Enable per pod PID namespace setting

If the pid namespace mode is set to POD, then the container's namespace
should be set to the namespace of the pod infra container.

Signed-off-by: umohnani8 <umohnani@redhat.com>
This commit is contained in:
umohnani8 2018-02-28 16:41:11 -05:00
parent e5fdb6bc9e
commit 156e21ddf9
8 changed files with 8 additions and 35 deletions

View file

@ -114,9 +114,6 @@ default_mounts = [
# pids_limit is the number of processes allowed in a container # pids_limit is the number of processes allowed in a container
pids_limit = {{ .PidsLimit }} pids_limit = {{ .PidsLimit }}
# enable using a shared PID namespace for containers in a pod
enable_shared_pid_namespace = {{ .EnableSharedPIDNamespace }}
# log_size_max is the max limit for the container log size in bytes. # log_size_max is the max limit for the container log size in bytes.
# Negative values indicate that no limit is imposed. # Negative values indicate that no limit is imposed.
log_size_max = {{ .LogSizeMax }} log_size_max = {{ .LogSizeMax }}

View file

@ -131,9 +131,6 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
if ctx.GlobalIsSet("pids-limit") { if ctx.GlobalIsSet("pids-limit") {
config.PidsLimit = ctx.GlobalInt64("pids-limit") config.PidsLimit = ctx.GlobalInt64("pids-limit")
} }
if ctx.GlobalIsSet("enable-shared-pid-namespace") {
config.EnableSharedPIDNamespace = ctx.GlobalBool("enable-shared-pid-namespace")
}
if ctx.GlobalIsSet("log-size-max") { if ctx.GlobalIsSet("log-size-max") {
config.LogSizeMax = ctx.GlobalInt64("log-size-max") config.LogSizeMax = ctx.GlobalInt64("log-size-max")
} }
@ -299,10 +296,6 @@ func main() {
Value: lib.DefaultPidsLimit, Value: lib.DefaultPidsLimit,
Usage: "maximum number of processes allowed in a container", Usage: "maximum number of processes allowed in a container",
}, },
cli.BoolFlag{
Name: "enable-shared-pid-namespace",
Usage: "enable using a shared PID namespace for containers in a pod",
},
cli.Int64Flag{ cli.Int64Flag{
Name: "log-size-max", Name: "log-size-max",
Value: lib.DefaultLogSizeMax, Value: lib.DefaultLogSizeMax,

View file

@ -94,8 +94,6 @@ crio [GLOBAL OPTIONS] config [OPTIONS]
**--pids-limit**="": Maximum number of processes allowed in a container (default: 1024) **--pids-limit**="": Maximum number of processes allowed in a container (default: 1024)
**--enable-shared-pid-namespace**="": Enable using a shared PID namespace for containers in a pod (default: false)
**--root**="": The crio root dir (default: "/var/lib/containers/storage") **--root**="": The crio root dir (default: "/var/lib/containers/storage")
**--registry**="": Registry host which will be prepended to unqualified images, can be specified multiple times **--registry**="": Registry host which will be prepended to unqualified images, can be specified multiple times

View file

@ -87,9 +87,6 @@ Example:
**pids_limit**="" **pids_limit**=""
Maximum number of processes allowed in a container (default: 1024) Maximum number of processes allowed in a container (default: 1024)
**enable_shared_pid_namespace**=""
Enable using a shared PID namespace for containers in a pod (default: false)
**runtime**="" **runtime**=""
OCI runtime path (default: "/usr/bin/runc") OCI runtime path (default: "/usr/bin/runc")

View file

@ -121,9 +121,6 @@ type RuntimeConfig struct {
// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE` // NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
NoPivot bool `toml:"no_pivot"` NoPivot bool `toml:"no_pivot"`
// EnableSharePidNamespace instructs the runtime to enable share pid namespace
EnableSharedPIDNamespace bool `toml:"enable_shared_pid_namespace"`
// Conmon is the path to conmon binary, used for managing the runtime. // Conmon is the path to conmon binary, used for managing the runtime.
Conmon string `toml:"conmon"` Conmon string `toml:"conmon"`

View file

@ -1000,7 +1000,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_NODE { if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_NODE {
// kubernetes PodSpec specify to use Host PID namespace // kubernetes PodSpec specify to use Host PID namespace
specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace)) specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
} else if s.config.EnableSharedPIDNamespace { } else if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_POD {
// share Pod PID namespace // share Pod PID namespace
pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", podInfraState.Pid) pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", podInfraState.Pid)
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil { if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {

View file

@ -56,8 +56,6 @@ IMAGE_VOLUMES=${IMAGE_VOLUMES:-mkdir}
PIDS_LIMIT=${PIDS_LIMIT:-1024} PIDS_LIMIT=${PIDS_LIMIT:-1024}
# Log size max limit # Log size max limit
LOG_SIZE_MAX_LIMIT=${LOG_SIZE_MAX_LIMIT:--1} LOG_SIZE_MAX_LIMIT=${LOG_SIZE_MAX_LIMIT:--1}
# enable share container pid namespace
ENABLE_SHARED_PID_NAMESPACE=${ENABLE_SHARED_PID_NAMESPACE:-false}
TESTDIR=$(mktemp -d) TESTDIR=$(mktemp -d)
@ -217,7 +215,7 @@ function start_crio() {
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/image-volume-test:latest --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/image-volume-test:latest --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json
"$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --enable-shared-pid-namespace=${ENABLE_SHARED_PID_NAMESPACE} --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG "$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
# Prepare the CNI configuration files, we're running with non host networking by default # Prepare the CNI configuration files, we're running with non host networking by default
if [[ -n "$4" ]]; then if [[ -n "$4" ]]; then

View file

@ -6,14 +6,15 @@ function teardown() {
cleanup_test cleanup_test
} }
function pid_namespace_test() { @test "pid_namespace_mode_pod_test" {
start_crio start_crio
pidNamespaceMode=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["namespace_options"]["pid"] = 0; json.dump(obj, sys.stdout)')
run crictl runp "$TESTDATA"/sandbox_config.json echo "$pidNamespaceMode" > "$TESTDIR"/sandbox_pidnamespacemode_config.json
run crictl runp "$TESTDIR"/sandbox_pidnamespacemode_config.json
echo "$output" echo "$output"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
pod_id="$output" pod_id="$output"
run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox_pidnamespacemode_config.json
echo "$output" echo "$output"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
ctr_id="$output" ctr_id="$output"
@ -23,7 +24,7 @@ function pid_namespace_test() {
run crictl exec --sync "$ctr_id" cat /proc/1/cmdline run crictl exec --sync "$ctr_id" cat /proc/1/cmdline
echo "$output" echo "$output"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[[ "$output" =~ "${EXPECTED_INIT:-redis}" ]] [[ "$output" =~ pause ]]
run crictl stopp "$pod_id" run crictl stopp "$pod_id"
echo "$output" echo "$output"
@ -35,11 +36,3 @@ function pid_namespace_test() {
cleanup_pods cleanup_pods
stop_crio stop_crio
} }
@test "pod disable shared pid namespace" {
ENABLE_SHARED_PID_NAMESPACE=false pid_namespace_test
}
@test "pod enable shared pid namespace" {
ENABLE_SHARED_PID_NAMESPACE=true EXPECTED_INIT=pause pid_namespace_test
}