From d75d3d732c02f4961667edb39022da2e0d380e83 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Nov 11 2017 09:50:32 +0000
Subject: Initial import (rhbz#1511605)
Signed-off-by: Giuseppe Scrivano
---
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d143045
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,30 @@
+FROM registry.fedoraproject.org/fedora:rawhide
+
+ENV VERSION=0 RELEASE=1 ARCH=x86_64
+LABEL com.redhat.component="cri-o" \
+ name="$FGC/cri-o" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ usage="atomic install --system --system-package=no crio && systemctl start crio" \
+ summary="The cri-o daemon as a system container." \
+ maintainer="Giuseppe Scrivano " \
+ atomic.type="system"
+
+COPY README.md /
+
+RUN dnf install --setopt=tsflags=nodocs -y iptables cri-o iproute runc && \
+ rpm -V iptables cri-o iproute runc && \
+ dnf clean all && \
+ mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
+ cp /etc/crio/* /exports/hostfs/etc/crio && \
+ if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
+
+RUN sed -i '/storage_option =/s/.*/&\n"overlay.override_kernel_check=1",/' /exports/hostfs/etc/crio/crio.conf
+
+COPY manifest.json tmpfiles.template config.json.template service.template /exports/
+
+COPY set_mounts.sh /
+COPY run.sh /usr/bin/
+
+CMD ["/usr/bin/run.sh"]
diff --git a/README.md b/README.md
index 0e576fe..db8d51d 100644
--- a/README.md
+++ b/README.md
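Review bot: `$FGC` and `$DISTTAG` in the LABEL block are not declared by any ARG or ENV in this Dockerfile (only VERSION, RELEASE and ARCH are), so the plain `docker build -t crio .` the README documents expands them to empty strings and stamps the image with `name="/cri-o"` and `release="1."`; presumably the Fedora layered-image build injects them, in which case declare them with `ARG FGC` and `ARG DISTTAG` plus a comment naming the build system that supplies them, so a local build does not silently produce empty labels. `FROM registry.fedoraproject.org/fedora:rawhide` is a floating tag, so two builds of the same commit can pull different package sets even though `rpm -V` verifies what was installed; pin the base by digest, or at least to a release tag, if rebuilds are meant to be reproducible. The `sed` that injects `"overlay.override_kernel_check=1"` into crio.conf bypasses a safety check with no explanation; add a comment stating which base/kernel combination needs it and when it can be removed, e.g. `# <why the overlay kernel check must be bypassed on this base> (TODO: drop when no longer needed)`.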
@@ -1,3 +1,54 @@
 # cri-o
-The cri-o package
\ No newline at end of file
+This is the cri-o daemon as a system container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/cri-o
+# docker build -t crio .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/crio
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:crio:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=crio ($REGISTRY)/crio
+```
+
+Start as a systemd service:
+
+```
+# systemctl start crio
+```
+
+Stopping the service
+
+```
+# systemctl stop crio
+```
+
+Removing the container
+
+```
+# atomic uninstall crio
+```
+
+
diff --git a/config.json.template b/config.json.template
new file mode 100644
index 0000000..8fc262b
--- /dev/null
+++ b/config.json.template
@@ -0,0 +1,432 @@
+{
+ "ociVersion": "1.0.0",
+ "platform": {
+ "arch": "amd64",
+ "os": "linux"
+ },
+ "process": {
+ "args": [
+ "/usr/bin/run.sh"
+ ],
+ "selinuxLabel": "system_u:system_r:container_runtime_t:s0",
+ "capabilities": {
+ "ambient": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "bounding": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "effective": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "inheritable": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "permitted": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ]
+ },
+ "cwd": "/",
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
+ "TERM=xterm",
+ "LOG_LEVEL=$LOG_LEVEL",
+ "NAME=$NAME"
+ ],
+ "noNewPrivileges": false,
+ "terminal": false,
+ "user": {
+ "gid": 0,
+ "uid": 0
+ }
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hooks": {},
+ "linux": {
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ],
+ "resources": {
+ "devices": [
+ {
+ "access": "rwm",
+ "allow": true
+ }
+ ]
+ },
+ "rootfsPropagation": "private"
+ },
+ "mounts": [
+ {
+ "destination": "/tmp",
+ "options": [
+ "private",
+ "bind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/tmp",
+ "type": "bind"
+ },
+ {
+ "destination": "/etc",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/etc",
+ "type": "bind"
+ },
+ {
+ "destination": "/lib/modules",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/lib/modules",
+ "type": "bind"
+ },
+ {
+ "destination": "/root",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/root",
+ "type": "bind"
+ },
+ {
+ "destination": "/home",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/home",
+ "type": "bind"
+ },
+ {
+ "destination": "/mnt",
+ "options": [
+ "rbind",
+ "rw",
+ "rprivate",
+ "mode=755"
+ ],
+ "source": "/mnt",
+ "type": "bind"
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}",
+ "destination": "/run",
+ "options": [
+ "rshared",
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/systemd",
+ "destination": "/run/systemd",
+ "options": [
+ "rslave",
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/var/log",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ],
+ "source": "/var/log",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ],
+ "source": "${STATE_DIRECTORY}",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib/containers",
+ "options": [
+ "rbind",
+ "rshared",
+ "rw"
+ ],
+ "source": "${VAR_LIB_CONTAINERS_STORAGE}",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib/origin",
+ "options": [
+ "rshared",
+ "bind",
+ "rw"
+ ],
+ "source": "${VAR_LIB_ORIGIN}",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib/kubelet",
+ "options": [
+ "rshared",
+ "bind",
+ "rw"
+ ],
+ "source": "${VAR_LIB_KUBE}",
+ "type": "bind"
+ },
+ {
+ "destination": "/opt/cni",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro",
+ "mode=755"
+ ],
+ "source": "${OPT_CNI}",
+ "type": "bind"
+ },
+ {
+ "destination": "/dev",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/dev",
+ "type": "bind"
+ },
+ {
+ "destination": "/sys",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/sys",
+ "type": "bind"
+ },
+ {
+ "destination": "/proc",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/proc",
+ "type": "proc"
+ }
+ ]
+}
diff --git a/config.json.template.orig b/config.json.template.orig
new file mode 100644
index 0000000..a64c4a1
--- /dev/null
+++ b/config.json.template.orig
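Review bot: The mounts list hands the container the host's `/root` and `/home` read-write, on top of `/etc`, `/dev`, `/sys` and `/var/lib`, while `process.user` is uid 0, `noNewPrivileges` is false and all five capability sets carry the full list including `CAP_SYS_ADMIN` and `CAP_SYS_MODULE`, so a bug in crio or in anything it runs has write access to root's and every user's home directory. Nothing in the Dockerfile, run.sh or set_mounts.sh shows crio needing `/root` or `/home`; unless a specific consumer does, drop those two entries (or mark them `ro`) to narrow what a compromised daemon can touch. Because this JSON cannot carry comments, the README should state that the system container runs as a host-privileged root process with the host filesystem bind-mounted, so operators understand that `atomic install --system` is equivalent to installing crio directly on the host.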
@@ -0,0 +1,422 @@
+{
+ "ociVersion": "1.0.0",
+ "platform": {
+ "arch": "amd64",
+ "os": "linux"
+ },
+ "process": {
+ "args": [
+ "/usr/bin/run.sh"
+ ],
+ "capabilities": {
+ "ambient": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "bounding": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "effective": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "inheritable": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "permitted": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ]
+ },
+ "cwd": "/",
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
+ "TERM=xterm",
+ "NAME=$NAME"
+ ],
+ "noNewPrivileges": false,
+ "terminal": false,
+ "user": {
+ "gid": 0,
+ "uid": 0
+ }
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hooks": {},
+ "linux": {
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ],
+ "resources": {
+ "devices": [
+ {
+ "access": "rwm",
+ "allow": true
+ }
+ ]
+ },
+ "rootfsPropagation": "shared",
+ "selinuxProcessLabel": "system_u:system_r:container_runtime_t:s0"
+ },
+ "mounts": [
+ {
+ "destination": "/tmp",
+ "options": [
+ "private",
+ "bind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/tmp",
+ "type": "bind"
+ },
+ {
+ "destination": "/etc",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/etc",
+ "type": "bind"
+ },
+ {
+ "destination": "/lib/modules",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/lib/modules",
+ "type": "bind"
+ },
+ {
+ "destination": "/root",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/root",
+ "type": "bind"
+ },
+ {
+ "destination": "/home",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/home",
+ "type": "bind"
+ },
+ {
+ "destination": "/mnt",
+ "options": [
+ "rbind",
+ "rw",
+ "rprivate",
+ "mode=755"
+ ],
+ "source": "/mnt",
+ "type": "bind"
+ },
+ {
+ "type": "bind",
+ "source": "/usr/share/rhel",
+ "destination": "/usr/share/rhel",
+ "options": [
+ "rprivate",
+ "rbind",
+ "ro",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}",
+ "destination": "/run",
+ "options": [
+ "rshared",
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/systemd",
+ "destination": "/run/systemd",
+ "options": [
+ "rslave",
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/var/log",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ],
+ "source": "/var/log",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib",
+ "options": [
+ "rbind",
+ "rshared",
+ "rw"
+ ],
+ "source": "${STATE_DIRECTORY}",
+ "type": "bind"
+ },
+ {
+ "destination": "/var/lib/origin",
+ "options": [
+ "rshared",
+ "rbind",
+ "rw"
+ ],
+ "source": "${STATE_DIRECTORY}/origin",
+ "type": "bind"
+ },
+ {
+ "destination": "/opt/cni",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro",
+ "mode=755"
+ ],
+ "source": "/opt/cni",
+ "type": "bind"
+ },
+ {
+ "destination": "/dev",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/dev",
+ "type": "bind"
+ },
+ {
+ "destination": "/sys",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/sys",
+ "type": "bind"
+ },
+ {
+ "destination": "/proc",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ],
+ "source": "/proc",
+ "type": "proc"
+ }
+ ]
+}
diff --git a/manifest.json b/manifest.json
new file mode 100644
index 0000000..38f4dc8
--- /dev/null
+++ b/manifest.json
@@ -0,0 +1,10 @@
+{
+ "version": "1.0",
+ "defaultValues": {
+ "LOG_LEVEL" : "info",
+ "OPT_CNI" : "/opt/cni",
+ "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
+ "VAR_LIB_ORIGIN" : "/var/lib/origin",
+ "VAR_LIB_KUBE" : "/var/lib/kubelet"
+ }
+}
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..5621a7b
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Ensure that new process maintain this SELinux label
+PID=$$
+LABEL=`tr -d '\000' < /proc/$PID/attr/current`
+printf %s $LABEL > /proc/self/attr/exec
+
+exec /usr/bin/crio --log-level=$LOG_LEVEL
diff --git a/service.template b/service.template
new file mode 100644
index 0000000..daa9ffd
--- /dev/null
+++ b/service.template
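Review bot: `config.json.template.orig` looks like a leftover backup of `config.json.template` rather than a second template: the Dockerfile only copies `config.json.template` into `/exports`, so this file never reaches the image, and its content has already diverged (`rootfsPropagation` is `shared` instead of `private`, the SELinux label sits under the older `linux.selinuxProcessLabel` key instead of `process.selinuxLabel`, it bind-mounts `/usr/share/rhel`, and it lacks the `/var/lib/containers` and `/var/lib/kubelet` mounts and the `LOG_LEVEL` env entry). Drop it from the commit so the next change to the mounts or capability sets is not made in the wrong file.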
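Review bot: `$LOG_LEVEL` on the `exec` line is unquoted, so a value containing whitespace is word-split into extra crio arguments and an unset value yields a bare `--log-level=`; write `exec /usr/bin/crio --log-level="$LOG_LEVEL"`. The write to `/proc/self/attr/exec` has no error handling, so if it fails the script presumably carries on with whatever label the shell already has; if that best-effort behaviour is intended (for example on a host with SELinux disabled), say so in the comment, `# best-effort: if the exec label cannot be set, crio still starts with the inherited label`, otherwise append `|| exit 1`. `/proc/$PID/attr/current` can also be written `/proc/self/attr/current`, which removes the `PID` variable.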
@@ -0,0 +1,19 @@
+[Unit]
+Description=crio daemon
+After=network.target
+
+[Service]
+Type=notify
+ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+TasksMax=infinity
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/set_mounts.sh b/set_mounts.sh
new file mode 100755
index 0000000..c1f0c05
--- /dev/null
+++ b/set_mounts.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
+findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
+findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
+mount --make-shared /run
+findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
diff --git a/tmpfiles.template b/tmpfiles.template
new file mode 100644
index 0000000..015919c
--- /dev/null
+++ b/tmpfiles.template
@@ -0,0 +1,5 @@
+d ${RUN_DIRECTORY}/${NAME} - - - - -
+d /etc/crio - - - - -
+Z /etc/crio - - - - -
+d ${STATE_DIRECTORY}/origin - - - - -
+d ${STATE_DIRECTORY}/kubelet - - - - -
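Review bot: `set_mounts.sh` hard-codes `/var/lib/containers/storage`, `/var/lib/origin` and `/var/lib/kubelet`, but `manifest.json` exposes those same paths as `VAR_LIB_CONTAINERS_STORAGE`, `VAR_LIB_ORIGIN` and `VAR_LIB_KUBE` and `config.json.template` bind-mounts them `rshared` from those variables, so an operator who overrides a default gets the default path made shared while the path actually mounted is left untouched. `tmpfiles.template` has the same drift, creating `${STATE_DIRECTORY}/origin` and `${STATE_DIRECTORY}/kubelet` rather than the manifest values. Since `set_mounts.sh` is copied to `/` rather than `/exports`, it presumably receives no template substitution; pass the paths in from `service.template` (`ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh $VAR_LIB_CONTAINERS_STORAGE $VAR_LIB_ORIGIN $VAR_LIB_KUBE`, assuming manifest values are substituted there as they are in config.json.template) and read them in the script with the manifest defaults as fallback. A successful `findmnt` also says nothing about propagation, so a pre-existing private mount at one of these paths stays private; `findmnt -n -o PROPAGATION` would let the script verify that as well.
```shell
#!/bin/sh
# Paths are passed in from service.template so manifest overrides are honoured;
# the fallbacks match the defaults in manifest.json.
STORAGE=${1:-/var/lib/containers/storage}
ORIGIN=${2:-/var/lib/origin}
KUBELET=${3:-/var/lib/kubelet}
findmnt "$STORAGE" > /dev/null || mount --rbind --make-shared "$STORAGE" "$STORAGE"
findmnt "$ORIGIN" > /dev/null || mount --bind --make-shared "$ORIGIN" "$ORIGIN"
findmnt "$KUBELET" > /dev/null || mount --bind --make-shared "$KUBELET" "$KUBELET"
# … unchanged: /run and /run/systemd handling …
```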