Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
parent
1f863846f5
commit
26645c90ac
6 changed files with 43 additions and 25 deletions
|
@ -11,10 +11,11 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
ocidRoot = "/var/lib/ocid"
|
ocidRoot = "/var/lib/ocid"
|
||||||
conmonPath = "/usr/libexec/ocid/conmon"
|
conmonPath = "/usr/libexec/ocid/conmon"
|
||||||
pausePath = "/usr/libexec/ocid/pause"
|
pausePath = "/usr/libexec/ocid/pause"
|
||||||
seccompProfilePath = "/etc/ocid/seccomp.json"
|
seccompProfilePath = "/etc/ocid/seccomp.json"
|
||||||
|
apparmorProfileName = "crio-default"
|
||||||
)
|
)
|
||||||
|
|
||||||
var commentedConfigTemplate = template.Must(template.New("config").Parse(`
|
var commentedConfigTemplate = template.Must(template.New("config").Parse(`
|
||||||
|
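Review bot: The new `apparmorProfileName = "crio-default"` literal has to match the name that `apparmor.InstallDefaultAppArmorProfile()` actually loads (the `defaultApparmorProfile` value the removed `GetAppArmorProfileName` used to return), and nothing ties the two together, so a rename on either side silently turns every `runtime/default` request into a reference to a profile that is not loaded. I would export that constant from pkg/apparmor and reference it here, e.g. `apparmorProfileName = apparmor.DefaultProfileName`, so the default is declared in exactly one place; the exported name is a suggestion, since pkg/apparmor's declarations are not in this diff. The import block at the top of the hunk is cut off, so whether this file already imports `apparmor` is not visible.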
@ -64,6 +65,10 @@ selinux = {{ .SELinux }}
|
||||||
# default for the runtime.
|
# default for the runtime.
|
||||||
seccomp_profile = "{{ .SeccompProfile }}"
|
seccomp_profile = "{{ .SeccompProfile }}"
|
||||||
|
|
||||||
|
# apparmor_profile is the apparmor profile name which is used as the
|
||||||
|
# default for the runtime.
|
||||||
|
apparmor_profile = "{{ .ApparmorProfile }}"
|
||||||
|
|
||||||
# The "ocid.image" table contains settings pertaining to the
|
# The "ocid.image" table contains settings pertaining to the
|
||||||
# management of OCI images.
|
# management of OCI images.
|
||||||
[ocid.image]
|
[ocid.image]
|
||||||
|
@ -94,8 +99,9 @@ func DefaultConfig() *server.Config {
|
||||||
ConmonEnv: []string{
|
ConmonEnv: []string{
|
||||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||||
},
|
},
|
||||||
SELinux: selinux.SelinuxEnabled(),
|
SELinux: selinux.SelinuxEnabled(),
|
||||||
SeccompProfile: seccompProfilePath,
|
SeccompProfile: seccompProfilePath,
|
||||||
|
ApparmorProfile: apparmorProfileName,
|
||||||
},
|
},
|
||||||
ImageConfig: server.ImageConfig{
|
ImageConfig: server.ImageConfig{
|
||||||
Pause: pausePath,
|
Pause: pausePath,
|
||||||
|
|
|
@ -59,6 +59,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
||||||
if ctx.GlobalIsSet("seccomp-profile") {
|
if ctx.GlobalIsSet("seccomp-profile") {
|
||||||
config.SeccompProfile = ctx.GlobalString("seccomp-profile")
|
config.SeccompProfile = ctx.GlobalString("seccomp-profile")
|
||||||
}
|
}
|
||||||
|
if ctx.GlobalIsSet("apparmor-profile") {
|
||||||
|
config.ApparmorProfile = ctx.GlobalString("apparmor-profile")
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -135,6 +138,10 @@ func main() {
|
||||||
Name: "seccomp-profile",
|
Name: "seccomp-profile",
|
||||||
Usage: "default seccomp profile path",
|
Usage: "default seccomp profile path",
|
||||||
},
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "apparmor-profile",
|
||||||
|
Usage: "default apparmor profile name (default: \"crio-default\")",
|
||||||
|
},
|
||||||
cli.BoolFlag{
|
cli.BoolFlag{
|
||||||
Name: "selinux",
|
Name: "selinux",
|
||||||
Usage: "enable selinux support",
|
Usage: "enable selinux support",
|
||||||
|
|
|
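Review bot: The usage string of the new `apparmor-profile` flag hardcodes `(default: "crio-default")`, a third copy of the value held in `apparmorProfileName`, so the help text goes stale the moment the constant changes; `Usage: "default apparmor profile name (default: \"" + apparmorProfileName + "\")"` keeps them in sync, assuming config.go and main.go are the same `main` package as `DefaultConfig` and `mergeConfig` suggest. It is also inconsistent with the sibling `seccomp-profile` flag just above, whose usage string does not state its default at all; pick one convention for both flags. `main` continues outside the hunk.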
@ -57,24 +57,6 @@ func IsEnabled() bool {
|
||||||
return apparmor.IsEnabled()
|
return apparmor.IsEnabled()
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAppArmorProfileName gets the profile name for the given container.
|
|
||||||
func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
|
||||||
profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
|
|
||||||
|
|
||||||
if profile == "" {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
if profile == ProfileRuntimeDefault {
|
|
||||||
// If the value is runtime/default, then return default profile.
|
|
||||||
logrus.Infof("get default profile name")
|
|
||||||
return defaultApparmorProfile
|
|
||||||
}
|
|
||||||
|
|
||||||
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
|
|
||||||
return profileName
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||||
// pod annotations
|
// pod annotations
|
||||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||||
|
|
|
@ -68,6 +68,10 @@ type RuntimeConfig struct {
|
||||||
// SeccompProfile is the seccomp json profile path which is used as the
|
// SeccompProfile is the seccomp json profile path which is used as the
|
||||||
// default for the runtime.
|
// default for the runtime.
|
||||||
SeccompProfile string `toml:"seccomp_profile"`
|
SeccompProfile string `toml:"seccomp_profile"`
|
||||||
|
|
||||||
|
// ApparmorProfile is the apparmor profile name which is used as the
|
||||||
|
// default for the runtime.
|
||||||
|
ApparmorProfile string `toml:"apparmor_profile"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ImageConfig represents the "ocid.image" TOML config table.
|
// ImageConfig represents the "ocid.image" TOML config table.
|
||||||
|
|
|
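Review bot: The comment on the new `ApparmorProfile` field is a copy of the seccomp one and does not say when the value is used or what a bad value does, which matters here because the server hunk resolves a pod's `runtime/default` annotation to this name and an empty name ends up applying no profile. I would write `// ApparmorProfile is the name of the apparmor profile applied to containers whose pod requests runtime/default. It must name a profile that is already loaded in the kernel; an empty value leaves those containers unconfined.` in place of the two-line comment. The `RuntimeConfig` struct begins outside the hunk.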
@ -186,7 +186,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
|
||||||
|
|
||||||
// set this container's apparmor profile if it is set by sandbox
|
// set this container's apparmor profile if it is set by sandbox
|
||||||
if s.appArmorEnabled {
|
if s.appArmorEnabled {
|
||||||
appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
|
appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||||
if appArmorProfileName != "" {
|
if appArmorProfileName != "" {
|
||||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||||
}
|
}
|
||||||
|
@ -383,3 +383,20 @@ func (s *Server) generateContainerIDandName(podName string, name string, attempt
|
||||||
}
|
}
|
||||||
return id, name, err
|
return id, name, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getAppArmorProfileName gets the profile name for the given container.
|
||||||
|
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||||
|
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||||
|
|
||||||
|
if profile == "" {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
if profile == apparmor.ProfileRuntimeDefault {
|
||||||
|
// If the value is runtime/default, then return default profile.
|
||||||
|
return s.appArmorProfile
|
||||||
|
}
|
||||||
|
|
||||||
|
profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||||
|
return profileName
|
||||||
|
}
|
||||||
|
|
|
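Review bot: The `strings.TrimPrefix` on the last line of the new method never checks that the annotation value actually carried `apparmor.ProfileNamePrefix`, so any other string a pod author puts in the annotation — including `unconfined`, which the Kubernetes annotation contract treats as a distinct value — is forwarded verbatim to `specgen.SetProcessApparmorProfile` in the createSandboxContainer hunk as if it were a loaded profile name. Since the method is new in this commit, I would have it return an error for unrecognised values and let `createSandboxContainer` fail the request, rather than passing the string through or, worse, returning `""`, which the caller treats as "apply nothing". Whether `unconfined` should be accepted (skip confinement) or rejected is a policy decision I cannot make from what is visible; the sketch below rejects everything outside the two known forms. The `s.getAppArmorProfileName(...)` call site then needs an `err` check, and the `strings` import for this file is not shown in these hunks.

```go
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) (string, error) {
	profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
	if profile == "" {
		return "", nil
	}
	if profile == apparmor.ProfileRuntimeDefault {
		return s.appArmorProfile, nil
	}
	// Only the localhost/<name> form names a profile; anything else is rejected
	// so an unexpected annotation value cannot reach the runtime as a profile name.
	if !strings.HasPrefix(profile, apparmor.ProfileNamePrefix) {
		return "", fmt.Errorf("unsupported apparmor profile %q for container %s", profile, ctrName)
	}
	return strings.TrimPrefix(profile, apparmor.ProfileNamePrefix), nil
}
```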
@ -42,6 +42,7 @@ type Server struct {
|
||||||
seccompProfile seccomp.Seccomp
|
seccompProfile seccomp.Seccomp
|
||||||
|
|
||||||
appArmorEnabled bool
|
appArmorEnabled bool
|
||||||
|
appArmorProfile string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) loadContainer(id string) error {
|
func (s *Server) loadContainer(id string) error {
|
||||||
|
@ -300,6 +301,7 @@ func New(config *Config) (*Server, error) {
|
||||||
if s.appArmorEnabled {
|
if s.appArmorEnabled {
|
||||||
apparmor.InstallDefaultAppArmorProfile()
|
apparmor.InstallDefaultAppArmorProfile()
|
||||||
}
|
}
|
||||||
|
s.appArmorProfile = config.ApparmorProfile
|
||||||
|
|
||||||
s.podIDIndex = truncindex.NewTruncIndex([]string{})
|
s.podIDIndex = truncindex.NewTruncIndex([]string{})
|
||||||
s.podNameIndex = registrar.NewRegistrar()
|
s.podNameIndex = registrar.NewRegistrar()
|
||||||
|
|
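Review bot: `s.appArmorProfile = config.ApparmorProfile` is stored without any validation, and because `getAppArmorProfileName` returns it for `runtime/default` while the caller skips `SetProcessApparmorProfile` when the name is empty, an operator who sets `apparmor_profile = ""` in the TOML or passes `--apparmor-profile ""` silently gets unconfined containers for every pod that asked for the default profile. When AppArmor is enabled `New` should refuse that: `if config.ApparmorProfile == "" { return nil, fmt.Errorf("apparmor is enabled but apparmor_profile is empty") }` inside the `if s.appArmorEnabled` branch, after the install call. It would also be worth confirming that a custom name is actually loaded (the kernel lists loaded profiles under `/sys/kernel/security/apparmor/profiles`), since `InstallDefaultAppArmorProfile` only guarantees the built-in profile exists; no helper for that check is visible in this diff. `New` begins and ends outside the hunk.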