cri-o · mrunalp · Mar 2, 2018 · Mar 1, 2018 · Feb 28, 2018 · wking
diff --git a/cmd/crio/config.go b/cmd/crio/config.go
@@ -114,9 +114,6 @@ default_mounts = [
 # pids_limit is the number of processes allowed in a container
 pids_limit = {{ .PidsLimit }}
 
-# enable using a shared PID namespace for containers in a pod
-enable_shared_pid_namespace = {{ .EnableSharedPIDNamespace }}
-
 # log_size_max is the max limit for the container log size in bytes.
 # Negative values indicate that no limit is imposed.
 log_size_max = {{ .LogSizeMax }}

diff --git a/cmd/crio/main.go b/cmd/crio/main.go
@@ -131,9 +131,6 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("pids-limit") {
 		config.PidsLimit = ctx.GlobalInt64("pids-limit")
 	}
-	if ctx.GlobalIsSet("enable-shared-pid-namespace") {
-		config.EnableSharedPIDNamespace = ctx.GlobalBool("enable-shared-pid-namespace")
-	}
 	if ctx.GlobalIsSet("log-size-max") {
 		config.LogSizeMax = ctx.GlobalInt64("log-size-max")
 	}
@@ -299,10 +296,6 @@ func main() {
 			Value: lib.DefaultPidsLimit,
 			Usage: "maximum number of processes allowed in a container",
 		},
-		cli.BoolFlag{
-			Name:  "enable-shared-pid-namespace",
-			Usage: "enable using a shared PID namespace for containers in a pod",
-		},
 		cli.Int64Flag{
 			Name:  "log-size-max",
 			Value: lib.DefaultLogSizeMax,

diff --git a/contrib/test/integration/main.yml b/contrib/test/integration/main.yml
@@ -118,7 +118,7 @@
       include: "build/kubernetes.yml"
       vars:
           force_clone: True
-          k8s_git_version: "master"
+          k8s_git_version: "release-1.10"
           k8s_github_fork: "kubernetes"
           crio_socket: "/var/run/crio/crio.sock"
     - name: run k8s e2e tests

diff --git a/docs/crio.8.md b/docs/crio.8.md
@@ -94,8 +94,6 @@ crio [GLOBAL OPTIONS] config [OPTIONS]
 
 **--pids-limit**="": Maximum number of processes allowed in a container (default: 1024)
 
-**--enable-shared-pid-namespace**="": Enable using a shared PID namespace for containers in a pod (default: false)
-
 **--root**="": The crio root dir (default: "/var/lib/containers/storage")
 
 **--registry**="": Registry host which will be prepended to unqualified images, can be specified multiple times

diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -87,9 +87,6 @@ Example:
 **pids_limit**=""
   Maximum number of processes allowed in a container (default: 1024)
 
-**enable_shared_pid_namespace**=""
-  Enable using a shared PID namespace for containers in a pod (default: false)
-
 **runtime**=""
   OCI runtime path (default: "/usr/bin/runc")
 

diff --git a/lib/config.go b/lib/config.go
@@ -121,9 +121,6 @@ type RuntimeConfig struct {
 	// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
 	NoPivot bool `toml:"no_pivot"`
 
-	// EnableSharePidNamespace instructs the runtime to enable share pid namespace
-	EnableSharedPIDNamespace bool `toml:"enable_shared_pid_namespace"`
-
 	// Conmon is the path to conmon binary, used for managing the runtime.
 	Conmon string `toml:"conmon"`
 

diff --git a/server/container_create.go b/server/container_create.go
@@ -1000,7 +1000,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_NODE {
 		// kubernetes PodSpec specify to use Host PID namespace
 		specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
-	} else if s.config.EnableSharedPIDNamespace {
+	} else if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_POD {
 		// share Pod PID namespace
 		pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", podInfraState.Pid)
 		if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {

diff --git a/test/helpers.bash b/test/helpers.bash
@@ -56,8 +56,6 @@ IMAGE_VOLUMES=${IMAGE_VOLUMES:-mkdir}
 PIDS_LIMIT=${PIDS_LIMIT:-1024}
 # Log size max limit
 LOG_SIZE_MAX_LIMIT=${LOG_SIZE_MAX_LIMIT:--1}
-# enable share container pid namespace
-ENABLE_SHARED_PID_NAMESPACE=${ENABLE_SHARED_PID_NAMESPACE:-false}
 
 TESTDIR=$(mktemp -d)
 
@@ -217,7 +215,7 @@ function start_crio() {
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/image-volume-test:latest --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json
-	"$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --enable-shared-pid-namespace=${ENABLE_SHARED_PID_NAMESPACE} --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
+	"$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
 
 	# Prepare the CNI configuration files, we're running with non host networking by default
 	if [[ -n "$4" ]]; then

diff --git a/test/namespaces.bats b/test/namespaces.bats
@@ -6,14 +6,15 @@ function teardown() {
 	cleanup_test
 }
 
-function pid_namespace_test() {
+@test "pid_namespace_mode_pod_test" {
 	start_crio
-
-	run crictl runp "$TESTDATA"/sandbox_config.json
+	pidNamespaceMode=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["namespace_options"]["pid"] = 0; json.dump(obj, sys.stdout)')
+	echo "$pidNamespaceMode" > "$TESTDIR"/sandbox_pidnamespacemode_config.json
+	run crictl runp "$TESTDIR"/sandbox_pidnamespacemode_config.json
 	echo "$output"
 	[ "$status" -eq 0 ]
 	pod_id="$output"
-	run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
+	run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox_pidnamespacemode_config.json
 	echo "$output"
 	[ "$status" -eq 0 ]
 	ctr_id="$output"
@@ -23,7 +24,7 @@ function pid_namespace_test() {
 	run crictl exec --sync "$ctr_id" cat /proc/1/cmdline
 	echo "$output"
 	[ "$status" -eq 0 ]
-	[[ "$output" =~ "${EXPECTED_INIT:-redis}" ]]
+	[[ "$output" =~ pause ]]
 
 	run crictl stopp "$pod_id"
 	echo "$output"
@@ -35,11 +36,3 @@ function pid_namespace_test() {
 	cleanup_pods
 	stop_crio
 }
-
-@test "pod disable shared pid namespace" {
-	ENABLE_SHARED_PID_NAMESPACE=false pid_namespace_test
-}
-
-@test "pod enable shared pid namespace" {
-	ENABLE_SHARED_PID_NAMESPACE=true EXPECTED_INIT=pause pid_namespace_test
-}
diff --git a/vendor.conf b/vendor.conf
@@ -1,11 +1,11 @@
-k8s.io/kubernetes 7488d1c9210e60aef9ad49f07cb5d8a24152db88 https://github.com/kubernetes/kubernetes
+k8s.io/kubernetes 305052d6d2c1fa976c7a841350396061a2c26ac0 https://github.com/kubernetes/kubernetes
 k8s.io/client-go 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e https://github.com/kubernetes/client-go
 k8s.io/apimachinery 616b23029fa3dc3e0ccefd47963f5651a6543d94 https://github.com/kubernetes/apimachinery
 k8s.io/apiserver 4d1163080139f1f9094baf8a3a6099e85e1867f6 https://github.com/kubernetes/apiserver
 k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
-k8s.io/api 2694da5be9c4ab4f3fd826112d4c3f71b8bf4b23 https://github.com/kubernetes/api
+k8s.io/api 5ce4aa0bf2f097f6021127b3d879eeda82026be8 https://github.com/kubernetes/api
 k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/kubernetes/kube-openapi
-k8s.io/apiextensions-apiserver 7a8c4a8494109c5ce12cb35d9699b81a240583c0 https://github.com/kubernetes/apiextensions-apiserver
+k8s.io/apiextensions-apiserver 1b31e26d82f1ec2e945c560790e98f34bb5f2e63 https://github.com/kubernetes/apiextensions-apiserver
 #
 github.com/googleapis/gnostic 0c5108395e2debce0d731cf0287ddf7242066aba
 github.com/gregjones/httpcache 787624de3eb7bd915c329cba748687a3b22666a6

diff --git a/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go b/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go
diff --git a/vendor/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go b/vendor/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go
diff --git a/vendor/k8s.io/api/apps/v1/zz_generated.deepcopy.go b/vendor/k8s.io/api/apps/v1/zz_generated.deepcopy.go