share pid namespace for Pod container #1149
Conversation
|
Hi @weiwei04. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
size/S
weiwei04
force-pushed
the
share_pid_namespace
branch
from
384ca40
to
10c1796
Compare
|
/ok-to-test |
openshift-ci-robot
removed
the
needs-ok-to-test
cmd/crio/config.go
Outdated
| @@ -115,6 +115,9 @@ default_mounts = [ | |||
| # pids_limit is the number of processes allowed in a container | |||
| pids_limit = {{ .PidsLimit }} | |||
|
|
|||
| # using a shared PID namespace for containers in a pod | |||
There was a problem hiding this comment.
default to using shared PID Namespace for containers in a pod
cmd/crio/main.go
Outdated
| @@ -296,6 +299,10 @@ func main() { | |||
| Value: libkpod.DefaultPidsLimit, | |||
| Usage: "maximum number of processes allowed in a container", | |||
| }, | |||
| cli.BoolFlag{ | |||
| Name: "share-pid-namespace", | |||
| Usage: "using a shared PID namespace for containers in a pod", | |||
There was a problem hiding this comment.
default to use a spared PID Namespace for containes in a pod (Default is false)
There was a problem hiding this comment.
Do we want the default to be true?
docs/crio.8.md
Outdated
| @@ -118,6 +118,9 @@ set the CPU profile file path | |||
| **--pids-limit**="" | |||
| Maximum number of processes allowed in a container (default: 1024) | |||
|
|
|||
| **--share-pid-namespace**="" | |||
| Using a shared PID namespace for containers in a pod (default: false) | |||
There was a problem hiding this comment.
Default to use ashared PID namespace for containers in a pod (default: false)
docs/crio.conf.5.md
Outdated
| @@ -87,6 +87,9 @@ Example: | |||
| **pids_limit**="" | |||
| Maximum number of processes allowed in a container (default: 1024) | |||
|
|
|||
| **share_pid_namespace**="" | |||
| Using a shared PID namespace for containers in a pod (default: false) | |||
There was a problem hiding this comment.
Default to use a shared PID namespace for containers in a pod (default: false)
libkpod/config.go
Outdated
| @@ -121,6 +121,9 @@ type RuntimeConfig struct { | |||
| // NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE` | |||
| NoPivot bool `toml:"no_pivot"` | |||
|
|
|||
| // SharePidNamespace instructs the runtime to share pid namespace | |||
There was a problem hiding this comment.
// SharePidNamespace instructs the runtime to share pid namespace by default
|
Thanks this looks pretty good, except for some nits on docs. |
I think so, docker in kube already share the pid ns kubernetes/kubernetes#45236 This is related to #488 and that issue talks about an init container as well |
|
There was some discussion around this being passed over the CRI. That hasn't happened yet and so I think that we should probably default to False instead till that CRI field is added. |
weiwei04
force-pushed
the
share_pid_namespace
branch
from
10c1796
to
3e9f4dc
Compare
k8s-ci-robot
added
size/L
weiwei04
force-pushed
the
share_pid_namespace
branch
2 times, most recently
from
4a253bd
to
80285f6
Compare
k8s-ci-robot
added
size/M
weiwei04
force-pushed
the
share_pid_namespace
branch
from
80285f6
to
7bf8bb8
Compare
k8s-ci-robot
added
size/L
weiwei04
force-pushed
the
share_pid_namespace
branch
2 times, most recently
from
5367b83
to
e91916b
Compare
|
changed from --share-pid-namespace to --disable-pid-namespace(like kubelet --docker-disable-shared-pid flag) add a e2e test, please take a look @rhatdan @runcom @mrunalp thanks :) Some TODOs:
|
|
Yes we are planning on moving from crioctl to crictl. |
❤️ |
weiwei04
force-pushed
the
share_pid_namespace
branch
from
e91916b
to
29a5bae
Compare
|
Rebased @rhatdan please take a look :) |
cmd/crio/config.go
Outdated
| @@ -115,6 +115,9 @@ default_mounts = [ | |||
| # pids_limit is the number of processes allowed in a container | |||
| pids_limit = {{ .PidsLimit }} | |||
|
|
|||
| # disable using a shared PID namespace for containers in a pod | |||
| disable_share_pid_namespace = {{ .DisableSharePIDNamespace }} | |||
There was a problem hiding this comment.
Shoulda spotted this yesterday, but I think this variable and especially the customer facing parameter should be
disable_shared_pid_namespace (added 'd' to share). I'd make all of the variables 'shared' instead of "share".
There was a problem hiding this comment.
I agree change it to shared.
weiwei04
force-pushed
the
share_pid_namespace
branch
2 times, most recently
from
fab79f3
to
9468bdf
Compare
|
@TomSweeneyRedHat changed to disable-shared-pid-namespace, please take a look, thanks! :) |
|
@weiwei04 LGTM, thanks for the touch up. Going to kick off the tests as you've initial green happiness. |
|
/test all |
|
/test e2e_fedora |
|
Ping @rhatdan for merge :) |
test/namespaces.bats
Outdated
| @test "pod disable shared pid namespace" { | ||
| export DISABLE_SHARED_PID_NAMESPACE="true" | ||
|
|
||
| start_crio |
There was a problem hiding this comment.
You can just do
DISABLE_SHARED_PID_NAMESPACE="true" start_crio
There is no need to export or add in cleanup then.
Signed-off-by: Wei Wei <weiwei.inf@gmail.com>
weiwei04
force-pushed
the
share_pid_namespace
branch
from
9468bdf
to
702ab3e
Compare
k8s-ci-robot
added
size/M
|
/test all |
|
LGTM |
|
Should this be backported into the v1.8 branch? |
Signed-off-by: Wei Wei weiwei.inf@gmail.com
- What I did
enable share pid namespace for containers in a pod, and add a --disable-share-pid-namespace flag to disable this feature
- How I did it
vim
- How to verify it
start crio with/without
--disable-shared-pid-namespace- Description for the changelog
enable share pid namespace for containers in a pod and add a --disable-share-pid-namespace flag to disable this feature
closes #1135
closes #488