{ .HooksDirPath }}" - -# default_mounts is the mounts list to be mounted for the container when created -default_mounts = [ -{{ range $mount := .DefaultMounts }}{{ printf "\t%q, \n" $mount }}{{ end }}] - -# pids_limit is the number of processes allowed in a container -pids_limit = {{ .PidsLimit }} - -# log_size_max is the max limit for the container log size in bytes. -# Negative values indicate that no limit is imposed. -log_size_max = {{ .LogSizeMax }} - -# The "crio.image" table contains settings pertaining to the -# management of OCI images. -[crio.image] - -# default_transport is the prefix we try prepending to an image name if the -# image name as we receive it can't be parsed as a valid source reference -default_transport = "{{ .DefaultTransport }}" - -# pause_image is the image which we use to instantiate infra containers. -pause_image = "{{ .PauseImage }}" - -# pause_command is the command to run in a pause_image to have a container just -# sit there. If the image contains the necessary information, this value need -# not be specified. -pause_command = "{{ .PauseCommand }}" - -# signature_policy is the name of the file which decides what sort of policy we -# use when deciding whether or not to trust an image that we've pulled. -# Outside of testing situations, it is strongly advised that this be left -# unspecified so that the default system-wide policy will be used. -signature_policy = "{{ .SignaturePolicyPath }}" - -# image_volumes controls how image volumes are handled. -# The valid values are mkdir and ignore. -image_volumes = "{{ .ImageVolumes }}" - -# insecure_registries is used to skip TLS verification when pulling images. -insecure_registries = [ -{{ range $opt := .InsecureRegistries }}{{ printf "\t%q,\n" $opt }}{{ end }}] - -# registries is used to specify a comma separated list of registries to be used -# when pulling an unqualified image (e.g. fedora:rawhide). -registries = [ -{{ range $opt := .Registries }}{{ printf "\t%q,\n" $opt }}{{ end }}] - -# The "crio.network" table contains settings pertaining to the -# management of CNI plugins. -[crio.network] - -# network_dir is is where CNI network configuration -# files are stored. -network_dir = "{{ .NetworkDir }}" - -# plugin_dir is is where CNI plugin binaries are stored. -plugin_dir = "{{ .PluginDir }}" -`)) - -// TODO: Currently ImageDir isn't really used, so we haven't added it to this -// template. Add it once the storage code has been merged. - -var configCommand = cli.Command{ - Name: "config", - Usage: "generate crio configuration files", - Flags: []cli.Flag{ - cli.BoolFlag{ - Name: "default", - Usage: "output the default configuration", - }, - }, - Action: func(c *cli.Context) error { - // At this point, app.Before has already parsed the user's chosen - // config file. So no need to handle that here. - config := c.App.Metadata["config"].(*server.Config) - if c.Bool("default") { - config = server.DefaultConfig() - } - - // Output the commented config. - return commentedConfigTemplate.ExecuteTemplate(os.Stdout, "config", config) - }, -} diff --git a/cmd/crio/daemon_linux.go b/cmd/crio/daemon_linux.go deleted file mode 100644 index 884d3f269..000000000 --- a/cmd/crio/daemon_linux.go +++ /dev/null @@ -1,20 +0,0 @@ -// +build linux - -package main - -import ( - systemdDaemon "github.com/coreos/go-systemd/daemon" - "github.com/sirupsen/logrus" -) - -func sdNotify() { - if _, err := systemdDaemon.SdNotify(true, "READY=1"); err != nil { - logrus.Warnf("Failed to sd_notify systemd: %v", err) - } -} - -// notifySystem sends a message to the host when the server is ready to be used -func notifySystem() { - // Tell the init daemon we are accepting requests - go sdNotify() -} diff --git a/cmd/crio/main.go b/cmd/crio/main.go deleted file mode 100644 index e58adb114..000000000 --- a/cmd/crio/main.go +++ /dev/null @@ -1,532 +0,0 @@ -package main - -import ( - "context" - "fmt" - "net" - "net/http" - _ "net/http/pprof" - "os" - "os/signal" - "sort" - "strings" - "time" - - "github.com/containers/storage/pkg/reexec" - "github.com/kubernetes-incubator/cri-o/libkpod" - "github.com/kubernetes-incubator/cri-o/server" - "github.com/kubernetes-incubator/cri-o/version" - "github.com/opencontainers/selinux/go-selinux" - "github.com/sirupsen/logrus" - "github.com/soheilhy/cmux" - "github.com/urfave/cli" - "golang.org/x/sys/unix" - "google.golang.org/grpc" - "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime" -) - -// gitCommit is the commit that the binary is being built from. -// It will be populated by the Makefile. -var gitCommit = "" - -func validateConfig(config *server.Config) error { - switch config.ImageVolumes { - case libkpod.ImageVolumesMkdir: - case libkpod.ImageVolumesIgnore: - case libkpod.ImageVolumesBind: - default: - return fmt.Errorf("Unrecognized image volume type specified") - - } - - // This needs to match the read buffer size in conmon - if config.LogSizeMax >= 0 && config.LogSizeMax < 8192 { - return fmt.Errorf("log size max should be negative or >= 8192") - } - return nil -} - -func mergeConfig(config *server.Config, ctx *cli.Context) error { - // Don't parse the config if the user explicitly set it to "". - if path := ctx.GlobalString("config"); path != "" { - if err := config.UpdateFromFile(path); err != nil { - if ctx.GlobalIsSet("config") || !os.IsNotExist(err) { - return err - } - - // We don't error out if --config wasn't explicitly set and the - // default doesn't exist. But we will log a warning about it, so - // the user doesn't miss it. - logrus.Warnf("default configuration file does not exist: %s", server.CrioConfigPath) - } - } - - // Override options set with the CLI. - if ctx.GlobalIsSet("conmon") { - config.Conmon = ctx.GlobalString("conmon") - } - if ctx.GlobalIsSet("pause-command") { - config.PauseCommand = ctx.GlobalString("pause-command") - } - if ctx.GlobalIsSet("pause-image") { - config.PauseImage = ctx.GlobalString("pause-image") - } - if ctx.GlobalIsSet("signature-policy") { - config.SignaturePolicyPath = ctx.GlobalString("signature-policy") - } - if ctx.GlobalIsSet("root") { - config.Root = ctx.GlobalString("root") - } - if ctx.GlobalIsSet("runroot") { - config.RunRoot = ctx.GlobalString("runroot") - } - if ctx.GlobalIsSet("storage-driver") { - config.Storage = ctx.GlobalString("storage-driver") - } - if ctx.GlobalIsSet("storage-opt") { - config.StorageOptions = ctx.GlobalStringSlice("storage-opt") - } - if ctx.GlobalIsSet("file-locking") { - config.FileLocking = ctx.GlobalBool("file-locking") - } - if ctx.GlobalIsSet("insecure-registry") { - config.InsecureRegistries = ctx.GlobalStringSlice("insecure-registry") - } - if ctx.GlobalIsSet("registry") { - config.Registries = ctx.GlobalStringSlice("registry") - } - if ctx.GlobalIsSet("default-transport") { - config.DefaultTransport = ctx.GlobalString("default-transport") - } - if ctx.GlobalIsSet("listen") { - config.Listen = ctx.GlobalString("listen") - } - if ctx.GlobalIsSet("stream-address") { - config.StreamAddress = ctx.GlobalString("stream-address") - } - if ctx.GlobalIsSet("stream-port") { - config.StreamPort = ctx.GlobalString("stream-port") - } - if ctx.GlobalIsSet("runtime") { - config.Runtime = ctx.GlobalString("runtime") - } - if ctx.GlobalIsSet("selinux") { - config.SELinux = ctx.GlobalBool("selinux") - } - if ctx.GlobalIsSet("seccomp-profile") { - config.SeccompProfile = ctx.GlobalString("seccomp-profile") - } - if ctx.GlobalIsSet("apparmor-profile") { - config.ApparmorProfile = ctx.GlobalString("apparmor-profile") - } - if ctx.GlobalIsSet("cgroup-manager") { - config.CgroupManager = ctx.GlobalString("cgroup-manager") - } - if ctx.GlobalIsSet("hooks-dir-path") { - config.HooksDirPath = ctx.GlobalString("hooks-dir-path") - } - if ctx.GlobalIsSet("default-mounts") { - config.DefaultMounts = ctx.GlobalStringSlice("default-mounts") - } - if ctx.GlobalIsSet("pids-limit") { - config.PidsLimit = ctx.GlobalInt64("pids-limit") - } - if ctx.GlobalIsSet("log-size-max") { - config.LogSizeMax = ctx.GlobalInt64("log-size-max") - } - if ctx.GlobalIsSet("cni-config-dir") { - config.NetworkDir = ctx.GlobalString("cni-config-dir") - } - if ctx.GlobalIsSet("cni-plugin-dir") { - config.PluginDir = ctx.GlobalString("cni-plugin-dir") - } - if ctx.GlobalIsSet("image-volumes") { - config.ImageVolumes = libkpod.ImageVolumesType(ctx.GlobalString("image-volumes")) - } - return nil -} - -func catchShutdown(gserver *grpc.Server, sserver *server.Server, hserver *http.Server, signalled *bool) { - sig := make(chan os.Signal, 10) - signal.Notify(sig, unix.SIGINT, unix.SIGTERM) - go func() { - for s := range sig { - switch s { - case unix.SIGINT: - logrus.Debugf("Caught SIGINT") - case unix.SIGTERM: - logrus.Debugf("Caught SIGTERM") - default: - continue - } - *signalled = true - gserver.GracefulStop() - hserver.Shutdown(context.Background()) - // TODO(runcom): enable this after https://github.com/kubernetes/kubernetes/pull/51377 - //sserver.StopStreamServer() - sserver.StopExitMonitor() - if err := sserver.Shutdown(); err != nil { - logrus.Warnf("error shutting down main service %v", err) - } - return - } - }() -} - -func main() { - if reexec.Init() { - return - } - app := cli.NewApp() - - var v []string - v = append(v, version.Version) - if gitCommit != "" { - v = append(v, fmt.Sprintf("commit: %s", gitCommit)) - } - app.Name = "crio" - app.Usage = "crio server" - app.Version = strings.Join(v, "\n") - app.Metadata = map[string]interface{}{ - "config": server.DefaultConfig(), - } - - app.Flags = []cli.Flag{ - cli.StringFlag{ - Name: "config", - Value: server.CrioConfigPath, - Usage: "path to configuration file", - }, - cli.StringFlag{ - Name: "conmon", - Usage: "path to the conmon executable", - }, - cli.StringFlag{ - Name: "listen", - Usage: "path to crio socket", - }, - cli.StringFlag{ - Name: "stream-address", - Usage: "bind address for streaming socket", - }, - cli.StringFlag{ - Name: "stream-port", - Usage: "bind port for streaming socket (default: \"10010\")", - }, - cli.StringFlag{ - Name: "log", - Value: "", - Usage: "set the log file path where internal debug information is written", - }, - cli.StringFlag{ - Name: "log-format", - Value: "text", - Usage: "set the format used by logs ('text' (default), or 'json')", - }, - cli.StringFlag{ - Name: "log-level", - Usage: "log messages above specified level: debug, info (default), warn, error, fatal or panic", - }, - - cli.StringFlag{ - Name: "pause-command", - Usage: "name of the pause command in the pause image", - }, - cli.StringFlag{ - Name: "pause-image", - Usage: "name of the pause image", - }, - cli.StringFlag{ - Name: "signature-policy", - Usage: "path to signature policy file", - }, - cli.StringFlag{ - Name: "root", - Usage: "crio root dir", - }, - cli.StringFlag{ - Name: "runroot", - Usage: "crio state dir", - }, - cli.StringFlag{ - Name: "storage-driver", - Usage: "storage driver", - }, - cli.StringSliceFlag{ - Name: "storage-opt", - Usage: "storage driver option", - }, - cli.BoolFlag{ - Name: "file-locking", - Usage: "enable or disable file-based locking", - }, - cli.StringSliceFlag{ - Name: "insecure-registry", - Usage: "whether to disable TLS verification for the given registry", - }, - cli.StringSliceFlag{ - Name: "registry", - Usage: "registry to be prepended when pulling unqualified images, can be specified multiple times", - }, - cli.StringFlag{ - Name: "default-transport", - Usage: "default transport", - }, - cli.StringFlag{ - Name: "runtime", - Usage: "OCI runtime path", - }, - cli.StringFlag{ - Name: "seccomp-profile", - Usage: "default seccomp profile path", - }, - cli.StringFlag{ - Name: "apparmor-profile", - Usage: "default apparmor profile name (default: \"crio-default\")", - }, - cli.BoolFlag{ - Name: "selinux", - Usage: "enable selinux support", - }, - cli.StringFlag{ - Name: "cgroup-manager", - Usage: "cgroup manager (cgroupfs or systemd)", - }, - cli.Int64Flag{ - Name: "pids-limit", - Value: libkpod.DefaultPidsLimit, - Usage: "maximum number of processes allowed in a container", - }, - cli.Int64Flag{ - Name: "log-size-max", - Value: libkpod.DefaultLogSizeMax, - Usage: "maximum log size in bytes for a container", - }, - cli.StringFlag{ - Name: "cni-config-dir", - Usage: "CNI configuration files directory", - }, - cli.StringFlag{ - Name: "cni-plugin-dir", - Usage: "CNI plugin binaries directory", - }, - cli.StringFlag{ - Name: "image-volumes", - Value: string(libkpod.ImageVolumesMkdir), - Usage: "image volume handling ('mkdir', 'bind', or 'ignore')", - }, - cli.StringFlag{ - Name: "hooks-dir-path", - Usage: "set the OCI hooks directory path", - Value: libkpod.DefaultHooksDirPath, - Hidden: true, - }, - cli.StringSliceFlag{ - Name: "default-mounts", - Usage: "add one or more default mount paths in the form host:container", - Hidden: true, - }, - cli.BoolFlag{ - Name: "profile", - Usage: "enable pprof remote profiler on localhost:6060", - }, - cli.IntFlag{ - Name: "profile-port", - Value: 6060, - Usage: "port for the pprof profiler", - }, - cli.BoolFlag{ - Name: "enable-metrics", - Usage: "enable metrics endpoint for the servier on localhost:9090", - }, - cli.IntFlag{ - Name: "metrics-port", - Value: 9090, - Usage: "port for the metrics endpoint", - }, - } - - sort.Sort(cli.FlagsByName(app.Flags)) - sort.Sort(cli.FlagsByName(configCommand.Flags)) - - app.Commands = []cli.Command{ - configCommand, - } - - app.Before = func(c *cli.Context) error { - // Load the configuration file. - config := c.App.Metadata["config"].(*server.Config) - if err := mergeConfig(config, c); err != nil { - return err - } - - if err := validateConfig(config); err != nil { - return err - } - - cf := &logrus.TextFormatter{ - TimestampFormat: "2006-01-02 15:04:05.000000000Z07:00", - FullTimestamp: true, - } - - logrus.SetFormatter(cf) - - if loglevel := c.GlobalString("log-level"); loglevel != "" { - level, err := logrus.ParseLevel(loglevel) - if err != nil { - return err - } - - logrus.SetLevel(level) - } - - if path := c.GlobalString("log"); path != "" { - f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_SYNC, 0666) - if err != nil { - return err - } - logrus.SetOutput(f) - } - - switch c.GlobalString("log-format") { - case "text": - // retain logrus's default. - case "json": - logrus.SetFormatter(new(logrus.JSONFormatter)) - default: - return fmt.Errorf("unknown log-format %q", c.GlobalString("log-format")) - } - - return nil - } - - app.Action = func(c *cli.Context) error { - if c.GlobalBool("profile") { - profilePort := c.GlobalInt("profile-port") - profileEndpoint := fmt.Sprintf("localhost:%v", profilePort) - go func() { - http.ListenAndServe(profileEndpoint, nil) - }() - } - - args := c.Args() - if len(args) > 0 { - for _, command := range app.Commands { - if args[0] == command.Name { - break - } - } - return fmt.Errorf("command %q not supported", args[0]) - } - - config := c.App.Metadata["config"].(*server.Config) - - if !config.SELinux { - selinux.SetDisabled() - } - - if _, err := os.Stat(config.Runtime); os.IsNotExist(err) { - // path to runtime does not exist - return fmt.Errorf("invalid --runtime value %q", err) - } - - // Remove the socket if it already exists - if _, err := os.Stat(config.Listen); err == nil { - if err := os.Remove(config.Listen); err != nil { - logrus.Fatal(err) - } - } - lis, err := net.Listen("unix", config.Listen) - if err != nil { - logrus.Fatalf("failed to listen: %v", err) - } - - s := grpc.NewServer() - - service, err := server.New(config) - if err != nil { - logrus.Fatal(err) - } - - if c.GlobalBool("enable-metrics") { - metricsPort := c.GlobalInt("metrics-port") - me, err := service.CreateMetricsEndpoint() - if err != nil { - logrus.Fatalf("Failed to create metrics endpoint: %v", err) - } - l, err := net.Listen("tcp", fmt.Sprintf(":%v", metricsPort)) - if err != nil { - logrus.Fatalf("Failed to create listener for metrics: %v", err) - } - go func() { - if err := http.Serve(l, me); err != nil { - logrus.Fatalf("Failed to serve metrics endpoint: %v", err) - } - }() - } - - runtime.RegisterRuntimeServiceServer(s, service) - runtime.RegisterImageServiceServer(s, service) - - // after the daemon is done setting up we can notify systemd api - notifySystem() - - go func() { - service.StartExitMonitor() - }() - - m := cmux.New(lis) - grpcL := m.Match(cmux.HTTP2HeaderField("content-type", "application/grpc")) - httpL := m.Match(cmux.HTTP1Fast()) - - infoMux := service.GetInfoMux() - srv := &http.Server{ - Handler: infoMux, - ReadTimeout: 5 * time.Second, - } - - graceful := false - catchShutdown(s, service, srv, &graceful) - - go s.Serve(grpcL) - go srv.Serve(httpL) - - serverCloseCh := make(chan struct{}) - go func() { - defer close(serverCloseCh) - if err := m.Serve(); err != nil { - if graceful && strings.Contains(strings.ToLower(err.Error()), "use of closed network connection") { - err = nil - } else { - logrus.Errorf("Failed to serve grpc grpc request: %v", err) - } - } - }() - - // TODO(runcom): enable this after https://github.com/kubernetes/kubernetes/pull/51377 - //streamServerCloseCh := service.StreamingServerCloseChan() - serverExitMonitorCh := service.ExitMonitorCloseChan() - select { - // TODO(runcom): enable this after https://github.com/kubernetes/kubernetes/pull/51377 - //case <-streamServerCloseCh: - case <-serverExitMonitorCh: - case <-serverCloseCh: - } - - service.Shutdown() - - // TODO(runcom): enable this after https://github.com/kubernetes/kubernetes/pull/51377 - //<-streamServerCloseCh - //logrus.Debug("closed stream server") - <-serverExitMonitorCh - logrus.Debug("closed exit monitor") - <-serverCloseCh - logrus.Debug("closed main server") - - return nil - } - - if err := app.Run(os.Args); err != nil { - logrus.Fatal(err) - } -} |