From 37f3a6441172810d9710c8c9fad7c9cab3121480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Sun, 7 Jul 2019 14:10:02 +0200
Subject: [PATCH 1/2] Upgrade crio.conf to version v1.15.0

---
 .../minikube-iso/package/crio-bin/crio.conf | 58 +++++++++++++-----
 .../package/crio-bin/crio.conf.default | 60 +++++++++++++------
 2 files changed, 85 insertions(+), 33 deletions(-)

diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
index f096f4492903..2d96ded019b8 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
@@ -5,6 +5,11 @@
 #
 # Please refer to crio.conf(5) for details of all configuration options.
 
+# CRI-O supports partial configuration reload during runtime, which can be
+# done by sending SIGHUP to the running process. Currently supported options
+# are explicitly mentioned with: 'This option supports live configuration
+# reload'.
+
 # CRI-O reads its storage defaults from the containers-storage.conf(5) file
 # located at /etc/containers/storage.conf. Modify this storage configuration if
 # you want to change the system's defaults. If you want to modify storage just
@@ -28,9 +33,11 @@ storage_driver = "overlay"
 #]
 
 # If set to false, in-memory locking will be used instead of file-based locking.
-file_locking = true
+# **Deprecated** this option will be removed in the future.
+file_locking = false
 
 # Path to the lock file.
+# **Deprecated** this option will be removed in the future.
 file_locking_path = "/run/crio.lock"
 
 
@@ -90,6 +97,9 @@ no_pivot = true
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/libexec/crio/conmon"
 
+# Cgroup setting for conmon
+conmon_cgroup = "pod"
+
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
 conmon_env = [
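Review bot: `file_locking = false` in the second hunk drops the `/run/crio.lock` file lock on the containers-storage graph in favour of in-memory locking (as the hunk's own comment says), so CRI-O no longer serializes against any other process that opens the same `/var/lib/containers` store; nothing in this patch shows whether the ISO ships such a process (podman, buildah, a second crio invocation). If one exists, keep `file_locking = true` until the option is actually removed upstream. If CRI-O is the sole writer, record that next to the setting so the next upgrade does not have to re-derive it, e.g. `# minikube: CRI-O is the only user of this store on the ISO, so in-memory locking is safe`.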
@@ -100,8 +110,9 @@ conmon_env = [
 selinux = false
 
 # Path to the seccomp.json profile which is used as the default seccomp profile
-# for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
+# for the runtime. If not specified, then the internal default seccomp profile
+# will be used.
+seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
@@ -185,9 +196,13 @@ container_attach_socket_dir = "/var/run/crio"
 read_only = false
 
 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, and debug.
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
 log_level = "error"
 
+# The default log directory where all logs will go unless directly specified by the kubelet
+log_dir = "/var/log/crio/pods"
+
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
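Review bot: `seccomp_profile = ""` in the first hunk hands the choice of default seccomp filter to whatever this CRI-O binary has compiled in, and the config no longer names a profile an operator can inspect or diff on the host; the old `/etc/crio/seccomp.json` was at least a reviewable artifact. Whether an "internal default" is applied at all depends on the binary having seccomp support built in, which nothing in this file shows, and with `log_level = "error"` (second hunk) a runtime warning about a missing filter would presumably be suppressed. Before trusting the comment, boot the ISO and confirm a running container's main process shows `Seccomp: 2` in `/proc/<pid>/status`, then record it next to the setting: `# verified on the ISO: internal default profile is applied (Seccomp: 2 in /proc/<pid>/status)`.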
@@ -202,15 +217,19 @@ gid_mappings = ""
 # regarding the proper termination of the container.
 ctr_stop_timeout = 0
 
- # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
- # The runtime to use is picked based on the runtime_handler provided by the CRI.
- # If no runtime_handler is provided, the runtime will be picked based on the level
- # of trust of the workload.
-
- [crio.runtime.runtimes.runc]
- runtime_path = "/usr/bin/runc"
- runtime_type = "oci"
-
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false
+
+# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
+# The runtime to use is picked based on the runtime_handler provided by the CRI.
+# If no runtime_handler is provided, the runtime will be picked based on the level
+# of trust of the workload.
+
+[crio.runtime.runtimes.runc]
+runtime_path = "/usr/bin/runc"
+runtime_type = "oci"
+runtime_root = "/run/runc"
 
 
 # The crio.image table contains settings pertaining to the management of OCI images.
@@ -225,14 +244,21 @@ ctr_stop_timeout = 0
 # Default transport for pulling images from a remote container storage.
 default_transport = "docker://"
 
+# The path to a file containing credentials necessary for pulling images from
+# secure registries. The file is similar to that of /var/lib/kubelet/config.json
+global_auth_file = ""
+
 # The image used to instantiate infra containers.
+# This option supports live configuration reload.
 pause_image = "k8s.gcr.io/pause:3.1"
 
-# If not empty, the path to a docker/config.json-like file containing credentials
-# necessary for pulling the image specified by pause_imageĀ above.
+# The path to a file containing credentials specific for pulling the pause_image from
+# above. The file is similar to that of /var/lib/kubelet/config.json
+# This option supports live configuration reload.
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
+# This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -264,6 +290,6 @@ registries = [
 network_dir = "/etc/cni/net.d/"
 
 # Paths to directories where CNI plugin binaries are located.
-plugin_dir = [
+plugin_dirs = [
 	"/opt/cni/bin/",
 ]
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
index 725a0e413e86..86cb3df9ff99 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
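Review bot: `pause_image = "k8s.gcr.io/pause:3.1"` in the first hunk still references the infra-container image by a mutable tag, while the surrounding new comments only cover credentials (`global_auth_file`, `pause_image_auth_file`), not integrity; this is the image every pod sandbox on the ISO is built from, so it is the one most worth pinning. Now that the option supports live reload, a digest reference of the form `k8s.gcr.io/pause@sha256:<digest>` could be rolled out without restarting CRI-O, though whether the rest of minikube tolerates a digest reference is not visible here. At minimum add `# TODO: pin by digest once the pull path is confirmed to accept @sha256 references` next to the setting so the tag is a known, not forgotten, choice.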
@@ -5,6 +5,11 @@
 #
 # Please refer to crio.conf(5) for details of all configuration options.
 
+# CRI-O supports partial configuration reload during runtime, which can be
+# done by sending SIGHUP to the running process. Currently supported options
+# are explicitly mentioned with: 'This option supports live configuration
+# reload'.
+
 # CRI-O reads its storage defaults from the containers-storage.conf(5) file
 # located at /etc/containers/storage.conf. Modify this storage configuration if
 # you want to change the system's defaults. If you want to modify storage just
@@ -20,7 +25,7 @@
 
 # Storage driver used to manage the storage of images and containers. Please
 # refer to containers-storage.conf(5) to see all available storage drivers.
-#storage_driver = "overlay"
+#storage_driver = ""
 
 # List to pass options to the storage driver. Please refer to
 # containers-storage.conf(5) to see all available storage options.
@@ -28,9 +33,11 @@
 #]
 
 # If set to false, in-memory locking will be used instead of file-based locking.
-file_locking = true
+# **Deprecated** this option will be removed in the future.
+file_locking = false
 
 # Path to the lock file.
+# **Deprecated** this option will be removed in the future.
 file_locking_path = "/run/crio.lock"
 
 
@@ -90,6 +97,9 @@ no_pivot = false
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/local/libexec/crio/conmon"
 
+# Cgroup setting for conmon
+conmon_cgroup = "pod"
+
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
 conmon_env = [
@@ -100,8 +110,9 @@ conmon_env = [
 selinux = false
 
 # Path to the seccomp.json profile which is used as the default seccomp profile
-# for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
+# for the runtime. If not specified, then the internal default seccomp profile
+# will be used.
+seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
@@ -185,9 +196,13 @@ container_attach_socket_dir = "/var/run/crio"
 read_only = false
 
 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, and debug.
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
 log_level = "error"
 
+# The default log directory where all logs will go unless directly specified by the kubelet
+log_dir = "/var/log/crio/pods"
+
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -202,15 +217,19 @@ gid_mappings = ""
 # regarding the proper termination of the container.
 ctr_stop_timeout = 0
 
- # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
- # The runtime to use is picked based on the runtime_handler provided by the CRI.
- # If no runtime_handler is provided, the runtime will be picked based on the level
- # of trust of the workload.
-
- [crio.runtime.runtimes.runc]
- runtime_path = "/usr/bin/runc"
- runtime_type = "oci"
-
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false
+
+# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
+# The runtime to use is picked based on the runtime_handler provided by the CRI.
+# If no runtime_handler is provided, the runtime will be picked based on the level
+# of trust of the workload.
+
+[crio.runtime.runtimes.runc]
+runtime_path = ""
+runtime_type = "oci"
+runtime_root = "/run/runc"
 
 
 # The crio.image table contains settings pertaining to the management of OCI images.
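Review bot: `runtime_path = ""` in the `[crio.runtime.runtimes.runc]` table leaves the OCI runtime unpinned, whereas `crio.conf` in this same patch sets it to `/usr/bin/runc`; if this `.default` file is ever copied over the live config, the binary CRI-O executes as root for every container would presumably be whatever `runc` resolves to in the daemon's `$PATH` (the empty value is upstream's default; how CRI-O resolves it is not shown in this patch). Either set the same absolute path here, or mark the difference as deliberate with `# empty: resolved from the daemon's $PATH - use an absolute path when deploying (crio.conf does)` so nobody promotes this file unchanged.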
@@ -225,14 +244,21 @@ ctr_stop_timeout = 0
 # Default transport for pulling images from a remote container storage.
 default_transport = "docker://"
 
+# The path to a file containing credentials necessary for pulling images from
+# secure registries. The file is similar to that of /var/lib/kubelet/config.json
+global_auth_file = ""
+
 # The image used to instantiate infra containers.
+# This option supports live configuration reload.
 pause_image = "k8s.gcr.io/pause:3.1"
 
-# If not empty, the path to a docker/config.json-like file containing credentials
-# necessary for pulling the image specified by pause_imageĀ above.
+# The path to a file containing credentials specific for pulling the pause_image from
+# above. The file is similar to that of /var/lib/kubelet/config.json
+# This option supports live configuration reload.
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
+# This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -263,6 +289,6 @@ image_volumes = "mkdir"
 network_dir = "/etc/cni/net.d/"
 
 # Paths to directories where CNI plugin binaries are located.
-plugin_dir = [
+plugin_dirs = [
 	"/opt/cni/bin/",
 ]

From 85adbd76cb941999e2b2e7929bf1d0ccb7f9a3e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Sun, 7 Jul 2019 10:00:23 +0200
Subject: [PATCH 2/2] Upgrade crio to 1.15.0

The repository was moved to a separate organization
strings.ReplaceAll only work in go1.12, not go1.10
Need to create conmon/config.h without tags and git
The configuration _needs_ to be updated (yet again)
---
 .../package/crio-bin/conmon-config.h | 9 +++++
 .../package/crio-bin/crio-bin.hash | 1 +
 .../minikube-iso/package/crio-bin/crio-bin.mk | 15 ++++---
 .../package/crio-bin/crio-bin.patch | 39 +++++++++++++++++++
 4 files changed, 56 insertions(+), 8 deletions(-)
 create mode 100755 deploy/iso/minikube-iso/package/crio-bin/conmon-config.h
 create mode 100644 deploy/iso/minikube-iso/package/crio-bin/crio-bin.patch

diff --git a/deploy/iso/minikube-iso/package/crio-bin/conmon-config.h b/deploy/iso/minikube-iso/package/crio-bin/conmon-config.h
new file mode 100755
index 000000000000..1783492d0d8b
--- /dev/null
+++ b/deploy/iso/minikube-iso/package/crio-bin/conmon-config.h
@@ -0,0 +1,9 @@
+
+#if !defined(CONFIG_H)
+#define CONFIG_H
+
+#define BUF_SIZE 8192
+#define STDIO_BUF_SIZE 8192
+#define DEFAULT_SOCKET_PATH "/var/run/crio"
+
+#endif // CONFIG_H
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
index dc0e1a46d4b2..21804064852d 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
@@ -5,3 +5,4 @@ sha256 92588998dbb79002c38f65f84602b5659f0d0ef1cd36b1a568a2e40269b66816 v1.13.0.
 sha256 48e7cf64a757d62a3edf214e1b93b74d99f090ca924f956ede2494a260eab2db v1.13.1.tar.gz
 sha256 7435c4745017f06c260973b049440d924efe65b0df008d14175dfb8f5e23b599 v1.14.0.tar.gz
 sha256 1f6f72b1f89d4286b2d5b54a48f4d5ed4c0c01065d484635dcb343a706feb743 v1.14.1.tar.gz
+sha256 f7041a92e2d3a4c341be8df58f1076ba57ecb5daa02b6c65e652530c5f242739 v1.15.0.tar.gz
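Review bot: `conmon-config.h` is added here with mode 100755 (a header does not need an executable bit), but no hunk in this patch copies it into the cri-o source tree; the `crio-bin.mk` change instead generates `conmon/config.h` with `make conmon/config.h`, so unless a rule outside the shown hunks consumes this file it is dead and should be dropped. If it is consumed, its `BUF_SIZE`/`STDIO_BUF_SIZE` of 8192 and `DEFAULT_SOCKET_PATH` of `/var/run/crio` presumably have to match what `bin/crio-config` emits from `oci/oci.go`, since that is the declared source of the generated header, and nothing here says which version they were copied from. A one-line comment at the top, `/* hand-copied output of crio-config for cri-o v1.15.0; regenerate on every bump */`, would make that contract and its expiry visible, and the mode should be 100644.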
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
index 9331619cdfce..8fbe0ae3bee1 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-CRIO_BIN_VERSION = v1.14.1
-CRIO_BIN_COMMIT = b7644f67e6383cc862b3e37fb74fba334b0b2721
-CRIO_BIN_SITE = https://github.com/kubernetes-sigs/cri-o/archive
+CRIO_BIN_VERSION = v1.15.0
+CRIO_BIN_COMMIT = 485227d727401fa0472a449b5df3b0537e314ebb
+CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
 CRIO_BIN_GOPATH = $(@D)/_output
@@ -23,8 +23,10 @@ define CRIO_BIN_USERS
 endef
 
 define CRIO_BIN_CONFIGURE_CMDS
-	mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-sigs
-	ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-sigs/cri-o
+	mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/cri-o
+	ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/cri-o/cri-o
+	# Generate conmon/config.h with a simplified bin/crio-config
+	$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) BUILDTAGS="containers_image_ostree_stub exclude_graphdriver_btrfs exclude_graphdriver_devicemapper containers_image_openpgp" conmon/config.h
 endef
 
 define CRIO_BIN_BUILD_CMDS
@@ -45,9 +47,6 @@ define CRIO_BIN_INSTALL_TARGET_CMDS
 	$(INSTALL) -Dm755 \
 		$(@D)/bin/pause \
 		$(TARGET_DIR)/usr/libexec/crio/pause
-	$(INSTALL) -Dm644 \
-		$(@D)/seccomp.json \
-		$(TARGET_DIR)/etc/crio/seccomp.json
 	$(INSTALL) -Dm644 \
 		$(BR2_EXTERNAL_MINIKUBE_PATH)/package/crio-bin/crio.conf \
 		$(TARGET_DIR)/etc/crio/crio.conf
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.patch b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.patch
new file mode 100644
index 000000000000..e66dd99275b2
--- /dev/null
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.patch
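Review bot: The last hunk stops installing `seccomp.json` into `/etc/crio`, and `crio.conf` in this series now sets `seccomp_profile = ""` to rely on the binary's built-in profile, yet `CRIO_BIN_DEPENDENCIES = host-go libgpgme` in the first hunk lists no libseccomp; if the build tags in `CRIO_BIN_BUILD_CMDS` (outside these hunks) do not enable seccomp support, there is no default filter at all and containers run unconfined while the config comment says otherwise. Either add libseccomp to the dependencies and the matching build tag, or keep installing `seccomp.json` and point `seccomp_profile` at it so the policy stays an explicit, auditable file on disk. Separately, the new `conmon/config.h` step runs under `$(CRIO_BIN_ENV)` and, per the patched Makefile rule, executes the freshly built `bin/crio-config` on the build host; if that environment sets a target GOOS/GOARCH this only works while host and target match, which deserves a comment such as `# crio-config is executed on the host: host and target arch must match`.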
@@ -0,0 +1,39 @@
+diff --git a/Makefile b/Makefile
+index de79f63..a9ea13b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -136,7 +136,7 @@ crio.conf: bin/crio
+ release-note: ${RELEASE_TOOL}
+ 	${RELEASE_TOOL} -n $(release)
+ 
+-conmon/config.h: git-vars cmd/crio-config/config.go oci/oci.go
++conmon/config.h: cmd/crio-config/config.go oci/oci.go
+ 	$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS)" -o bin/crio-config $(PROJECT)/cmd/crio-config
+ 	( cd conmon && $(CURDIR)/bin/crio-config )
+ 
+diff --git a/cmd/crio/main.go b/cmd/crio/main.go
+index 0bc347a..ab9969f 100644
+--- a/cmd/crio/main.go
++++ b/cmd/crio/main.go
+@@ -207,7 +207,7 @@ func mergeConfig(config *server.Config, ctx *cli.Context) (string, error) {
+ }
+ 
+ func writeCrioGoroutineStacks() {
+-	path := filepath.Join("/tmp", fmt.Sprintf("crio-goroutine-stacks-%s.log", strings.ReplaceAll(time.Now().Format(time.RFC3339), ":", "")))
++	path := filepath.Join("/tmp", fmt.Sprintf("crio-goroutine-stacks-%s.log", strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)))
+ 	if err := utils.WriteGoroutineStacksToFile(path); err != nil {
+ 		logrus.Warnf("Failed to write goroutine stacks: %s", err)
+ 	}
+diff --git a/oci/runtime_vm.go b/oci/runtime_vm.go
+index 57a1fde..64f853f 100644
+--- a/oci/runtime_vm.go
++++ b/oci/runtime_vm.go
+@@ -172,7 +172,7 @@ func (r *runtimeVM) startRuntimeDaemon(c *Container) error {
+ 	args = append(args, "start")
+ 
+ 	// Modify the runtime path so that it complies with v2 shim API
+-	newRuntimePath := strings.ReplaceAll(r.path, "-", ".")
++	newRuntimePath := strings.Replace(r.path, "-", ".", -1)
+ 
+ 	// Setup default namespace
+ 	r.ctx = namespaces.WithNamespace(r.ctx, namespaces.Default)
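Review bot: The new `crio-bin.patch` begins directly at `diff --git a/Makefile` with no header, so the file itself never records that the two `strings.Replace(.., -1)` rewrites exist only because the ISO builds with go1.10 (`strings.ReplaceAll` is go1.12+) or that `git-vars` is dropped from the `conmon/config.h` prerequisites so the header can be generated from a tarball without a `.git` directory; only the commit message says so, and the next version bump will have to rediscover when the patch can go. Prefix the file with a short description along the lines of `Build fixes for go1.10 and tarball builds: replace strings.ReplaceAll (go1.12+) with strings.Replace(.., -1); drop git-vars from the conmon/config.h rule so it builds without git. Drop once host-go is >= 1.12.` followed by a Signed-off-by line. The rewrites themselves are behaviour-preserving (`n = -1` replaces every occurrence), and `startRuntimeDaemon` and `writeCrioGoroutineStacks` both continue outside the embedded hunks.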