Diffstat (limited to 'shim')
-rw-r--r-- | shim/v1/BUILD | 10 | ||||
-rw-r--r-- | shim/v1/README.md | 14 | ||||
-rw-r--r-- | shim/v1/api.go | 24 | ||||
-rw-r--r-- | shim/v1/main.go | 38 | ||||
-rw-r--r-- | shim/v2/BUILD | 7 | ||||
-rw-r--r-- | shim/v2/README.md | 15 | ||||
-rw-r--r-- | shim/v2/main.go | 4 | ||||
-rw-r--r-- | shim/v2/runtime-handler-shim-v2-quickstart.md | 59 |
8 files changed, 104 insertions, 67 deletions
diff --git a/shim/v1/BUILD b/shim/v1/BUILD
index 3a863ecbb..7b837630c 100644
--- a/shim/v1/BUILD
+++ b/shim/v1/BUILD
@@ -6,28 +6,26 @@ package(licenses = ["notice"])
 go_binary(
     name = "gvisor-containerd-shim",
     srcs = [
+        "api.go",
         "config.go",
         "main.go",
     ],
-    pure = True,
+    static = True,
     visibility = [
         "//visibility:public",
     ],
     deps = [
         "//pkg/shim/runsc",
         "//pkg/shim/v1/shim",
-        "//pkg/shim/v2",
         "@com_github_burntsushi_toml//:go_default_library",
         "@com_github_containerd_containerd//events:go_default_library",
         "@com_github_containerd_containerd//namespaces:go_default_library",
-        "@com_github_containerd_containerd//runtime/v1/linux/proc:go_default_library",
-        "@com_github_containerd_containerd//runtime/v1/shim:go_default_library",
         "@com_github_containerd_containerd//runtime/v1/shim/v1:go_default_library",
-        "@com_github_containerd_containerd//runtime/v2/shim:go_default_library",
+        "@com_github_containerd_containerd//sys:go_default_library",
+        "@com_github_containerd_containerd//sys/reaper:go_default_library",
         "@com_github_containerd_ttrpc//:go_default_library",
         "@com_github_containerd_typeurl//:go_default_library",
         "@com_github_gogo_protobuf//types:go_default_library",
-        "@com_github_opencontainers_runc//libcontainer/system:go_default_library",
         "@org_golang_x_sys//unix:go_default_library",
     ],
 )
diff --git a/shim/v1/README.md b/shim/v1/README.md
index fcdf3ad77..7aa4513a1 100644
--- a/shim/v1/README.md
+++ b/shim/v1/README.md
@@ -29,15 +29,15 @@ sudo systemctl restart containerd ## Shim Confguration -The shim configuration is stored in `/etc/containerd/runsc.toml`. The +The shim configuration is stored in `/etc/containerd/runsc.toml`. The configuration file supports two values. -* `runc_shim`: The path to the runc shim. This is used by - `gvisor-containerd-shim` to run standard containers. +* `runc_shim`: The path to the runc shim. This is used by + `gvisor-containerd-shim` to run standard containers. -* `runsc_config`: This is a set of key/value pairs that are converted into - `runsc` command line flags. You can learn more about which flags are available - by running `runsc flags`. +* `runsc_config`: This is a set of key/value pairs that are converted into + `runsc` command line flags. You can learn more about which flags are + available by running `runsc flags`. For example, a configuration might look as follows: @@ -46,5 +46,5 @@ runc_shim = "/usr/local/bin/containerd-shim" [runsc_config] platform = "kvm" debug = true -debug-log = /var/log/%ID%/gvisor.log +debug-log = /var/log/%ID%/gvisor/ ``` diff --git a/shim/v1/api.go b/shim/v1/api.go new file mode 100644 index 000000000..2444d23f1 --- /dev/null +++ b/shim/v1/api.go 
@@ -0,0 +1,24 @@
+// Copyright 2018 The containerd Authors.
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	shim "github.com/containerd/containerd/runtime/v1/shim/v1"
+)
+
+type KillRequest = shim.KillRequest
+
+var registerShimService = shim.RegisterShimService
diff --git a/shim/v1/main.go b/shim/v1/main.go
index 43deee858..3159923af 100644
--- a/shim/v1/main.go
+++ b/shim/v1/main.go
@@ -32,13 +32,11 @@ import (
 	"github.com/containerd/containerd/events"
 	"github.com/containerd/containerd/namespaces"
-	"github.com/containerd/containerd/runtime/v1/linux/proc"
-	containerdshim "github.com/containerd/containerd/runtime/v1/shim"
-	shimapi "github.com/containerd/containerd/runtime/v1/shim/v1"
+	"github.com/containerd/containerd/sys"
+	"github.com/containerd/containerd/sys/reaper"
 	"github.com/containerd/ttrpc"
 	"github.com/containerd/typeurl"
-	ptypes "github.com/gogo/protobuf/types"
-	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/gogo/protobuf/types"
 	"golang.org/x/sys/unix"
 
 	"gvisor.dev/gvisor/pkg/shim/runsc"
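Review bot: The new api.go exports `KillRequest` and declares `registerShimService` without a doc comment, so a reader of main.go (which now uses these names instead of importing the shim API package directly) has to open this file to learn they are plain re-exports. Suggest `// KillRequest is containerd's v1 shim KillRequest, re-exported so main.go does not import the shim API package directly.` above the alias and `// registerShimService registers the shim service on a ttrpc server; it is containerd's shim.RegisterShimService.` above the var.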
@@ -56,17 +54,17 @@ var (
 	shimConfigFlag string
 )
 
+// Containerd defaults to runc, unless another runtime is explicitly specified.
+// We keep the same default to make the default behavior consistent.
+const defaultRoot = "/run/containerd/runc"
+
 func init() {
 	flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
 	flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
 	flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
 	flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
 	flag.StringVar(&workdirFlag, "workdir", "", "path used to storge large temporary data")
-
-	// Containerd default to runc, unless another runtime is explicitly
-	// specified. We keep the same default to make the default behavior
-	// consistent.
-	flag.StringVar(&runtimeRootFlag, "runtime-root", proc.RuncRoot, "root directory for the runtime")
+	flag.StringVar(&runtimeRootFlag, "runtime-root", defaultRoot, "root directory for the runtime")
 
 	// Currently, the `containerd publish` utility is embedded in the
 	// daemon binary. The daemon invokes `containerd-shim
@@ -148,7 +146,7 @@ func executeShim() error {
 	if err != nil {
 		return err
 	}
-	shimapi.RegisterShimService(server, sv)
+	registerShimService(server, sv)
 	if err := serve(server, socketFlag); err != nil {
 		return err
 	}
@@ -191,10 +189,10 @@ func setupSignals() (chan os.Signal, error) {
 	signal.Notify(signals, unix.SIGTERM, unix.SIGINT, unix.SIGCHLD, unix.SIGPIPE)
 	// make sure runc is setup to use the monitor for waiting on processes.
 	// TODO(random-liu): Move shim/reaper.go to a separate package.
-	runsc.Monitor = containerdshim.Default
+	runsc.Monitor = reaper.Default
 	// Set the shim as the subreaper for all orphaned processes created by
 	// the container.
-	if err := system.SetSubreaper(1); err != nil {
+	if err := unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0); err != nil {
 		return nil, err
 	}
 	return signals, nil
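Review bot: The `// TODO(random-liu): Move shim/reaper.go to a separate package.` comment kept above `runsc.Monitor = reaper.Default` in setupSignals is now stale, since the monitor comes from containerd's `sys/reaper` package rather than a local shim/reaper.go; it should be dropped or reworded to say why the containerd reaper is used. The error from `unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0)` is returned bare, which hides which step of shim startup failed when the shim cannot become the subreaper; `return nil, fmt.Errorf("setting child subreaper: %w", err)` keeps that context, and `fmt.Errorf` with `%w` is already the style used in Publish. setupSignals' closing brace lies outside the hunk.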
@@ -213,21 +211,21 @@ func handleSignals(signals chan os.Signal, server *ttrpc.Server, sv *shim.Servic
 		case s := <-signals:
 			switch s {
 			case unix.SIGCHLD:
-				if err := containerdshim.Reap(); err != nil {
-					log.Printf("reap exit status: %v")
+				if _, err := sys.Reap(false); err != nil {
+					log.Printf("reap error: %v", err)
 				}
 			case unix.SIGTERM, unix.SIGINT:
 				go termOnce.Do(func() {
 					ctx := context.TODO()
 					if err := server.Shutdown(ctx); err != nil {
-						log.Printf("failed to shutdown server: %v")
+						log.Printf("failed to shutdown server: %v", err)
 					}
 					// Ensure our child is dead if any.
-					sv.Kill(ctx, &shimapi.KillRequest{
+					sv.Kill(ctx, &KillRequest{
 						Signal: uint32(syscall.SIGKILL),
 						All:    true,
 					})
-					sv.Delete(context.Background(), &ptypes.Empty{})
+					sv.Delete(context.Background(), &types.Empty{})
 				})
 			case unix.SIGPIPE:
@@ -252,11 +250,11 @@ func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event
 	}
 	cmd := exec.CommandContext(ctx, containerdBinaryFlag, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
 	cmd.Stdin = bytes.NewReader(data)
-	c, err := containerdshim.Default.Start(cmd)
+	c, err := reaper.Default.Start(cmd)
 	if err != nil {
 		return err
 	}
-	status, err := containerdshim.Default.Wait(cmd, c)
+	status, err := reaper.Default.Wait(cmd, c)
 	if err != nil {
 		return fmt.Errorf("failed to publish event: %w", err)
 	}
diff --git a/shim/v2/BUILD b/shim/v2/BUILD
index 1e1947dab..ae4705935 100644
--- a/shim/v2/BUILD
+++ b/shim/v2/BUILD
@@ -1,4 +1,4 @@
-load("//tools:defs.bzl", "go_binary", "pkg_tar")
+load("//tools:defs.bzl", "go_binary")
 load("//website:defs.bzl", "doc")
 
 package(licenses = ["notice"])
@@ -8,15 +8,12 @@ go_binary(
     srcs = [
         "main.go",
     ],
-    pure = True,
+    static = True,
     visibility = [
         "//visibility:public",
     ],
     deps = [
-        "//pkg/shim/runsc",
-        "//pkg/shim/v1/shim",
         "//pkg/shim/v2",
-        "@com_github_burntsushi_toml//:go_default_library",
         "@com_github_containerd_containerd//runtime/v2/shim:go_default_library",
     ],
 )
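Review bot: In the SIGCHLD branch of handleSignals, `sys.Reap(false)` reaps the children and the new code throws the returned exit statuses away with `_`, yet the Publish hunk below depends on `reaper.Default.Wait(cmd, c)` being told when the publish child has exited, and setupSignals installs that same `reaper.Default` as the runsc monitor. Unless something outside this diff feeds those exits to `reaper.Default`, its subscribers are never notified and Wait can block for good, leaving reaped processes whose status nobody consumes. containerd's `sys/reaper` package exposes `reaper.Reap()`, which does the same wait4 and dispatches the exits to Default's subscribers, so the branch should likely read `if err := reaper.Reap(); err != nil {`; worth confirming against the containerd revision pinned in the workspace. handleSignals starts and ends outside the hunk.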
diff --git a/shim/v2/README.md b/shim/v2/README.md index 2fd625415..2aa7c21e3 100644 --- a/shim/v2/README.md +++ b/shim/v2/README.md @@ -51,17 +51,18 @@ In order to pick up the new configuration, you may need to restart containerd: ```shell sudo systemctl restart containerd ``` + ## Shim Confguration The shim configuration may carry the following options: -* `shim_cgroup`: The cgroup to use for the shim itself. -* `io_uid`: The UID to use for pipes. -* `ui_gid`: The GID to use for pipes. -* `binary_name`: The runtime binary name (defaults to `runsc`). -* `root`: The root directory for the runtime. -* `runsc_config`: A dictionary of key-value pairs that will be passed to the - runtime as arguments. +* `shim_cgroup`: The cgroup to use for the shim itself. +* `io_uid`: The UID to use for pipes. +* `ui_gid`: The GID to use for pipes. +* `binary_name`: The runtime binary name (defaults to `runsc`). +* `root`: The root directory for the runtime. +* `runsc_config`: A dictionary of key-value pairs that will be passed to the + runtime as arguments. ### Example: Enable the KVM platform diff --git a/shim/v2/main.go b/shim/v2/main.go index 41c77394a..753871eea 100644 --- a/shim/v2/main.go +++ b/shim/v2/main.go @@ -18,9 +18,9 @@ package main import ( "github.com/containerd/containerd/runtime/v2/shim" - runsc "gvisor.dev/gvisor/pkg/shim/v2" + "gvisor.dev/gvisor/pkg/shim/v2" ) func main() { - shim.Run("io.containerd.runsc.v1", runsc.New) + shim.Run("io.containerd.runsc.v1", v2.New) } diff --git a/shim/v2/runtime-handler-shim-v2-quickstart.md b/shim/v2/runtime-handler-shim-v2-quickstart.md index ca8336089..3b88ca74b 100644 --- a/shim/v2/runtime-handler-shim-v2-quickstart.md +++ b/shim/v2/runtime-handler-shim-v2-quickstart.md 
@@ -5,17 +5,21 @@ the containerd runtime handler support. This requires containerd 1.2 or later. ## Requirements -- **runsc**: See the [gVisor documentation](https://github.com/google/gvisor) for information on how to install runsc. -- **containerd**: See the [containerd website](https://containerd.io/) for information on how to install containerd. +- **runsc**: See the [gVisor documentation](https://github.com/google/gvisor) + for information on how to install runsc. +- **containerd**: See the [containerd website](https://containerd.io/) for + information on how to install containerd. ## Install ### Install containerd-shim-runsc-v1 -1. Build and install `containerd-shim-runsc-v1`. +1. Build and install `containerd-shim-runsc-v1`. <!-- TODO: Use a release once we have one available. --> + [embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 1\(dev\)/ /^}/) + ```shell { # Step 1(dev): Build and install gvisor-containerd-shim and containerd-shim-runsc-v1 make @@ -25,10 +29,11 @@ the containerd runtime handler support. This requires containerd 1.2 or later. ### Configure containerd -1. Update `/etc/containerd/config.toml`. Make sure `containerd-shim-runsc-v1` is - in `${PATH}`. +1. Update `/etc/containerd/config.toml`. Make sure `containerd-shim-runsc-v1` + is in `${PATH}`. [embedmd]:# (../test/e2e/runtime-handler-shim-v2/install.sh shell /{ # Step 1/ /^}/) + ```shell { # Step 1: Create containerd config.toml cat <<EOF | sudo tee /etc/containerd/config.toml @@ -41,7 +46,7 @@ EOF } ``` -2. Restart `containerd` +1. Restart `containerd` ```shell sudo systemctl restart containerd 
@@ -53,9 +58,10 @@ You can run containers in gVisor via containerd's CRI. ### Install crictl -1. Download and install the crictl binary: +1. Download and install the crictl binary: [embedmd]:# (../test/e2e/crictl-install.sh shell /{ # Step 1/ /^}/) + ```shell { # Step 1: Download crictl wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz @@ -64,9 +70,10 @@ sudo mv crictl /usr/local/bin } ``` -2. Write the crictl configuration file +1. Write the crictl configuration file [embedmd]:# (../test/e2e/crictl-install.sh shell /{ # Step 2/ /^}/) + ```shell { # Step 2: Configure crictl cat <<EOF | sudo tee /etc/crictl.yaml @@ -77,18 +84,20 @@ EOF ### Create the nginx Sandbox in gVisor -1. Pull the nginx image +1. Pull the nginx image [embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 1/ /^}/) + ```shell { # Step 1: Pull the nginx image sudo crictl pull nginx } ``` -2. Create the sandbox creation request +1. Create the sandbox creation request [embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 2/ /^EOF\n}/) + ```shell { # Step 2: Create sandbox.json cat <<EOF | tee sandbox.json @@ -107,9 +116,10 @@ EOF } ``` -3. Create the pod in gVisor +1. Create the pod in gVisor [embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 3/ /^}/) + ```shell { # Step 3: Create the sandbox SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json) @@ -118,9 +128,10 @@ SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json) ### Run the nginx Container in the Sandbox -1. Create the nginx container creation request +1. Create the nginx container creation request [embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 1/ /^EOF\n}/) + ```shell { # Step 1: Create nginx container config cat <<EOF | tee container.json 
@@ -139,18 +150,20 @@ EOF } ``` -2. Create the nginx container +1. Create the nginx container [embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 2/ /^}/) + ```shell { # Step 2: Create nginx container CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json) } ``` -3. Start the nginx container +1. Start the nginx container [embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 3/ /^}/) + ```shell { # Step 3: Start nginx container sudo crictl start ${CONTAINER_ID} @@ -159,27 +172,30 @@ sudo crictl start ${CONTAINER_ID} ### Validate the container -1. Inspect the created pod +1. Inspect the created pod [embedmd]:# (../test/e2e/validate.sh shell /{ # Step 1/ /^}/) + ```shell { # Step 1: Inspect the pod sudo crictl inspectp ${SANDBOX_ID} } ``` -2. Inspect the nginx container +1. Inspect the nginx container [embedmd]:# (../test/e2e/validate.sh shell /{ # Step 2/ /^}/) + ```shell { # Step 2: Inspect the container sudo crictl inspect ${CONTAINER_ID} } ``` -3. Verify that nginx is running in gVisor +1. Verify that nginx is running in gVisor [embedmd]:# (../test/e2e/validate.sh shell /{ # Step 3/ /^}/) + ```shell { # Step 3: Check dmesg sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor @@ -188,9 +204,10 @@ sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor ### Set up the Kubernetes Runtime Class -1. Install the Runtime Class for gVisor +1. Install the Runtime Class for gVisor [embedmd]:# (../test/e2e/runtimeclass-install.sh shell /{ # Step 1/ /^}/) + ```shell { # Step 1: Install a RuntimeClass cat <<EOF | kubectl apply -f - @@ -203,9 +220,10 @@ EOF } ``` -2. Create a Pod with the gVisor Runtime Class +1. Create a Pod with the gVisor Runtime Class [embedmd]:# (../test/e2e/runtimeclass-install.sh shell /{ # Step 2/ /^}/) + ```shell { # Step 2: Create a pod cat <<EOF | kubectl apply -f - 
@@ -222,9 +240,10 @@ EOF } ``` -3. Verify that the Pod is running +1. Verify that the Pod is running [embedmd]:# (../test/e2e/runtimeclass-install.sh shell /{ # Step 3/ /^}/) + ```shell { # Step 3: Get the pod kubectl get pod nginx-gvisor -o wide |