From 2ec696be41212ebf975c9b092b771d318e0f98a2 Mon Sep 17 00:00:00 2001
From: Samuel Ortiz
Date: Tue, 21 Feb 2017 18:19:06 +0100
Subject: [PATCH] server: Set sandbox and container privileged flags

The sandbox privileged flag is set to true only if either the pod configuration privileged flag is set to true or when any of the pod namespaces are the host ones. A container inherit its privileged flag from its sandbox, and will be run by the privileged runtime only if it's set to true.

In other words, the privileged runtime (when defined) will be when one of the below conditions is true:
- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking namespaces.

Signed-off-by: Samuel Ortiz
---
 oci/oci.go | 3 ++-
 server/container_create.go | 2 +-
 server/sandbox_run.go | 32 +++++++++++++++++++++++++++++++-
 server/server.go | 8 ++++++--
 4 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/oci/oci.go b/oci/oci.go
index e6e4a158..83f8a72f 100644
--- a/oci/oci.go
+++ b/oci/oci.go
@@ -450,7 +450,7 @@ type ContainerState struct {
 }
 
 // NewContainer creates a container object.
-func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool) (*Container, error) {
+func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool) (*Container, error) {
 c := &Container{
 id: id,
 name: name,
@@ -460,6 +460,7 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net
 sandbox: sandbox,
 netns: netns,
 terminal: terminal,
+ privileged: privileged,
 metadata: metadata,
 annotations: annotations,
 image: image,
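Review bot: NewContainer gains a twelfth positional parameter, `privileged bool`, immediately after `terminal bool`, while the doc comment above it still only says that it creates a container object; the callers in this patch pass bare values such as `id, false, sb.privileged`, so two adjacent untyped bools can be transposed at a call site without any compile error. I would extend the comment to `// NewContainer creates a container object. privileged marks the container as one to be run by the privileged runtime; callers pass the owning sandbox's flag.` so the meaning of the new argument is visible where it is declared. As a style point, if more such flags are added an options struct would be safer than a growing list of positional bools. The Container type whose `privileged` field is set here is outside the hunk, so I cannot see whether it already exposes an accessor for the flag.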
diff --git a/server/container_create.go b/server/container_create.go
index 8a98115d..857adb8b 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -384,7 +384,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 return nil, err
 }
 
- container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty)
+ container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged)
 if err != nil {
 return nil, err
 }
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 7cff2f3e..2dfe012f 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -17,6 +17,32 @@ import (
 pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
 )
 
+// privilegedSandbox returns true if the sandbox configuration
+// requires additional host privileges for the sandbox.
+func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
+ securityContext := req.GetConfig().GetLinux().GetSecurityContext()
+ if securityContext == nil {
+ return false
+ }
+
+ if securityContext.Privileged {
+ return true
+ }
+
+ namespaceOptions := securityContext.GetNamespaceOptions()
+ if namespaceOptions == nil {
+ return false
+ }
+
+ if namespaceOptions.HostNetwork ||
+ namespaceOptions.HostPid ||
+ namespaceOptions.HostIpc {
+ return true
+ }
+
+ return false
+}
+
 func (s *Server) runContainer(container *oci.Container) error {
 if err := s.runtime.CreateContainer(container); err != nil {
 return err
@@ -218,6 +244,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }
 }()
 
+ privileged := s.privilegedSandbox(req)
+
 g.AddAnnotation("ocid/metadata", string(metadataJSON))
 g.AddAnnotation("ocid/labels", string(labelsJSON))
 g.AddAnnotation("ocid/annotations", string(annotationsJSON))
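Review bot: privilegedSandbox also returns true for `namespaceOptions.HostPid`, but the commit message names only the host IPC and networking namespaces as triggers, so either the message or the condition is out of step and a reader cannot tell which is intended. Because this single result decides which runtime the pod and, through sb.privileged, every container in it is started under, the doc comment should list the exact triggers, e.g. `// privilegedSandbox returns true when the pod security context asks for a privileged sandbox or for any of the host network, PID or IPC namespaces; such sandboxes are run by the privileged runtime. A missing security context or namespace options yields false.` The nil checks falling through to false put the default on the unprivileged runtime, which is the right direction and is worth recording in that comment. As a style point the closing `if … { return true }` / `return false` pair can simply be `return namespaceOptions.HostNetwork || namespaceOptions.HostPid || namespaceOptions.HostIpc`.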
@@ -228,6 +256,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 g.AddAnnotation("ocid/container_name", containerName)
 g.AddAnnotation("ocid/container_id", id)
 g.AddAnnotation("ocid/shm_path", shmPath)
+ g.AddAnnotation("ocid/privileged_runtime", fmt.Sprintf("%v", privileged))
 
 sb := &sandbox{
 id: id,
@@ -240,6 +269,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 mountLabel: mountLabel,
 metadata: metadata,
 shmPath: shmPath,
+ privileged: privileged,
 }
 
 s.addSandbox(sb)
@@ -344,7 +374,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 return nil, fmt.Errorf("failed to write runtime configuration for pod sandbox %s(%s): %v", sb.name, id, err)
 }
 
- container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logDir, sb.netNs(), labels, annotations, nil, nil, id, false)
+ container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logDir, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged)
 if err != nil {
 return nil, err
 }
diff --git a/server/server.go b/server/server.go
index 0856b931..be7307a0 100644
--- a/server/server.go
+++ b/server/server.go
@@ -105,7 +105,7 @@ func (s *Server) loadContainer(id string) error {
 return err
 }
 
- ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty)
+ ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged)
 if err != nil {
 return err
 }
@@ -173,6 +173,8 @@ func (s *Server) loadSandbox(id string) error {
 return err
 }
 
+ privileged := m.Annotations["ocid/privileged_runtime"] == "true"
+
 sb := &sandbox{
 id: id,
 name: name,
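Review bot: The `ocid/privileged_runtime` annotation is written in RunPodSandbox as `fmt.Sprintf("%v", privileged)` and read back in loadSandbox as `m.Annotations["ocid/privileged_runtime"] == "true"`, so both the key and the boolean encoding exist as separate string literals in two files with nothing tying them together. If either side drifts (a renamed key, a different spelling of the boolean) loadSandbox silently restores the sandbox as unprivileged and every container reloaded through loadContainer inherits that via `sb.privileged`, leaving the in-memory state disagreeing with the runtime that actually started the pod. A package-level constant for the key plus `strconv.FormatBool(privileged)` on the write side and `strconv.ParseBool` on the read side would keep the pair in lockstep; strconv is not imported in either hunk shown, whereas fmt already is in sandbox_run.go. Sandboxes created before this change carry no such annotation and will reload as unprivileged, which is presumably the intended default but deserves a comment at the read site such as `// Sandboxes created before the annotation existed load as unprivileged.`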
@@ -184,6 +186,7 @@ func (s *Server) loadSandbox(id string) error {
 annotations: annotations,
 metadata: &metadata,
 shmPath: m.Annotations["ocid/shm_path"],
+ privileged: privileged,
 }
 
 // We add a netNS only if we can load a permanent one.
@@ -223,7 +226,8 @@ func (s *Server) loadSandbox(id string) error {
 s.releaseContainerName(cname)
 }
 }()
- scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, sandboxPath, sb.netNs(), labels, annotations, nil, nil, id, false)
+
+ scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, sandboxPath, sb.netNs(), labels, annotations, nil, nil, id, false, privileged)
 if err != nil {
 return err
 }
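Review bot: In loadSandbox the sandbox container is created with the local `privileged`, whereas loadContainer and the two RunPodSandbox call sites in this patch pass `sb.privileged`; the values are identical here, but passing `sb.privileged` in the `scontainer, err := oci.NewContainer(..., id, false, sb.privileged)` call as well keeps the sandbox struct as the single source of the flag and makes all four call sites read alike. The added blank line before that call is a harmless style change. loadSandbox begins and ends outside this hunk.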