Merge branch 'master' of https://github.com/alibaba/pouch into cri-co…

…mpatibility

INSTALLATION.md

@@ -36,14 +36,13 @@ sudo apt-get install curl apt-transport-https ca-certificates software-propertie
 curl -fsSL http://mirrors.aliyun.com/opsx/pouch/linux/debian/[email protected] | sudo apt-key add -
 ```
 
-Verify that you now have the key with the fingerprint `B615 DDD7 90C7 0912 582D  DC2D D7AE A5ED 439A E9EC`, by searching for the last 8 characters of the fingerprint.
+Verify that you now have the key with the fingerprint `F443 EDD0 4A58 7E8B F645  9C40 CF68 F84A BE2F 475F`, by searching for the last 8 characters of the fingerprint.
 
 ``` bash
-$ apt-key fingerprint 439AE9EC
-pub   2048R/439AE9EC 2018-01-31
-      Key fingerprint = B615 DDD7 90C7 0912 582D  DC2D D7AE A5ED 439A E9EC
-uid                  Pouch Release <[email protected]>
-sub   2048R/B3D2A915 2018-01-31
+$ apt-key fingerprint BE2F475F
+pub   4096R/BE2F475F 2018-02-28
+      Key fingerprint = F443 EDD0 4A58 7E8B F645  9C40 CF68 F84A BE2F 475F
+uid                  opsx-admin <[email protected]>
 ```
 
 **2. Set up the pouch repository**

cli/common_flags.go

@@ -84,6 +84,7 @@ func addCommonFlags(flagSet *pflag.FlagSet) *container {
 
 	flagSet.StringVarP(&c.workdir, "workdir", "w", "", "Set the working directory in a container")
 	flagSet.Var(&c.ulimit, "ulimit", "Set container ulimit")
+	flagSet.Int64Var(&c.pidsLimit, "pids-limit", -1, "Set container pids limit, -1 for unlimited")
 
 	flagSet.BoolVar(&c.rich, "rich", false, "Start container in rich container mode. (default false)")
 	flagSet.StringVar(&c.richMode, "rich-mode", "", "Choose one rich container mode. dumb-init(default), systemd, sbin-init")

cli/container.go

@@ -69,6 +69,7 @@ type container struct {
 	specAnnotation []string
 	cgroupParent   string
 	ulimit         Ulimit
+	pidsLimit      int64
 
 	//add for rich container mode
 	rich       bool
@@ -223,6 +224,7 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 				IntelRdtL3Cbm: intelRdtL3Cbm,
 				CgroupParent:  c.cgroupParent,
 				Ulimits:       c.ulimit.value(),
+				PidsLimit:     c.pidsLimit,
 			},
 			EnableLxcfs:   c.enableLxcfs,
 			Privileged:    c.privileged,

cri/v1alpha1/cri.go

@@ -9,7 +9,6 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
-	"strings"
 	"time"
 
 	apitypes "github.com/alibaba/pouch/apis/types"
@@ -648,7 +647,7 @@ func (c *CriManager) ContainerStatus(ctx context.Context, r *runtime.ContainerSt
 	labels, annotations := extractLabels(container.Config.Labels)
 
 	imageRef := container.Image
-	imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(imageRef, "sha256:"))
+	imageInfo, err := c.ImageMgr.GetImage(ctx, imageRef)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get image %s: %v", imageRef, err)
 	}
@@ -825,7 +824,7 @@ func (c *CriManager) ListImages(ctx context.Context, r *runtime.ListImagesReques
 			continue
 		}
 		// NOTE: we should query image cache to get the correct image info.
-		imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(i.ID, "sha256:"))
+		imageInfo, err := c.ImageMgr.GetImage(ctx, i.ID)
 		if err != nil {
 			continue
 		}
@@ -849,7 +848,7 @@ func (c *CriManager) ImageStatus(ctx context.Context, r *runtime.ImageStatusRequ
 		return nil, err
 	}
 
-	imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(ref.String(), "sha256:"))
+	imageInfo, err := c.ImageMgr.GetImage(ctx, ref.String())
 	if err != nil {
 		// TODO: separate ErrImageNotFound with others.
 		// Now we just return empty if the error occurred.
@@ -893,7 +892,7 @@ func (c *CriManager) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 
 // RemoveImage removes the image.
 func (c *CriManager) RemoveImage(ctx context.Context, r *runtime.RemoveImageRequest) (*runtime.RemoveImageResponse, error) {
-	imageRef := strings.TrimPrefix(r.GetImage().GetImage(), "sha256:")
+	imageRef := r.GetImage().GetImage()
 
 	if err := c.ImageMgr.RemoveImage(ctx, imageRef, false); err != nil {
 		if errtypes.IsNotfound(err) {

cri/v1alpha2/cri.go

@@ -9,7 +9,6 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
-	"strings"
 	"time"
 
 	apitypes "github.com/alibaba/pouch/apis/types"
@@ -54,7 +53,7 @@ const (
 	// Address and port of stream server.
 	// TODO: specify them in the parameters of pouchd.
 	streamServerAddress = ""
-	streamServerPort    = "10010"
+	streamServerPort    = "10011"
 
 	namespaceModeHost = "host"
 	namespaceModeNone = "none"
@@ -637,7 +636,7 @@ func (c *CriManager) ContainerStatus(ctx context.Context, r *runtime.ContainerSt
 	labels, annotations := extractLabels(container.Config.Labels)
 
 	imageRef := container.Image
-	imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(imageRef, "sha256:"))
+	imageInfo, err := c.ImageMgr.GetImage(ctx, imageRef)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get image %s: %v", imageRef, err)
 	}
@@ -823,7 +822,7 @@ func (c *CriManager) ListImages(ctx context.Context, r *runtime.ListImagesReques
 			continue
 		}
 		// NOTE: we should query image cache to get the correct image info.
-		imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(i.ID, "sha256:"))
+		imageInfo, err := c.ImageMgr.GetImage(ctx, i.ID)
 		if err != nil {
 			continue
 		}
@@ -847,7 +846,7 @@ func (c *CriManager) ImageStatus(ctx context.Context, r *runtime.ImageStatusRequ
 		return nil, err
 	}
 
-	imageInfo, err := c.ImageMgr.GetImage(ctx, strings.TrimPrefix(ref.String(), "sha256:"))
+	imageInfo, err := c.ImageMgr.GetImage(ctx, ref.String())
 	if err != nil {
 		// TODO: separate ErrImageNotFound with others.
 		// Now we just return empty if the error occurred.
@@ -891,7 +890,7 @@ func (c *CriManager) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 
 // RemoveImage removes the image.
 func (c *CriManager) RemoveImage(ctx context.Context, r *runtime.RemoveImageRequest) (*runtime.RemoveImageResponse, error) {
-	imageRef := strings.TrimPrefix(r.GetImage().GetImage(), "sha256:")
+	imageRef := r.GetImage().GetImage()
 
 	if err := c.ImageMgr.RemoveImage(ctx, imageRef, false); err != nil {
 		if errtypes.IsNotfound(err) {

cri/v1alpha2/cri_utils.go

@@ -451,9 +451,9 @@ func modifyContainerNamespaceOptions(nsOpts *runtime.NamespaceOption, podSandbox
 		if n.hostMode {
 			*n.nsMode = namespaceModeHost
 		} else {
-			if n.nsMode == &hostConfig.PidMode && nsOpts.GetPid() == runtime.NamespaceMode_CONTAINER {
-				continue
-			}
+			//if n.nsMode == &hostConfig.PidMode && nsOpts.GetPid() == runtime.NamespaceMode_CONTAINER {
+			//	continue
+			//}
 			*n.nsMode = sandboxNSMode
 		}
 	}

daemon/mgr/container.go

@@ -36,7 +36,6 @@ import (
 	"github.com/go-openapi/strfmt"
 	"github.com/imdario/mergo"
 	"github.com/magiconair/properties"
-	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -1919,7 +1918,7 @@ func (mgr *ContainerManager) getMountPointFromImage(ctx context.Context, meta *C
 	var err error
 
 	// parse volumes from image
-	image, err := mgr.ImageMgr.GetImage(ctx, strings.TrimPrefix(meta.Image, digest.Canonical.String()+":"))
+	image, err := mgr.ImageMgr.GetImage(ctx, meta.Image)
 	if err != nil {
 		return errors.Wrapf(err, "failed to get image: %s", meta.Image)
 	}

daemon/mgr/image.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 	"time"
 
 	"github.com/alibaba/pouch/apis/types"
@@ -178,8 +179,11 @@ func (mgr *ImageManager) RemoveImage(ctx context.Context, idOrRef string, force
 		return err
 	}
 
-	// should remove all the references if the reference is Named Only
-	if reference.IsNamedOnly(namedRef) {
+	// should remove all the references if the reference is ID (Named Only)
+	// or Digest ID (Tagged Named)
+	if reference.IsNamedOnly(namedRef) ||
+		strings.HasPrefix(id.String(), namedRef.String()) {
+
 		// NOTE: the user maybe use the following references to pull one image
 		//
 		//	busybox:1.25
@@ -257,9 +261,11 @@ func (mgr *ImageManager) CheckReference(ctx context.Context, idOrRef string) (ac
 		}
 	}
 
-	// NOTE: if the actualRef is short ID or ID, the primaryRef is first one of
-	// primary reference
-	if reference.IsNamedOnly(actualRef) {
+	// NOTE: if the actualRef is ID (Named Only) or Digest ID (Tagged Named)
+	// the primaryRef is first one of primary reference
+	if reference.IsNamedOnly(actualRef) ||
+		strings.HasPrefix(actualID.String(), actualRef.String()) {
+
 		refs := mgr.localStore.GetPrimaryReferences(actualID)
 		if len(refs) == 0 {
 			err = errtypes.ErrNotfound

daemon/mgr/image_store.go

@@ -1,6 +1,8 @@
 package mgr
 
 import (
+	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/alibaba/pouch/pkg/errtypes"
@@ -141,34 +143,41 @@ func (store *imageStore) Search(ref reference.Named) (digest.Digest, reference.N
 
 	// if the reference is short ID or ID
 	//
-	// NOTE: by default, use the sha256 as the digest algorithm
-	id, err := store.searchIDs(digest.Canonical.String(), ref.String())
+	// NOTE: by default, use the sha256 as the digest algorithm if missing
+	// algorithm header.
+	id, err := store.searchIDs(ref.String())
 	if err != nil {
 		return "", nil, err
 	}
 	return id, ref, nil
 }
 
-func (store *imageStore) searchIDs(algo string, prefixID string) (digest.Digest, error) {
+func (store *imageStore) searchIDs(refID string) (digest.Digest, error) {
 	var ids []digest.Digest
+	var id string
+
+	id = refID
+	if !strings.HasPrefix(refID, digest.Canonical.String()) {
+		id = fmt.Sprintf("%s:%s", digest.Canonical.String(), refID)
+	}
 
 	fn := func(_ patricia.Prefix, item patricia.Item) error {
 		if got, ok := item.(digest.Digest); ok {
 			ids = append(ids, got)
 		}
 
 		if len(ids) > 1 {
-			return pkgerrors.Wrap(errtypes.ErrTooMany, "image: "+prefixID)
+			return pkgerrors.Wrap(errtypes.ErrTooMany, "image: "+refID)
 		}
 		return nil
 	}
 
-	if err := store.idSet.VisitSubtree(patricia.Prefix(algo+":"+prefixID), fn); err != nil {
+	if err := store.idSet.VisitSubtree(patricia.Prefix(id), fn); err != nil {
 		return "", err
 	}
 
 	if len(ids) == 0 {
-		return "", pkgerrors.Wrap(errtypes.ErrNotfound, "image: "+prefixID)
+		return "", pkgerrors.Wrap(errtypes.ErrNotfound, "image: "+refID)
 	}
 	return ids[0], nil
 }

daemon/mgr/image_store_test.go

@@ -112,7 +112,7 @@ func TestSearch(t *testing.T) {
 
 	// search
 	{
-		// should return id if the reference is id
+		// should return id if the reference is id without algorithm header
 		{
 			namedStr := id.Hex()
 
@@ -127,6 +127,21 @@ func TestSearch(t *testing.T) {
 			assert.Equal(t, gotRef.String(), namedRef.String())
 		}
 
+		// should return id if the reference is digest id
+		{
+			namedStr := id.String()
+
+			namedRef, err := reference.Parse(namedStr)
+			if err != nil {
+				t.Fatalf("unexpected error during parse reference %v: %v", namedStr, err)
+			}
+
+			gotID, gotRef, err := store.Search(namedRef)
+			assert.Equal(t, err, nil)
+			assert.Equal(t, gotID.String(), id.String())
+			assert.Equal(t, gotRef.String(), namedRef.String())
+		}
+
 		// should return busybox:latest if the reference is busybox
 		{
 			namedStr := "busybox"
@@ -202,7 +217,7 @@ func TestSearch(t *testing.T) {
 
 		// should return ErrTooMany if the reference is commonPart
 		{
-			namedStr := id.Hex()[:20]
+			namedStr := id.String()[:20]
 
 			namedRef, err := reference.Parse(namedStr)
 			if err != nil {

daemon/mgr/spec_linux.go

@@ -140,7 +140,10 @@ func setupResource(ctx context.Context, c *Container, s *specs.Spec) error {
 		return err
 	}
 
-	//TODO: nedd support Pids, HugepageLimits, Network cgroup set
+	// start to setup pids limit
+	s.Linux.Resources.Pids = &specs.LinuxPids{
+		Limit: c.HostConfig.PidsLimit,
+	}
 
 	return nil
 }

daemon/mgr/system.go

@@ -159,7 +159,7 @@ func (mgr *SystemManager) Version() (types.SystemVersion, error) {
 		Arch:          runtime.GOARCH,
 		BuildTime:     version.BuildTime,
 		GitCommit:     version.GitCommit,
-		GoVersion:     version.GOVersion,
+		GoVersion:     runtime.Version(),
 		KernelVersion: kernelVersion,
 		Os:            runtime.GOOS,
 		Version:       version.Version,

daemon/mgr/volume.go

@@ -139,6 +139,7 @@ func (vm *VolumeManager) Remove(ctx context.Context, name string) error {
 		if strings.Contains(err.Error(), "not found") {
 			return errors.Wrap(errtypes.ErrNotfound, err.Error())
 		}
+		return err
 	}
 
 	return nil

docs/commandline/pouch_create.md

@@ -59,6 +59,7 @@ e1d541722d68dc5d133cca9e7bd8fd9338603e1763096c8e853522b60d11f7b9
       --oom-kill-disable             Disable OOM Killer
       --oom-score-adj int            Tune host's OOM preferences (-1000 to 1000) (default -500)
       --pid string                   PID namespace to use
+      --pids-limit int               Set container pids limit, -1 for unlimited (default -1)
   -p, --port strings                 Set container ports mapping
       --privileged                   Give extended privileges to the container
       --quota-id string              Specified quota id, if id < 0, it means pouchd alloc a unique quota id

docs/commandline/pouch_run.md

@@ -74,6 +74,7 @@ crw-rw-rw-    1 root     root        1,   3 Jan  8 09:40 /dev/testnull
       --oom-kill-disable             Disable OOM Killer
       --oom-score-adj int            Tune host's OOM preferences (-1000 to 1000) (default -500)
       --pid string                   PID namespace to use
+      --pids-limit int               Set container pids limit, -1 for unlimited (default -1)
   -p, --port strings                 Set container ports mapping
       --privileged                   Give extended privileges to the container
       --quota-id string              Specified quota id, if id < 0, it means pouchd alloc a unique quota id

docs/commandline/pouch_upgrade.md

@@ -61,6 +61,7 @@ test1
       --oom-kill-disable             Disable OOM Killer
       --oom-score-adj int            Tune host's OOM preferences (-1000 to 1000) (default -500)
       --pid string                   PID namespace to use
+      --pids-limit int               Set container pids limit, -1 for unlimited (default -1)
   -p, --port strings                 Set container ports mapping
       --privileged                   Give extended privileges to the container
       --quota-id string              Specified quota id, if id < 0, it means pouchd alloc a unique quota id

docs/test/test.md

@@ -88,13 +88,24 @@ GOROOT=/usr/local/go
 GOPATH=/go
 ```
 
-Then copy or clone or link pouch source code to the GOPATH：
+Then copy or clone pouch source code to the GOPATH：
 
 ```
 # pwd
 /go/src/github.com/alibaba/pouch
 ```
 
+The following steps are also needed to make sure libnetwork package could be found:
+
+```
+BUILDPATH=/tmp/pouchbuild
+mkdir -p $BUILDPATH/src/github.com/docker
+cp -r /go/src/github.com/alibaba/pouch/extra/libnetwork $BUILDPATH/src/github.com/docker/libnetwork
+export GOPATH=$GOPATH:$BUILDPATH:$BUILDPATH/src/github.com/docker/libnetwork/Godeps/_workspace
+```
+
+And please notice that files in `/tmp` directory may be deleted after reboot.
+
 Now you could run unit test as following:
 
 ```