cri-o · openshift-merge-robot · Dec 22, 2022 · Oct 22, 2021 · Sep 22, 2022 · Sep 1, 2021
@@ -107,6 +107,18 @@ jobs:
           sudo -E make completions-generation
           hack/tree_status.sh
 
+  validate-nri-tests:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/download-artifact@v3
+        with:
+          name: build
+          path: bin
+      - run: |
+          sudo -E make check-nri-bats-tests
+
   build-static-amd64:
     runs-on: ubuntu-latest
     steps:

@@ -225,6 +225,6 @@ linters-settings:
       - unnamedResult
       - unnecessaryBlock
   gocyclo:
-    min-complexity: 141
+    min-complexity: 154
   nakedret:
     max-func-lines: 15
@@ -92,6 +92,10 @@ GOPKGDIR := $(GOPATH)/src/$(PROJECT)
 GOPKGBASEDIR := $(shell dirname "$(GOPKGDIR)")
 GO_FILES := $(shell find . -type f -name '*.go' -not -name '*_test.go')
 
+# Some of the packages use the golang testing infra in end-to-end tests.
+# These can't be run as unit tests so ginkgo should skip them.
+GINKGO_SKIP_PACKAGES = test/nri
+
 # Update VPATH so make finds .gopathok
 VPATH := $(VPATH):$(GOPATH)
 
@@ -173,6 +177,9 @@ shellcheck: shellfiles ${SHELLCHECK}
 		-x \
 		${SHELLFILES} ${BATS_FILES}
 
+check-nri-bats-tests: test/nri/nri.test
+	./hack/check-nri-bats-tests.sh
+
 bin/pinns:
 	$(MAKE) -C pinns
 
@@ -185,6 +192,9 @@ test/checkseccomp/checkseccomp: $(GO_FILES) .gopathok
 test/checkcriu/checkcriu: $(GO_FILES) .gopathok
 	$(GO_BUILD) $(GCFLAGS) $(GO_LDFLAGS) -tags "$(BUILDTAGS)" -o $@ $(PROJECT)/test/checkcriu
 
+test/nri/nri.test: $(wildcard test/nri/*.go) .gopathok
+	$(GO) test --tags "test $(BUILDTAGS)" -c $(PROJECT)/test/nri -o $@ 
+
 bin/crio: $(GO_FILES) .gopathok
 	$(GO_BUILD) $(GCFLAGS) $(GO_LDFLAGS) -tags "$(BUILDTAGS)" -o $@ $(PROJECT)/cmd/crio
 
@@ -229,6 +239,7 @@ endif
 	rm -f test/copyimg/copyimg
 	rm -f test/checkseccomp/checkseccomp
 	rm -f test/checkcriu/checkcriu
+	rm -f test/nri/nri.test
 	rm -rf ${BUILD_BIN_PATH}
 
 # the approach here, rather than this target depending on the build targets
@@ -308,6 +319,7 @@ testunit: ${GINKGO}
 	${BUILD_BIN_PATH}/ginkgo run \
 		${TESTFLAGS} \
 		-r \
+		--skip-package $(GINKGO_SKIP_PACKAGES) \
 		--trace \
 		--cover \
 		--covermode atomic \
@@ -386,7 +398,8 @@ localintegration: clean binaries test-binaries
 	./test/test_runner.sh ${TESTFLAGS}
 
 binaries: bin/crio bin/crio-status bin/pinns
-test-binaries: test/copyimg/copyimg test/checkseccomp/checkseccomp test/checkcriu/checkcriu
+test-binaries: test/copyimg/copyimg test/checkseccomp/checkseccomp test/checkcriu/checkcriu \
+	test/nri/nri.test
 
 MANPAGES_MD := $(wildcard docs/*.md)
 MANPAGES    := $(MANPAGES_MD:%.md=%)

@@ -47,6 +47,7 @@ h
 --drop-infra-ctr
 --enable-criu-support
 --enable-metrics
+--enable-nri
 --enable-profile-unix-socket
 --enable-tracing
 --gid-mappings
@@ -76,6 +77,9 @@ h
 --minimum-mappable-uid
 --namespaces-dir
 --no-pivot
+--nri-config-file
+--nri-listen
+--nri-plugin-dir
 --pause-command
 --pause-image
 --pause-image-auth-file

@@ -52,6 +52,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l device-ownership-from-secu
 complete -c crio -n '__fish_crio_no_subcommand' -f -l drop-infra-ctr -d 'Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-criu-support -d 'Enable CRIU integration, requires that the criu binary is available in $PATH.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-metrics -d 'Enable metrics endpoint for the server on localhost:9090.'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-nri -d 'Enable NRI (Node Resource Interface) support. (default: false)'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-profile-unix-socket -d 'Enable pprof profiler on crio unix domain socket.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-tracing -d 'Enable OpenTelemetry trace data exporting.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l gid-mappings -r -d 'Specify the GID mappings to use for the user namespace.'
@@ -113,6 +114,9 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l minimum-mappable-gid -r -d
 complete -c crio -n '__fish_crio_no_subcommand' -f -l minimum-mappable-uid -r -d 'Specify the lowest host UID which can be specified in mappings for a pod that will be run as a UID other than 0.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l namespaces-dir -r -d 'The directory where the state of the managed namespaces gets tracked. Only used when manage-ns-lifecycle is true.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l no-pivot -d 'If true, the runtime will not use `pivot_root`, but instead use `MS_MOVE`.'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l nri-config-file -r -d 'NRI configuration file to use. (default: "/etc/nri/nri.conf")'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l nri-listen -r -d 'Socket to listen on for externally started NRI plugins to connect to. (default: "/var/run/nri.sock")'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l nri-plugin-dir -r -d 'Directory to scan for pre-installed NRI plugins to start automatically. (default: "/opt/nri/plugins")'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l pause-command -r -d 'Path to the pause executable in the pause image.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l pause-image -r -d 'Image which contains the pause executable.'
 complete -c crio -n '__fish_crio_no_subcommand' -l pause-image-auth-file -r -d 'Path to a config file containing credentials for --pause-image.'

@@ -54,6 +54,7 @@ it later with **--config**. Global options will modify the output.'
         '--drop-infra-ctr'
         '--enable-criu-support'
         '--enable-metrics'
+        '--enable-nri'
         '--enable-profile-unix-socket'
         '--enable-tracing'
         '--gid-mappings'
@@ -83,6 +84,9 @@ it later with **--config**. Global options will modify the output.'
         '--minimum-mappable-uid'
         '--namespaces-dir'
         '--no-pivot'
+        '--nri-config-file'
+        '--nri-listen'
+        '--nri-plugin-dir'
         '--pause-command'
         '--pause-image'
         '--pause-image-auth-file'

@@ -45,6 +45,7 @@ crio
 [--drop-infra-ctr]
 [--enable-criu-support]
 [--enable-metrics]
+[--enable-nri]
 [--enable-profile-unix-socket]
 [--enable-tracing]
 [--gid-mappings]=[value]
@@ -75,6 +76,9 @@ crio
 [--minimum-mappable-uid]=[value]
 [--namespaces-dir]=[value]
 [--no-pivot]
+[--nri-config-file]=[value]
+[--nri-listen]=[value]
+[--nri-plugin-dir]=[value]
 [--pause-command]=[value]
 [--pause-image-auth-file]=[value]
 [--pause-image]=[value]
@@ -214,6 +218,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--enable-metrics**: Enable metrics endpoint for the server on localhost:9090.
 
+**--enable-nri**: Enable NRI (Node Resource Interface) support. (default: false)
+
 **--enable-profile-unix-socket**: Enable pprof profiler on crio unix domain socket.
 
 **--enable-tracing**: Enable OpenTelemetry trace data exporting.
@@ -306,6 +312,12 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--no-pivot**: If true, the runtime will not use `pivot_root`, but instead use `MS_MOVE`.
 
+**--nri-config-file**="": NRI configuration file to use. (default: "/etc/nri/nri.conf")
+
+**--nri-listen**="": Socket to listen on for externally started NRI plugins to connect to. (default: "/var/run/nri.sock")
+
+**--nri-plugin-dir**="": Directory to scan for pre-installed NRI plugins to start automatically. (default: "/opt/nri/plugins")
+
 **--pause-command**="": Path to the pause executable in the pause image. (default: /pause)
 
 **--pause-image**="": Image which contains the pause executable. (default: registry.k8s.io/pause:3.6)

@@ -465,6 +465,20 @@ The `crio.stats` table specifies all necessary configuration for reporting conta
 **stats_collection_period**=0
   The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead.
 
+## CRIO.NRI TABLE
+The `crio.nri` table contains settings for controlling NRI (Node Resource Interface) support in CRI-O.
+**enable_nri**=false
+  Enable CRI-O NRI support.
+
+**nri_config_file**="/etc/nri/nri.conf"
+  NRI configuration file to use.
+
+**nri_plugin_dir**="/opt/nri/plugins"
+  Directory to scan for pre-installed plugins to automatically start.
+
+**nri_listen**="/var/run/nri.sock"
+  Socket to listen on for externally started NRI plugins to connect to.
+
 # SEE ALSO
 crio.conf.d(5), containers-storage.conf(5), containers-policy.json(5), containers-registries.conf(5), crio(8)
 

@@ -13,6 +13,7 @@ require (
 	github.com/containerd/containerd v1.7.0-beta.0
 	github.com/containerd/cri-containerd v1.19.0
 	github.com/containerd/fifo v1.0.0
+	github.com/containerd/nri v0.2.0
 	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3
 	github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67
 	github.com/containernetworking/cni v1.1.2
@@ -51,7 +52,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
 	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb
-	github.com/opencontainers/runtime-tools v0.9.1-0.20221014010322-58c91d646d86
+	github.com/opencontainers/runtime-tools v0.9.1-0.20221026201742-946c877fa809
 	github.com/opencontainers/selinux v1.10.2
 	github.com/prometheus/client_golang v1.14.0
 	github.com/psampaz/go-mod-outdated v0.8.0
@@ -76,7 +77,7 @@ require (
 	k8s.io/api v0.25.0
 	k8s.io/apimachinery v0.25.0
 	k8s.io/client-go v1.5.2
-	k8s.io/cri-api v0.25.0
+	k8s.io/cri-api v0.25.3
 	k8s.io/klog/v2 v2.80.1
 	k8s.io/kubernetes v1.24.1
 	k8s.io/release v0.14.0

@@ -542,6 +542,8 @@ github.com/containerd/imgcrypt v1.1.4/go.mod h1:LorQnPtzL/T0IyCeftcsMEO7AqxUDbdO
 github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c=
 github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
 github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
+github.com/containerd/nri v0.2.0 h1:gSHG+SyKvWp5xJxyXbx2miR0ajssuOImr52Z2lt/GKI=
+github.com/containerd/nri v0.2.0/go.mod h1:Q2u9Sudol4IkJ6YK0gShznKMxM6Un0Y3O4Wslf5Nerg=
 github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM=
 github.com/containerd/stargz-snapshotter/estargz v0.9.0/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0=
 github.com/containerd/stargz-snapshotter/estargz v0.12.0/go.mod h1:AIQ59TewBFJ4GOPEQXujcrJ/EKxh5xXZegW1rkR1P/M=
@@ -1650,8 +1652,8 @@ github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.m
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb h1:1xSVPOd7/UA+39/hXEGnBJ13p6JFB0E1EvQFlrRDOXI=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
-github.com/opencontainers/runtime-tools v0.9.1-0.20221014010322-58c91d646d86 h1:AaK4/fBxOmEFtb1bs/7KrJsQIgVPnhIrtgJ92RaqM60=
-github.com/opencontainers/runtime-tools v0.9.1-0.20221014010322-58c91d646d86/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221026201742-946c877fa809 h1:VLCrW5qA1ADIYmmJFhHtkzIRrUy6dTM5zEqiax68lBg=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221026201742-946c877fa809/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+TOPDIR="${0%/*}/.."
+NRITEST_BINARY="$TOPDIR/test/nri/nri.test"
+NRI_BATS="$TOPDIR/test/nri.bats"
+
+status=0
+for i in $($NRITEST_BINARY -test.list Test); do
+    if ! grep -q -e "-test.run $i"' *$' "$NRI_BATS"; then
+        echo "NRI test case $i missing from $(realpath --relative-to "$TOPDIR" "$NRI_BATS")"
+        status=1
+    fi
+done
+exit "$status"
@@ -0,0 +1,51 @@
+package nri
+
+import (
+	"fmt"
+
+	nri "github.com/containerd/nri/pkg/adaptation"
+)
+
+// Config represents the CRI-O NRI configuration.
+type Config struct {
+	Enabled    bool   `toml:"enable_nri"`
+	ConfigPath string `toml:"nri_config_file"`
+	SocketPath string `toml:"nri_listen"`
+	PluginPath string `toml:"nri_plugin_dir"`
+}
+
+// New returns the default CRI-O NRI configuration.
+func New() *Config {
+	return &Config{
+		ConfigPath: nri.DefaultConfigPath,
+		SocketPath: nri.DefaultSocketPath,
+		PluginPath: nri.DefaultPluginPath,
+	}
+}
+
+// Validate loads and validates the effective runtime NRI configuration.
+func (c *Config) Validate(onExecution bool) error {
+	if c.Enabled {
+		_, err := nri.ReadConfig(c.ConfigPath)
+		if err != nil {
+			return fmt.Errorf("failed to load %q: %w", c.ConfigPath, err)
+		}
+	}
+
+	return nil
+}
+
+// ToOptions returns NRI options for this configuration.
+func (c *Config) ToOptions() []nri.Option {
+	opts := []nri.Option{}
+	if c != nil && c.ConfigPath != "" {
+		opts = append(opts, nri.WithConfigPath(c.ConfigPath))
+	}
+	if c != nil && c.SocketPath != "" {
+		opts = append(opts, nri.WithSocketPath(c.SocketPath))
+	}
+	if c != nil && c.PluginPath != "" {
+		opts = append(opts, nri.WithPluginPath(c.PluginPath))
+	}
+	return opts
+}
@@ -0,0 +1,53 @@
+package nri_test
+
+import (
+	"os"
+
+	"github.com/cri-o/cri-o/internal/config/nri"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func tempFileWithData(data string) string {
+	f := t.MustTempFile("")
+	Expect(os.WriteFile(f, []byte(data), 0o644)).To(BeNil())
+	return f
+}
+
+// NRI configuration tests.
+var _ = t.Describe("When parsing NRI config file", func() {
+	t.Describe("non-existent file", func() {
+		It("should return an error", func() {
+			cfg := nri.New()
+			cfg.Enabled = true
+			cfg.ConfigPath = "non-existent-file"
+			err := cfg.Validate(true)
+			Expect(err).NotTo(BeNil())
+		})
+	})
+
+	t.Describe("invalid file format", func() {
+		It("should return an error", func() {
+			f := tempFileWithData(`fooBar:
+  - none
+`)
+			cfg := nri.New()
+			cfg.Enabled = true
+			cfg.ConfigPath = f
+			err := cfg.Validate(true)
+			Expect(err).NotTo(BeNil())
+		})
+	})
+
+	t.Describe("correct file format", func() {
+		It("should not return an error", func() {
+			f := tempFileWithData(`disableConnections: true
+`)
+			cfg := nri.New()
+			cfg.Enabled = true
+			cfg.ConfigPath = f
+			err := cfg.Validate(true)
+			Expect(err).To(BeNil())
+		})
+	})
+})
@@ -0,0 +1,26 @@
+package nri_test
+
+import (
+	"testing"
+
+	. "github.com/cri-o/cri-o/test/framework"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+// TestLib runs the created specs
+func TestLibConfig(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunFrameworkSpecs(t, "NRIConfig")
+}
+
+var t *TestFramework
+
+var _ = BeforeSuite(func() {
+	t = NewTestFramework(NilFunc, NilFunc)
+	t.Setup()
+})
+
+var _ = AfterSuite(func() {
+	t.Teardown()
+})