This repository has been archived by the owner on May 12, 2021. It is now read-only.

make sure kataAgent/createContainer can decode old specs.Spec #334

Merged
merged 1 commit into from
Jun 4, 2018

keloyang
Contributor

In old specs.Spec, Capabilities is [] string, but we don't use CompatOCISpec for compatibility in kataAgent/createContainer; this leads to docker-1.11.2 failing to start kata-container. This PR fixes this.

Before this PR:

[root@localhost linux]# docker run --rm -it --runtime kata-runtime busybox sh
docker: Error response from daemon: oci runtime error: json: cannot unmarshal array into Go struct field Process.capabilities of type specs.LinuxCapabilities.

After this PR:

[root@localhost linux]# docker run --rm -it --runtime kata-runtime busybox sh
/ # exit

@keloyang keloyang force-pushed the spec-compatibility branch 4 times, most recently from 4a3e33f to e195a6f Compare May 23, 2018 08:13
@katabuilder

PSS Measurement:
Qemu: 141908 KB
Proxy: 6785 KB
Shim: 10897 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2011676 KB

@jodh-intel
Contributor

Hi @keloyang - thanks for raising. However, I'm not clear why we need to support docker 1.11 since:

Also, note that this change breaks a number of the tests hence the CI failures.

@keloyang
Contributor Author

@jodh-intel thanks for your review.
The purpose of this PR is not only to support docker-1.11.2.
Refer to https://github.com/kata-containers/runtime/blob/master/virtcontainers/pkg/oci/utils.go#L522 and https://github.com/kata-containers/runtime/blob/master/virtcontainers/kata_agent.go#L741
In ContainerConfig, we use CompatOCISpec and send it to kata-agent, but kata-agent uses specs.Spec to decode it; if docker sends [] string as capabilities to kata-runtime, it will lead to a JSON decode error.
So before consuming capabilities, the agent needs to translate capabilities to vc.LinuxCapabilities, or use CompatOCISpec to replace specs.Spec in kata-agent.

@sboeuf sboeuf left a comment

@keloyang This looks good to me, but just want to make sure about functionality here. Do you get the expected capabilities inside your container with Docker 1.11?

Also, this might be worth adding a test to ensure that we get the expected list of capabilities listed as a vc.LinuxCapabilities, no matter which spec version is used. This is important to make sure this PR solved an actual issue, and also to ensure this won't get broken later.

@keloyang keloyang force-pushed the spec-compatibility branch from e195a6f to 043fa5f Compare May 26, 2018 06:39
@keloyang keloyang closed this May 26, 2018
@keloyang keloyang force-pushed the spec-compatibility branch from 043fa5f to 086d197 Compare May 26, 2018 06:54
@keloyang keloyang reopened this May 26, 2018
@katabuilder

PSS Measurement:
Qemu: 144251 KB
Proxy: 4703 KB
Shim: 8811 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2012604 KB

@keloyang
Contributor Author

@sboeuf I have added the test cases. PTAL

@katabuilder

PSS Measurement:
Qemu: 144025 KB
Proxy: 6728 KB
Shim: 10857 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2015388 KB

@WeiZhang555
Member

CI is failing on these:

--- FAIL: TestCreateCreateSandboxFail (0.02s)
	assertions.go:239: 
                          
	Error Trace:	create_test.go:929
		
	Error:      	Should be true
=== RUN   TestCreateCreateContainerContainerConfigFail
--- FAIL: TestCreateCreateContainerContainerConfigFail (0.02s)
	assertions.go:239: 
                          
	Error Trace:	create_test.go:968
		
	Error:      	Should be true
	assertions.go:239: 
                          
	Error Trace:	create_test.go:968
		
	Error:      	Should be true
=== RUN   TestCreateCreateContainerFail
--- FAIL: TestCreateCreateContainerFail (0.02s)
	assertions.go:239: 
                          
	Error Trace:	create_test.go:1008
		
	Error:      	Should be true
	assertions.go:239: 
                          
	Error Trace:	create_test.go:1008
		
	Error:      	Should be true
=== RUN   TestCreateCreateContainer
--- FAIL: TestCreateCreateContainer (0.02s)
	assertions.go:239: 
                          
	Error Trace:	create_test.go:1055
		
	Error:      	Received unexpected error:
		
	            	Unexpected format for capabilities: map[permitted:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] ambient:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] bounding:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] effective:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] inheritable:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE]]
	assertions.go:239: 
                          
	Error Trace:	create_test.go:1055
		
	Error:      	Received unexpected error:
		
	            	Unexpected format for capabilities: map[inheritable:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] permitted:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] ambient:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] bounding:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE] effective:[CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE]]

I think they are real failing test cases, can you resolve this?

@keloyang keloyang force-pushed the spec-compatibility branch from c778371 to 29144d0 Compare May 30, 2018 03:47
@keloyang
Contributor Author

@WeiZhang555 fixed, thanks.

@katabuilder

PSS Measurement:
Qemu: 142563 KB
Proxy: 6591 KB
Shim: 8792 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2011340 KB

@keloyang keloyang force-pushed the spec-compatibility branch from 29144d0 to 1b592fa Compare May 30, 2018 04:49
@katabuilder

PSS Measurement:
Qemu: 142565 KB
Proxy: 6786 KB
Shim: 10880 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2013720 KB

@amshinde
Member

Looks like this broke with the kata-agent since the parsing is done in a couple of places now. I remember this working with clear-containers.

cli/main_test.go Outdated
@@ -421,7 +421,13 @@ func readOCIConfigFile(configPath string) (oci.CompatOCISpec, error) {
if err := json.Unmarshal(data, &ociSpec); err != nil {
return oci.CompatOCISpec{}, err
}

if ociSpec.Process != nil {
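Review bot: The `if ociSpec.Process != nil` guard at the end of this hunk sits in the test helper readOCIConfigFile, so the tests exercise a nil check that other callers of the capabilities conversion do not get unless they repeat it. Move the guard into the conversion function itself, have it return an empty capability set for a nil Process, and drop the check here so the helper stays a plain unmarshal.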
Member

I think it would be better to add this check for Process in containerCapabilities function itself. If the process is nil, return empty capabilities in that function itself. You can avoid checking for nil value of Process at multiple places.

Contributor Author

If we add the check in ContainerCapabilities, we don't know whether ociSpec.Process is nil, so we still need to check outside of ContainerCapabilities.

Contributor Author

@amshinde what do you mean, like the following?

	caps, err := containerCapabilities(ocispec)  
	if err != nil {  
		return CompatOCISpec{}, err  
	}  
	ocispec.Process.Capabilities = caps  

func containerCapabilities(s CompatOCISpec) (vc.LinuxCapabilities, error) {
	if ocispec.Process == nil {
		return vc.LinuxCapabilities{}, err
	}
	...
}

Member

I think @amshinde 's suggestion is right.

func containerCapabilities(s CompatOCISpec) (vc.LinuxCapabilities, error) {
	if s.Process == nil {
		return vc.LinuxCapabilities{}, nil
	}
	...
}

This is also necessary to avoid containerCapabilities() panicking in case s.Process is nil.

Member

@keloyang Yes, basically what @WeiZhang555 pasted above.
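
The compatibility handling discussed in this review thread, as an added Go sketch that is not the PR's or the project's code: `LinuxCapabilities`, `compatSpec` and `DecodeCapabilities` are hypothetical stand-ins, the sample input is constructed, and applying a legacy flat list to every capability set is an assumption of the sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LinuxCapabilities is a hypothetical stand-in for the structured form.
type LinuxCapabilities struct {
	Bounding, Effective, Inheritable, Permitted, Ambient []string
}

// compatSpec keeps process.capabilities undecoded so both forms are accepted.
type compatSpec struct {
	Process *struct {
		Capabilities json.RawMessage `json:"capabilities"`
	} `json:"process"`
}

// DecodeCapabilities normalizes either spec form into LinuxCapabilities.
func DecodeCapabilities(spec []byte) (LinuxCapabilities, error) {
	var s compatSpec
	if err := json.Unmarshal(spec, &s); err != nil {
		return LinuxCapabilities{}, err
	}
	// Guard once, here: a spec without process yields an empty set, not a panic.
	if s.Process == nil || len(s.Process.Capabilities) == 0 {
		return LinuxCapabilities{}, nil
	}
	var flat []string
	if json.Unmarshal(s.Process.Capabilities, &flat) == nil {
		// Assumption: a legacy flat list applies to every capability set.
		return LinuxCapabilities{flat, flat, flat, flat, flat}, nil
	}
	var caps LinuxCapabilities
	if err := json.Unmarshal(s.Process.Capabilities, &caps); err != nil {
		// Fail closed: never guess a capability set from an unknown shape.
		return LinuxCapabilities{}, fmt.Errorf("unexpected format for capabilities: %w", err)
	}
	return caps, nil
}

func main() {
	// Constructed sample: a legacy spec whose capabilities are a flat list.
	caps, err := DecodeCapabilities([]byte(`{"process":{"capabilities":["CAP_KILL"]}}`))
	fmt.Printf("%+v err=%v\n", caps, err)
}
```

Decoding both shapes in one place means the runtime and the agent cannot disagree about which capability set a container receives.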

@sboeuf

sboeuf commented May 31, 2018

@keloyang please rework as suggested by @WeiZhang555 and @amshinde. This LGTM once this is done!

@keloyang keloyang force-pushed the spec-compatibility branch from 1b592fa to 16bf8bf Compare June 1, 2018 01:56
@codecov

codecov bot commented Jun 1, 2018

Codecov Report

Merging #334 into master will increase coverage by 0.14%.
The diff coverage is 50%.

@@            Coverage Diff             @@
##           master     #334      +/-   ##
==========================================
+ Coverage   63.74%   63.89%   +0.14%     
==========================================
  Files          87       87              
  Lines        8731     8633      -98     
==========================================
- Hits         5566     5516      -50     
+ Misses       2569     2532      -37     
+ Partials      596      585      -11
Impacted Files Coverage Δ
virtcontainers/pkg/oci/utils.go 77.64% <50%> (-0.76%) ⬇️
virtcontainers/kata_agent.go 28.61% <0%> (-1.17%) ⬇️
virtcontainers/noop_agent.go 90.9% <0%> (-0.76%) ⬇️
virtcontainers/api.go 63.12% <0%> (-0.62%) ⬇️
virtcontainers/pkg/vcmock/mock.go 95.18% <0%> (-0.43%) ⬇️
cli/pause.go 100% <0%> (ø) ⬆️
virtcontainers/implementation.go 0% <0%> (ø) ⬆️
virtcontainers/sandbox.go 67.45% <0%> (+0.34%) ⬆️
virtcontainers/hyperstart_agent.go 59.12% <0%> (+0.54%) ⬆️
... and 1 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5f5f619...9a0434d. Read the comment docs.

@keloyang
Contributor Author

keloyang commented Jun 1, 2018

ping @sboeuf @WeiZhang555 @amshinde

@keloyang keloyang force-pushed the spec-compatibility branch from 16bf8bf to 9a0434d Compare June 1, 2018 05:46
@katabuilder

PSS Measurement:
Qemu: 161906 KB
Proxy: 4664 KB
Shim: 12811 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 1996004 KB

@sboeuf

sboeuf commented Jun 1, 2018

Thanks @keloyang, this LGTM. I'm leaving the final words to @amshinde and @WeiZhang555 for merging this :)

in old specs.Spec, Capabilities is [] string, but we don't use CompatOCISpec
for compatibility in kataAgent/createContainer.

fixes #333

Signed-off-by: y00316549 <yangshukui@huawei.com>
@keloyang
Contributor Author

keloyang commented Jun 4, 2018

ping @WeiZhang555 @amshinde, PTAL, thanks.

@bergwolf
Member

bergwolf commented Jun 4, 2018

lgtm!

ubuntu ci failure looks to be unrelated.

Makefile:35: recipe for target 'crio' failed
make: *** [crio] Error 1
Build step 'Execute shell' marked build as failure

Approved with PullApprove

@WeiZhang555
Member

WeiZhang555 commented Jun 4, 2018

LGTM

Approved with PullApprove
