cri-o · openshift-merge-robot · Jul 17, 2020 · Jul 6, 2020 · Jul 6, 2020
diff --git a/completions/bash/crio b/completions/bash/crio
@@ -51,7 +51,6 @@ h
 --log-journald
 --log-level
 --log-size-max
---manage-network-ns-lifecycle
 --manage-ns-lifecycle
 --metrics-port
 --metrics-socket

diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish
@@ -89,8 +89,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l log-format -r -d 'Set the
 complete -c crio -n '__fish_crio_no_subcommand' -f -l log-journald -d 'Log to systemd journal (journald) in addition to kubernetes log file (default: false)'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l log-level -s l -r -d 'Log messages above specified level: trace, debug, info, warn, error, fatal or panic'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l log-size-max -r -d 'Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer'
-complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-network-ns-lifecycle -d 'Deprecated: this option is being replaced by `manage_ns_lifecycle`, which is described below'
-complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-ns-lifecycle -d 'Determines whether we pin and remove IPC, network and UTS namespaces and manage their lifecycle (default: false)'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-ns-lifecycle -d 'Determines whether we pin and remove IPC, network and UTS namespaces and manage their lifecycle (default: true)'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l metrics-port -r -d 'Port for the metrics endpoint'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l metrics-socket -r -d 'Socket for the metrics endpoint'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l namespaces-dir -r -d 'The directory where the state of the managed namespaces gets tracked. Only used when manage-ns-lifecycle is true'

diff --git a/completions/zsh/_crio b/completions/zsh/_crio
@@ -7,7 +7,7 @@ it later with **--config**. Global options will modify the output.' 'version:dis
   _describe 'commands' cmds
 
   local -a opts
-  opts=('--additional-devices' '--apparmor-profile' '--bind-mount-prefix' '--cgroup-manager' '--cni-config-dir' '--cni-default-network' '--cni-plugin-dir' '--config' '--config-dir' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-env' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--enable-metrics' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--image-volumes' '--insecure-registry' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--manage-network-ns-lifecycle' '--manage-ns-lifecycle' '--metrics-port' '--metrics-socket' '--namespaces-dir' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--pinns-path' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registry' '--root' '--runroot' '--runtime' '--runtimes' '--seccomp-profile' '--selinux' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--version-file-persist' '--help' '--version')
+  opts=('--additional-devices' '--apparmor-profile' '--bind-mount-prefix' '--cgroup-manager' '--cni-config-dir' '--cni-default-network' '--cni-plugin-dir' '--config' '--config-dir' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-env' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--enable-metrics' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--image-volumes' '--insecure-registry' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--manage-ns-lifecycle' '--metrics-port' '--metrics-socket' '--namespaces-dir' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--pinns-path' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registry' '--root' '--runroot' '--runtime' '--runtimes' '--seccomp-profile' '--selinux' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--version-file-persist' '--help' '--version')
   _describe 'global options' opts
 
   return

diff --git a/docs/crio.8.md b/docs/crio.8.md
@@ -51,7 +51,6 @@ crio
 [--log-level|-l]=[value]
 [--log-size-max]=[value]
 [--log]=[value]
-[--manage-network-ns-lifecycle]
 [--manage-ns-lifecycle]
 [--metrics-port]=[value]
 [--metrics-socket]=[value]
@@ -231,9 +230,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--log-size-max**="": Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer (default: -1)
 
-**--manage-network-ns-lifecycle**: Deprecated: this option is being replaced by `manage_ns_lifecycle`, which is described below
-
-**--manage-ns-lifecycle**: Determines whether we pin and remove IPC, network and UTS namespaces and manage their lifecycle (default: false)
+**--manage-ns-lifecycle**: Determines whether we pin and remove IPC, network and UTS namespaces and manage their lifecycle (default: true)
 
 **--metrics-port**="": Port for the metrics endpoint (default: 9090)
 

diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -215,11 +215,8 @@ the container runtime configuration.
 **ctr_stop_timeout**=30
   The minimal amount of time in seconds to wait before issuing a timeout regarding the proper termination of the container.
 
-**manage_network_ns_lifecycle**=false
-  **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.
-
-**manage_ns_lifecycle**=false
-  Determines whether we pin and remove namespaces and manage their lifecycle
+**manage_ns_lifecycle**=true
+  Determines whether we pin and remove namespaces and manage their lifecycle.
 
 **namespaces_dir**="/var/run"
   The directory where the state of the managed namespaces gets tracked. Only used when manage_ns_lifecycle is true

diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go
@@ -711,11 +711,6 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			Value:   defConf.GRPCMaxSendMsgSize,
 			EnvVars: []string{"CONTAINER_GRPC_MAX_SEND_MSG_SIZE"},
 		},
-		&cli.BoolFlag{
-			Name:    "manage-network-ns-lifecycle",
-			Usage:   "Deprecated: this option is being replaced by `manage_ns_lifecycle`, which is described below",
-			EnvVars: []string{"CONTAINER_MANAGE_NETWORK_NS_LIFECYCLE"},
-		},
 		&cli.BoolFlag{
 			Name:    "manage-ns-lifecycle",
 			Usage:   fmt.Sprintf("Determines whether we pin and remove IPC, network and UTS namespaces and manage their lifecycle (default: %v)", defConf.ManageNSLifecycle),

diff --git a/internal/lib/suite_test.go b/internal/lib/suite_test.go
@@ -90,7 +90,7 @@ var _ = BeforeSuite(func() {
 		},
 		"linux": {
 			"namespaces": [
-				{"type": "network", "path": "default"}
+				{"type": "network", "path": "/proc/self/ns/net"}
 			]
 		},
 		"process": {

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -279,9 +279,6 @@ type RuntimeConfig struct {
 	// to the kubernetes log file
 	LogToJournald bool `toml:"log_to_journald"`
 
-	// Deprecated: In favor of ManageNSLifecycle (described below)
-	ManageNetworkNSLifecycle bool `toml:"manage_network_ns_lifecycle"`
-
 	// ManageNSLifecycle determines whether we pin and remove namespaces
 	// and manage their lifecycle
 	ManageNSLifecycle bool `toml:"manage_ns_lifecycle"`
@@ -568,6 +565,7 @@ func DefaultConfig() (*Config, error) {
 			LogLevel:                 "info",
 			HooksDir:                 []string{hooks.DefaultDir},
 			NamespacesDir:            "/var/run",
+			ManageNSLifecycle:        true,
 			seccompConfig:            seccomp.New(),
 			apparmorConfig:           apparmor.New(),
 			ulimitsConfig:            ulimits.New(),
@@ -745,10 +743,6 @@ func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution
 		return errors.New("conmon cgroup should be 'pod' or a systemd slice")
 	}
 
-	// while ManageNetworkNSLifecycle is being deprecated, set
-	// ManageNSLifecycle to be true if either are
-	c.ManageNSLifecycle = c.ManageNetworkNSLifecycle || c.ManageNSLifecycle
-
 	if c.UIDMappings != "" && c.ManageNSLifecycle {
 		return fmt.Errorf("cannot use UIDMappings with ManageNSLifecycle")
 	}

diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -247,9 +247,6 @@ gid_mappings = "{{ .GIDMappings }}"
 # value is 30s, whereas lower values are not considered by CRI-O.
 ctr_stop_timeout = {{ .CtrStopTimeout }}
 
-# **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.
-# manage_network_ns_lifecycle = {{ .ManageNSLifecycle }}
-
 # manage_ns_lifecycle determines whether we pin and remove namespaces
 # and manage their lifecycle
 manage_ns_lifecycle = {{ .ManageNSLifecycle }}

diff --git a/server/sandbox_run_test.go b/server/sandbox_run_test.go
@@ -28,6 +28,10 @@ var _ = t.Describe("RunPodSandbox", func() {
 		// cyclomatic complexity and test it separately
 		It("should fail when container creation errors", func() {
 			// Given
+			// when we ManageNSLifecycle, we do networking setup before we do container creation
+			// mocking the networking setup blows up complexity of this test, which is really
+			// not testing the behavior of managing ns lifecycle. Override default for this test
+			sut.SetManageNSLifecycle(false)
 			gomock.InOrder(
 				runtimeServerMock.EXPECT().CreatePodSandbox(gomock.Any(),
 					gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(),

diff --git a/server/sandbox_stop_linux.go b/server/sandbox_stop_linux.go
@@ -96,12 +96,6 @@ func (s *Server) stopPodSandbox(ctx context.Context, req *pb.StopPodSandboxReque
 		}
 	}
 
-	if s.config.ManageNSLifecycle {
-		if err := sb.RemoveManagedNamespaces(); err != nil {
-			return nil, err
-		}
-	}
-
 	if err := sb.UnmountShm(); err != nil {
 		return nil, err
 	}

diff --git a/server/server_test_inject.go b/server/server_test_inject.go
@@ -23,3 +23,7 @@ func (s *StreamService) SetRuntimeServer(server *Server) {
 func (s *Server) SetCNIPlugin(plugin ocicni.CNIPlugin) error {
 	return s.config.SetCNIPlugin(plugin)
 }
+
+func (s *Server) SetManageNSLifecycle(manageNS bool) {
+	s.config.ManageNSLifecycle = manageNS
+}
diff --git a/server/suite_test.go b/server/suite_test.go
@@ -127,7 +127,7 @@ var beforeEach = func() {
 		},
 		"linux": {
 			"namespaces": [
-				{"type": "network", "path": "default"}
+				{"type": "network", "path": "/proc/self/ns/net"}
 			]
 		},
 		"process": {