From 32cabad8dab689fd94d6f2d19d4db10285a94e60 Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse
Date: Tue, 8 May 2018 11:10:53 -0700
Subject: Use the containerd annotation instead of detecting the "pause" application.
FIXED=72380268
PiperOrigin-RevId: 195846596
Change-Id: Ic87fed1433482a514631e1e72f5ee208e11290d1
---
 runsc/sandbox/network.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'runsc')
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index 1b6a1d9a6..d0ff64067 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -31,6 +31,13 @@ import (
 "gvisor.googlesource.com/gvisor/runsc/boot"
 )
 
+const (
+ // Annotations used to indicate whether the container corresponds to a
+ // pod or a container within a pod.
+ crioContainerTypeAnnotation = "io.kubernetes.cri-o.ContainerType"
+ containerdContainerTypeAnnotation = "io.kubernetes.cri.container-type"
+)
+
 // setupNetwork configures the network stack to mimic the local network
 // configuration. Docker uses network namespaces with vnets to configure the
 // network for the container. The untrusted app expects to see the same network
@@ -68,17 +75,10 @@ func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Confi
 // For now the following HACK disables networking for the "pause"
 // sandbox, allowing the second sandbox to start up successfully.
 //
- // Cri-o helpfully adds the "ContainerType" annotation that we can use
- // to detect whether we are a pod or container. Cri-containerd will
- // support this eventually, but does not currently
- // (https://github.com/kubernetes-incubator/cri-containerd/issues/512).
- //
- // Thus, to support cri-containerd, we check if the exec args is
- // "/pause", which is pretty gross.
- //
 // TODO: Remove this once multiple containers per sandbox
 // is properly supported.
- if spec.Annotations["io.kubernetes.cri-o.ContainerType"] == "sandbox" || spec.Process.Args[0] == "/pause" {
+ if spec.Annotations[crioContainerTypeAnnotation] == "sandbox" ||
+ spec.Annotations[containerdContainerTypeAnnotation] == "sandbox" {
 log.Warningf("HACK: Disabling network")
 conf.Network = boot.NetworkNone
 }
-- 
cgit v1.2.3
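Review bot: With the `/pause` argv check gone, the condition in setupNetwork depends entirely on the runtime having set one of the two container-type annotations, so a spec that carries neither falls through and gets the normal network setup even when it is the pod sandbox; the removed comment suggests cri-containerd did not set the annotation at the time. If that is intended, the remaining comment should say so, e.g. `// Requires a cri-o or containerd release that sets the container-type annotation; specs without it are treated as regular containers.` The literal `"sandbox"` is now compared twice and would read better as a named constant beside the two annotation keys. `log.Warningf("HACK: Disabling network")` could also name the annotation key that matched, so the decision to drop networking can be audited from the log. setupNetwork's body starts and ends outside the hunk.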