<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/docker.git/plugin/executor/containerd, branch master</title>
<subtitle>github.com: dotcloud/docker.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/'/>
<entry>
<title>daemon: allow shimv2 runtimes to be configured</title>
<updated>2023-02-17T23:08:06+00:00</updated>
<author>
<name>Cory Snider</name>
<email>csnider@mirantis.com</email>
</author>
<published>2023-02-17T19:12:06+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=b0eed5ade62404ea70cad9fd86bc1a713e394acd'/>
<id>b0eed5ade62404ea70cad9fd86bc1a713e394acd</id>
<content type='text'>
Kubernetes only permits RuntimeClass values which are valid lowercase
RFC 1123 labels, which disallows the period character. This prevents
cri-dockerd from being able to support configuring alternative shimv2
runtimes for a pod as shimv2 runtime names must contain at least one
period character. Add support for configuring named shimv2 runtimes in
daemon.json so that runtime names can be aliased to
Kubernetes-compatible names.

Allow options to be set on shimv2 runtimes in daemon.json.

The names of the new daemon runtime config fields have been selected to
correspond with the equivalent field names in cri-containerd's
configuration so that users can more easily follow documentation from
the runtime vendor written for cri-containerd and apply it to
daemon.json.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Kubernetes only permits RuntimeClass values which are valid lowercase
RFC 1123 labels, which disallows the period character. This prevents
cri-dockerd from being able to support configuring alternative shimv2
runtimes for a pod as shimv2 runtime names must contain at least one
period character. Add support for configuring named shimv2 runtimes in
daemon.json so that runtime names can be aliased to
Kubernetes-compatible names.

Allow options to be set on shimv2 runtimes in daemon.json.

The names of the new daemon runtime config fields have been selected to
correspond with the equivalent field names in cri-containerd's
configuration so that users can more easily follow documentation from
the runtime vendor written for cri-containerd and apply it to
daemon.json.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix containerd task deletion after failed start</title>
<updated>2022-11-02T17:48:13+00:00</updated>
<author>
<name>Cory Snider</name>
<email>csnider@mirantis.com</email>
</author>
<published>2022-11-02T17:48:13+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=1bef9e3fbfbcedce10f476f890961fd1ba574fbb'/>
<id>1bef9e3fbfbcedce10f476f890961fd1ba574fbb</id>
<content type='text'>
Deleting a containerd task whose status is Created fails with a
"precondition failed" error. This is because (aside from Windows)
a process is spawned when the task is created, and deleting the task
while the process is running would leak the process if it was allowed.
libcontainerd and the containerd plugin executor mistakenly try to clean
up from a failed start by deleting the created task, which will always
fail with the aforementioned error. Change them to pass the
`WithProcessKill` delete option so the cleanup has a chance to succeed.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Deleting a containerd task whose status is Created fails with a
"precondition failed" error. This is because (aside from Windows)
a process is spawned when the task is created, and deleting the task
while the process is running would leak the process if it was allowed.
libcontainerd and the containerd plugin executor mistakenly try to clean
up from a failed start by deleting the created task, which will always
fail with the aforementioned error. Change them to pass the
`WithProcessKill` delete option so the cleanup has a chance to succeed.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Share logic to create-or-replace a container</title>
<updated>2022-08-24T18:59:08+00:00</updated>
<author>
<name>Cory Snider</name>
<email>csnider@mirantis.com</email>
</author>
<published>2022-05-05T17:00:45+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=6a2f385aea283aee4cce84c01308f5e7906a1564'/>
<id>6a2f385aea283aee4cce84c01308f5e7906a1564</id>
<content type='text'>
The existing logic to handle container ID conflicts when attempting to
create a plugin container is not nearly as robust as the implementation
in daemon for user containers. Extract and refine the logic from daemon
and use it in the plugin executor.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The existing logic to handle container ID conflicts when attempting to
create a plugin container is not nearly as robust as the implementation
in daemon for user containers. Extract and refine the logic from daemon
and use it in the plugin executor.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor libcontainerd to minimize c8d RPCs</title>
<updated>2022-08-24T18:59:08+00:00</updated>
<author>
<name>Cory Snider</name>
<email>csnider@mirantis.com</email>
</author>
<published>2022-05-10T19:59:00+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=4bafaa00aa810dd17fde13e563def08f96fffc31'/>
<id>4bafaa00aa810dd17fde13e563def08f96fffc31</id>
<content type='text'>
The containerd client is very chatty at the best of times. Because the
libcontainerd API is stateless and references containers and processes by
string ID for every method call, the implementation is essentially
forced to use the containerd client in a way which amplifies the number
of redundant RPCs invoked to perform any operation. The libcontainerd
remote implementation has to reload the containerd container, task
and/or process metadata for nearly every operation. This in turn
amplifies the number of context switches between dockerd and containerd
to perform any container operation or handle a containerd event,
increasing the load on the system which could otherwise be allocated to
workloads.

Overhaul the libcontainerd interface to reduce the impedance mismatch
with the containerd client so that the containerd client can be used
more efficiently. Split the API out into container, task and process
interfaces which the consumer is expected to retain so that
libcontainerd can retain state---especially the analogous containerd
client objects---without having to manage any state-store inside the
libcontainerd client.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The containerd client is very chatty at the best of times. Because the
libcontainerd API is stateless and references containers and processes by
string ID for every method call, the implementation is essentially
forced to use the containerd client in a way which amplifies the number
of redundant RPCs invoked to perform any operation. The libcontainerd
remote implementation has to reload the containerd container, task
and/or process metadata for nearly every operation. This in turn
amplifies the number of context switches between dockerd and containerd
to perform any container operation or handle a containerd event,
increasing the load on the system which could otherwise be allocated to
workloads.

Overhaul the libcontainerd interface to reduce the impedance mismatch
with the containerd client so that the containerd client can be used
more efficiently. Split the API out into container, task and process
interfaces which the consumer is expected to retain so that
libcontainerd can retain state---especially the analogous containerd
client objects---without having to manage any state-store inside the
libcontainerd client.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>plugin: Executor.Signal() accept syscall.Signal</title>
<updated>2022-05-04T22:53:55+00:00</updated>
<author>
<name>Sebastiaan van Stijn</name>
<email>github@gone.nl</email>
</author>
<published>2022-05-01T22:52:16+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=521807837ba60247005f78f0000cfa1b30585c21'/>
<id>521807837ba60247005f78f0000cfa1b30585c21</id>
<content type='text'>
This helps reduce some type-juggling / conversions further up
the stack.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This helps reduce some type-juggling / conversions further up
the stack.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libcontainerd: SignalProcess(): accept syscall.Signal</title>
<updated>2022-05-04T22:53:49+00:00</updated>
<author>
<name>Sebastiaan van Stijn</name>
<email>github@gone.nl</email>
</author>
<published>2022-05-01T22:05:21+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=2ec2b65e45ca6ae28480c6da49aaf06fda1a091f'/>
<id>2ec2b65e45ca6ae28480c6da49aaf06fda1a091f</id>
<content type='text'>
This helps reduce some type-juggling / conversions further up
the stack.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This helps reduce some type-juggling / conversions further up
the stack.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>daemon: move default namespaces to daemon/config</title>
<updated>2022-04-17T11:10:57+00:00</updated>
<author>
<name>Sebastiaan van Stijn</name>
<email>github@gone.nl</email>
</author>
<published>2022-04-02T15:43:50+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=690a6fddf9564c4947e50302bd18f0005f0e3e94'/>
<id>690a6fddf9564c4947e50302bd18f0005f0e3e94</id>
<content type='text'>
Keeping the defaults in a single location, which also reduces
the list of imports needed.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Keeping the defaults in a single location, which also reduces
the list of imports needed.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Configure shims from runtime config</title>
<updated>2020-07-13T21:18:02+00:00</updated>
<author>
<name>Brian Goff</name>
<email>cpuguy83@gmail.com</email>
</author>
<published>2020-07-07T20:33:46+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=f63f73a4a8f531813d6b46a2347cab4bfd210df7'/>
<id>f63f73a4a8f531813d6b46a2347cab4bfd210df7</id>
<content type='text'>
In dockerd we already have a concept of a "runtime", which specifies the
OCI runtime to use (e.g. runc).
This PR extends that config to add containerd shim configuration.
This option is only exposed within the daemon itself (cannot be
configured in daemon.json).
This is due to issues in supporting unknown shims which will require
more design work.

What this change allows us to do is keep all the runtime config in one
place.

So the default "runc" runtime will just have its already existing shim
config codified within the runtime config alone.
I've also added 2 more "stock" runtimes which are basically runc+shimv1
and runc+shimv2.
These new runtime configurations are:

- io.containerd.runtime.v1.linux - runc + v1 shim using the V1 shim API
- io.containerd.runc.v2 - runc + shim v2

These names coincide with the actual names of the containerd shims.

This allows the user to essentially control what shim is going to be
used by either specifying these as a `--runtime` on container create or
by setting `--default-runtime` on the daemon.

For custom/user-specified runtimes, the default shim config (currently
shim v1) is used.

Signed-off-by: Brian Goff &lt;cpuguy83@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In dockerd we already have a concept of a "runtime", which specifies the
OCI runtime to use (e.g. runc).
This PR extends that config to add containerd shim configuration.
This option is only exposed within the daemon itself (cannot be
configured in daemon.json).
This is due to issues in supporting unknown shims which will require
more design work.

What this change allows us to do is keep all the runtime config in one
place.

So the default "runc" runtime will just have its already existing shim
config codified within the runtime config alone.
I've also added 2 more "stock" runtimes which are basically runc+shimv1
and runc+shimv2.
These new runtime configurations are:

- io.containerd.runtime.v1.linux - runc + v1 shim using the V1 shim API
- io.containerd.runc.v2 - runc + shim v2

These names coincide with the actual names of the containerd shims.

This allows the user to essentially control what shim is going to be
used by either specifying these as a `--runtime` on container create or
by setting `--default-runtime` on the daemon.

For custom/user-specified runtimes, the default shim config (currently
shim v1) is used.

Signed-off-by: Brian Goff &lt;cpuguy83@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cgroup2: use shim V2</title>
<updated>2019-12-31T17:58:40+00:00</updated>
<author>
<name>Akihiro Suda</name>
<email>akihiro.suda.cz@hco.ntt.co.jp</email>
</author>
<published>2019-11-05T07:10:19+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=612343618dd7dad7cf023e6263d693ab37507a92'/>
<id>612343618dd7dad7cf023e6263d693ab37507a92</id>
<content type='text'>
* Requires containerd binaries from containerd/containerd#3799. Metrics are not yet implemented.
* Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using the master version of libseccomp
  ( containers/crun#156, seccomp/libseccomp#177 )
* Doesn't work with master runc yet
* Resource limitations are unimplemented

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* Requires containerd binaries from containerd/containerd#3799. Metrics are not yet implemented.
* Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using the master version of libseccomp
  ( containers/crun#156, seccomp/libseccomp#177 )
* Doesn't work with master runc yet
* Resource limitations are unimplemented

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>goimports: fix imports</title>
<updated>2019-09-18T10:56:54+00:00</updated>
<author>
<name>Sebastiaan van Stijn</name>
<email>github@gone.nl</email>
</author>
<published>2019-08-05T14:37:47+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/docker.git/commit/?id=07ff4f1de895dd760aec11f55bc6c4ca2175cef1'/>
<id>07ff4f1de895dd760aec11f55bc6c4ca2175cef1</id>
<content type='text'>
Format the source according to latest goimports.

Signed-off-by: Kir Kolyshkin &lt;kolyshkin@gmail.com&gt;
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Format the source according to latest goimports.

Signed-off-by: Kir Kolyshkin &lt;kolyshkin@gmail.com&gt;
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
</pre>
</div>
</content>
</entry>
</feed>
