Skip to content
This repository has been archived by the owner on Jun 28, 2024. It is now read-only.

integration/cri-o: skip crio test 'ctr list filtering' #946

Closed

Conversation

devimc
Copy link

@devimc devimc commented Nov 27, 2018

Skip crio test 'ctr list filtering' to allow
kata-containers/runtime#847 lands

fixes #945

Signed-off-by: Julio Montes julio.montes@intel.com

Skip crio test 'ctr list filtering' to allow
kata-containers/runtime#847 lands

fixes kata-containers#945

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this pull request Nov 27, 2018
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and in the case of
the mount namespace (aka headache namespace ;)), it MUST BE created before
starting golang execution and in a new mount point with a propagation different
to shared, even worse, to make it persistent the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the
existence of it. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions now is possible to join, create, remove and make
persistent namespaces. Next diagram can help us to understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
@grahamwhaley
Copy link
Contributor

For ref (as it is many hops to find) kata-containers/runtime#944
@devimc - is there any way we can skip this only for devicemapper based CIs or similar? Also, is there an upstream k8s/crio issue open for this anywhere?
Do we have a plan to ever turn this back on? I don't like the idea of disabling a test just to land a single PR etc.

@sboeuf
Copy link

sboeuf commented Nov 27, 2018

@devimc

Skip crio test 'ctr list filtering' to allow kata-containers/runtime#847 lands

Maybe I'm missing something here, but why would we skip a test if it was working fine before and without the PR kata-containers/runtime#847?

@devimc
Copy link
Author

devimc commented Nov 27, 2018

@grahamwhaley

is there any way we can skip this only for devicemapper based CIs or similar?

No, but I can implemented

Also, is there an upstream k8s/crio issue open for this anywhere?

No, I spent a week debugging the issue, and seems like the problem is with the mount namespace and its propagation, might be the problem is the test

Do we have a plan to ever turn this back on? I don't like the idea of disabling a test just to land a single
PR etc.

Yes, kata-containers/runtime#944, and I'll be working on it

@sboeuf

why would we skip a test if it was working fine before and without the PR kata-containers/runtime#847?

I understand your concerns, it's just one test that fails with devicemapper (with overlay it works correctly), I'd like to see 847 landing and then fix this specific test

CI in kata-containers/runtime#847 is green, but first we need this change

@sboeuf
Copy link

sboeuf commented Nov 27, 2018

@devimc

I understand your concerns, it's just one test that fails with devicemapper (with overlay it works correctly), I'd like to see 847 landing and then fix this specific test

Well if it's only one test to fix, then let's fix it first right? There's no rush having kata-containers/runtime#847 merged since it needs to be discussed with the Kata community during the AC meeting. This gives you some time to fix the test in the meantime.

@jodh-intel
Copy link
Contributor

Ping @devimc - any update?

@devimc
Copy link
Author

devimc commented Dec 3, 2018

Hi @jodh-intel nop 😄

@ghost
Copy link

ghost commented Dec 18, 2018

Ping @devimc - any update?

@devimc devimc closed this Dec 18, 2018
devimc pushed a commit to devimc/kata-runtime that referenced this pull request Dec 17, 2019
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and in the case of
the mount namespace (aka headache namespace ;)), it MUST BE created before
starting golang execution and in a new mount point with a propagation different
to shared, even worse, to make it persistent the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the
existence of it. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions now is possible to join, create, remove and make
persistent namespaces. Next diagram can help us to understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this pull request Dec 17, 2019
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and in the case of
the mount namespace (aka headache namespace ;)), it MUST BE created before
starting golang execution and in a new mount point with a propagation different
to shared, even worse, to make it persistent the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the
existence of it. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions now is possible to join, create, remove and make
persistent namespaces. Next diagram can help us to understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this pull request Dec 17, 2019
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and in the case of
the mount namespace (aka headache namespace ;)), it MUST BE created before
starting golang execution and in a new mount point with a propagation different
to shared, even worse, to make it persistent the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the
existence of it. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions now is possible to join, create, remove and make
persistent namespaces. Next diagram can help us to understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
devimc pushed a commit to devimc/kata-runtime that referenced this pull request Dec 17, 2019
Unlike other runtimes, we have several components like qemu, kata-shim and
kata-proxy that should be placed in new namespace to improve the isolation and
security. The problem is that we need persistent namespaces and in the case of
the mount namespace (aka headache namespace ;)), it MUST BE created before
starting golang execution and in a new mount point with a propagation different
to shared, even worse, to make it persistent the new namespace
(/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the
existence of it. To get more information about this, see
github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions now is possible to join, create, remove and make
persistent namespaces. Next diagram can help us to understand how it works.

```
 ============================================================================
| Host's namespace                                    | New namespace!       |
|                                                     |                      |
| ---------------------------------------------------------------------------|
| C (no threads, no goroutines, NO GOLANG!)           |                      |
|                                                     |                      |
|  ---------   ---------------                        |                      |
| | Runtime |-|listen children|--|fork-setns-unshare|-|-------.              |
|  ---------   ---------------\                       |       |              |
|      |               |       \                      |       |              |
|    fork              |        Wait children &       |       |              |
|      |               |             exit             |       |              |
|----------------------------------------------------------------------------|
| Golang               |                              |       |              |
|      |        join,create,make,remove               |       |              |
|  ---------    persistent namespace                  |   ---------          |
| | Runtime |          |                              |  | Runtime |         |
|  ---------        --------                          |   ---------          |
|      |           |-Create |                         |       |              |
|  parse jsons     |-Start  |                         | Create,start,etc.    |
|  and cmdline     |-Delete |                         |   Containers         |
|       \          |-etc    |                         |       |              |
|        \         |--------                          |      exit            |
|         --subcmd-'                                  |                      |
|          \                                          |                      |
|           - exit                                    |                      |
 ============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Skip crio test 'ctr list filtering'
4 participants