Commit Graph

230 Commits

Author SHA1 Message Date
Mike Brown
8a08aebe1d removing/cloning vendor of kubelet pod label definitions
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-05-01 16:59:31 +00:00
Krisztian Litkey
7c03dd0361 nri: add type conversion functions removed from NRI.
Use internal CRI resource conversion functions instead of
the ones which were recently dropped from core NRI to get
rid of a direct NRI dependency on CRI.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
2025-04-25 18:03:03 +03:00
Adrien Delorme
72c8c7708c only keep one setting: concurrent_layer_fetch_buffer
Signed-off-by: Adrien Delorme <azr@users.noreply.github.com>
2025-04-24 11:41:33 +02:00
Adrien Delorme
024775dab1 set dl options on resolver
Signed-off-by: Adrien Delorme <azr@users.noreply.github.com>
2025-04-24 11:41:33 +02:00
Adrien Delorme
88116b1911 remove max_dl_operations setting
Signed-off-by: Adrien Delorme <azr@users.noreply.github.com>
2025-04-24 11:39:42 +02:00
Adrien Delorme
f9af08820b perf(pull): multipart layer fetch
Signed-off-by: Adrien Delorme <azr@users.noreply.github.com>
Co-Authored-By: Corentin REGAL <143578+co42@users.noreply.github.com>
2025-04-24 11:39:42 +02:00
Derek McGowan
fad6366871 Merge pull request #11693 from thaJeztah/lazyregexp
use lazyregexp to compile regexes on first use
2025-04-24 00:39:41 +00:00
Derek McGowan
116b98704b Merge pull request #8515 from fangn2/cri-image-transfer
Update CRI to use transfer service for image pull by default
2025-04-23 22:58:12 +00:00
Samuel Karp
33232e7853 Merge pull request #11746 from chrishenzie/containerd-metrics
Revert criserver metrics subsystem back to cri
2025-04-23 21:57:47 +00:00
Chris Henzie
f57727c423 Revert criserver metrics subsystem back to cri
This was producing different metric names which can break metric
collection. Reverting to the previous "cri" subsystem so metrics are
consistent across 1.X and 2.X.

Signed-off-by: Chris Henzie <chrishenzie@google.com>
2025-04-23 13:15:19 -07:00
Maksym Pavlenko
1f70f07480 Merge pull request #11729 from dmcgowan/erofsutils-internal
Move erofsutils to internal
2025-04-23 19:26:25 +00:00
Tony Fang
b694be29a0 Update CRI image service to pull using transfer service
- adds a transfer service progress reporter to handle timeouts. Also other test fixes
- falls back to local image pull when the configuration conflicts

Signed-off-by: Tony Fang <nhfang@amazon.com>

Co-authored-by: Swagat Bora <sbora@amazon.com>
2025-04-23 18:18:27 +00:00
Sebastiaan van Stijn
1477874494 use lazyregexp to compile regexes on first use
- internal/cri/bandwidth: use lazyregexp to compile regexes on first use
- pkg/identifiers: use lazyregexp to compile regexes on first use
- pkg/progress: use lazyregexp to compile regexes on first use
- pkg/reference: use lazyregexp to compile regexes on first use
- pkg/sys: use lazyregexp to compile regexes on first use

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-22 20:29:14 +02:00
Sebastiaan van Stijn
fa0e50ccf2 implement lazyregexp package
Based on the "lazyregexp" package in golang.org/x/mod;
https://cs.opensource.google/go/x/mod/+/refs/tags/v0.19.0:internal/lazyregexp/lazyre.go;l=66-78

This package allows defining regular expressions that should not be
compiled until used, but still providing validation to prevent
invalid regular expressions from producing a panic at runtime.

The lazyregexp package provides a subset of the methods provided
by "regexp" and only implements the methods used in the codebase.
Additional methods can be added when needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-22 20:27:06 +02:00
yylt
4b4e6f7c69 not set sandbox id when use podsandbox type
Signed-off-by: yang yang <yang8518296@163.com>
2025-04-22 09:30:14 -07:00
Derek McGowan
98eded24b8 Move erofsutils to internal
Avoid introducing utils package outside of internal. This package
should not be imported by other modules.

Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-04-22 09:03:49 -07:00
Maksym Pavlenko
96fa56d3fd Merge pull request #11675 from klihub/fixes/main/nri-cdi-device-injection
cri,nri: add missing option to allow plugins to inject devices using CDI.
2025-04-21 16:48:27 +00:00
Maksym Pavlenko
adc1066168 Merge pull request #11092 from djdongjin/follow-hosts-header-in-docker-authorizer
Add cri headers and hosts.toml header to auth requests
2025-04-17 19:46:44 +00:00
Maksym Pavlenko
b39d644c7c Merge pull request #11612 from yylt/inc
[CRI] store extension when create sandbox in metadata store
2025-04-17 19:42:38 +00:00
Jin Dong
97eb1cd46f change criService.runtimeHandlers slice to a map
This patch changes `criService.runtimeHandlers` from
a slice to a map, so we don't need to loop over the slice
in `createContainer`.

It also refactors `introspectRuntimeHandler` a bit
so it can be called given a single `config.Runtime`.
This will help implement extracting runtime config
to separate files (https://github.com/containerd/containerd/issues/9296)

Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2025-04-16 20:52:56 -04:00
Akihiro Suda
d9c889568e Remove the support for Schema 1 images
Schema 1 (`application/vnd.docker.distribution.manifest.v1+prettyjws`) has been
officially deprecated since containerd v1.7 (PR 6884), and disabled since v2.0 (PR 9765).

Users who have been seeing warnings like `conversion from schema 1 images is deprecated`
now have to rebuild the image with Schema 2 or OCI.

Schema 2 was introduced in Docker 1.10 (Feb 2016), so most users should have been already
using Schema 2 or OCI.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-04-11 09:03:26 +09:00
Krisztian Litkey
74af78b34f cri,nri: allow plugins to inject devices using CDI.
Set up NRI container adjustment with an extra option, allowing
NRI plugins to inject devices using CDI.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
2025-04-10 16:04:23 +03:00
Jin Dong
4857de8537 Add cri.config.headers to auth requests
Currently `cri.config.headers` is only added
to registry requests (manifests/blobs), but not
the auth requests.

This patch fixes it by passing `cri.config.headers`
when we create `DockerAuthorizer`.

Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2025-04-08 20:36:03 -04:00
ningmingxiao
ead5c1ee65 cri: fix lost container exit events if they arrive before info is cached
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-03-31 09:31:40 +08:00
Maksym Pavlenko
009d8be3ab Merge pull request #11588 from HirazawaUi/fix-panic
Fix the panic caused by the failure of RunPodSandbox
2025-03-30 22:55:34 +00:00
yylt
8602604346 store extension when create sandbox in store
Signed-off-by: yang yang <yang8518296@163.com>
2025-03-29 00:29:49 +08:00
Fu Wei
2fef42ab9b Merge pull request #11605 from fuweid/followup-image-volumes
*: image volume feature's follow-up
2025-03-28 13:47:30 +00:00
Wei Fu
de833ebbbe cri: enhance error handling for image volume
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2025-03-25 15:16:59 -04:00
Wei Fu
be0ab6e936 cri: add volatile option to image volume mount if applicable
Unmounting a writable overlayfs can trigger [syncfs][1], causing I/O pressure
and impacting running containers. If possible, we should apply volatile
option to image volume mount.

REF:

[1]: https://github.com/containerd/containerd/pull/6478

Signed-off-by: Wei Fu <fuweid89@gmail.com>
2025-03-25 15:16:40 -04:00
Phil Estes
ee7cbe5f6b Merge pull request #11452 from liuchangyan/align-json-toml-naming
Update max container log line size json field
2025-03-24 17:20:41 +00:00
Mike Brown
c9edabaac4 Merge pull request #11311 from djdongjin/multiple-cni-dir
Support multiple cni plugin bin dirs
2025-03-24 14:37:18 +00:00
HirazawaUi
a3a66d1f2b Fix the panic caused by the failure of RunPodSandbox
Signed-off-by: BING HONGTAO <695097494plus@gmail.com>
2025-03-24 14:47:36 +08:00
Jin Dong
42effa3b91 Mark NetworkPluginBinDir as DEPRECATED
To mark it as DEPRECATED, this PR does the following:

1. Changes the config default to use `NetworkPluginBinDirs`;
2. Marks `NetworkPluginBinDir` as deprecated (in config version 3);
3. Adds a config migration from 2 to 3, which migrates `bin_dir`
  in version 2 to `bin_dirs` in version 3.

Signed-off-by: Jin Dong <djdongjin95@gmail.com>

[wip] add deprecation warning

Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2025-03-21 16:59:32 +00:00
Teresaliu
7f9ca1dcb4 update max container log line size json field
Signed-off-by: Teresaliu <teresaliu@didiglobal.com>
2025-03-21 08:59:57 -04:00
Jin Dong
71f593d4a2 Support multiple CNI plugin bin dirs
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2025-03-20 17:13:34 +00:00
ningmingxiao
7c522819d2 support to set defer cleanup timeout to decrease ctx timeout
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-03-15 11:01:56 +08:00
Adrian Reber
9e6beafd53 Support container restore through CRI/Kubernetes
This implements container restore as described in:

https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/#restore-checkpointed-container-standalone

For detailed step by step instruction also see contrib/checkpoint/checkpoint-restore-cri-test.sh

The code changes are based on changes I have done in Podman around 2018
and CRI-O around 2020.

The history behind restoring containers via CRI/Kubernetes probably
requires some explanation. The initial proposal to bring
checkpoint/restore to Kubernetes was looking at pod checkpointing and
restoring and the corresponding CRI changes.

https://github.com/kubernetes-sigs/cri-tools/pull/662
https://github.com/kubernetes/kubernetes/pull/97194

After discussing this topic for about two years another approach was
implemented as described in KEP-2008:

https://github.com/kubernetes/enhancements/issues/2008

"Forensic Container Checkpointing" allowed us to separate checkpointing
from restoring. For the "Forensic Container Checkpointing" it is enough
to create a checkpoint of the container. Restoring is not necessary as
the analysis of the checkpoint archive can happen without restoring the
container.

While thinking about a way to restore a container it was by coincidence
that we started to look into restoring containers in Kubernetes via
Create and Start. The way it was done in CRI-O is to figure out during
Create if the container image is a checkpoint image and if that is true
we are using another code path. The same was implemented now with this
change in containerd.

With this change it is possible to restore the container from a
checkpoint tar archive that is created during checkpointing via CRI.

To restore a container via Kubernetes we convert the tar archive to an
OCI image as described in the kubernetes.io blog post from above. Using
this OCI image it is possible to restore a container in Kubernetes.

At this point I think it should be doable to restore containers in
CRI-O and containerd no matter if they have been created by containerd or
CRI-O. The biggest difference is the container metadata and that can
be adapted during restore.

Open items:

 * It is not clear to me why restoring a container in containerd goes
   through task/Create(). But as the restore code already exists this
   change extended the existing code path to restore a container in
   task/Create() to also restore a container through the CRI via
   Create and Start.
 * Automatic image pulling. containerd does not pull images
   automatically if created via the CRI. There is an option in
   crictl to pull images before starting, but that uses the CRI
   image pull interface. It is still a separate pull and create
   operation. Restoring containers from an OCI image is a bit
   different. The checkpoint OCI image does not include the base
   image, but just a reference to the image (NAME@DIGEST).
   Using crictl with pulling will enable the pulling of the
   checkpoint image, but not of the base image the checkpoint is
   based on. So during preparation of the checkpoint containerd
   will automatically pull the base image, but I was not able to find out how
   to pull an image blockingly in containerd. So there is a for
   loop waiting for the container image to appear in the internal
   store. I think this probably can be implemented better.

Anyway, this is a first step towards container restore in Kubernetes
when using containerd.

Signed-off-by: Adrian Reber <areber@redhat.com>
2025-03-11 12:55:13 +01:00
Derek McGowan
07dd4ccf35 Merge pull request #11518 from ningmingxiao/add_name
add name in package version
2025-03-10 15:11:02 +00:00
ningmingxiao
405a952c65 add name in package version
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-03-10 20:01:20 +08:00
Samuel Karp
edd1cc50d5 docs: include note about unprivileged sysctls
We changed the default setting for `enable_unprivileged_ports` and
`enable_unprivileged_icmp` in the CRI plugin in
https://github.com/containerd/containerd/pull/9348, but missed including
this change in the release notes.

Signed-off-by: Samuel Karp <samuelkarp@google.com>
2025-03-06 16:38:38 -08:00
Maksym Pavlenko
3aa34f5a6a Merge pull request #11080 from djdongjin/consolidate-security-profile
Consolidate security profile logic into a common pkg
2025-03-05 17:58:11 +00:00
Samuel Karp
5671f0e07f Merge pull request #11115 from champtar/log_container_event_discarded
Log "container event discarded" as Info
2025-02-28 21:25:26 +00:00
Akihiro Suda
daf776c1f3 Merge pull request #11271 from fengwei0328/dev2
Fix privileged container sysfs can't be rw because pod is ro by default
2025-02-28 07:05:11 +00:00
Akihiro Suda
d40ddb3a69 Merge pull request #11384 from klihub/fixes/main/nri-plugin-sync
cri,nri: fix initial sync race of registering NRI plugins.
2025-02-28 05:20:22 +00:00
Jin Dong
71958731e8 move security profile to cri/sputil pkg
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2025-02-20 19:15:58 +00:00
Shiming Zhang
1ec10d9ae7 Add OCI/Image Volume Source support
Signed-off-by: Shiming Zhang <wzshiming@hotmail.com>
2025-02-18 15:58:57 +08:00
Mike Brown
f7149a9e22 Merge pull request #11323 from chrishenzie/pod-sandbox-timestamp
Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
2025-02-17 20:31:07 +00:00
Fu Wei
5110775a92 Merge pull request #11264 from djdongjin/fix-noinline
Remove noinline in seccomp/apparmor SpecOpts
2025-02-13 18:43:01 +00:00
Krisztian Litkey
6a01ad3e16 cri,nri: block NRI plugin sync. during event processing.
Block the synchronization of registering NRI plugins during
CRI events to avoid the plugin ending up in an inconsistent
starting state after initial sync (missing pods, containers
or missed events for some pods or containers).

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
2025-02-13 14:37:20 +02:00
fengwei0328
1fc497218a Fix privileged container sysfs can't be rw because pod is ro by default
Signed-off-by: fengwei0328 <feng.wei8@zte.com.cn>
2025-02-08 11:37:45 +08:00