cri-o · harche · Jan 13, 2021 · Jan 13, 2021 · Jan 13, 2021 · Jan 15, 2021
@@ -156,6 +156,6 @@ linters-settings:
       - unnamedResult
       - unnecessaryBlock
   gocyclo:
-    min-complexity: 122
+    min-complexity: 127
   nakedret:
     max-func-lines: 15
@@ -300,6 +300,7 @@ testunit-bin:
 	done
 
 mockgen: \
+	mock-cmdrunner \
 	mock-containerstorage \
 	mock-criostorage \
 	mock-lib-config \

@@ -78,7 +78,7 @@ It is currently in active development in the Kubernetes community through the [d
 | ---------------------------------------------------- | --------------------------------------------------------------------------|
 | [crio(8)](/docs/crio.8.md)                           | OCI Kubernetes Container Runtime daemon                                   |
 
-Note that kpod and its container management and debugging commands have moved to a separate repository, located [here](https://github.com/containers/podman).
+Note that podman and its container management and debugging commands have moved to a separate repository, located [here](https://github.com/containers/podman).
 
 ## Configuration
 | File                                       | Description                                                                                          |

@@ -63,22 +63,22 @@ func catchShutdown(ctx context.Context, cancel context.CancelFunc, gserver *grpc
 			case unix.SIGPIPE:
 				continue
 			case signals.Interrupt:
-				log.Debugf(ctx, "Caught SIGINT")
+				logrus.Debugf("Caught SIGINT")
 			case signals.Term:
-				log.Debugf(ctx, "Caught SIGTERM")
+				logrus.Debugf("Caught SIGTERM")
 			default:
 				continue
 			}
 			*signalled = true
 			gserver.GracefulStop()
 			hserver.Shutdown(ctx) // nolint: errcheck
 			if err := sserver.StopStreamServer(); err != nil {
-				log.Warnf(ctx, "error shutting down streaming server: %v", err)
+				logrus.Warnf("error shutting down streaming server: %v", err)
 			}
 			sserver.StopMonitors()
 			cancel()
 			if err := sserver.Shutdown(ctx); err != nil {
-				log.Warnf(ctx, "error shutting down main service %v", err)
+				logrus.Warnf("error shutting down main service %v", err)
 			}
 			return
 		}
@@ -185,9 +185,9 @@ func main() {
 			profilePort := c.Int("profile-port")
 			profileEndpoint := fmt.Sprintf("localhost:%v", profilePort)
 			go func() {
-				log.Debugf(ctx, "starting profiling server on %v", profileEndpoint)
+				logrus.Debugf("starting profiling server on %v", profileEndpoint)
 				if err := http.ListenAndServe(profileEndpoint, nil); err != nil {
-					log.Fatalf(ctx, "unable to run profiling server: %v", err)
+					logrus.Fatalf("unable to run profiling server: %v", err)
 				}
 			}()
 		}
@@ -211,7 +211,11 @@ func main() {
 
 		lis, err := server.Listen("unix", config.Listen)
 		if err != nil {
-			log.Fatalf(ctx, "failed to listen: %v", err)
+			logrus.Fatalf("Failed to listen: %v", err)
+		}
+
+		if err := os.Chmod(config.Listen, 0o660); err != nil {
+			logrus.Fatalf("Failed to chmod listen socket %s: %v", config.Listen, err)
 		}
 
 		grpcServer := grpc.NewServer(
@@ -243,8 +247,7 @@ func main() {
 
 		if config.CleanShutdownFile != "" {
 			// clear out the shutdown file
-			if err := os.Remove(config.CleanShutdownFile); err != nil {
-				// not a fatal error, as it could have been cleaned up
+			if err := os.Remove(config.CleanShutdownFile); err != nil && !os.IsNotExist(err) {
 				logrus.Error(err)
 			}
 
@@ -254,13 +257,13 @@ func main() {
 			// CleanShutdownFile.
 			f, err := os.Create(config.CleanShutdownSupportedFileName())
 			if err != nil {
-				log.Errorf(ctx, "Writing clean shutdown supported file: %v", err)
+				logrus.Errorf("Writing clean shutdown supported file: %v", err)
 			}
 			f.Close()
 
 			// and sync the changes to disk
 			if err := utils.SyncParent(config.CleanShutdownFile); err != nil {
-				log.Errorf(ctx, "failed to sync parent directory of clean shutdown file: %v", err)
+				logrus.Errorf("failed to sync parent directory of clean shutdown file: %v", err)
 			}
 		}
 
@@ -300,12 +303,12 @@ func main() {
 
 		go func() {
 			if err := grpcServer.Serve(grpcL); err != nil {
-				log.Errorf(ctx, "unable to run GRPC server: %v", err)
+				logrus.Errorf("unable to run GRPC server: %v", err)
 			}
 		}()
 		go func() {
 			if err := httpServer.Serve(httpL); err != nil {
-				log.Debugf(ctx, "closed http server")
+				logrus.Debugf("closed http server")
 			}
 		}()
 
@@ -316,7 +319,7 @@ func main() {
 				if graceful && strings.Contains(strings.ToLower(err.Error()), "use of closed network connection") {
 					err = nil
 				} else {
-					log.Errorf(ctx, "Failed to serve grpc request: %v", err)
+					logrus.Errorf("Failed to serve grpc request: %v", err)
 				}
 			}
 		}()
@@ -330,22 +333,22 @@ func main() {
 		}
 
 		if err := crioServer.Shutdown(ctx); err != nil {
-			log.Warnf(ctx, "error shutting down service: %v", err)
+			logrus.Warnf("error shutting down service: %v", err)
 		}
 		cancel()
 
 		<-streamServerCloseCh
-		log.Debugf(ctx, "closed stream server")
+		logrus.Debugf("closed stream server")
 		<-serverMonitorsCh
-		log.Debugf(ctx, "closed monitors")
+		logrus.Debugf("closed monitors")
 		err = <-hookSync
 		if err == nil || err == context.Canceled {
-			log.Debugf(ctx, "closed hook monitor")
+			logrus.Debugf("closed hook monitor")
 		} else {
-			log.Errorf(ctx, "hook monitor failed: %v", err)
+			logrus.Errorf("hook monitor failed: %v", err)
 		}
 		<-serverCloseCh
-		log.Debugf(ctx, "closed main server")
+		logrus.Debugf("closed main server")
 
 		return nil
 	}

@@ -67,6 +67,15 @@ func crioWipe(c *cli.Context) error {
 		return handleCleanShutdown(config, store)
 	}
 
+	// If crio is configured to wipe internally (and `--force` wasn't set)
+	// the `crio wipe` command has nothing left to do,
+	// as the remaining work will be done on server startup.
+	if config.InternalWipe && !c.IsSet("force") {
+		return nil
+	}
+
+	logrus.Infof("Internal wipe not set, meaning crio wipe will wipe. In the future, all wipes after reboot will happen when starting the crio server.")
+
 	// if we should not wipe, exit with no error
 	if !shouldWipeContainers {
 		// we should not wipe images without wiping containers

@@ -12,6 +12,7 @@ version
 wipe
 help
 h
+--absent-mount-sources-to-reject
 --additional-devices
 --apparmor-profile
 --big-files-temporary-dir
@@ -48,6 +49,7 @@ h
 --image-volumes
 --infra-ctr-cpuset
 --insecure-registry
+--internal-wipe
 --irqbalance-config-file
 --listen
 --log

@@ -9,6 +9,7 @@ function __fish_crio_no_subcommand --description 'Test if there has been any sub
     return 0
 end
 
+complete -c crio -n '__fish_crio_no_subcommand' -f -l absent-mount-sources-to-reject -r -d 'A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory).'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l additional-devices -r -d 'Devices to add to the containers '
 complete -c crio -n '__fish_crio_no_subcommand' -f -l apparmor-profile -r -d 'Name of the apparmor profile to be used as the runtime\'s default. This only takes effect if the user does not specify a profile via the Kubernetes Pod\'s metadata annotation.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l big-files-temporary-dir -r -d 'Path to the temporary directory to use for storing big files, used to store image blobs and data streams related to containers image management.'
@@ -86,6 +87,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l insecure-registry -r -d 'E
        be enabled for testing purposes**. For increased security, users should add
        their CA to their system\'s list of trusted CAs instead of using
        \'--insecure-registry\'.'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l internal-wipe -d 'Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts. If set to false, one must run `crio wipe` to wipe the containers and images in these situations.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l irqbalance-config-file -r -d 'The irqbalance service config file which is used by CRI-O.'
 complete -c crio -n '__fish_crio_no_subcommand' -l listen -r -d 'Path to the CRI-O socket'
 complete -c crio -n '__fish_crio_no_subcommand' -l log -r -d 'Set the log file path where internal debug information is written'

@@ -7,7 +7,7 @@ it later with **--config**. Global options will modify the output.' 'version:dis
   _describe 'commands' cmds
 
   local -a opts
-  opts=('--additional-devices' '--apparmor-profile' '--big-files-temporary-dir' '--bind-mount-prefix' '--cgroup-manager' '--clean-shutdown-file' '--cni-config-dir' '--cni-default-network' '--cni-plugin-dir' '--config' '--config-dir' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-env' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--drop-infra-ctr' '--enable-metrics' '--enable-profile-unix-socket' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--image-volumes' '--infra-ctr-cpuset' '--insecure-registry' '--irqbalance-config-file' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--metrics-port' '--metrics-socket' '--namespaces-dir' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--pinns-path' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registries-conf-dir' '--registry' '--root' '--runroot' '--runtimes' '--seccomp-profile' '--seccomp-use-default-when-empty' '--selinux' '--separate-pull-cgroup' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-idle-timeout' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--version-file-persist' '--help' '--version')
+  opts=('--absent-mount-sources-to-reject' '--additional-devices' '--apparmor-profile' '--big-files-temporary-dir' '--bind-mount-prefix' '--cgroup-manager' '--clean-shutdown-file' '--cni-config-dir' '--cni-default-network' '--cni-plugin-dir' '--config' '--config-dir' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-env' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--drop-infra-ctr' '--enable-metrics' '--enable-profile-unix-socket' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--image-volumes' '--infra-ctr-cpuset' '--insecure-registry' '--internal-wipe' '--irqbalance-config-file' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--metrics-port' '--metrics-socket' '--namespaces-dir' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--pinns-path' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registries-conf-dir' '--registry' '--root' '--runroot' '--runtimes' '--seccomp-profile' '--seccomp-use-default-when-empty' '--selinux' '--separate-pull-cgroup' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-idle-timeout' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--version-file-persist' '--help' '--version')
   _describe 'global options' opts
 
   return

@@ -7,6 +7,19 @@ if [[ $EUID -ne 0 ]]; then
     exit 1
 fi
 
+# Bypass local DNS
+sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+
+# Prepare the system
+ufw disable
+ip6tables --list >/dev/null
+iptables -F
+sysctl -w net.ipv4.conf.all.route_localnet=1
+sysctl -w net.ipv4.ip_forward=1
+sysctl -w net.bridge.bridge-nf-call-iptables=1
+sysctl -w fs.inotify.max_user_watches=1048576
+iptables -t nat -I POSTROUTING -s 127.0.0.0/8 ! -d 127.0.0.0/8 -j MASQUERADE
+
 # Assume we're running on this arch
 ARCH=amd64
 
@@ -82,7 +95,6 @@ echo "Using IP: $IP"
 export DNS_SERVER_IP=$IP
 export API_HOST_IP=$IP
 
-iptables -F
 hack/install-etcd.sh
 export PATH="$GOPATH/src/k8s.io/kubernetes/third_party/etcd:$PATH"
 

@@ -32,7 +32,7 @@
 %global service_name crio
 
 Name: %{repo}
-Version: 1.21.0
+Version: 1.21.4
 Release: 1.ci%{?dist}
 Summary: Kubernetes Container Runtime Interface for OCI-based containers
 License: ASL 2.0

@@ -17,6 +17,7 @@
     src: https://ftp.gnu.org/gnu/parallel/parallel-20190322.tar.bz2
     dest: "{{ ansible_env.HOME }}"
     remote_src: yes
+    validate_certs: False
   when: ansible_distribution in ['RedHat', 'CentOS']
 
 - name: install parallel from sources

@@ -11,6 +11,7 @@ crio - OCI-based implementation of Kubernetes Container Runtime Interface
 crio
 
 ```
+[--absent-mount-sources-to-reject]=[value]
 [--additional-devices]=[value]
 [--apparmor-profile]=[value]
 [--big-files-temporary-dir]=[value]
@@ -48,6 +49,7 @@ crio
 [--image-volumes]=[value]
 [--infra-ctr-cpuset]=[value]
 [--insecure-registry]=[value]
+[--internal-wipe]
 [--irqbalance-config-file]=[value]
 [--listen]=[value]
 [--log-dir]=[value]
@@ -117,6 +119,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 # GLOBAL OPTIONS
 
+**--absent-mount-sources-to-reject**="": A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory). (default: [])
+
 **--additional-devices**="": Devices to add to the containers  (default: [])
 
 **--apparmor-profile**="": Name of the apparmor profile to be used as the runtime's default. This only takes effect if the user does not specify a profile via the Kubernetes Pod's metadata annotation. (default: crio-default)
@@ -232,6 +236,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
        their CA to their system's list of trusted CAs instead of using
        '--insecure-registry'. (default: [])
 
+**--internal-wipe**: Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts. If set to false, one must run `crio wipe` to wipe the containers and images in these situations.
+
 **--irqbalance-config-file**="": The irqbalance service config file which is used by CRI-O. (default: /etc/sysconfig/irqbalance)
 
 **--listen**="": Path to the CRI-O socket (default: /var/run/crio/crio.sock)

@@ -54,6 +54,10 @@ CRI-O reads its storage defaults from the containers-storage.conf(5) file locate
   It is used to check if crio wipe should wipe images, which should
   only happen when CRI-O has been upgraded
 
+**internal_wipe**=false
+  Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts.
+  If set to false, one must run `crio wipe` to wipe the containers and images in these situations.
+
 **clean_shutdown_file**="/var/lib/crio/clean.shutdown"
   Location for CRI-O to lay down the clean shutdown file.
   It is used to check whether crio had time to sync before shutting down.
@@ -249,6 +253,9 @@ the container runtime configuration.
 **pinns_path**=""
   The path to find the pinns binary, which is needed to manage namespace lifecycle
 
+**absent_mount_sources_to_reject**=[]
+  A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory).
+
 ### CRIO.RUNTIME.RUNTIMES TABLE
 The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.  The runtime to use is picked based on the runtime_handler provided by the CRI.  If no runtime_handler is provided, the runtime will be picked based on the level of trust of the workload.
 

@@ -4,23 +4,25 @@ module github.com/cri-o/cri-o
 
 require (
 	github.com/BurntSushi/toml v0.3.1
-	github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3
+	github.com/Microsoft/go-winio v0.5.0
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/containerd/containerd v1.5.0-beta.4
+	github.com/containerd/cgroups v1.0.1
+	github.com/containerd/containerd v1.5.1
 	github.com/containerd/ttrpc v1.0.2
+	github.com/containerd/typeurl v1.0.2
 	github.com/containernetworking/cni v0.8.1
 	github.com/containernetworking/plugins v0.9.1
 	github.com/containers/buildah v1.20.0
 	github.com/containers/common v0.35.4
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.11.0
-	github.com/containers/ocicrypt v1.1.0
+	github.com/containers/image/v5 v5.11.1
+	github.com/containers/ocicrypt v1.1.1
 	github.com/containers/podman/v3 v3.1.0
-	github.com/containers/storage v1.28.1
+	github.com/containers/storage v1.32.3
 	github.com/coreos/go-systemd/v22 v22.3.1
 	github.com/cpuguy83/go-md2man v1.0.10
 	github.com/creack/pty v1.1.11
-	github.com/cri-o/ocicni v0.2.1-0.20210301205850-541cf7c703cf
+	github.com/cri-o/ocicni v0.2.1-0.20210623033107-4ea5fb8752cf
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/docker/distribution v2.7.1+incompatible
 	github.com/docker/go-units v0.4.0
@@ -33,15 +35,15 @@ require (
 	github.com/google/renameio v1.0.0
 	github.com/google/uuid v1.2.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
-	github.com/json-iterator/go v1.1.10
+	github.com/json-iterator/go v1.1.11
 	github.com/onsi/ginkgo v1.15.2
 	github.com/onsi/gomega v1.11.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2-0.20200206005212-79b036d80240
-	github.com/opencontainers/runc v1.0.0-rc93
-	github.com/opencontainers/runtime-spec v1.0.3-0.20201121164853-7413a7f753e1
+	github.com/opencontainers/runc v1.0.0-rc95.0.20210521141834-a95237f81684
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/runtime-tools v0.9.1-0.20200121211434-d1bf3e66ff0a
-	github.com/opencontainers/selinux v1.8.0
+	github.com/opencontainers/selinux v1.9.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.10.0
 	github.com/psampaz/go-mod-outdated v0.7.0
@@ -53,7 +55,7 @@ require (
 	github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852
 	golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210324051608-47abb6519492
+	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
 	google.golang.org/grpc v1.37.0
 	k8s.io/api v0.21.0
 	k8s.io/apimachinery v0.21.0
@@ -69,6 +71,9 @@ require (
 replace (
 	github.com/golang/protobuf => github.com/golang/protobuf v1.3.5
 	github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20201121164853-7413a7f753e1
+	// Pinning the syndtr/gocapability until https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a
+	// is included in the runc release
+	github.com/syndtr/gocapability => github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
 	google.golang.org/genproto => google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24
 	google.golang.org/grpc => google.golang.org/grpc v1.27.0
 	k8s.io/api => k8s.io/kubernetes/staging/src/k8s.io/api v0.0.0-20210408162405-cb303e613a12