Add containerd shim v2 support. (google#13)

* Update vendors

Signed-off-by: Lantao Liu <lantaol@google.com>

* Add containerd shim v2 support.

Signed-off-by: Lantao Liu <lantaol@google.com>

* Add test and doc for containerd-shim-runsc-v1.

Signed-off-by: Lantao Liu <lantaol@google.com>

* Address comments.

Author: Random-Liu

.travis.yml

@@ -7,6 +7,7 @@ env:
   - CONTAINERD_VERSION=1.1.5 RUNSC_VERSION=2018-12-07 TEST=untrusted-workload
   - CONTAINERD_VERSION=1.2.1 RUNSC_VERSION=2018-12-07 TEST=untrusted-workload
   - CONTAINERD_VERSION=1.2.1 RUNSC_VERSION=2018-12-07 TEST=runtime-handler
+  - CONTAINERD_VERSION=1.2.1 RUNSC_VERSION=2018-12-07 TEST=runtime-handler-shim-v2
 
 
 go_import_path: github.com/google/gvisor-containerd-shim

Makefile

@@ -7,16 +7,22 @@ SOURCES=$(shell find cmd/ pkg/ vendor/ -name '*.go')
 DEPLOY_PATH=cri-containerd-staging/gvisor-containerd-shim
 VERSION=$(shell git rev-parse HEAD)
 
+all: bin/gvisor-containerd-shim bin/containerd-shim-runsc-v1
+
 bin/gvisor-containerd-shim: $(SOURCES)
 	CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/gvisor-containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/gvisor-containerd-shim
 
+bin/containerd-shim-runsc-v1: $(SOURCES)
+	CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runsc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runsc-v1
 
 install: bin/gvisor-containerd-shim
 	mkdir -p $(DESTDIR)/bin
 	install bin/gvisor-containerd-shim $(DESTDIR)/bin
+	install bin/containerd-shim-runsc-v1 $(DESTDIR)/bin
 
 uninstall:
 	rm -f $(DESTDIR)/bin/gvisor-containerd-shim
+	rm -f $(DESTDIR)/bin/containerd-shim-runsc-v1
 
 clean:
 	rm -rf bin/*

README.md

@@ -14,6 +14,7 @@ gvisor-containerd-shim is a containerd shim for [gVisor](https://github.com/goog
 
 - [Untrusted Workload Quick Start (containerd >=1.1)](docs/untrusted-workload-quickstart.md)
 - [Runtime Handler Quick Start (containerd >=1.2)](docs/runtime-handler-quickstart.md)
+- [Runtime Handler Quick Start (shim v2) (containerd >=1.2)](docs/runtime-handler-shim-v2-quickstart.md)
 
 # Contributing
 

cmd/containerd-shim-runsc-v1/main.go

@@ -0,0 +1,24 @@
+/*
+   Copyright The containerd Authors.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/containerd/containerd/runtime/v2/shim"
+
+	runsc "github.com/google/gvisor-containerd-shim/pkg/v2"
+)
+
+func main() {
+	shim.Run("io.containerd.runsc.v1", runsc.New)
+}

cmd/gvisor-containerd-shim/main.go

@@ -48,7 +48,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	runsc "github.com/google/gvisor-containerd-shim/pkg/go-runsc"
-	"github.com/google/gvisor-containerd-shim/pkg/shim"
+	"github.com/google/gvisor-containerd-shim/pkg/v1/shim"
 )
 
 var (

docs/README.md

@@ -4,3 +4,4 @@ Everything you need to know about gvisor-containerd-shim
 
 - [Untrusted Workload Quick Start (containerd >=1.1)](untrusted-workload-quickstart.md)
 - [Runtime Handler Quick Start (containerd >=1.2)](runtime-handler-quickstart.md)
+- [Runtime Handler Quick Start (shim v2) (containerd >=1.2)](runtime-handler-shim-v2-quickstart.md)

docs/runtime-handler-quickstart.md

@@ -16,30 +16,22 @@ later.
 1. Download the latest release of the `gvisor-containerd-shim`. See the
    [releases page](https://github.com/google/gvisor-containerd-shim/releases)
 
-[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 1/ /^}/)
+[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 1\(release\)/ /^}/)
 ```shell
-{ # Step 1: Download gvisor-containerd-shim
+{ # Step 1(release): Install gvisor-containerd-shim
 LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*' | head -1)
 wget -O gvisor-containerd-shim
 chmod +x gvisor-containerd-shim
+sudo mv gvisor-containerd-shim /usr/local/bin/gvisor-containerd-shim
 }
 ```
 
-2. Copy the binary to the desired directory:
-
-[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 2/ /^}/)
-```shell
-{ # Step 2: Copy the binary to the desired directory
-sudo mv gvisor-containerd-shim-* /usr/local/bin/gvisor-containerd-shim
-}
-```
-
-3. Create the configuration for the gvisor shim in
+2. Create the configuration for the gvisor shim in
    `/etc/containerd/gvisor-containerd-shim.yaml`:
 
-[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 3/ /^}/)
+[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 2/ /^}/)
 ```shell
-{ # Step 3: Create the gvisor-containerd-shim.yaml
+{ # Step 2: Create the gvisor-containerd-shim.yaml
 cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.yaml
 # This is the path to the default runc containerd-shim.
 runc_shim = "/usr/local/bin/containerd-shim"

docs/runtime-handler-shim-v2-quickstart.md

@@ -0,0 +1,187 @@
+# Runtime Handler Quickstart (Shim V2)
+
+This document describes how to install and run `containerd-shim-runsc-v1` using
+the containerd runtime handler support. This requires containerd 1.2 or later.
+
+## Requirements
+
+- **runsc**: See the [gVisor documentation](https://github.com/google/gvisor) for information on how to install runsc.
+- **containerd**: See the [containerd website](https://containerd.io/) for information on how to install containerd.
+
+## Install
+
+### Install containerd-shim-runsc-v1
+
+1. Build and install `containerd-shim-runsc-v1`.
+
+<!-- TODO: Use a release once we have one available. -->
+[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 1\(dev\)/ /^}/)
+```shell
+{ # Step 1(dev): Build and install gvisor-containerd-shim and containerd-shim-runsc-v1
+    make
+    sudo make install
+}
+```
+
+### Configure containerd
+
+1. Update `/etc/containerd/config.toml`. Make sure `containerd-shim-runsc-v1` is
+   in `${PATH}`.
+
+[embedmd]:# (../test/e2e/runtime-handler-shim-v2/install.sh shell /{ # Step 1/ /^}/)
+```shell
+{ # Step 1: Create containerd config.toml
+cat <<EOF | sudo tee /etc/containerd/config.toml
+disabled_plugins = ["restart"]
+[plugins.linux]
+  shim_debug = true
+[plugins.cri.containerd.runtimes.runsc]
+  runtime_type = "io.containerd.runsc.v1"
+EOF
+}
+```
+
+2. Restart `containerd`
+
+```shell
+sudo systemctl restart containerd
+```
+
+## Usage
+
+You can run containers in gVisor via containerd's CRI.
+
+### Install crictl
+
+1. Download and install the crictl binary:
+
+[embedmd]:# (../test/e2e/crictl-install.sh shell /{ # Step 1/ /^}/)
+```shell
+{ # Step 1: Download crictl
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
+tar xf crictl-v1.13.0-linux-amd64.tar.gz
+sudo mv crictl /usr/local/bin
+}
+```
+
+2. Write the crictl configuration file
+
+[embedmd]:# (../test/e2e/crictl-install.sh shell /{ # Step 2/ /^}/)
+```shell
+{ # Step 2: Configure crictl
+cat <<EOF | sudo tee /etc/crictl.yaml
+runtime-endpoint: unix:///run/containerd/containerd.sock
+EOF
+}
+```
+
+### Create the nginx Sandbox in gVisor
+
+1. Pull the nginx image
+
+[embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 1/ /^}/)
+```shell
+{ # Step 1: Pull the nginx image
+sudo crictl pull nginx
+}
+```
+
+2. Create the sandbox creation request
+
+[embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 2/ /^EOF\n}/)
+```shell
+{ # Step 2: Create sandbox.json
+cat <<EOF | tee sandbox.json
+{
+    "metadata": {
+        "name": "nginx-sandbox",
+        "namespace": "default",
+        "attempt": 1,
+        "uid": "hdishd83djaidwnduwk28bcsb"
+    },
+    "linux": {
+    },
+    "log_directory": "/tmp"
+}
+EOF
+}
+```
+
+3. Create the pod in gVisor
+
+[embedmd]:# (../test/e2e/runtime-handler/usage.sh shell /{ # Step 3/ /^}/)
+```shell
+{ # Step 3: Create the sandbox
+SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
+}
+```
+
+### Run the nginx Container in the Sandbox
+
+1. Create the nginx container creation request
+
+[embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 1/ /^EOF\n}/)
+```shell
+{ # Step 1: Create nginx container config
+cat <<EOF | tee container.json
+{
+  "metadata": {
+      "name": "nginx"
+    },
+  "image":{
+      "image": "nginx"
+    },
+  "log_path":"nginx.0.log",
+  "linux": {
+  }
+}
+EOF
+}
+```
+
+2. Create the nginx container
+
+[embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 2/ /^}/)
+```shell
+{ # Step 2: Create nginx container
+CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
+}
+```
+
+3. Start the nginx container
+
+[embedmd]:# (../test/e2e/run-container.sh shell /{ # Step 3/ /^}/)
+```shell
+{ # Step 3: Start nginx container
+sudo crictl start ${CONTAINER_ID}
+}
+```
+
+### Validate the container
+
+1. Inspect the created pod
+
+[embedmd]:# (../test/e2e/validate.sh shell /{ # Step 1/ /^}/)
+```shell
+{ # Step 1: Inspect the pod
+sudo crictl inspectp ${SANDBOX_ID}
+}
+```
+
+2. Inspect the nginx container
+
+[embedmd]:# (../test/e2e/validate.sh shell /{ # Step 2/ /^}/)
+```shell
+{ # Step 2: Inspect the container
+sudo crictl inspect ${CONTAINER_ID}
+}
+```
+
+3. Verify that nginx is running in gVisor
+
+[embedmd]:# (../test/e2e/validate.sh shell /{ # Step 3/ /^}/)
+```shell
+{ # Step 3: Check dmesg
+sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
+}
+```

docs/untrusted-workload-quickstart.md

@@ -13,36 +13,28 @@ are using containerd 1.2, please consider using runtime handler.*
 - **containerd**: See the [containerd website](https://containerd.io/) for information on how to install containerd.
 
 ## Install
- 
+
 ### Install gvisor-containerd-shim
 
 1. Download the latest release of the `gvisor-containerd-shim`. See the
    [releases page](https://github.com/google/gvisor-containerd-shim/releases)
 
 [embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 1/ /^}/)
 ```shell
-{ # Step 1: Download gvisor-containerd-shim
+{ # Step 1(release): Install gvisor-containerd-shim
 LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*' | head -1)
 wget -O gvisor-containerd-shim
 chmod +x gvisor-containerd-shim
+sudo mv gvisor-containerd-shim /usr/local/bin/gvisor-containerd-shim
 }
 ```
 
-2. Copy the binary to the desired directory:
-
-[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 2/ /^}/)
-```shell
-{ # Step 2: Copy the binary to the desired directory
-sudo mv gvisor-containerd-shim-* /usr/local/bin/gvisor-containerd-shim
-}
-```
-
-3. Create the configuration for the gvisor shim in
+2. Create the configuration for the gvisor shim in
    `/etc/containerd/gvisor-containerd-shim.yaml`:
 
-[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 3/ /^}/)
+[embedmd]:# (../test/e2e/shim-install.sh shell /{ # Step 2/ /^}/)
 ```shell
-{ # Step 3: Create the gvisor-containerd-shim.yaml
+{ # Step 2: Create the gvisor-containerd-shim.yaml
 cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.yaml
 # This is the path to the default runc containerd-shim.
 runc_shim = "/usr/local/bin/containerd-shim"

pkg/proc/deleted_state.go pkg/v1/proc/deleted_state.go

@@ -30,7 +30,6 @@ import (
 	"github.com/containerd/console"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/runtime/proc"
-	"github.com/containerd/containerd/runtime/v1/shim"
 	"github.com/containerd/fifo"
 	runc "github.com/containerd/go-runc"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -171,19 +170,19 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 	if socket != nil {
 		opts.ConsoleSocket = socket
 	}
-	eventCh := shim.Default.Subscribe()
+	eventCh := e.parent.Monitor.Subscribe()
 	defer func() {
 		// Unsubscribe if an error is returned.
 		if err != nil {
-			shim.Default.Unsubscribe(eventCh)
+			e.parent.Monitor.Unsubscribe(eventCh)
 		}
 	}()
 	if err := e.parent.runtime.Exec(ctx, e.parent.id, e.spec, opts); err != nil {
 		close(e.waitBlock)
 		return e.parent.runtimeError(err, "OCI runtime exec failed")
 	}
 	if e.stdio.Stdin != "" {
-		sc, err := fifo.OpenFifo(ctx, e.stdio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)
+		sc, err := fifo.OpenFifo(context.Background(), e.stdio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)
 		if err != nil {
 			return errors.Wrapf(err, "failed to open stdin fifo %s", e.stdio.Stdin)
 		}
@@ -192,11 +191,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 	}
 	var copyWaitGroup sync.WaitGroup
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer func() {
-		if err != nil {
-			cancel()
-		}
-	}()
+	defer cancel()
 	if socket != nil {
 		console, err := socket.ReceiveMaster()
 		if err != nil {
@@ -222,7 +217,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 	}
 	e.internalPid = internalPid
 	go func() {
-		defer shim.Default.Unsubscribe(eventCh)
+		defer e.parent.Monitor.Unsubscribe(eventCh)
 		for event := range eventCh {
 			if event.Pid == e.pid {
 				ExitCh <- Exit{