Merge pull request #47 from drachenfels-de/fixes

Fix race, update API and container image

Author: r10r

Dockerfile

@@ -3,8 +3,8 @@ ARG installcmd=install_all
 
 #ENV PKGS="psmisc util-linux"
 
-ENV GOLANG_SRC=https://golang.org/dl/go1.16.2.linux-amd64.tar.gz
-ENV GOLANG_CHECKSUM=542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8
+ENV GOLANG_SRC=https://golang.org/dl/go1.16.3.linux-amd64.tar.gz
+ENV GOLANG_CHECKSUM=951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2
 
 ENV CNI_PLUGINS_GIT_REPO=https://github.com/containernetworking/plugins.git
 ENV CNI_PLUGINS_GIT_VERSION=v0.9.1
@@ -13,18 +13,18 @@ ENV CONMON_GIT_REPO=https://github.com/containers/conmon.git
 ENV CONMON_GIT_VERSION=v2.0.27
 
 ENV CRIO_GIT_REPO=https://github.com/cri-o/cri-o.git
-ENV CRIO_GIT_VERSION=v1.20.1
+ENV CRIO_GIT_VERSION=v1.20.2
 
 ENV CRICTL_CHECKSUM=44d5f550ef3f41f9b53155906e0229ffdbee4b19452b4df540265e29572b899c
 ENV CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz"
 
 # see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md
-ENV K8S_CHECKSUM=37738bc8430b0832f32c6d13cdd68c376417270568cd9b31a1ff37e96cfebcc1e2970c72bed588f626e35ed8273671c77200f0d164e67809b5626a2a99e3c5f5
-ENV K8S_URL="https://dl.k8s.io/v1.20.4/kubernetes-server-linux-amd64.tar.gz"
+ENV K8S_CHECKSUM=ac936e05aef7bb887a5fb57d50f8c384ee395b5f34c85e5c0effd8709db042359f63247d4a6ae2c0831fe019cd3029465377117e42fff1b00a8e4b7473b88db9
+ENV K8S_URL="https://dl.k8s.io/v1.20.6/kubernetes-server-linux-amd64.tar.gz"
 
 ## development
 ENV LXC_GIT_REPO=https://github.com/lxc/lxc.git
-ENV LXC_GIT_VERSION=master
+ENV LXC_GIT_VERSION=b9f3cd48ecfed02e4218b55ea1b46273e429a083
 
 ENV LXCRI_GIT_REPO=https://github.com/lxc/lxcri.git
 ENV LXCRI_GIT_VERSION=main

cgroup.go

@@ -97,7 +97,7 @@ func configureCgroup(rt *Runtime, c *Container) error {
 	}
 
 	if pids := c.Spec.Linux.Resources.Pids; pids != nil {
-		if err := c.SetConfigItem("lxc.cgroup2.pids.max", fmt.Sprintf("%d", pids.Limit)); err != nil {
+		if err := c.setConfigItem("lxc.cgroup2.pids.max", fmt.Sprintf("%d", pids.Limit)); err != nil {
 			return err
 		}
 	}
@@ -122,30 +122,30 @@ func configureCgroupPath(rt *Runtime, c *Container) error {
 		c.CgroupDir = c.Spec.Linux.CgroupsPath
 	}
 
-	if err := c.SetConfigItem("lxc.cgroup.relative", "0"); err != nil {
+	if err := c.setConfigItem("lxc.cgroup.relative", "0"); err != nil {
 		return err
 	}
 
 	// @since lxc @a900cbaf257c6a7ee9aa73b09c6d3397581d38fb
 	// checking for on of the config items shuld be enough, because they were introduced together ...
 	//  lxc.cgroup.dir.payload and lxc.cgroup.dir.monitor
-	splitCgroup := c.SupportsConfigItem("lxc.cgroup.dir.container", "lxc.cgroup.dir.monitor")
+	splitCgroup := c.supportsConfigItem("lxc.cgroup.dir.container", "lxc.cgroup.dir.monitor")
 
 	if !splitCgroup || rt.MonitorCgroup == "" {
-		return c.SetConfigItem("lxc.cgroup.dir", c.CgroupDir)
+		return c.setConfigItem("lxc.cgroup.dir", c.CgroupDir)
 	}
 
 	c.MonitorCgroupDir = filepath.Join(rt.MonitorCgroup, c.ContainerID+".scope")
 
-	if err := c.SetConfigItem("lxc.cgroup.dir.container", c.CgroupDir); err != nil {
+	if err := c.setConfigItem("lxc.cgroup.dir.container", c.CgroupDir); err != nil {
 		return err
 	}
-	if err := c.SetConfigItem("lxc.cgroup.dir.monitor", c.MonitorCgroupDir); err != nil {
+	if err := c.setConfigItem("lxc.cgroup.dir.monitor", c.MonitorCgroupDir); err != nil {
 		return err
 	}
 
-	if c.SupportsConfigItem("lxc.cgroup.dir.monitor.pivot") {
-		if err := c.SetConfigItem("lxc.cgroup.dir.monitor.pivot", rt.MonitorCgroup); err != nil {
+	if c.supportsConfigItem("lxc.cgroup.dir.monitor.pivot") {
+		if err := c.setConfigItem("lxc.cgroup.dir.monitor.pivot", rt.MonitorCgroup); err != nil {
 			return err
 		}
 	}
@@ -191,16 +191,16 @@ func configureDeviceController(c *Container) error {
 			}
 			// decompose
 			val := fmt.Sprintf("%s %s:%s %s", blockDevice, maj, min, dev.Access)
-			if err := c.SetConfigItem(key, val); err != nil {
+			if err := c.setConfigItem(key, val); err != nil {
 				return err
 			}
 			val = fmt.Sprintf("%s %s:%s %s", charDevice, maj, min, dev.Access)
-			if err := c.SetConfigItem(key, val); err != nil {
+			if err := c.setConfigItem(key, val); err != nil {
 				return err
 			}
 		case blockDevice, charDevice:
 			val := fmt.Sprintf("%s %s:%s %s", dev.Type, maj, min, dev.Access)
-			if err := c.SetConfigItem(key, val); err != nil {
+			if err := c.setConfigItem(key, val); err != nil {
 				return err
 			}
 		default:
@@ -216,32 +216,32 @@ func configureCPUController(clxc *Runtime, slinux *specs.LinuxCPU) error {
 	clxc.Log.Debug().Msg("TODO configure cgroup cpu controller")
 	/*
 		if cpu.Shares != nil && *cpu.Shares > 0 {
-				if err := clxc.SetConfigItem("lxc.cgroup2.cpu.shares", fmt.Sprintf("%d", *cpu.Shares)); err != nil {
+				if err := clxc.setConfigItem("lxc.cgroup2.cpu.shares", fmt.Sprintf("%d", *cpu.Shares)); err != nil {
 					return err
 				}
 		}
 		if cpu.Quota != nil && *cpu.Quota > 0 {
-			if err := clxc.SetConfigItem("lxc.cgroup2.cpu.cfs_quota_us", fmt.Sprintf("%d", *cpu.Quota)); err != nil {
+			if err := clxc.setConfigItem("lxc.cgroup2.cpu.cfs_quota_us", fmt.Sprintf("%d", *cpu.Quota)); err != nil {
 				return err
 			}
 		}
 			if cpu.Period != nil && *cpu.Period != 0 {
-				if err := clxc.SetConfigItem("lxc.cgroup2.cpu.cfs_period_us", fmt.Sprintf("%d", *cpu.Period)); err != nil {
+				if err := clxc.setConfigItem("lxc.cgroup2.cpu.cfs_period_us", fmt.Sprintf("%d", *cpu.Period)); err != nil {
 					return err
 				}
 			}
 		if cpu.Cpus != "" {
-			if err := clxc.SetConfigItem("lxc.cgroup2.cpuset.cpus", cpu.Cpus); err != nil {
+			if err := clxc.setConfigItem("lxc.cgroup2.cpuset.cpus", cpu.Cpus); err != nil {
 				return err
 			}
 		}
 		if cpu.RealtimePeriod != nil && *cpu.RealtimePeriod > 0 {
-			if err := clxc.SetConfigItem("lxc.cgroup2.cpu.rt_period_us", fmt.Sprintf("%d", *cpu.RealtimePeriod)); err != nil {
+			if err := clxc.setConfigItem("lxc.cgroup2.cpu.rt_period_us", fmt.Sprintf("%d", *cpu.RealtimePeriod)); err != nil {
 				return err
 			}
 		}
 		if cpu.RealtimeRuntime != nil && *cpu.RealtimeRuntime > 0 {
-			if err := clxc.SetConfigItem("lxc.cgroup2.cpu.rt_runtime_us", fmt.Sprintf("%d", *cpu.RealtimeRuntime)); err != nil {
+			if err := clxc.setConfigItem("lxc.cgroup2.cpu.rt_runtime_us", fmt.Sprintf("%d", *cpu.RealtimeRuntime)); err != nil {
 				return err
 			}
 		}

container.go

@@ -31,17 +31,21 @@ type ContainerConfig struct {
 	// The ContainerID should match the following pattern `[a-z][a-z0-9-_]+`
 	ContainerID string
 
-	BundlePath    string
+	// BundlePath is the OCI bundle path.
+	BundlePath string
+
 	ConsoleSocket string `json:",omitempty"`
 
-	// PidFile is the absolute PID file path
-	// for the container monitor process (ExecStart)
+	// MonitorCgroupDir is the cgroup directory path
+	// for the liblxc monitor process `lxcri-start`
+	// relative to the cgroup root.
 	MonitorCgroupDir string
 
 	CgroupDir string
 
 	// LogFile is the liblxc log file path
 	LogFile string
+
 	// LogLevel is the liblxc log level
 	LogLevel string
 
@@ -59,7 +63,7 @@ func (c Container) syncFifoPath() string {
 }
 
 // RuntimePath returns the absolute path to the given sub path
-// within the container root.
+// within the container runtime directory.
 func (c Container) RuntimePath(subPath ...string) string {
 	return filepath.Join(c.runtimeDir, filepath.Join(subPath...))
 }
@@ -151,7 +155,7 @@ func (c *Container) isMonitorRunning() bool {
 	}
 
 	// if WNOHANG was specified and one or more child(ren) specified by pid exist,
-	// but have not yet changed state, then 0 is returned
+	// but have not yet exited, then 0 is returned
 	if pid == 0 {
 		return true
 	}
@@ -205,7 +209,7 @@ func (c *Container) waitStarted(ctx context.Context) error {
 			return ctx.Err()
 		default:
 			if !c.isMonitorRunning() {
-				return fmt.Errorf("monitor already died")
+				return nil
 			}
 			initState, _ := c.getContainerInitState()
 			if initState != specs.StateCreated {
@@ -308,9 +312,9 @@ func (c *Container) kill(ctx context.Context, signum unix.Signal) error {
 	return nil
 }
 
-// GetConfigItem is a wrapper function and returns the
-// first value returned by  *lxc.Container.ConfigItem
-func (c *Container) GetConfigItem(key string) string {
+// getConfigItem is a wrapper function and returns the
+// first value returned by lxc.Container.ConfigItem
+func (c *Container) getConfigItem(key string) string {
 	vals := c.LinuxContainer.ConfigItem(key)
 	if len(vals) > 0 {
 		first := vals[0]
@@ -323,9 +327,9 @@ func (c *Container) GetConfigItem(key string) string {
 	return ""
 }
 
-// SetConfigItem is a wrapper for *lxc.Container.SetConfigItem.
+// setConfigItem is a wrapper for lxc.Container.setConfigItem.
 // and only adds additional logging.
-func (c *Container) SetConfigItem(key, value string) error {
+func (c *Container) setConfigItem(key, value string) error {
 	err := c.LinuxContainer.SetConfigItem(key, value)
 	if err != nil {
 		return fmt.Errorf("failed to set config item '%s=%s': %w", key, value, err)
@@ -334,8 +338,8 @@ func (c *Container) SetConfigItem(key, value string) error {
 	return nil
 }
 
-// SupportsConfigItem is a wrapper for *lxc.Container.IsSupportedConfig item.
-func (c *Container) SupportsConfigItem(keys ...string) bool {
+// supportsConfigItem is a wrapper for lxc.Container.IsSupportedConfig item.
+func (c *Container) supportsConfigItem(keys ...string) bool {
 	canCheck := lxc.VersionAtLeast(4, 0, 6)
 	if !canCheck {
 		c.Log.Warn().Msg("lxc.IsSupportedConfigItem is broken in liblxc < 4.0.6")

create.go

@@ -97,13 +97,13 @@ func configureContainer(rt *Runtime, c *Container) error {
 	}
 
 	if c.Spec.Process.OOMScoreAdj != nil {
-		if err := c.SetConfigItem("lxc.proc.oom_score_adj", fmt.Sprintf("%d", *c.Spec.Process.OOMScoreAdj)); err != nil {
+		if err := c.setConfigItem("lxc.proc.oom_score_adj", fmt.Sprintf("%d", *c.Spec.Process.OOMScoreAdj)); err != nil {
 			return err
 		}
 	}
 
 	if c.Spec.Process.NoNewPrivileges {
-		if err := c.SetConfigItem("lxc.no_new_privs", "1"); err != nil {
+		if err := c.setConfigItem("lxc.no_new_privs", "1"); err != nil {
 			return err
 		}
 	}
@@ -122,7 +122,7 @@ func configureContainer(rt *Runtime, c *Container) error {
 			if err := writeSeccompProfile(profilePath, c.Spec.Linux.Seccomp); err != nil {
 				return err
 			}
-			if err := c.SetConfigItem("lxc.seccomp.profile", profilePath); err != nil {
+			if err := c.setConfigItem("lxc.seccomp.profile", profilePath); err != nil {
 				return err
 			}
 		}
@@ -139,7 +139,7 @@ func configureContainer(rt *Runtime, c *Container) error {
 	}
 
 	// make sure autodev is disabled
-	if err := c.SetConfigItem("lxc.autodev", "0"); err != nil {
+	if err := c.setConfigItem("lxc.autodev", "0"); err != nil {
 		return err
 	}
 
@@ -190,7 +190,7 @@ func configureContainer(rt *Runtime, c *Container) error {
 	}
 
 	for key, val := range c.Spec.Linux.Sysctl {
-		if err := c.SetConfigItem("lxc.sysctl."+key, val); err != nil {
+		if err := c.setConfigItem("lxc.sysctl."+key, val); err != nil {
 			return err
 		}
 	}
@@ -207,7 +207,7 @@ func configureContainer(rt *Runtime, c *Container) error {
 		}
 		seenLimits = append(seenLimits, name)
 		val := fmt.Sprintf("%d:%d", limit.Soft, limit.Hard)
-		if err := c.SetConfigItem("lxc.prlimit."+name, val); err != nil {
+		if err := c.setConfigItem("lxc.prlimit."+name, val); err != nil {
 			return err
 		}
 	}
@@ -226,7 +226,7 @@ func configureHostname(rt *Runtime, c *Container) error {
 	if c.Spec.Hostname == "" {
 		return nil
 	}
-	if err := c.SetConfigItem("lxc.uts.name", c.Spec.Hostname); err != nil {
+	if err := c.setConfigItem("lxc.uts.name", c.Spec.Hostname); err != nil {
 		return err
 	}
 
@@ -256,20 +256,20 @@ func configureRootfs(rt *Runtime, c *Container) error {
 	if !filepath.IsAbs(rootfs) {
 		rootfs = filepath.Join(c.BundlePath, rootfs)
 	}
-	if err := c.SetConfigItem("lxc.rootfs.path", rootfs); err != nil {
+	if err := c.setConfigItem("lxc.rootfs.path", rootfs); err != nil {
 		return err
 	}
 
-	if err := c.SetConfigItem("lxc.rootfs.mount", rootfs); err != nil {
+	if err := c.setConfigItem("lxc.rootfs.mount", rootfs); err != nil {
 		return err
 	}
 
-	if err := c.SetConfigItem("lxc.rootfs.managed", "0"); err != nil {
+	if err := c.setConfigItem("lxc.rootfs.managed", "0"); err != nil {
 		return err
 	}
 
 	// Resources not created by the container runtime MUST NOT be deleted by it.
-	if err := c.SetConfigItem("lxc.ephemeral", "0"); err != nil {
+	if err := c.setConfigItem("lxc.ephemeral", "0"); err != nil {
 		return err
 	}
 
@@ -280,20 +280,20 @@ func configureRootfs(rt *Runtime, c *Container) error {
 	if c.Spec.Root.Readonly {
 		rootfsOptions = append(rootfsOptions, "ro")
 	}
-	if err := c.SetConfigItem("lxc.rootfs.options", strings.Join(rootfsOptions, ",")); err != nil {
+	if err := c.setConfigItem("lxc.rootfs.options", strings.Join(rootfsOptions, ",")); err != nil {
 		return err
 	}
 	return nil
 }
 
 func configureReadonlyPaths(c *Container) error {
-	rootmnt := c.GetConfigItem("lxc.rootfs.mount")
+	rootmnt := c.getConfigItem("lxc.rootfs.mount")
 	if rootmnt == "" {
 		return fmt.Errorf("lxc.rootfs.mount unavailable")
 	}
 	for _, p := range c.Spec.Linux.ReadonlyPaths {
 		mnt := fmt.Sprintf("%s %s %s %s", filepath.Join(rootmnt, p), strings.TrimPrefix(p, "/"), "bind", "bind,ro,optional")
-		if err := c.SetConfigItem("lxc.mount.entry", mnt); err != nil {
+		if err := c.setConfigItem("lxc.mount.entry", mnt); err != nil {
 			return fmt.Errorf("failed to make path readonly: %w", err)
 		}
 	}
@@ -306,7 +306,7 @@ func configureApparmor(c *Container) error {
 	if aaprofile == "" {
 		aaprofile = "unconfined"
 	}
-	return c.SetConfigItem("lxc.apparmor.profile", aaprofile)
+	return c.setConfigItem("lxc.apparmor.profile", aaprofile)
 }
 
 // configureCapabilities configures the linux capabilities / privileges granted to the container processes.
@@ -326,7 +326,7 @@ func configureCapabilities(c *Container) error {
 		}
 	}
 
-	return c.SetConfigItem("lxc.cap.keep", keepCaps)
+	return c.setConfigItem("lxc.cap.keep", keepCaps)
 }
 
 // NOTE keep in sync with cmd/lxcri-hook#ociHooksAndState
@@ -359,22 +359,22 @@ func configureHooks(rt *Runtime, c *Container) error {
 	c.Spec.Hooks = &hooks
 
 	// pass context information as environment variables to hook scripts
-	if err := c.SetConfigItem("lxc.hook.version", "1"); err != nil {
+	if err := c.setConfigItem("lxc.hook.version", "1"); err != nil {
 		return err
 	}
 
 	if len(c.Spec.Hooks.Prestart) > 0 || len(c.Spec.Hooks.CreateRuntime) > 0 {
-		if err := c.SetConfigItem("lxc.hook.pre-mount", rt.libexec(ExecHook)); err != nil {
+		if err := c.setConfigItem("lxc.hook.pre-mount", rt.libexec(ExecHook)); err != nil {
 			return err
 		}
 	}
 	if len(c.Spec.Hooks.CreateContainer) > 0 {
-		if err := c.SetConfigItem("lxc.hook.mount", rt.libexec(ExecHook)); err != nil {
+		if err := c.setConfigItem("lxc.hook.mount", rt.libexec(ExecHook)); err != nil {
 			return err
 		}
 	}
 	if len(c.Spec.Hooks.StartContainer) > 0 {
-		if err := c.SetConfigItem("lxc.hook.start", rt.libexec(ExecHook)); err != nil {
+		if err := c.setConfigItem("lxc.hook.start", rt.libexec(ExecHook)); err != nil {
 			return err
 		}
 	}