Merge pull request #45 from drachenfels-de/next

The big merge.

.github/workflows/build.yml

@@ -0,0 +1,68 @@
+---
+# see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+name: Static check and build project
+on:
+  - push
+  - pull_request
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16.x
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Check format of go sources
+        run: |
+          go fmt ./...
+          git diff --exit-code
+
+      - name: Check format of shell scripts
+        run: |
+          GO111MODULE=off go get -u mvdan.cc/sh/v3/cmd/shfmt
+          find . -name \*.sh | xargs shfmt -d
+
+      - name: Lint go sources
+        run: |
+          GO111MODULE=off go get -u golang.org/x/lint/golint
+          golint -set_exit_status ./...
+
+      - name: Install dependencies
+        run: |
+          sudo add-apt-repository ppa:ubuntu-lxc/daily -y
+          sudo apt-get install -qq lxc-dev libc6-dev pkg-config make
+
+      - name: Build
+        run: |
+          make build
+          sudo -E "PATH=$PATH" make install
+
+      - name: Run staticcheck
+        run: |
+          GO111MODULE=off go get -u honnef.co/go/tools/cmd/staticcheck
+          staticcheck ./...
+
+
+      - name: Test unprivileged
+        run: |
+          # keep PATH to use go installed through actions/setup-go@v2
+          # and not the system version (which is currently go 1.15.x)
+          sudo /bin/sh -c "echo '$(whoami):1000:1' >> /etc/subuid"
+          sudo /bin/sh -c "echo '$(whoami):20000:65536' >> /etc/subuid"
+          sudo /bin/sh -c "echo '$(whoami):1000:1' >> /etc/subgid"
+          sudo /bin/sh -c "echo '$(whoami):20000:65536' >> /etc/subgid"
+          sudo chown -R $(whoami):$(whoami) /sys/fs/cgroup/unified$(cat /proc/self/cgroup  | grep '^0:' | cut -d: -f3)
+          # detect file descriptor leaks
+          ulimit -n 30
+          TESTCOUNT=10 make test
+
+      - name: Test privileged
+        run: |
+          # keep PATH to use go installed through actions/setup-go@v2
+          # and not the system version (which is currently go 1.15.x)
+          sudo -E "PATH=$PATH" make test

.gitignore

@@ -1,6 +1,8 @@
 *~
-crio-lxc
-crio-lxc-test*
-oci/
-roots/
+/lxcri
+/lxcri-start
+/lxcri-init
+/lxcri-hook
+/lxcri-test
+/lxcri-hook-builtin
 .stacker/

Dockerfile

@@ -0,0 +1,33 @@
+FROM ubuntu:latest
+ARG installcmd=install_all
+
+#ENV PKGS="psmisc util-linux"
+
+ENV GOLANG_SRC=https://golang.org/dl/go1.16.2.linux-amd64.tar.gz
+ENV GOLANG_CHECKSUM=542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8
+
+ENV CNI_PLUGINS_GIT_REPO=https://github.com/containernetworking/plugins.git
+ENV CNI_PLUGINS_GIT_VERSION=v0.9.1
+
+ENV CONMON_GIT_REPO=https://github.com/containers/conmon.git
+ENV CONMON_GIT_VERSION=v2.0.27
+
+ENV CRIO_GIT_REPO=https://github.com/cri-o/cri-o.git
+ENV CRIO_GIT_VERSION=v1.20.1
+
+ENV CRICTL_CHECKSUM=44d5f550ef3f41f9b53155906e0229ffdbee4b19452b4df540265e29572b899c
+ENV CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz"
+
+# see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md
+ENV K8S_CHECKSUM=37738bc8430b0832f32c6d13cdd68c376417270568cd9b31a1ff37e96cfebcc1e2970c72bed588f626e35ed8273671c77200f0d164e67809b5626a2a99e3c5f5
+ENV K8S_URL="https://dl.k8s.io/v1.20.4/kubernetes-server-linux-amd64.tar.gz"
+
+## development
+ENV LXC_GIT_REPO=https://github.com/lxc/lxc.git
+ENV LXC_GIT_VERSION=master
+
+ENV LXCRI_GIT_REPO=https://github.com/drachenfels-de/lxcri.git
+ENV LXCRI_GIT_VERSION=main
+
+COPY install.sh /
+RUN /install.sh ${installcmd}

Makefile

@@ -1,26 +1,67 @@
-GO_SRC=$(shell find . -name \*.go)
-COMMIT_HASH=$(shell git rev-parse HEAD)
-COMMIT=$(if $(shell git status --porcelain --untracked-files=no),$(COMMIT_HASH)-dirty,$(COMMIT_HASH))
-TEST?=$(patsubst test/%.bats,%,$(wildcard test/*.bats))
-PACKAGES_DIR?=~/packages
+COMMIT_HASH = $(shell git describe --always --tags --long)
+COMMIT = $(if $(shell git status --porcelain --untracked-files=no),$(COMMIT_HASH)-dirty,$(COMMIT_HASH))
+BINS := lxcri
+LIBEXEC_BINS := lxcri-start lxcri-init lxcri-hook lxcri-hook-builtin
+# Installation prefix for BINS
+PREFIX ?= /usr/local
+export PREFIX
+LIBEXEC_DIR = $(PREFIX)/libexec/lxcri
+export LIBEXEC_DIR
+PKG_CONFIG_PATH ?= $(PREFIX)/lib/pkgconfig
+# Note: The default pkg-config directory is search after PKG_CONFIG_PATH
+# Note: (Exported) environment variables are NOT visible in the environment of the $(shell ...) function.
+export PKG_CONFIG_PATH
+LDFLAGS=-X main.version=$(COMMIT) -X main.libexecDir=$(LIBEXEC_DIR)
+CC ?= cc
+SHELL_SCRIPTS = $(shell find . -name \*.sh)
+GO_SRC = $(shell find . -name \*.go | grep -v _test.go)
+TESTCOUNT ?= 1
 
-lint:
-	golangci-lint run -c ./lint.yaml ./...
+all: fmt test
 
-crio-lxc: $(GO_SRC)
-	go build -ldflags "-X main.version=$(COMMIT)" -o crio-lxc ./cmd
+update-tools:
+	GO111MODULE=off go get -u mvdan.cc/sh/v3/cmd/shfmt
+	GO111MODULE=off go get -u golang.org/x/lint/golint
+	GO111MODULE=off go get -u honnef.co/go/tools/cmd/staticcheck
 
-# make test TEST=basic will run only the basic test.
-.PHONY: check
-check: crio-lxc
-	go fmt ./... && ([ -z $(TRAVIS) ] || git diff --quiet)
-	go test ./...
-	PACKAGES_DIR=$(PACKAGES_DIR) sudo -E "PATH=$$PATH" bats -t $(patsubst %,test/%.bats,$(TEST))
+fmt:
+	go fmt ./...
+	shfmt -w $(SHELL_SCRIPTS)
+	golint ./...
+	go mod tidy
+	staticcheck ./...
 
-.PHONY: vendorup
-vendorup:
-	go get -u
+.PHONY: test
+test: build
+	go build ./pkg/internal/lxcri-test
+	go test --failfast --count $(TESTCOUNT) -v ./...
+
+build: $(BINS) $(LIBEXEC_BINS)
+
+lxcri: go.mod $(GO_SRC) Makefile
+	go build -ldflags '$(LDFLAGS)' -o $@ ./cmd/lxcri
+
+lxcri-start: cmd/lxcri-start/lxcri-start.c
+	$(CC) -Werror -Wpedantic -o $@ $? $$(pkg-config --libs --cflags lxc)
+
+lxcri-init: go.mod $(GO_SRC) Makefile
+	CGO_ENABLED=0 go build -o $@ ./cmd/lxcri-init
+	# this is paranoia - but ensure it is statically compiled
+	! ldd $@  2>/dev/null
+
+lxcri-hook: go.mod $(GO_SRC) Makefile
+	go build -o $@ ./cmd/$@
+
+lxcri-hook-builtin: go.mod $(GO_SRC) Makefile
+	go build -o $@ ./cmd/$@
+
+install: build
+	mkdir -p $(PREFIX)/bin
+	cp -v $(BINS) $(PREFIX)/bin
+	mkdir -p $(LIBEXEC_DIR)
+	cp -v $(LIBEXEC_BINS) $(LIBEXEC_DIR)
 
 .PHONY: clean
 clean:
-	-rm -f crio-lxc
+	-rm -f $(BINS) $(LIBEXEC_BINS)
+

README.md

@@ -1,53 +1,28 @@
-# crio-lxc
+# About
 
-This is a wrapper around [LXC](https://github.com/lxc/lxc) which can be used as
-a drop-in container runtime replacement for use by
-[CRI-O](https://github.com/kubernetes-sigs/cri-o).
+`lxcri` is a wrapper around [LXC](https://github.com/lxc/lxc) which can be used as
+a drop-in container runtime replacement for use by [CRI-O](https://github.com/kubernetes-sigs/cri-o).
 
-To use this, simply build it:
+### OCI compliance
 
-```
-make
-```
+With liblxc >= https://github.com/lxc/lxc/commit/b5daeddc5afce1cad4915aef3e71fdfe0f428709
+it passes all sonobuoy conformance tests.
 
-Then specify the `crio-lxc` binary you just built as the value for
-`default_runtime` in the `crio.runtime` section of `/etc/crio/crio.conf`.
+## Installation
 
-## Notes
+For the installation of the runtime see [install.md](doc/install.md)</br>
+For the installation and initialization of a kubernetes cluster see [kubernetes.md](doc/kubernetes.md)
 
-Note that you must have a new enough liblxc, one which supports the
-"lxc.rootfs.managed" key.  3.0.3 is not new enough, 3.1 is.  On Ubuntu,
-you can upgrade using the ubuntu-lxc/lxc-git-master PPA.  Arch and
-OpenSUSE tumbleweed should be uptodate.
+## Bugs
 
-## Tests
+* cli: --help shows environment values not defaults https://github.com/urfave/cli/issues/1206
 
-To run the 'basic' test, you'll need to build cri-o and CNI.
+## Requirements and restrictions
 
-```
-mkdir ~/packages
-cd packages
-git clone https://github.com/kubernetes-sigs/cri-o
-cd cri-o
-make
-cd ..
-git clone https://github.com/containernetworking/cni
-git clone https://github.com/containernetworking/plugins cni-plugins
-cd cni-plugins
-./build_linux.sh
-```
+* Only cgroupv2 (unified cgroup hierarchy) is supported.
+* A recent kernel >= 5.8 is required for full cgroup support.
 
-You'll also need crictl.  Download the tarball, extract it, and
-copy crictl to somewhere in your path:
+### Unimplemented features
 
-```
-wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.14.0/crictl-v1.14.0-linux-amd64.tar.gz
-tar zxf crictl-v1.14.0-linux-amd64.tar.gz
-sudo cp crictl /usr/local/bin # or ~/.local/bin, etc.
-```
-
-You'll also need conntrack installed:
-
-```
-apt install conntrack
-```
+* [runtime: Implement POSIX platform hooks](https://github.com/Drachenfels-GmbH/lxcri/issues/10)
+* [runtime: Implement cgroup2 resource limits](https://github.com/Drachenfels-GmbH/lxcri/issues/11)