Merge pull request #491 from runcom/fix-caps-set

server: fix set caps on container create
Mrunal Patel 2017-05-05 11:32:35 -07:00 committed by GitHub
commit 2da250d652
8 changed files with 89 additions and 125 deletions


@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
capabilities := linux.GetSecurityContext().GetCapabilities() capabilities := linux.GetSecurityContext().GetCapabilities()
toCAPPrefixed := func(cap string) string {
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
return "CAP_" + cap
}
return cap
}
if capabilities != nil { if capabilities != nil {
addCaps := capabilities.AddCapabilities addCaps := capabilities.AddCapabilities
if addCaps != nil { if addCaps != nil {
for _, cap := range addCaps { for _, cap := range addCaps {
if err := specgen.AddProcessCapability(cap); err != nil { if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err return nil, err
} }
} }
@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
dropCaps := capabilities.DropCapabilities dropCaps := capabilities.DropCapabilities
if dropCaps != nil { if dropCaps != nil {
for _, cap := range dropCaps { for _, cap := range dropCaps {
if err := specgen.DropProcessCapability(cap); err != nil { if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err return nil, err
} }
} }
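Review bot: `toCAPPrefixed` in the first hunk prepends `CAP_` but leaves the rest of the name in whatever case the CRI request used, so `setuid` becomes `CAP_setuid` while `cap_setuid` and `CAP_SETUID` pass through untouched; unless the generator's own validation upper-cases the name (not visible here), the same capability can be spelled three ways and lower-case spellings may be rejected as unknown. Normalizing once — `return "CAP_" + strings.ToUpper(cap)` in the fall-through branch and `return strings.ToUpper(cap)` otherwise — gives a canonical name regardless of the caller's spelling. The same helper feeds `DropProcessCapability` in the second hunk, where a name the generator does not recognize matters more than on the add path, so it is worth confirming the generator returns an error for an unknown name rather than skipping it; the `return nil, err` here only helps if it does. `cap` as both the closure parameter and the loop variable shadows the builtin `cap`; `c` or `capName` would avoid that. createSandboxContainer begins before the first hunk and continues after the second.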


@ -68,7 +68,7 @@ PATH=$PATH:$TESTDIR
# Make sure we have a copy of the redis:latest image. # Make sure we have a copy of the redis:latest image.
if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then
mkdir -p "$ARTIFACTS_PATH"/redis-image mkdir -p "$ARTIFACTS_PATH"/redis-image
if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then if ! "$COPYIMG_BINARY" --import-from=docker://redis:alpine --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
echo "Error pulling docker://redis" echo "Error pulling docker://redis"
rm -fr "$ARTIFACTS_PATH"/redis-image rm -fr "$ARTIFACTS_PATH"/redis-image
exit 1 exit 1
@ -145,7 +145,7 @@ function start_ocid() {
if ! [ "$3" = "--no-pause-image" ] ; then if ! [ "$3" = "--no-pause-image" ] ; then
"$BIN2IMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY" "$BIN2IMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY"
fi fi
"$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:latest --signature-policy="$INTEGRATION_ROOT"/policy.json "$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:alpine --signature-policy="$INTEGRATION_ROOT"/policy.json
"$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$OCID_CONFIG "$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$OCID_CONFIG
# Prepare the CNI configuration files, we're running with non host networking by default # Prepare the CNI configuration files, we're running with non host networking by default
@ -154,11 +154,11 @@ function start_ocid() {
"$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$! "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
wait_until_reachable wait_until_reachable
run ocic image status --id=redis run ocic image status --id=redis:alpine
if [ "$status" -ne 0 ] ; then if [ "$status" -ne 0 ] ; then
ocic image pull redis:latest ocic image pull redis:alpine
fi fi
REDIS_IMAGEID=$(ocic image status --id=redis | head -1 | sed -e "s/ID: //g") REDIS_IMAGEID=$(ocic image status --id=redis:alpine | head -1 | sed -e "s/ID: //g")
run ocic image status --id=busybox run ocic image status --id=busybox
if [ "$status" -ne 0 ] ; then if [ "$status" -ne 0 ] ; then
ocic image pull busybox:latest ocic image pull busybox:latest
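Review bot: The failure message in the first hunk still reads `echo "Error pulling docker://redis"` while the copy now targets `docker://redis:alpine`, so the log no longer names the image that actually failed; `echo "Error pulling docker://redis:alpine"` keeps them aligned. The floating `redis:alpine` tag is imported into the artifacts cache and re-added as `docker.io/library/redis:alpine` in the second hunk, so the image the integration suite runs against can change between runs with no change to this repository; if the tests only need a stable image, pinning to a digest (where the copy tool accepts one) or recording why the moving tag is intended would make failures reproducible. start_ocid continues outside the second and third hunks.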


@ -4,7 +4,7 @@
"attempt": 1 "attempt": 1
}, },
"image": { "image": {
"image": "docker://redis:latest" "image": "redis:alpine"
}, },
"command": [ "command": [
"/bin/ls" "/bin/ls"
@ -51,13 +51,13 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"security_context": {
"capabilities": { "capabilities": {
"add_capabilities": [ "add_capabilities": [
"setuid", "setuid",
"setgid" "setgid"
], ],
"drop_capabilities": [ "drop_capabilities": [
"audit_write",
"audit_read" "audit_read"
] ]
}, },
@ -66,15 +66,7 @@
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }
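Review bot: The third hunk of this fixture deletes the whole `"user"` stanza (uid 5, gid 300, additional gids 400–402), and the same deletion appears in the other container fixtures below and in the pod fixture's `linux.user`, so after this change no testdata file exercises the run-as-non-root or supplementary-groups path; keeping the stanza in at least one fixture, or adding a dedicated one, would preserve that coverage. In the second hunk the equal line counts show one line added and one removed among `"security_context": {` and `"audit_write",`; if, as the server's `linux.GetSecurityContext().GetCapabilities()` suggests, `security_context` is the addition, these fixtures only now start to exercise capability handling, which is worth stating in the PR description since JSON cannot carry the rationale as a comment. The reason `audit_write` leaves `drop_capabilities` likewise belongs in the description.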


@ -7,11 +7,9 @@
"image": "%VALUE%" "image": "%VALUE%"
}, },
"command": [ "command": [
"/bin/bash"
],
"args": [
"/bin/ls" "/bin/ls"
], ],
"args": [],
"working_dir": "/", "working_dir": "/",
"envs": [ "envs": [
{ {
@ -53,13 +51,13 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"security_context": {
"capabilities": { "capabilities": {
"add_capabilities": [ "add_capabilities": [
"setuid", "setuid",
"setgid" "setgid"
], ],
"drop_capabilities": [ "drop_capabilities": [
"audit_write",
"audit_read" "audit_read"
] ]
}, },
@ -68,15 +66,7 @@
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -4,7 +4,7 @@
"attempt": 1 "attempt": 1
}, },
"image": { "image": {
"image": "docker://busybox:latest" "image": "busybox:latest"
}, },
"command": [ "command": [
"/bin/sh", "-c" "/bin/sh", "-c"
@ -53,13 +53,13 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"security_context": {
"capabilities": { "capabilities": {
"add_capabilities": [ "add_capabilities": [
"setuid", "setuid",
"setgid" "setgid"
], ],
"drop_capabilities": [ "drop_capabilities": [
"audit_write",
"audit_read" "audit_read"
] ]
}, },
@ -68,15 +68,7 @@
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -4,7 +4,7 @@
"attempt": 1 "attempt": 1
}, },
"image": { "image": {
"image": "docker://redis:latest" "image": "redis:alpine"
}, },
"command": [ "command": [
"/bin/bash" "/bin/bash"
@ -53,13 +53,13 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"security_context": {
"capabilities": { "capabilities": {
"add_capabilities": [ "add_capabilities": [
"setuid", "setuid",
"setgid" "setgid"
], ],
"drop_capabilities": [ "drop_capabilities": [
"audit_write",
"audit_read" "audit_read"
] ]
}, },
@ -68,15 +68,7 @@
"role": "system_r", "role": "system_r",
"type": "svirt_lxc_net_t", "type": "svirt_lxc_net_t",
"level": "s0:c4-c5" "level": "s0:c4-c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -18,11 +18,5 @@
"log_path": "", "log_path": "",
"stdin": false, "stdin": false,
"stdin_once": false, "stdin_once": false,
"tty": false, "tty": false
"linux": {
"user": {
"uid": 0,
"gid": 0
}
}
} }


@ -3,7 +3,7 @@
"name": "podsandbox1-redis" "name": "podsandbox1-redis"
}, },
"image": { "image": {
"image": "docker://redis:latest" "image": "redis:alpine"
}, },
"args": [ "args": [
"docker-entrypoint.sh", "docker-entrypoint.sh",
@ -51,14 +51,12 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"security_context": {
"capabilities": { "capabilities": {
"add_capabilities": [ "add_capabilities": [
"sys_admin" "sys_admin"
] ]
}, }
"user": {
"uid": 0,
"gid": 0
} }
} }
} }