-
Notifications
You must be signed in to change notification settings - Fork 196
integration/cri-o: skip crio test 'ctr list filtering' #946
integration/cri-o: skip crio test 'ctr list filtering' #946
Conversation
Skip crio test 'ctr list filtering' to allow kata-containers/runtime#847 lands fixes kata-containers#945 Signed-off-by: Julio Montes <julio.montes@intel.com>
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
For ref (as it is many hops to find) kata-containers/runtime#944 |
Maybe I'm missing something here, but why would we skip a test if it was working fine before and without the PR kata-containers/runtime#847? |
No, but I can implemented
No, I spent a week debugging the issue, and seems like the problem is with the mount namespace and its propagation, might be the problem is the test
Yes, kata-containers/runtime#944, and I'll be working on it
I understand your concerns, it's just one test that fails with devicemapper (with overlay it works correctly), I'd like to see 847 landing and then fix this specific test CI in kata-containers/runtime#847 is green, but first we need this change |
Well if it's only one test to fix, then let's fix it first right? There's no rush having kata-containers/runtime#847 merged since it needs to be discussed with the Kata community during the AC meeting. This gives you some time to fix the test in the meantime. |
Ping @devimc - any update? |
Hi @jodh-intel nop 😄 |
Ping @devimc - any update? |
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in new namespace to improve the isolation and security. The problem is that we need persistent namespaces and in the case of the mount namespace (aka headache namespace ;)), it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared, even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1 With these new functions now is possible to join, create, remove and make persistent namespaces. Next diagram can help us to understand how it works. ``` ============================================================================ | Host's namespace | New namespace! | | | | | ---------------------------------------------------------------------------| | C (no threads, no goroutines, NO GOLANG!) | | | | | | --------- --------------- | | | | Runtime |-|listen children|--|fork-setns-unshare|-|-------. | | --------- ---------------\ | | | | | | \ | | | | fork | Wait children & | | | | | | exit | | | |----------------------------------------------------------------------------| | Golang | | | | | | join,create,make,remove | | | | --------- persistent namespace | --------- | | | Runtime | | | | Runtime | | | --------- -------- | --------- | | | |-Create | | | | | parse jsons |-Start | | Create,start,etc. | | and cmdline |-Delete | | Containers | | \ |-etc | | | | | \ |-------- | exit | | --subcmd-' | | | \ | | | - exit | | ============================================================================ ``` fixes kata-containers#160 Depends-on: github.com/kata-containers/tests#946 Signed-off-by: Julio Montes <julio.montes@intel.com>
Skip crio test 'ctr list filtering' to allow
kata-containers/runtime#847 lands
fixes #945
Signed-off-by: Julio Montes julio.montes@intel.com