summaryrefslogtreecommitdiffhomepage
path: root/shim/v1/main.go
diff options
context:
space:
mode:
authorAdin Scannell <ascannell@google.com>2020-10-19 16:26:42 -0700
committergVisor bot <gvisor-bot@google.com>2020-10-19 16:28:40 -0700
commit54e989ec3a2d9c6928047ea09a3d6053cbf2441f (patch)
treed64ef5014191725e66de7c1f81795927be9d96d3 /shim/v1/main.go
parent4b4d12d5bb9c4902380fa999b5f49d3ed7029938 (diff)
Remove legacy bazel configurations.
Using the newer bazel rules necessitates a transition from proto1 to proto2. In order to resolve the incompatibility between proto2 and gogoproto, the cri runtimeoptions proto must be vendored. Further, some of the semantics of bazel caching changed during the transition. It is now necessary to: - Ensure that :gopath depends only on pure library targets, as the propagation of go_binary build attributes (pure, static) will affected the generated files (though content remains the same, there are conflicts with respect to the gopath). - Update bazel.mk to include the possibility of binaries in the bazel-out directory, as it will now put runsc and others there. This required some refinements to the mechanism of extracting paths, since some the existing regex resulted in false positives. - Change nogo rules to prevent escape generation on binary targets. For some reason, the newer version of bazel attempted to run the nogo analysis on the binary targets, which fails due to the fact that objdump does not work on the final binary. This must be due to a change in the semantics of aspects in bazel3. PiperOrigin-RevId: 337958324
Diffstat (limited to 'shim/v1/main.go')
-rw-r--r--shim/v1/main.go249
1 files changed, 4 insertions, 245 deletions
diff --git a/shim/v1/main.go b/shim/v1/main.go
index 3159923af..11ff4add1 100644
--- a/shim/v1/main.go
+++ b/shim/v1/main.go
@@ -1,5 +1,4 @@
-// Copyright 2018 The containerd Authors.
-// Copyright 2019 The gVisor Authors.
+// Copyright 2020 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -13,253 +12,13 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+// Binary gvisor-containerd-shim is the v1 containerd shim.
package main
import (
- "bytes"
- "context"
- "flag"
- "fmt"
- "log"
- "net"
- "os"
- "os/exec"
- "os/signal"
- "path/filepath"
- "strings"
- "sync"
- "syscall"
-
- "github.com/containerd/containerd/events"
- "github.com/containerd/containerd/namespaces"
- "github.com/containerd/containerd/sys"
- "github.com/containerd/containerd/sys/reaper"
- "github.com/containerd/ttrpc"
- "github.com/containerd/typeurl"
- "github.com/gogo/protobuf/types"
- "golang.org/x/sys/unix"
-
- "gvisor.dev/gvisor/pkg/shim/runsc"
- "gvisor.dev/gvisor/pkg/shim/v1/shim"
-)
-
-var (
- debugFlag bool
- namespaceFlag string
- socketFlag string
- addressFlag string
- workdirFlag string
- runtimeRootFlag string
- containerdBinaryFlag string
- shimConfigFlag string
+ "gvisor.dev/gvisor/shim/v1/cli"
)
-// Containerd defaults to runc, unless another runtime is explicitly specified.
-// We keep the same default to make the default behavior consistent.
-const defaultRoot = "/run/containerd/runc"
-
-func init() {
- flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
- flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
- flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
- flag.StringVar(&workdirFlag, "workdir", "", "path used to storge large temporary data")
- flag.StringVar(&runtimeRootFlag, "runtime-root", defaultRoot, "root directory for the runtime")
-
- // Currently, the `containerd publish` utility is embedded in the
- // daemon binary. The daemon invokes `containerd-shim
- // -containerd-binary ...` with its own os.Executable() path.
- flag.StringVar(&containerdBinaryFlag, "containerd-binary", "containerd", "path to containerd binary (used for `containerd publish`)")
- flag.StringVar(&shimConfigFlag, "config", "/etc/containerd/runsc.toml", "path to the shim configuration file")
-}
-
func main() {
- flag.Parse()
-
- // This is a hack. Exec current process to run standard containerd-shim
- // if runtime root is not `runsc`. We don't need this for shim v2 api.
- if filepath.Base(runtimeRootFlag) != "runsc" {
- if err := executeRuncShim(); err != nil {
- fmt.Fprintf(os.Stderr, "gvisor-containerd-shim: %s\n", err)
- os.Exit(1)
- }
- }
-
- // Run regular shim if needed.
- if err := executeShim(); err != nil {
- fmt.Fprintf(os.Stderr, "gvisor-containerd-shim: %s\n", err)
- os.Exit(1)
- }
-}
-
-// executeRuncShim execs current process to a containerd-shim process and
-// retains all flags and envs.
-func executeRuncShim() error {
- c, err := loadConfig(shimConfigFlag)
- if err != nil && !os.IsNotExist(err) {
- return fmt.Errorf("failed to load shim config: %w", err)
- }
- shimPath := c.RuncShim
- if shimPath == "" {
- shimPath, err = exec.LookPath("containerd-shim")
- if err != nil {
- return fmt.Errorf("lookup containerd-shim failed: %w", err)
- }
- }
-
- args := append([]string{shimPath}, os.Args[1:]...)
- if err := syscall.Exec(shimPath, args, os.Environ()); err != nil {
- return fmt.Errorf("exec containerd-shim @ %q failed: %w", shimPath, err)
- }
- return nil
-}
-
-func executeShim() error {
- // start handling signals as soon as possible so that things are
- // properly reaped or if runtime exits before we hit the handler.
- signals, err := setupSignals()
- if err != nil {
- return err
- }
- path, err := os.Getwd()
- if err != nil {
- return err
- }
- server, err := ttrpc.NewServer(ttrpc.WithServerHandshaker(ttrpc.UnixSocketRequireSameUser()))
- if err != nil {
- return fmt.Errorf("failed creating server: %w", err)
- }
- c, err := loadConfig(shimConfigFlag)
- if err != nil && !os.IsNotExist(err) {
- return fmt.Errorf("failed to load shim config: %w", err)
- }
- sv, err := shim.NewService(
- shim.Config{
- Path: path,
- Namespace: namespaceFlag,
- WorkDir: workdirFlag,
- RuntimeRoot: runtimeRootFlag,
- RunscConfig: c.RunscConfig,
- },
- &remoteEventsPublisher{address: addressFlag},
- )
- if err != nil {
- return err
- }
- registerShimService(server, sv)
- if err := serve(server, socketFlag); err != nil {
- return err
- }
- return handleSignals(signals, server, sv)
-}
-
-// serve serves the ttrpc API over a unix socket at the provided path this
-// function does not block.
-func serve(server *ttrpc.Server, path string) error {
- var (
- l net.Listener
- err error
- )
- if path == "" {
- l, err = net.FileListener(os.NewFile(3, "socket"))
- path = "[inherited from parent]"
- } else {
- if len(path) > 106 {
- return fmt.Errorf("%q: unix socket path too long (> 106)", path)
- }
- l, err = net.Listen("unix", "\x00"+path)
- }
- if err != nil {
- return err
- }
- go func() {
- defer l.Close()
- err := server.Serve(context.Background(), l)
- if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
- log.Fatalf("ttrpc server failure: %v", err)
- }
- }()
- return nil
-}
-
-// setupSignals creates a new signal handler for all signals and sets the shim
-// as a sub-reaper so that the container processes are reparented.
-func setupSignals() (chan os.Signal, error) {
- signals := make(chan os.Signal, 32)
- signal.Notify(signals, unix.SIGTERM, unix.SIGINT, unix.SIGCHLD, unix.SIGPIPE)
- // make sure runc is setup to use the monitor for waiting on processes.
- // TODO(random-liu): Move shim/reaper.go to a separate package.
- runsc.Monitor = reaper.Default
- // Set the shim as the subreaper for all orphaned processes created by
- // the container.
- if err := unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0); err != nil {
- return nil, err
- }
- return signals, nil
-}
-
-func handleSignals(signals chan os.Signal, server *ttrpc.Server, sv *shim.Service) error {
- var (
- termOnce sync.Once
- done = make(chan struct{})
- )
-
- for {
- select {
- case <-done:
- return nil
- case s := <-signals:
- switch s {
- case unix.SIGCHLD:
- if _, err := sys.Reap(false); err != nil {
- log.Printf("reap error: %v", err)
- }
- case unix.SIGTERM, unix.SIGINT:
- go termOnce.Do(func() {
- ctx := context.TODO()
- if err := server.Shutdown(ctx); err != nil {
- log.Printf("failed to shutdown server: %v", err)
- }
- // Ensure our child is dead if any.
- sv.Kill(ctx, &KillRequest{
- Signal: uint32(syscall.SIGKILL),
- All: true,
- })
- sv.Delete(context.Background(), &types.Empty{})
- close(done)
- })
- case unix.SIGPIPE:
- }
- }
- }
-}
-
-type remoteEventsPublisher struct {
- address string
-}
-
-func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
- ns, _ := namespaces.Namespace(ctx)
- encoded, err := typeurl.MarshalAny(event)
- if err != nil {
- return err
- }
- data, err := encoded.Marshal()
- if err != nil {
- return err
- }
- cmd := exec.CommandContext(ctx, containerdBinaryFlag, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
- cmd.Stdin = bytes.NewReader(data)
- c, err := reaper.Default.Start(cmd)
- if err != nil {
- return err
- }
- status, err := reaper.Default.Wait(cmd, c)
- if err != nil {
- return fmt.Errorf("failed to publish event: %w", err)
- }
- if status != 0 {
- return fmt.Errorf("failed to publish event: status %d", status)
- }
- return nil
+ cli.Main()
}