The code from github.com/opencontainers/runc/libcontainer/userns package
was moved into github.com/moby/sys/user and github.com/moby/sys/userns
(see [1]), and the runc package is now deprecated in favor of moby/sys
(see [2]).
In addition, moby/sys/userns now has a non-Linux implementation, so
pkg/kubelet/user/userns package (introduced in commit 2e999ff to make a
non-Linux implementation) is not really needed anymore.
Let's switch to moby/sys/userns, and remove the package.
[1]: https://github.com/moby/sys/releases/tag/userns%2Fv0.1.0
[2]: https://github.com/opencontainers/runc/pull/4350
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Enable LocalStorageCapacityIsolationFSQuotaMonitoring
only when hostUsers in PodSpec is set to false.
Modify unit tests and e2e tests to verify
Signed-off-by: PannagaRamamanohara <pbhojara@redhat.com>
We don't have the alpha limitation anymore, let's just use the kubelet
maxPods instead of our hardcoded 1024 max.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
When we were alocating the whole UID space, the first range was reserved
to the host. Now we don't allocate the whole UID space, but just the
range configured, so the first range doesn't point to [0;65535] anymore,
so no need to test it is always set.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
allow to specify what IDs must be used by the kubelet to create user
namespaces.
If no additional UIDs/GIDs are not allocated to the "kubelet" user,
then the kubelet assumes it can use any ID on the system.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We just added some more functionality, let's make sure it works fine
with the feature gate disabled.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
block the creation of a pod that requires a user namespace, unless the
runtime handler has support for it.
If the pod requested for a user namespace, and the handler does not
support it then return an error regardless of the feature gate.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
For some reason the CI didn't fail when we open the PR. But when you run
"go test" as root, with all the capabilities, tests that exercise
permission errors will never work. As the capabilities makes them always
bypass the permission checks.
For some reason it seems that:
* Not all our CI was run when the PR was open
* The CI was changed to run as root now
* _Some_ CI was added and it runs as root
If it wasn't one of that, or a combination, I don't see how this could
have happened. If any of that indeed happened, it can break more tests
outside the userns package too.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This adds a test for the just added wrapping error message, as well as
for the other already present error messages that initialization can
fail with.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
These tests will create the userns record mapping file, so let's use a
temporal directory for that.
Without specifying one, by mistake we were using the
"/tmp/non-existant-dir.This-is-not-used-in-tests/" directory.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The error we are wrapping is already verbose, let's just use minimal
wrapping as it is usually the case in go code.
Note that the error on parseUserNsFileAndRecord() can be returned to the
user, so we added some context about user namespace. Otherwise, an error
to parse the json would not be clear to which of all the json the kubelet
parses it refers to.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Most error messages are properly wrapped already, but this was missing.
The kubelet logs will show something like this now:
E0201 12:00:03.505680 3007049 run.go:74] "command failed" err="failed to run Kubelet: failed to create kubelet: record pod mappings: create user namespace store: mkdir XXX: permission denied"
Before this commit, the message was not so clear:
E0120 16:02:40.484404 474711 run.go:74] "command failed" err="failed to run Kubelet: failed to create kubelet: mkdir XXX: permission denied"
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
To that end, we need to add one kubelet getter listPodsFromDisk(). Other
than that, it is a pretty trivial move.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
