cri-o · runcom · Jan 18, 2017 · Oct 17, 2016 · Oct 18, 2016 · Dec 16, 2016
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,6 @@ pause/pause.o
 ocid.conf
 *.orig
 *.rej
+test/bin2img/bin2img
+test/copyimg/copyimg
+test/testdata/redis-image
diff --git a/.travis.yml b/.travis.yml
@@ -9,6 +9,10 @@ sudo: required
 services:
   - docker
 
+before_install:
+  - sudo apt-get -qq update
+  - sudo apt-get -qq install btrfs-tools libdevmapper-dev libgpgme11-dev
+
 install:
   - make install.tools
 

diff --git a/Dockerfile b/Dockerfile
@@ -23,6 +23,7 @@ RUN apt-get update && apt-get install -y \
     btrfs-tools \
     libdevmapper1.02.1 \
     libdevmapper-dev \
+    libgpgme11-dev \
     --no-install-recommends \
     && apt-get clean
 
@@ -52,6 +53,10 @@ RUN set -x \
 	&& cp runc /usr/local/bin/runc \
 	&& rm -rf "$GOPATH"
 
+# Make sure we have some policy for pulling images
+RUN mkdir -p /etc/containers
+COPY test/policy.json /etc/containers/policy.json
+
 WORKDIR /go/src/github.com/kubernetes-incubator/cri-o
 
 ADD . /go/src/github.com/kubernetes-incubator/cri-o
diff --git a/Makefile b/Makefile
@@ -44,6 +44,12 @@ conmon:
 pause:
 	make -C $@
 
+bin2img:
+	make -C test/$@
+
+copyimg:
+	make -C test/$@
+
 ocid:
 ifndef GOPATH
 	$(error GOPATH is not set)
@@ -69,10 +75,13 @@ ocid.conf: ocid
 
 clean:
 	rm -f docs/*.1 docs/*.5 docs/*.8
+	rm -fr test/testdata/redis-image
 	find . -name \*~ -delete
 	find . -name \#\* -delete
 	make -C conmon clean
 	make -C pause clean
+	make -C test/bin2img clean
+	make -C test/copyimg clean
 
 ocidimage:
 	docker build -t ${OCID_IMAGE} .
@@ -86,7 +95,7 @@ integration: ocidimage
 localintegration: binaries
 	./test/test_runner.sh ${TESTFLAGS}
 
-binaries: ocid ocic kpod conmon pause
+binaries: ocid ocic kpod conmon pause bin2img copyimg
 
 MANPAGES_MD := $(wildcard docs/*.md)
 MANPAGES    := $(MANPAGES_MD:%.md=%)
@@ -180,9 +189,11 @@ install.tools: .install.gitvalidation .install.gometalinter .install.md2man
 	go get -u github.com/cpuguy83/go-md2man
 
 .PHONY: \
+	bin2img \
 	binaries \
 	clean \
 	conmon \
+	copyimg \
 	default \
 	docs \
 	gofmt \

diff --git a/README.md b/README.md
@@ -42,9 +42,11 @@ It is currently in active development in the Kubernetes community through the [d
 
 ### Build
 
-`glib2-devel` and `glibc-static` packages on Fedora or ` libglib2.0-dev` on Ubuntu or equivalent is required.
-In order to enable seccomp support you will need to install `libseccomp` on your platform.
+`btrfs-progs-devel`, `device-mapper-devel`, `glib2-devel`, `glibc-devel`, `gpgme-devel`, `libassuan-devel`, `libgpg-error-devel`, and `pkg-config` packages on CentOS/Fedora or `btrfs-tools`, `libassuan-dev`, `libc6-dev`, `libdevmapper-dev`, `libglib2.0-dev`, `libgpg-error-dev`, `libgpgme11-dev`, and `pkg-config` on Ubuntu or equivalent is required.
+In order to enable seccomp support you will need to install development files for `libseccomp` on your platform.
 > e.g. `libseccomp-devel` for CentOS/Fedora, or `libseccomp-dev` for Ubuntu
+In order to enable apparmor support you will need to install development files for `libapparmor` on your platform.
+> e.g. `libapparmor-dev` for Ubuntu
 
 ```bash
 $ GOPATH=/path/to/gopath

diff --git a/cmd/ocid/config.go b/cmd/ocid/config.go
@@ -12,17 +12,21 @@ var commentedConfigTemplate = template.Must(template.New("config").Parse(`
 # The "ocid" table contains all of the server options.
 [ocid]
 
-# root is a path to the "root directory". OCID stores all of its state
-# data, including container images, in this directory.
+# root is a path to the "root directory". OCID stores all of its data,
+# including container images, in this directory.
 root = "{{ .Root }}"
 
-# sandbox_dir is the directory where ocid will store all of its sandbox
-# state and other information.
-sandbox_dir = "{{ .SandboxDir }}"
+# run is a path to the "run directory". OCID stores all of its state
+# in this directory.
+runroot = "{{ .RunRoot }}"
 
-# container_dir is the directory where ocid will store all of its
-# container state and other information.
-container_dir = "{{ .ContainerDir }}"
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "{{ .Storage }}"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{{ range $opt := .StorageOptions }}{{ printf "\t%q,\n" $opt }}{{ end }}]
 
 # The "ocid.api" table contains settings for the kubelet/gRPC
 # interface (which is also used by ocic).
@@ -67,9 +71,23 @@ cgroup_manager = "{{ .CgroupManager }}"
 # management of OCI images.
 [ocid.image]
 
-# pause is the path to the statically linked pause container binary, used
-# as the entrypoint for infra containers.
-pause = "{{ .Pause }}"
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "{{ .DefaultTransport }}"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "{{ .PauseImage }}"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there.  If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "{{ .PauseCommand }}"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = "{{ .SignaturePolicyPath }}"
 
 # The "ocid.network" table contains settings pertaining to the
 # management of CNI plugins.

diff --git a/cmd/ocid/daemon_linux.go b/cmd/ocid/daemon_linux.go
@@ -8,7 +8,7 @@ import (
 )
 
 func sdNotify() {
-	if _, err := systemdDaemon.SdNotify("READY=1"); err != nil {
+	if _, err := systemdDaemon.SdNotify(true, "READY=1"); err != nil {
 		logrus.Warnf("Failed to sd_notify systemd: %v", err)
 	}
 }

diff --git a/cmd/ocid/main.go b/cmd/ocid/main.go
@@ -4,7 +4,10 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"os/signal"
 	"sort"
+	"strings"
+	"syscall"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/containers/storage/pkg/reexec"
@@ -36,17 +39,29 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("conmon") {
 		config.Conmon = ctx.GlobalString("conmon")
 	}
-	if ctx.GlobalIsSet("containerdir") {
-		config.ContainerDir = ctx.GlobalString("containerdir")
+	if ctx.GlobalIsSet("pause-command") {
+		config.PauseCommand = ctx.GlobalString("pause-command")
 	}
-	if ctx.GlobalIsSet("pause") {
-		config.Pause = ctx.GlobalString("pause")
+	if ctx.GlobalIsSet("pause-image") {
+		config.PauseImage = ctx.GlobalString("pause-image")
+	}
+	if ctx.GlobalIsSet("signature-policy") {
+		config.SignaturePolicyPath = ctx.GlobalString("signature-policy")
 	}
 	if ctx.GlobalIsSet("root") {
 		config.Root = ctx.GlobalString("root")
 	}
-	if ctx.GlobalIsSet("sandboxdir") {
-		config.SandboxDir = ctx.GlobalString("sandboxdir")
+	if ctx.GlobalIsSet("runroot") {
+		config.RunRoot = ctx.GlobalString("runroot")
+	}
+	if ctx.GlobalIsSet("storage-driver") {
+		config.Storage = ctx.GlobalString("storage-driver")
+	}
+	if ctx.GlobalIsSet("storage-option") {
+		config.StorageOptions = ctx.GlobalStringSlice("storage-option")
+	}
+	if ctx.GlobalIsSet("default-transport") {
+		config.DefaultTransport = ctx.GlobalString("default-transport")
 	}
 	if ctx.GlobalIsSet("listen") {
 		config.Listen = ctx.GlobalString("listen")
@@ -75,6 +90,26 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	return nil
 }
 
+func catchShutdown(gserver *grpc.Server, sserver *server.Server, signalled *bool) {
+	sig := make(chan os.Signal, 10)
+	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		for s := range sig {
+			switch s {
+			case syscall.SIGINT:
+				logrus.Debugf("Caught SIGINT")
+			case syscall.SIGTERM:
+				logrus.Debugf("Caught SIGTERM")
+			default:
+				continue
+			}
+			*signalled = true
+			gserver.GracefulStop()
+			return
+		}
+	}()
+}
+
 func main() {
 	if reexec.Init() {
 		return
@@ -97,10 +132,6 @@ func main() {
 			Name:  "conmon",
 			Usage: "path to the conmon executable",
 		},
-		cli.StringFlag{
-			Name:  "containerdir",
-			Usage: "ocid container dir",
-		},
 		cli.BoolFlag{
 			Name:  "debug",
 			Usage: "enable debug output for logging",
@@ -120,20 +151,40 @@ func main() {
 			Usage: "set the format used by logs ('text' (default), or 'json')",
 		},
 		cli.StringFlag{
-			Name:  "pause",
-			Usage: "path to the pause executable",
+			Name:  "pause-command",
+			Usage: "name of the pause command in the pause image",
+		},
+		cli.StringFlag{
+			Name:  "pause-image",
+			Usage: "name of the pause image",
+		},
+		cli.StringFlag{
+			Name:  "signature-policy",
+			Usage: "path to signature policy file",
 		},
 		cli.StringFlag{
 			Name:  "root",
 			Usage: "ocid root dir",
 		},
 		cli.StringFlag{
-			Name:  "runtime",
-			Usage: "OCI runtime path",
+			Name:  "runroot",
+			Usage: "ocid state dir",
+		},
+		cli.StringFlag{
+			Name:  "storage-driver",
+			Usage: "storage driver",
+		},
+		cli.StringSliceFlag{
+			Name:  "storage-option",
+			Usage: "storage driver option",
+		},
+		cli.StringFlag{
+			Name:  "default-transport",
+			Usage: "default transport",
 		},
 		cli.StringFlag{
-			Name:  "sandboxdir",
-			Usage: "ocid pod sandbox dir",
+			Name:  "runtime",
+			Usage: "OCI runtime path",
 		},
 		cli.StringFlag{
 			Name:  "seccomp-profile",
@@ -236,13 +287,24 @@ func main() {
 			logrus.Fatal(err)
 		}
 
+		graceful := false
+		catchShutdown(s, service, &graceful)
 		runtime.RegisterRuntimeServiceServer(s, service)
 		runtime.RegisterImageServiceServer(s, service)
 
 		// after the daemon is done setting up we can notify systemd api
 		notifySystem()
 
-		if err := s.Serve(lis); err != nil {
+		err = s.Serve(lis)
+		if graceful && strings.Contains(strings.ToLower(err.Error()), "use of closed network connection") {
+			err = nil
+		}
+
+		if err2 := service.Shutdown(); err2 != nil {
+			logrus.Infof("error shutting down layer storage: %v", err2)
+		}
+
+		if err != nil {
 			logrus.Fatal(err)
 		}
 		return nil