Merge pull request #952 from Random-Liu/cherrypick-#949-release-1.0

Random-Liu · web-flow · commit ac043660063c · 2018-10-20T22:38:30.000-07:00
Cherrypick #949 release 1.0
diff --git a/integration/restart_test.go b/integration/restart_test.go
@@ -18,7 +18,6 @@ package integration
 
 import (
 	"testing"
-	"time"
 
 	"github.com/containerd/containerd"
 	"github.com/stretchr/testify/assert"
@@ -128,27 +127,8 @@ func TestContainerdRestart(t *testing.T) {
 		}
 	}
 
-	t.Logf("Kill containerd")
-	require.NoError(t, KillProcess("containerd"))
-	defer func() {
-		assert.NoError(t, Eventually(func() (bool, error) {
-			return ConnectDaemons() == nil, nil
-		}, time.Second, 30*time.Second), "make sure containerd is running before test finish")
-	}()
-
-	t.Logf("Wait until containerd is killed")
-	require.NoError(t, Eventually(func() (bool, error) {
-		pid, err := PidOf("containerd")
-		if err != nil {
-			return false, err
-		}
-		return pid == 0, nil
-	}, time.Second, 30*time.Second), "wait for containerd to be killed")
-
-	t.Logf("Wait until containerd is restarted")
-	require.NoError(t, Eventually(func() (bool, error) {
-		return ConnectDaemons() == nil, nil
-	}, time.Second, 30*time.Second), "wait for containerd to be restarted")
+	t.Logf("Restart containerd")
+	RestartContainerd(t)
 
 	t.Logf("Check sandbox and container state after restart")
 	loadedSandboxes, err := runtimeService.ListPodSandbox(&runtime.PodSandboxFilter{})
diff --git a/integration/sandbox_clean_remove_test.go b/integration/sandbox_clean_remove_test.go
@@ -17,14 +17,23 @@ limitations under the License.
 package integration
 
 import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/containerd/containerd"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/context"
+	"golang.org/x/sys/unix"
 	runtime "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
+
+	"github.com/containerd/cri/pkg/server"
 )
 
 func TestSandboxCleanRemove(t *testing.T) {
@@ -66,3 +75,100 @@ func TestSandboxCleanRemove(t *testing.T) {
 	assert.NoError(t, runtimeService.StopPodSandbox(sb))
 	assert.NoError(t, runtimeService.RemovePodSandbox(sb))
 }
+
+func TestSandboxRemoveWithoutIPLeakage(t *testing.T) {
+	ctx := context.Background()
+	const hostLocalCheckpointDir = "/var/lib/cni"
+
+	t.Logf("Make sure host-local ipam is in use")
+	config, err := CRIConfig()
+	require.NoError(t, err)
+	fs, err := ioutil.ReadDir(config.NetworkPluginConfDir)
+	require.NoError(t, err)
+	require.NotEmpty(t, fs)
+	f := filepath.Join(config.NetworkPluginConfDir, fs[0].Name())
+	cniConfig, err := ioutil.ReadFile(f)
+	require.NoError(t, err)
+	if !strings.Contains(string(cniConfig), "host-local") {
+		t.Skip("host-local ipam is not in use")
+	}
+
+	t.Logf("Create a sandbox")
+	sbConfig := PodSandboxConfig("sandbox", "remove-without-ip-leakage")
+	sb, err := runtimeService.RunPodSandbox(sbConfig)
+	require.NoError(t, err)
+	defer func() {
+		// Make sure the sandbox is cleaned up in any case.
+		runtimeService.StopPodSandbox(sb)
+		runtimeService.RemovePodSandbox(sb)
+	}()
+
+	t.Logf("Get pod information")
+	client, err := RawRuntimeClient()
+	require.NoError(t, err)
+	resp, err := client.PodSandboxStatus(ctx, &runtime.PodSandboxStatusRequest{
+		PodSandboxId: sb,
+		Verbose:      true,
+	})
+	require.NoError(t, err)
+	status := resp.GetStatus()
+	info := resp.GetInfo()
+	ip := status.GetNetwork().GetIp()
+	require.NotEmpty(t, ip)
+	var sbInfo server.SandboxInfo
+	require.NoError(t, json.Unmarshal([]byte(info["info"]), &sbInfo))
+	require.NotNil(t, sbInfo.RuntimeSpec.Linux)
+	var netNS string
+	for _, n := range sbInfo.RuntimeSpec.Linux.Namespaces {
+		if n.Type == runtimespec.NetworkNamespace {
+			netNS = n.Path
+		}
+	}
+	require.NotEmpty(t, netNS, "network namespace should be set")
+
+	t.Logf("Should be able to find the pod ip in host-local checkpoint")
+	checkIP := func(ip string) bool {
+		found := false
+		filepath.Walk(hostLocalCheckpointDir, func(_ string, info os.FileInfo, _ error) error {
+			if info != nil && info.Name() == ip {
+				found = true
+			}
+			return nil
+		})
+		return found
+	}
+	require.True(t, checkIP(ip))
+
+	t.Logf("Kill sandbox container")
+	require.NoError(t, KillPid(int(sbInfo.Pid)))
+
+	t.Logf("Unmount network namespace")
+	// The umount will take effect after containerd is stopped.
+	require.NoError(t, unix.Unmount(netNS, unix.MNT_DETACH))
+
+	t.Logf("Restart containerd")
+	RestartContainerd(t)
+
+	t.Logf("Sandbox state should be NOTREADY")
+	assert.NoError(t, Eventually(func() (bool, error) {
+		status, err := runtimeService.PodSandboxStatus(sb)
+		if err != nil {
+			return false, err
+		}
+		return status.GetState() == runtime.PodSandboxState_SANDBOX_NOTREADY, nil
+	}, time.Second, 30*time.Second), "sandbox state should become NOTREADY")
+
+	t.Logf("Network namespace should have been removed")
+	_, err = os.Stat(netNS)
+	assert.True(t, os.IsNotExist(err))
+
+	t.Logf("Should still be able to find the pod ip in host-local checkpoint")
+	assert.True(t, checkIP(ip))
+
+	t.Logf("Should be able to remove the sandbox after properly stopped")
+	assert.NoError(t, runtimeService.StopPodSandbox(sb))
+	assert.NoError(t, runtimeService.RemovePodSandbox(sb))
+
+	t.Logf("Should not be able to find the pod ip in host-local checkpoint")
+	assert.False(t, checkIP(ip))
+}
diff --git a/integration/test_utils.go b/integration/test_utils.go
@@ -24,11 +24,14 @@ import (
 	"os/exec"
 	"strconv"
 	"strings"
+	"testing"
 	"time"
 
 	"github.com/containerd/containerd"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 	"k8s.io/kubernetes/pkg/kubelet/apis/cri"
 	runtime "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
@@ -265,6 +268,15 @@ func KillProcess(name string) error {
 	return nil
 }
 
+// KillPid kills the process by pid. kill is used.
+func KillPid(pid int) error {
+	output, err := exec.Command("kill", strconv.Itoa(pid)).CombinedOutput()
+	if err != nil {
+		return errors.Errorf("failed to kill %d - error: %v, output: %q", pid, err, output)
+	}
+	return nil
+}
+
 // PidOf returns pid of a process by name.
 func PidOf(name string) (int, error) {
 	b, err := exec.Command("pidof", name).CombinedOutput()
@@ -278,8 +290,8 @@ func PidOf(name string) (int, error) {
 	return strconv.Atoi(output)
 }
 
-// CRIConfig gets current cri config from containerd.
-func CRIConfig() (*criconfig.Config, error) {
+// RawRuntimeClient returns a raw grpc runtime service client.
+func RawRuntimeClient() (runtime.RuntimeServiceClient, error) {
 	addr, dialer, err := kubeletutil.GetAddressAndDialer(*criEndpoint)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get dialer")
@@ -290,8 +302,16 @@ func CRIConfig() (*criconfig.Config, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to connect cri endpoint")
 	}
-	client := runtime.NewRuntimeServiceClient(conn)
-	resp, err := client.Status(ctx, &runtime.StatusRequest{Verbose: true})
+	return runtime.NewRuntimeServiceClient(conn), nil
+}
+
+// CRIConfig gets current cri config from containerd.
+func CRIConfig() (*criconfig.Config, error) {
+	client, err := RawRuntimeClient()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get raw runtime client")
+	}
+	resp, err := client.Status(context.Background(), &runtime.StatusRequest{Verbose: true})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get status")
 	}
@@ -301,3 +321,21 @@ func CRIConfig() (*criconfig.Config, error) {
 	}
 	return config, nil
 }
+
+func RestartContainerd(t *testing.T) {
+	require.NoError(t, KillProcess("containerd"))
+
+	// Use assert so that the 3rd wait always runs, this makes sure
+	// containerd is running before this function returns.
+	assert.NoError(t, Eventually(func() (bool, error) {
+		pid, err := PidOf("containerd")
+		if err != nil {
+			return false, err
+		}
+		return pid == 0, nil
+	}, time.Second, 30*time.Second), "wait for containerd to be killed")
+
+	require.NoError(t, Eventually(func() (bool, error) {
+		return ConnectDaemons() == nil, nil
+	}, time.Second, 30*time.Second), "wait for containerd to be restarted")
+}
diff --git a/pkg/server/container_status.go b/pkg/server/container_status.go
@@ -99,7 +99,8 @@ func toCRIContainerStatus(container containerstore.Container, spec *runtime.Imag
 	}
 }
 
-type containerInfo struct {
+// ContainerInfo is extra information for a container.
+type ContainerInfo struct {
 	// TODO(random-liu): Add sandboxID in CRI container status.
 	SandboxID   string                   `json:"sandboxID"`
 	Pid         uint32                   `json:"pid"`
@@ -122,7 +123,7 @@ func toCRIContainerInfo(ctx context.Context, container containerstore.Container,
 	status := container.Status.Get()
 
 	// TODO(random-liu): Change CRI status info to use array instead of map.
-	ci := &containerInfo{
+	ci := &ContainerInfo{
 		SandboxID: container.SandboxID,
 		Pid:       status.Pid,
 		Removing:  status.Removing,
diff --git a/pkg/server/sandbox_status.go b/pkg/server/sandbox_status.go
@@ -100,8 +100,9 @@ func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status,
 	}
 }
 
+// SandboxInfo is extra information for sandbox.
 // TODO (mikebrow): discuss predefining constants structures for some or all of these field names in CRI
-type sandboxInfo struct {
+type SandboxInfo struct {
 	Pid         uint32                    `json:"pid"`
 	Status      string                    `json:"processStatus"`
 	NetNSClosed bool                      `json:"netNamespaceClosed"`
@@ -131,7 +132,7 @@ func toCRISandboxInfo(ctx context.Context, sandbox sandboxstore.Sandbox) (map[st
 		processStatus = taskStatus.Status
 	}
 
-	si := &sandboxInfo{
+	si := &SandboxInfo{
 		Pid:    sandbox.Status.Get().Pid,
 		Status: string(processStatus),
 		Config: sandbox.Config,
diff --git a/pkg/server/sandbox_stop.go b/pkg/server/sandbox_stop.go
@@ -17,7 +17,6 @@ limitations under the License.
 package server
 
 import (
-	"os"
 	"time"
 
 	"github.com/containerd/containerd"
@@ -60,23 +59,21 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 	}
 
 	// Teardown network for sandbox.
-	if sandbox.NetNSPath != "" && sandbox.NetNS != nil {
-		if _, err := os.Stat(sandbox.NetNSPath); err != nil {
-			if !os.IsNotExist(err) {
-				return nil, errors.Wrapf(err, "failed to stat network namespace path %s", sandbox.NetNSPath)
-			}
-		} else {
-			if teardownErr := c.teardownPod(id, sandbox.NetNSPath, sandbox.Config); teardownErr != nil {
-				return nil, errors.Wrapf(teardownErr, "failed to destroy network for sandbox %q", id)
-			}
+	if sandbox.NetNSPath != "" {
+		netNSPath := sandbox.NetNSPath
+		if sandbox.NetNS == nil || sandbox.NetNS.Closed() {
+			// Use empty netns path if netns is not available. This is defined in:
+			// https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md
+			netNSPath = ""
 		}
-		/*TODO:It is still possible that containerd crashes after we teardown the network, but before we remove the network namespace.
-		In that case, we'll not be able to remove the sandbox anymore. The chance is slim, but we should be aware of that.
-		In the future, once TearDownPod is idempotent, this will be fixed.*/
-
-		//Close the sandbox network namespace if it was created
-		if err = sandbox.NetNS.Remove(); err != nil {
-			return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
+		if err := c.teardownPod(id, netNSPath, sandbox.Config); err != nil {
+			return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
+		}
+		// Close the sandbox network namespace if it was created
+		if sandbox.NetNS != nil {
+			if err = sandbox.NetNS.Remove(); err != nil {
+				return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
+			}
 		}
 	}
 
diff --git a/pkg/server/service.go b/pkg/server/service.go
@@ -148,7 +148,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi
 
 	// Try to load the config if it exists. Just log the error if load fails
 	// This is not disruptive for containerd to panic
-	if err := c.netPlugin.Load(cni.WithLoNetwork(), cni.WithDefaultConf()); err != nil {
+	if err := c.netPlugin.Load(cni.WithLoNetwork, cni.WithDefaultConf); err != nil {
 		logrus.WithError(err).Error("Failed to load cni during init, please check CRI plugin status before setting up network for pods")
 	}
 	// prepare streaming server
diff --git a/pkg/server/status.go b/pkg/server/status.go
@@ -44,7 +44,7 @@ func (c *criService) Status(ctx context.Context, r *runtime.StatusRequest) (*run
 	// Check the status of the cni initialization
 	if err := c.netPlugin.Status(); err != nil {
 		// If it is not initialized, then load the config and retry
-		if err = c.netPlugin.Load(cni.WithLoNetwork(), cni.WithDefaultConf()); err != nil {
+		if err = c.netPlugin.Load(cni.WithLoNetwork, cni.WithDefaultConf); err != nil {
 			networkCondition.Status = false
 			networkCondition.Reason = networkNotReadyReason
 			networkCondition.Message = fmt.Sprintf("Network plugin returns error: %v", err)
diff --git a/pkg/server/testing/fake_cni_plugin.go b/pkg/server/testing/fake_cni_plugin.go
@@ -47,6 +47,6 @@ func (f *FakeCNIPlugin) Status() error {
 }
 
 // Load loads the network config.
-func (f *FakeCNIPlugin) Load(opts ...cni.LoadOption) error {
+func (f *FakeCNIPlugin) Load(opts ...cni.CNIOpt) error {
 	return f.LoadErr
 }
diff --git a/pkg/server/update_runtime_config.go b/pkg/server/update_runtime_config.go
@@ -52,7 +52,7 @@ func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateR
 	if err := c.netPlugin.Status(); err == nil {
 		logrus.Infof("Network plugin is ready, skip generating cni config from template %q", confTemplate)
 		return &runtime.UpdateRuntimeConfigResponse{}, nil
-	} else if err := c.netPlugin.Load(cni.WithLoNetwork(), cni.WithDefaultConf()); err == nil {
+	} else if err := c.netPlugin.Load(cni.WithLoNetwork, cni.WithDefaultConf); err == nil {
 		logrus.Infof("CNI config is successfully loaded, skip generating cni config from template %q", confTemplate)
 		return &runtime.UpdateRuntimeConfigResponse{}, nil
 	}
diff --git a/pkg/store/sandbox/netns.go b/pkg/store/sandbox/netns.go
@@ -28,6 +28,13 @@ import (
 	osinterface "github.com/containerd/cri/pkg/os"
 )
 
+// The NetNS library assumes only containerd manages the lifecycle of the
+// network namespace mount. The only case that netns will be unmounted by
+// someone else is node reboot.
+// If this assumption is broken, NetNS won't be aware of the external
+// unmount, and there will be a state mismatch.
+// TODO(random-liu): Don't cache state, always load from the system.
+
 // ErrClosedNetNS is the error returned when network namespace is closed.
 var ErrClosedNetNS = errors.New("network namespace is closed")
 
diff --git a/vendor.conf b/vendor.conf
@@ -7,7 +7,7 @@ github.com/containerd/console 4d8a41f4ce5b9bae77c41786ea2458330f43f081
 github.com/containerd/containerd 57508dcb0b5776efaacd0828ed42f819fab5ba07
 github.com/containerd/continuity a60600ad77f38aaa70165825f61e2ea72e51c9b1
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/go-cni f2d7272f12d045b16ed924f50e91f9f9cecc55a7
+github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90
 github.com/containerd/go-runc bcb223a061a3dd7de1a89c0b402a60f4dd9bd307
 github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788
 github.com/containernetworking/cni v0.6.0
diff --git a/vendor/github.com/containerd/go-cni/README.md b/vendor/github.com/containerd/go-cni/README.md
diff --git a/vendor/github.com/containerd/go-cni/cni.go b/vendor/github.com/containerd/go-cni/cni.go
diff --git a/vendor/github.com/containerd/go-cni/opts.go b/vendor/github.com/containerd/go-cni/opts.go

Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,9 @@ func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status,`
`100`	`100`	`}`
`101`	`101`	`}`
`102`	`102`
	`103`	`+// SandboxInfo is extra information for sandbox.`
`103`	`104`	`// TODO (mikebrow): discuss predefining constants structures for some or all of these field names in CRI`
`104`		`-type sandboxInfo struct {`
	`105`	`+type SandboxInfo struct {`
`105`	`106`	Pid uint32 `json:"pid"`
`106`	`107`	Status string `json:"processStatus"`
`107`	`108`	NetNSClosed bool `json:"netNamespaceClosed"`
`@@ -131,7 +132,7 @@ func toCRISandboxInfo(ctx context.Context, sandbox sandboxstore.Sandbox) (map[st`
`131`	`132`	`processStatus = taskStatus.Status`
`132`	`133`	`}`
`133`	`134`
`134`		`- si := &sandboxInfo{`
	`135`	`+ si := &SandboxInfo{`
`135`	`136`	`Pid: sandbox.Status.Get().Pid,`
`136`	`137`	`Status: string(processStatus),`
`137`	`138`	`Config: sandbox.Config,`
Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi`
`148`	`148`
`149`	`149`	`// Try to load the config if it exists. Just log the error if load fails`
`150`	`150`	`// This is not disruptive for containerd to panic`
`151`		`- if err := c.netPlugin.Load(cni.WithLoNetwork(), cni.WithDefaultConf()); err != nil {`
	`151`	`+ if err := c.netPlugin.Load(cni.WithLoNetwork, cni.WithDefaultConf); err != nil {`
`152`	`152`	`logrus.WithError(err).Error("Failed to load cni during init, please check CRI plugin status before setting up network for pods")`
`153`	`153`	`}`
`154`	`154`	`// prepare streaming server`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,6 @@ func (f *FakeCNIPlugin) Status() error {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`// Load loads the network config.`
`50`		`-func (f *FakeCNIPlugin) Load(opts ...cni.LoadOption) error {`
	`50`	`+func (f *FakeCNIPlugin) Load(opts ...cni.CNIOpt) error {`
`51`	`51`	`return f.LoadErr`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func (c criService) UpdateRuntimeConfig(ctx context.Context, r runtime.UpdateR`
`52`	`52`	`if err := c.netPlugin.Status(); err == nil {`
`53`	`53`	`logrus.Infof("Network plugin is ready, skip generating cni config from template %q", confTemplate)`
`54`	`54`	`return &runtime.UpdateRuntimeConfigResponse{}, nil`
`55`		`- } else if err := c.netPlugin.Load(cni.WithLoNetwork(), cni.WithDefaultConf()); err == nil {`
	`55`	`+ } else if err := c.netPlugin.Load(cni.WithLoNetwork, cni.WithDefaultConf); err == nil {`
`56`	`56`	`logrus.Infof("CNI config is successfully loaded, skip generating cni config from template %q", confTemplate)`
`57`	`57`	`return &runtime.UpdateRuntimeConfigResponse{}, nil`
`58`	`58`	`}`