CRI-O container support #1310
CRI-O container support #1310
Conversation
| namespace libsinsp { | ||
| namespace runc { | ||
|
|
||
| /// runc-based runtimes (Docker, containerd, CRI-O, probably others) use the same two cgroup layouts |
There was a problem hiding this comment.
i appreciate the comment, but still slightly confused. maybe just an exapmle for each of the runc runtimes we support?
There was a problem hiding this comment.
Do you still find it confusing after looking at the instances of this struct (container_engine/cri.cpp, container_engine/docker_linux.cpp)?
There was a problem hiding this comment.
less so, but one don't want to have to dig into the implementation to understand the api.
| namespace { | ||
|
|
||
| const size_t CONTAINER_ID_LENGTH = 64; | ||
| const size_t REPORTED_CONTAINER_ID_LENGTH = 12; |
There was a problem hiding this comment.
maybe a note what these values represent?
There was a problem hiding this comment.
I'm not sure what to add that wouldn't duplicate the constant names or the static_assert below.
There was a problem hiding this comment.
what does "reported" mean here? is it what's reported to us? what we're reporting to someone else?
userspace/libsinsp/runc.cpp
Outdated
|
|
||
| static_assert(REPORTED_CONTAINER_ID_LENGTH <= CONTAINER_ID_LENGTH, "Reported container ID length cannot be longer than actual length"); | ||
|
|
||
| bool detect_one_container_id(const std::string& cgroup, const std::string& prefix, const std::string& suffix, std::string& container_id) |
There was a problem hiding this comment.
should these two functions be static?
There was a problem hiding this comment.
also quick comment on which are inputs and ouputs of this function
There was a problem hiding this comment.
They're already in a private namespace.
I'll add a comment.
There was a problem hiding this comment.
must have missed that they're still in the NS. that's fine then.
| const char* suffix; | ||
| }; | ||
|
|
||
| /// If any of the cgroups of the thread in `tinfo` matches the `layout`, set `container_id` to the found id |
There was a problem hiding this comment.
what if multiple cgroups match the layout?
I assume we're assuming that impossible, and if that's the case ,we should perhaps note the assumption
There was a problem hiding this comment.
Then we take the first matching one (AFAICT, the iteration order matches contents of /proc//cgroups). If the cgroups are inconsistent (matching different containers), there's no single right answer we can choose. What do you propose?
There was a problem hiding this comment.
so long as we're okay with that, it's fine, but we should at least be explicit in that "if it matches multiple, we'll only return the first" or something
|
|
||
| bool detect_container_id(const std::string& cgroup, const libsinsp::runc::cgroup_layout *layout, std::string &container_id) | ||
| { | ||
| for(size_t i = 0; layout[i].prefix && layout[i].suffix; ++i) |
There was a problem hiding this comment.
this way of doing bounds checking is somewhat risky, as it depends on someone putting null pointers at the end of arrays put in.
We should be able to statically determine the size of those arrays with sizeof(X)/sizeof(X[0]) and then that value can be passed in, or even better, we can wrap the array in a struct which stores the size of the array, calculated at compile time
There was a problem hiding this comment.
sizeof won't work across function calls. Given that we have only two of these arrays, hardcoded in the source and not modifiable at runtime, I'm not sure it's a big deal (if you insist, I'd probably go for std::array).
There was a problem hiding this comment.
i don't think the number of instance is the issue as much as the fact that depending on the last entry of an array to be null in order to prevent a segfault is not really idiomatic, and there's no compelling reason to do it that way when safer options exist.
I didn't mean computing sizeof in the function itself, but along with the array
static const int foo = {1,5,7,2,7};
static const foo_length = sizeof(foo) / sizeof(foo[0]);
Then you use foo_length as your loop bounds, as it's clear and safe.
std::array is fine or even vector would work fine here as well
|
|
||
| static_assert(std::string::npos == (size_t)(-1), "std::string::npos must be largest valid size_t"); | ||
| size_t invalid_ch_pos = cgroup.find_first_not_of(CONTAINER_ID_VALID_CHARACTERS, pos); | ||
| if (invalid_ch_pos < CONTAINER_ID_LENGTH) |
There was a problem hiding this comment.
just match the ID against [0-9a-fA-F]{64} ?
There was a problem hiding this comment.
This is literally what this code does. Just not using regexes.
| #include "sinsp.h" | ||
| #include "sinsp_int.h" | ||
|
|
||
| namespace { | ||
| bool pod_uses_host_netns(const runtime::v1alpha2::PodSandboxStatusResponse& resp) |
There was a problem hiding this comment.
is this common in the code base instead of static?
There was a problem hiding this comment.
I got tired of your (plural you) review comments asking me to switch from static to namespace{}. Make up your mind, will you? :P
There was a problem hiding this comment.
yeah i don't really care either way, i was just asking to ensure it's consistent
|
|
||
| constexpr const cgroup_layout DOCKER_CGROUP_LAYOUT[] = { | ||
| {"/", ""}, // non-systemd docker | ||
| {"/docker-", ".scope"}, // systemd docker |
There was a problem hiding this comment.
How confident are we about the ".scope" suffix of systemd.
this page here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/resource_management_guide/sec-default_cgroup_hierarchies
seems to suggest we could have ".slice" too.
Will review the entire PR a little later. Wanted to capture this one thing first.
| bool cri::resolve(sinsp_container_manager* manager, sinsp_threadinfo* tinfo, bool query_os_for_missing_info) | ||
| { | ||
| sinsp_container_info container_info; | ||
|
|
||
| if(docker::detect_docker(tinfo, container_info.m_id)) | ||
| if(matches_runc_cgroups(tinfo, CRI_CGROUP_LAYOUT, container_info.m_id)) | ||
| { | ||
| container_info.m_type = s_cri_runtime_type; |
There was a problem hiding this comment.
Is the need here only to specify if it is a CRI-based run-time or not ? Do we not need to know if it is CT_CRIO or CT_CONTAINERD ?
There was a problem hiding this comment.
yes, we must be as specific as possible. i think we should report a container type being "CRI" only as a last resort.
| @@ -79,32 +109,27 @@ bool parse_cri(sinsp_container_manager *manager, sinsp_container_info *container | |||
| parse_cri_image(resp_container, container); | |||
| parse_cri_mounts(resp_container, container); | |||
|
|
|||
| const auto &info_it = resp.info().find("info"); | |||
| if(info_it == resp.info().end()) | |||
| if(parse_containerd(resp, container, tinfo)) | |||
There was a problem hiding this comment.
this call seems out of place. why call logic specific to containerd unconditionally when the container type is known at this point. if there is an expectation that the logic in parse_containerd() could apply to cri-o as well, why not rename the function to be clear?
There was a problem hiding this comment.
btw, can't line 102 be removed since the same operation is done in the caller of this function?
There was a problem hiding this comment.
About the duplicate assignment, good catch, removed.
parse_containerd should be pretty cheap when the engine is not containerd compatible (no metadata in info) and if some other runtime decides that this is actually worth following, it saves us two extra api calls.
I'd leave this as is (currently it only applies to containerd and I don't have a better idea for the name).
| bool cri::resolve(sinsp_container_manager* manager, sinsp_threadinfo* tinfo, bool query_os_for_missing_info) | ||
| { | ||
| sinsp_container_info container_info; | ||
|
|
||
| if(docker::detect_docker(tinfo, container_info.m_id)) | ||
| if(matches_runc_cgroups(tinfo, CRI_CGROUP_LAYOUT, container_info.m_id)) | ||
| { | ||
| container_info.m_type = s_cri_runtime_type; |
There was a problem hiding this comment.
yes, we must be as specific as possible. i think we should report a container type being "CRI" only as a last resort.
userspace/libsinsp/filterchecks.cpp
Outdated
| @@ -6151,6 +6151,9 @@ uint8_t* sinsp_filter_check_container::extract(sinsp_evt *evt, OUT uint32_t* len | |||
| case sinsp_container_type::CT_CONTAINERD: | |||
| m_tstr = "containerd"; | |||
| break; | |||
| case sinsp_container_type::CT_CRIO: | |||
| m_tstr = "crio"; | |||
There was a problem hiding this comment.
Done (in both places). AFAIK this doesn't relate to the backend at all, just to container.type=cri-o style filters and Lua chisels
userspace/libsinsp/chisel_api.cpp
Outdated
| @@ -1193,6 +1193,10 @@ int lua_cbacks::get_container_table(lua_State *ls) | |||
| { | |||
| lua_pushstring(ls, "containerd"); | |||
| } | |||
| else if(it->second.m_type == CT_CRIO) | |||
| { | |||
| lua_pushstring(ls, "crio"); | |||
|
@gnosek , i just saw your comment on how the container type is stringified in the backend. so if "cri-o" is not possible, then ignore my comments about renaming "crio". |
gnosek
force-pushed
the
cri-o
branch
2 times, most recently
from
aa07d75 to
e4e4ae4
Compare
While containerd returns everything in the `info` dictionary, it's empty for CRIO, which means we need to get the IP address and the image ID from extra API calls. Unfortunately, it seems there's no way to get: * environment variables * privileged status * resource limits in any way from CRIO.
We set the container type in the calling method
CRI-O uses CRI so most of the work is done already but it differs in some important ways from containerd and has to be supported explicitly.