From 145c343273785d5686f7e4293bfa7f1d87d2ce90 Mon Sep 17 00:00:00 2001
From: Lee Verberne
Date: Wed, 30 Aug 2017 17:28:58 +0200
Subject: [PATCH 1/2] Revert to using isolated PID namespaces in Docker

A shared PID namespace were enabled by default in the 1.7 when running with a supported Docker runtime, but a Docker version that supports a shared namespace was not qualified for use. Release 1.8 will qualify a docker version supporting shared PID, but we don't want to cause disruption for container images which expect always to have PID 1.
---
 cmd/kubelet/app/options/container_runtime.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/kubelet/app/options/container_runtime.go b/cmd/kubelet/app/options/container_runtime.go
index 926be8bca3f..38fa4ef06ea 100644
--- a/cmd/kubelet/app/options/container_runtime.go
+++ b/cmd/kubelet/app/options/container_runtime.go
@@ -108,6 +108,7 @@ func NewContainerRuntimeOptions() *ContainerRuntimeOptions {
 DockerEndpoint: dockerEndpoint,
 DockershimRootDirectory: "/var/lib/dockershim",
 DockerExecHandlerName: "native",
+ DockerDisableSharedPID: true,
 PodSandboxImage: defaultPodSandboxImage,
 ImagePullProgressDeadline: metav1.Duration{Duration: 1 * time.Minute},
 RktAPIEndpoint: defaultRktAPIServiceEndpoint,

From 765374ce03213f789559314200175aba1d47c48f Mon Sep 17 00:00:00 2001
From: Lee Verberne
Date: Fri, 1 Sep 2017 23:43:13 +0200
Subject: [PATCH 2/2] Explicitly enable docker shared-pid for e2e_node

This also renames isSharedPIDNamespaceEnabled() to isSharedPIDNamespaceSupported() to be more accurate.
---
 test/e2e_node/docker_test.go | 6 +++---
 test/e2e_node/docker_util.go | 4 ++--
 test/e2e_node/services/kubelet.go | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/test/e2e_node/docker_test.go b/test/e2e_node/docker_test.go
index fa5ed68e621..59e5686dae9 100644
--- a/test/e2e_node/docker_test.go
+++ b/test/e2e_node/docker_test.go
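Review bot: The new default `DockerDisableSharedPID: true,` carries no comment saying why, so the next reader of NewContainerRuntimeOptions (whose body starts and ends outside this hunk) cannot tell it is a deliberate revert rather than a leftover; suggest adding above it `// Isolated PID namespaces by default: images that expect to be PID 1 break under a shared namespace, and the Docker version supporting shared PID is not yet qualified.` That comment could also note that with the namespace shared every process in a pod can see and signal processes in sibling containers, so the isolated default is the more conservative choice from an isolation standpoint as well as the compatible one. If the flag's help text elsewhere still describes shared PID as the default, it should be updated in the same change.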
@@ -40,11 +40,11 @@ var _ = framework.KubeDescribe("Docker features [Feature:Docker]", func() {
 It("processes in different containers of the same pod should be able to see each other", func() {
 // TODO(yguo0905): Change this test to run unless the runtime is
 // Docker and its version is <1.13.
- By("Check whether shared PID namespace is enabled.")
- isEnabled, err := isSharedPIDNamespaceEnabled()
+ By("Check whether shared PID namespace is supported.")
+ isEnabled, err := isSharedPIDNamespaceSupported()
 framework.ExpectNoError(err)
 if !isEnabled {
- framework.Skipf("Skipped because shared PID namespace is not enabled.")
+ framework.Skipf("Skipped because shared PID namespace is not supported by this docker version.")
 }

 By("Create a pod with two containers.")
diff --git a/test/e2e_node/docker_util.go b/test/e2e_node/docker_util.go
index 625733daf5a..8a87607e993 100644
--- a/test/e2e_node/docker_util.go
+++ b/test/e2e_node/docker_util.go
@@ -43,9 +43,9 @@ func getDockerAPIVersion() (semver.Version, error) {
 return semver.MustParse(version.APIVersion + ".0"), nil
 }

-// isSharedPIDNamespaceEnabled returns true if the Docker version is 1.13.1+
+// isSharedPIDNamespaceSupported returns true if the Docker version is 1.13.1+
 // (API version 1.26+), and false otherwise.
-func isSharedPIDNamespaceEnabled() (bool, error) {
+func isSharedPIDNamespaceSupported() (bool, error) {
 version, err := getDockerAPIVersion()
 if err != nil {
 return false, err
diff --git a/test/e2e_node/services/kubelet.go b/test/e2e_node/services/kubelet.go
index 9cbc9d5ba1c..3f8de017b32 100644
--- a/test/e2e_node/services/kubelet.go
+++ b/test/e2e_node/services/kubelet.go
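Review bot: The skip guard on the new side checks only whether Docker supports a shared PID namespace, but with the kubelet now defaulting `DockerDisableSharedPID` to true (patch 1 of this series) support alone does not mean the pod will get one, so against a kubelet started with defaults this test will fail rather than skip. That dependency on the kubelet being launched with `--docker-disable-shared-pid=false` is worth stating next to the guard, e.g. `// Requires the kubelet under test to run with --docker-disable-shared-pid=false (see services/kubelet.go); Docker support alone does not enable sharing.` The local `isEnabled` still carries the old meaning after the rename; `isSupported, err := isSharedPIDNamespaceSupported()` and `if !isSupported {` keep the variable honest. The enclosing It closure continues past the end of the hunk.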
@@ -155,6 +155,7 @@ func (e *E2EServices) startKubelet() (*server, error) {
 "--serialize-image-pulls", "false",
 "--pod-manifest-path", manifestPath,
 "--file-check-frequency", "10s", // Check file frequently so tests won't wait too long
+ "--docker-disable-shared-pid=false",
 // Assign a fixed CIDR to the node because there is no node controller.
 //
 // Note: this MUST be in sync with with the IP in
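Review bot: The added `"--docker-disable-shared-pid=false",` is written as a single flag=value element while its neighbours pass flag and value as separate elements, and nothing says why this one differs or why it is needed, so a later cleanup is likely to "normalize" it to the two-element form. If the kubelet parses its command line with spf13/pflag, as Kubernetes components do, a boolean flag followed by a separate `"false"` is read as true with `false` left over as a positional argument, which would make the =value form the correct one here and the neighbouring two-element booleans the suspect pattern rather than a model to copy; that is inferred, not visible in this hunk, and worth confirming. Suggest annotating the line: `"--docker-disable-shared-pid=false", // kubelet now defaults to isolated PID namespaces; docker_test.go needs them shared. Keep the =value form for this boolean flag.` startKubelet's body continues on both sides of the hunk.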