From 715785950c3388d54b4a9b81e71d311883be2c5a Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 5 May 2017 14:49:02 +0200
Subject: [PATCH 1/2] test: use redis:alpine

Signed-off-by: Antonio Murdaca
---
 test/helpers.bash | 10 +++++-----
 test/testdata/container_config.json | 2 +-
 test/testdata/container_config_by_imageid.json | 4 +---
 test/testdata/container_config_seccomp.json | 2 +-
 test/testdata/container_redis.json | 2 +-
 5 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/test/helpers.bash b/test/helpers.bash
index 722e1dee..7844916b 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -68,7 +68,7 @@ PATH=$PATH:$TESTDIR
 # Make sure we have a copy of the redis:latest image.
 if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then
     mkdir -p "$ARTIFACTS_PATH"/redis-image
-    if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
+    if ! "$COPYIMG_BINARY" --import-from=docker://redis:alpine --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
         echo "Error pulling docker://redis"
         rm -fr "$ARTIFACTS_PATH"/redis-image
         exit 1
@@ -145,7 +145,7 @@ function start_ocid() { if ! [ "$3" = "--no-pause-image" ] ; then "$BIN2IMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY" fi - "$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:latest --signature-policy="$INTEGRATION_ROOT"/policy.json + "$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:alpine --signature-policy="$INTEGRATION_ROOT"/policy.json "$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$OCID_CONFIG # Prepare the CNI configuration files, we're running with non host networking by default @@ -154,11 +154,11 @@ function start_ocid() { "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$! wait_until_reachable - run ocic image status --id=redis + run ocic image status --id=redis:alpine if [ "$status" -ne 0 ] ; then - ocic image pull redis:latest + ocic image pull redis:alpine fi - REDIS_IMAGEID=$(ocic image status --id=redis | head -1 | sed -e "s/ID: //g") + REDIS_IMAGEID=$(ocic image status --id=redis:alpine | head -1 | sed -e "s/ID: //g") run ocic image status --id=busybox if [ "$status" -ne 0 ] ; then ocic image pull busybox:latest diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json index 3ab8fb8d..9b09a0d5 100644 --- a/test/testdata/container_config.json +++ b/test/testdata/container_config.json 
@@ -4,7 +4,7 @@
     "attempt": 1
   },
   "image": {
-    "image": "docker://redis:latest"
+    "image": "redis:alpine"
   },
   "command": [
     "/bin/ls"
diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json
index 5c87e7a5..1062c7e2 100644
--- a/test/testdata/container_config_by_imageid.json
+++ b/test/testdata/container_config_by_imageid.json
@@ -7,11 +7,9 @@
     "image": "%VALUE%"
   },
   "command": [
-    "/bin/bash"
-  ],
-  "args": [
     "/bin/ls"
   ],
+  "args": [],
   "working_dir": "/",
   "envs": [
     {
diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json
index 027c25e1..948944b0 100644
--- a/test/testdata/container_config_seccomp.json
+++ b/test/testdata/container_config_seccomp.json
@@ -4,7 +4,7 @@
     "attempt": 1
   },
   "image": {
-    "image": "docker://redis:latest"
+    "image": "redis:alpine"
   },
   "command": [
     "/bin/bash"
diff --git a/test/testdata/container_redis.json b/test/testdata/container_redis.json
index 839ca746..96a22ac9 100644
--- a/test/testdata/container_redis.json
+++ b/test/testdata/container_redis.json
@@ -3,7 +3,7 @@
     "name": "podsandbox1-redis"
   },
   "image": {
-    "image": "docker://redis:latest"
+    "image": "redis:alpine"
   },
   "args": [
     "docker-entrypoint.sh",

From 139b16bac2eff3942b3f5295bf1966d5bfda6f79 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 5 May 2017 12:14:34 +0200
Subject: [PATCH 2/2] server: fix set caps on container create

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 10 ++++-
 test/testdata/container_config.json | 40 +++++++-----------
 .../testdata/container_config_by_imageid.json | 40 +++++++-----------
 test/testdata/container_config_logging.json | 42 ++++++++-----------
 test/testdata/container_config_seccomp.json | 40 +++++++-----------
 test/testdata/container_exit_test.json | 8 +---
 test/testdata/container_redis.json | 14 +++---
 7 files changed, 80 insertions(+), 114 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index a25c8c83..38fc3c6f 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	}
 
 	capabilities := linux.GetSecurityContext().GetCapabilities()
+	toCAPPrefixed := func(cap string) string {
+		if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
+			return "CAP_" + cap
+		}
+		return cap
+	}
 	if capabilities != nil {
 		addCaps := capabilities.AddCapabilities
 		if addCaps != nil {
 			for _, cap := range addCaps {
-				if err := specgen.AddProcessCapability(cap); err != nil {
+				if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
 					return nil, err
 				}
 			}
@@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		dropCaps := capabilities.DropCapabilities
 		if dropCaps != nil {
 			for _, cap := range dropCaps {
-				if err := specgen.DropProcessCapability(cap); err != nil {
+				if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
 					return nil, err
 				}
 			}
diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json
index 9b09a0d5..fecc72eb 100644
--- a/test/testdata/container_config.json
+++ b/test/testdata/container_config.json
@@ -51,30 +51,22 @@
       "memory_limit_in_bytes": 88000000,
       "oom_score_adj": 30
     },
-    "capabilities": {
-      "add_capabilities": [
-        "setuid",
-        "setgid"
-      ],
-      "drop_capabilities": [
-        "audit_write",
-        "audit_read"
-      ]
-    },
-    "selinux_options": {
-      "user": "system_u",
-      "role": "system_r",
-      "type": "container_t",
-      "level": "s0:c4,c5"
-    },
-    "user": {
-      "uid": 5,
-      "gid": 300,
-      "additional_gids": [
-        400,
-        401,
-        402
-      ]
+    "security_context": {
+      "capabilities": {
+        "add_capabilities": [
+          "setuid",
+          "setgid"
+        ],
+        "drop_capabilities": [
+          "audit_read"
+        ]
+      },
+      "selinux_options": {
+        "user": "system_u",
+        "role": "system_r",
+        "type": "container_t",
+        "level": "s0:c4,c5"
+      }
     }
   }
 }
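Review bot: `toCAPPrefixed` canonicalises the prefix but not the case, so a CRI name such as `setuid` reaches specgen as `CAP_setuid` and `cap_audit_read` passes through unchanged; that only works if `AddProcessCapability`/`DropProcessCapability` upper-case their argument themselves, which the lower-cased prefix test suggests the author relies on but which is not visible here. Returning the canonical form removes that dependency and leaves a single spelling in the generated spec: `if !strings.HasPrefix(strings.ToLower(name), "cap_") { return "CAP_" + strings.ToUpper(name) }` followed by `return strings.ToUpper(name)`, with the parameter renamed from `cap` so the closure stops shadowing the builtin (the range loops already do; the helper need not add to it). The same helper feeds the drop loop in the second hunk, so both paths are covered by the one change. This assumes `strings` is already imported by the file, which the hunk does not show; createSandboxContainer starts and ends outside the hunk.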
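Review bot: The `user` block (uid 5, gid 300, additional gids 400–402) and `"audit_write"` in `drop_capabilities` are removed from this fixture without the commit description saying why, while the remaining fields move under `security_context`; the same edits repeat in container_config_by_imageid.json, container_config_logging.json and container_config_seccomp.json. The removed `user` block sat outside `security_context`, so it presumably never took effect, but if running the test container as a non-root uid was intended, the CRI field for that is `run_as_user` inside `security_context`; as written the containers now run as whatever user the image defaults to. A sentence in the description on the `audit_write` removal would help, since it is not obviously part of the `security_context` move.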
diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json
index 1062c7e2..7bed4b4f 100644
--- a/test/testdata/container_config_by_imageid.json
+++ b/test/testdata/container_config_by_imageid.json
@@ -51,30 +51,22 @@
       "memory_limit_in_bytes": 88000000,
       "oom_score_adj": 30
     },
-    "capabilities": {
-      "add_capabilities": [
-        "setuid",
-        "setgid"
-      ],
-      "drop_capabilities": [
-        "audit_write",
-        "audit_read"
-      ]
-    },
-    "selinux_options": {
-      "user": "system_u",
-      "role": "system_r",
-      "type": "container_t",
-      "level": "s0:c4,c5"
-    },
-    "user": {
-      "uid": 5,
-      "gid": 300,
-      "additional_gids": [
-        400,
-        401,
-        402
-      ]
+    "security_context": {
+      "capabilities": {
+        "add_capabilities": [
+          "setuid",
+          "setgid"
+        ],
+        "drop_capabilities": [
+          "audit_read"
+        ]
+      },
+      "selinux_options": {
+        "user": "system_u",
+        "role": "system_r",
+        "type": "container_t",
+        "level": "s0:c4,c5"
+      }
     }
   }
 }
diff --git a/test/testdata/container_config_logging.json b/test/testdata/container_config_logging.json
index 2d48747c..018f9539 100644
--- a/test/testdata/container_config_logging.json
+++ b/test/testdata/container_config_logging.json
@@ -4,7 +4,7 @@
     "attempt": 1
   },
   "image": {
-    "image": "docker://busybox:latest"
+    "image": "busybox:latest"
   },
   "command": [
     "/bin/sh", "-c"
@@ -53,30 +53,22 @@
       "memory_limit_in_bytes": 88000000,
       "oom_score_adj": 30
     },
-    "capabilities": {
-      "add_capabilities": [
-        "setuid",
-        "setgid"
-      ],
-      "drop_capabilities": [
-        "audit_write",
-        "audit_read"
-      ]
-    },
-    "selinux_options": {
-      "user": "system_u",
-      "role": "system_r",
-      "type": "container_t",
-      "level": "s0:c4,c5"
-    },
-    "user": {
-      "uid": 5,
-      "gid": 300,
-      "additional_gids": [
-        400,
-        401,
-        402
-      ]
+    "security_context": {
+      "capabilities": {
+        "add_capabilities": [
+          "setuid",
+          "setgid"
+        ],
+        "drop_capabilities": [
+          "audit_read"
+        ]
+      },
+      "selinux_options": {
+        "user": "system_u",
+        "role": "system_r",
+        "type": "container_t",
+        "level": "s0:c4,c5"
+      }
     }
   }
 }
diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json
index 948944b0..e62be3c1 100644
--- a/test/testdata/container_config_seccomp.json
+++ b/test/testdata/container_config_seccomp.json
@@ -53,30 +53,22 @@
       "memory_limit_in_bytes": 88000000,
       "oom_score_adj": 30
     },
-    "capabilities": {
-      "add_capabilities": [
-        "setuid",
-        "setgid"
-      ],
-      "drop_capabilities": [
-        "audit_write",
-        "audit_read"
-      ]
-    },
-    "selinux_options": {
-      "user": "system_u",
-      "role": "system_r",
-      "type": "svirt_lxc_net_t",
-      "level": "s0:c4-c5"
-    },
-    "user": {
-      "uid": 5,
-      "gid": 300,
-      "additional_gids": [
-        400,
-        401,
-        402
-      ]
+    "security_context": {
+      "capabilities": {
+        "add_capabilities": [
+          "setuid",
+          "setgid"
+        ],
+        "drop_capabilities": [
+          "audit_read"
+        ]
+      },
+      "selinux_options": {
+        "user": "system_u",
+        "role": "system_r",
+        "type": "svirt_lxc_net_t",
+        "level": "s0:c4-c5"
+      }
     }
   }
 }
diff --git a/test/testdata/container_exit_test.json b/test/testdata/container_exit_test.json
index bca99fb7..6ead905a 100644
--- a/test/testdata/container_exit_test.json
+++ b/test/testdata/container_exit_test.json
@@ -18,11 +18,5 @@
   "log_path": "",
   "stdin": false,
   "stdin_once": false,
-  "tty": false,
-  "linux": {
-    "user": {
-      "uid": 0,
-      "gid": 0
-    }
-  }
+  "tty": false
 }
diff --git a/test/testdata/container_redis.json b/test/testdata/container_redis.json
index 96a22ac9..7c63a3c3 100644
--- a/test/testdata/container_redis.json
+++ b/test/testdata/container_redis.json
@@ -51,14 +51,12 @@
       "memory_limit_in_bytes": 88000000,
       "oom_score_adj": 30
     },
-    "capabilities": {
-      "add_capabilities": [
-        "sys_admin"
-      ]
-    },
-    "user": {
-      "uid": 0,
-      "gid": 0
+    "security_context": {
+      "capabilities": {
+        "add_capabilities": [
+          "sys_admin"
+        ]
+      }
     }
   }
 }