diff --git a/Makefile b/Makefile
index 4df37f71..2d719955 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ ETCDIR ?= ${DESTDIR}/etc
 ETCDIR_OCID ?= ${ETCDIR}/ocid
 GO_MD2MAN ?= $(shell which go-md2man)
 export GOPATH := ${CURDIR}/vendor
-BUILDTAGS := selinux seccomp apparmor
+BUILDTAGS := selinux seccomp
 all: binaries ocid.conf docs
diff --git a/README.md b/README.md
index ad96afcb..c232356a 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,21 @@ make BUILDTAGS=""
 sudo make install
 ```
+#### Build Tags
+
+`cri-o` supports optional build tags for compiling support of various features.
+To add build tags to the make option the `BUILDTAGS` variable must be set.
+
+```bash
+make BUILDTAGS='seccomp apparmor'
+```
+
+| Build Tag | Feature | Dependency |
+|-----------|------------------------------------|-------------|
+| seccomp | syscall filtering | libseccomp |
+| selinux | selinux process and mount labeling | |
+| apparmor | apparmor profile support | libapparmor |
+
 ### Running pods and containers
 #### Start the server
diff --git a/server/apparmor/aaparser.go b/server/apparmor/aaparser.go
index 2c068697..7f0f02ac 100644
--- a/server/apparmor/aaparser.go
+++ b/server/apparmor/aaparser.go
@@ -1,3 +1,5 @@
+// +build apparmor
+
 package apparmor
 import (
@@ -35,7 +37,7 @@ func cmd(dir string, arg ...string) (string, error) {
 output, err := c.CombinedOutput()
 if err != nil {
- return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err)
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
 }
 return string(output), nil
diff --git a/server/apparmor/apparmor.go b/server/apparmor/apparmor.go
index 1f1b66fe..32c778c1 100644
--- a/server/apparmor/apparmor.go
+++ b/server/apparmor/apparmor.go
@@ -1,3 +1,5 @@
+// +build apparmor
+
 package apparmor
 import (
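Review bot: Dropping `apparmor` from the default `BUILDTAGS` means a plain `make` now compiles in the `!apparmor` stubs from apparmor_unsupported.go, which report AppArmor as disabled, yet neither this hunk nor the new README section says that the default build excludes it. A reader of the README table would reasonably assume all three tags are on unless told otherwise. I'd add one sentence under the table, e.g. `The default build (make with no BUILDTAGS) enables selinux and seccomp only; add apparmor to BUILDTAGS to compile AppArmor support.`, and a short `# apparmor is opt-in: requires libapparmor, see README "Build Tags"` above the BUILDTAGS line in the Makefile.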
@@ -7,6 +9,7 @@ import (
 "os"
 "path"
 "strings"
+ "time"
 "github.com/Sirupsen/logrus"
 "github.com/docker/docker/utils/templates"
@@ -27,6 +30,9 @@ const (
 ProfileRuntimeDefault = "runtime/default"
 // ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
 ProfileNamePrefix = "localhost/"
+
+ // readConfigTimeout is the timeout of reading apparmor profiles.
+ readConfigTimeout = 10
 )
 // profileData holds information about the given profile for generation.
@@ -46,7 +52,7 @@ func InstallDefaultAppArmorProfile() {
 if err := InstallDefault(defaultApparmorProfile); err != nil {
 // Allow daemon to run if loading failed, but are active
 // (possibly through another run, manually, or via system startup)
- if err := IsLoaded(defaultApparmorProfile); err != nil {
+ if !IsLoaded(defaultApparmorProfile) {
 logrus.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
 }
 }
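Review bot: `readConfigTimeout = 10` is an untyped integer whose unit only becomes visible in the next hunk, where IsLoaded converts it with `time.Duration(readConfigTimeout) * time.Second`. Declaring it as a duration, `readConfigTimeout = 10 * time.Second`, keeps the unit next to the value and lets the select read `case <-time.After(readConfigTimeout):`. The comment could also say what is being bounded: `// readConfigTimeout bounds how long IsLoaded waits while scanning the kernel's loaded-profile list before reporting the profile as not loaded.`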
@@ -75,38 +81,43 @@ func InstallDefault(name string) error {
 if err != nil {
 return err
 }
- profilePath := f.Name()
-
 defer f.Close()
 if err := p.generateDefault(f); err != nil {
 return err
 }
- if err := LoadProfile(profilePath); err != nil {
- return err
- }
-
- return nil
+ return LoadProfile(f.Name())
 }
 // IsLoaded checks if a passed profile has been loaded into the kernel.
-func IsLoaded(name string) error {
+func IsLoaded(name string) bool {
 file, err := os.Open("/sys/kernel/security/apparmor/profiles")
 if err != nil {
- return err
+ return false
 }
 defer file.Close()
- r := bufio.NewReader(file)
- for {
- p, err := r.ReadString('\n')
- if err != nil {
- return err
- }
- if strings.HasPrefix(p, name+" ") {
- return nil
+ ch := make(chan bool, 1)
+
+ go func() {
+ r := bufio.NewReader(file)
+ for {
+ p, err := r.ReadString('\n')
+ if err != nil {
+ ch <- false
+ }
+ if strings.HasPrefix(p, name+" ") {
+ ch <- true
+ }
 }
+ }()
+
+ select {
+ case <-time.After(time.Duration(readConfigTimeout) * time.Second):
+ return false
+ case enabled := <-ch:
+ return enabled
 }
 }
@@ -133,10 +144,7 @@ func (p *profileData) generateDefault(out io.Writer) error {
 }
 p.Version = ver
- if err := compiled.Execute(out, p); err != nil {
- return err
- }
- return nil
+ return compiled.Execute(out, p)
 }
 // macrosExists checks if the passed macro exists.
diff --git a/server/apparmor/apparmor_unsupported.go b/server/apparmor/apparmor_unsupported.go
new file mode 100644
index 00000000..ea9b6d08
--- /dev/null
+++ b/server/apparmor/apparmor_unsupported.go
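Review bot: The reader goroutine in IsLoaded never exits: after `ch <- false` on a read error it loops and reads again, and after `ch <- true` it keeps scanning to EOF, so the second send on the one-slot channel blocks forever once the `select` has returned, leaking a goroutine per call while `defer file.Close()` has already closed the file it is reading. Add a `return` after each send (`ch <- false` then `return`; `ch <- true` then `return`), which also guarantees the send can never block. With that, the 10-second `time.After` path is the only way a slow read surfaces, and it is reported as "not loaded", which the caller merely logs; a one-line comment on the `select` saying a timeout is reported as `false` would save the next reader a trip through this function. Separately, a read error now collapses into `false` without any log line, so an unreadable profiles file is indistinguishable from a missing profile — a `logrus.Debugf` on the error branch inside the goroutine would keep that visible.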
@@ -0,0 +1,27 @@
+// +build !apparmor
+
+package apparmor
+
+const (
+ // ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
+ ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+
+ // ProfileRuntimeDefault is he profile specifying the runtime default.
+ ProfileRuntimeDefault = "runtime/default"
+ // ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+ ProfileNamePrefix = "localhost/"
+)
+
+// IsEnabled returns false, when build without apparmor build tag.
+func IsEnabled() bool {
+ return false
+}
+
+// InstallDefaultAppArmorProfile dose nothing, when build without apparmor build tag.
+func InstallDefaultAppArmorProfile() {
+}
+
+// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.
+func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
+ return ""
+}
diff --git a/server/apparmor/template.go b/server/apparmor/template.go
index e611b492..6656ff61 100644
--- a/server/apparmor/template.go
+++ b/server/apparmor/template.go
@@ -1,3 +1,5 @@
+// +build apparmor
+
 package apparmor
 // baseTemplate defines the default apparmor profile for containers.
diff --git a/server/container_create.go b/server/container_create.go
index 9c0bd07c..f0cf96d2 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -397,6 +397,5 @@ func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName s
 return s.appArmorProfile
 }
- profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
- return profileName
+ return strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
 }
diff --git a/test/apparmor.bats b/test/apparmor.bats
index 4b656133..97e9ac9d 100644
--- a/test/apparmor.bats
+++ b/test/apparmor.bats
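Review bot: In the `!apparmor` build, `GetProfileNameFromPodAnnotations` returns `""` for every annotation, so a pod that explicitly asks for a `localhost/` profile through `ContainerAnnotationKeyPrefix` gets an empty profile name back with no error and no log line; the string-only return gives the caller no way to tell "no annotation" from "support compiled out". That fail-open behaviour should at least be stated on the stub, e.g. `// GetProfileNameFromPodAnnotations always returns "" in builds without the apparmor tag: profiles requested through annotations are silently ignored, so callers should consult IsEnabled() first.` While here, the doc comments need `dose` → `does` and `is he profile` → `is the profile`, and the three constants are now declared in both this file and apparmor.go — a tag-less `constants.go` would keep the two copies from drifting.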
@@ -7,13 +7,19 @@ function teardown() {
 }
 # 1. test running with loading the default apparmor profile.
-# test that we can run with the default apparomr profile which will not block touching a file in `.`
-@test "load default apparomr profile and run a container with it" {
+# test that we can run with the default apparmor profile which will not block touching a file in `.`
+@test "load default apparmor profile and run a container with it" {
 # this test requires docker, thus it can't yet be run in a container
 if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=is_apparmor_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
 start_ocid
 sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname1": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor1.json
@@ -26,8 +32,6 @@ function teardown() {
 echo "$output"
 [ "$status" -eq 0 ]
 ctr_id="$output"
- run ocic ctr start --id "$ctr_id"
- echo "$output"
 [ "$status" -eq 0 ]
 run ocic ctr execsync --id "$ctr_id" touch test.txt
 echo "$output"
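Review bot: `enabled=is_apparmor_enabled` assigns the literal string `is_apparmor_enabled` to `enabled` rather than running the helper, so `[[ "$enabled" =~ "0" ]]` can never match and the new skip guard is dead code — the test still runs on hosts where AppArmor is off. It should be `enabled=$(is_apparmor_enabled)`, or more directly `if [[ "$(is_apparmor_enabled)" == "0" ]]; then`. The same mistake is repeated in the other three apparmor.bats hunks and in every seccomp.bats hunk (`enabled=is_seccomp_enabled`). In the second hunk here (and its twins in the later tests), removing `run ocic ctr start` leaves a second `[ "$status" -eq 0 ]` that merely re-checks the create result; either drop it or keep the start step if execsync needs a running container — I can't tell from the hunk which is intended.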
@@ -41,16 +45,22 @@ function teardown() {
 # 2. test running with loading a specific apparmor profile as ocid default apparmor profile.
 # test that we can run with a specific apparmor profile which will block touching a file in `.` as ocid default apparmor profile.
-@test "load a specific apparomr profile as default apparmor and run a container with it" {
+@test "load a specific apparmor profile as default apparmor and run a container with it" {
 # this test requires docker, thus it can't yet be run in a container
 if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
- load_apparmor_test_profile
- start_ocid_with_apparmor_profile_name "$APPARMOR_TEST_PROFILE_NAME"
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=is_apparmor_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
- sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname2": "apparmor_test_deny_write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor2.json
+ load_apparmor_test_profile
+ start_ocid "" "$APPARMOR_TEST_PROFILE_NAME"
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname2": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor2.json
 run ocic pod create --name apparmor2 --config "$TESTDIR"/apparmor2.json
 echo "$output"
@@ -60,8 +70,6 @@ function teardown() {
 echo "$output"
 [ "$status" -eq 0 ]
 ctr_id="$output"
- run ocic ctr start --id "$ctr_id"
- echo "$output"
 [ "$status" -eq 0 ]
 run ocic ctr execsync --id "$ctr_id" touch test.txt
 echo "$output"
@@ -76,16 +84,22 @@ function teardown() {
 # 3. test running with loading a specific apparmor profile but not as ocid default apparmor profile.
 # test that we can run with a specific apparmor profile which will block touching a file in `.`
-@test "load default apparomr profile and run a container with another apparmor profile" {
+@test "load default apparmor profile and run a container with another apparmor profile" {
 # this test requires docker, thus it can't yet be run in a container
 if [ "$TRAVIS" = "true" ]; then # instead of $TRAVIS, add a function is_containerized to skip here
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=is_apparmor_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
 load_apparmor_test_profile
 start_ocid
- sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname3": "apparmor_test_deny_write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor3.json
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname3": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor3.json
 run ocic pod create --name apparmor3 --config "$TESTDIR"/apparmor3.json
 echo "$output"
@@ -95,8 +109,6 @@ function teardown() {
 echo "$output"
 [ "$status" -eq 0 ]
 ctr_id="$output"
- run ocic ctr start --id "$ctr_id"
- echo "$output"
 [ "$status" -eq 0 ]
 run ocic ctr execsync --id "$ctr_id" touch test.txt
 echo "$output"
@@ -109,7 +121,7 @@ function teardown() {
 remove_apparmor_test_profile
 }
-# 1. test running with wrong apparmor profile name.
+# 4. test running with wrong apparmor profile name.
 # test that we can will fail when running a ctr with rong apparmor profile name.
 @test "run a container with wrong apparmor profile name" {
 # this test requires docker, thus it can't yet be run in a container
@@ -117,6 +129,12 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=is_apparmor_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
 start_ocid
 sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname4": "not-exists"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor4.json
diff --git a/test/helpers.bash b/test/helpers.bash
index 54895fee..9db9e839 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -20,7 +20,7 @@ PAUSE_BINARY=${PAUSE_BINARY:-${OCID_ROOT}/cri-o/pause/pause}
 # Path of the default seccomp profile.
 SECCOMP_PROFILE=${SECCOMP_PROFILE:-${OCID_ROOT}/cri-o/seccomp.json}
 # Name of the default apparmor profile.
-APPARMOR_DEFAULT_PROFILE=${SECCOMP_PROFILE:-ocid-default}
+APPARMOR_PROFILE=${APPARMOR_PROFILE:-ocid-default}
 # Path of the runc binary.
 RUNC_PATH=$(command -v runc || true)
 RUNC_BINARY=${RUNC_PATH:-/usr/local/sbin/runc}
@@ -29,7 +29,11 @@ APPARMOR_PARSER_BINARY=${APPARMOR_PARSER_BINARY:-/sbin/apparmor_parser}
 # Path of the apparmor profile for test.
 APPARMOR_TEST_PROFILE_PATH=${APPARMOR_TEST_PROFILE_PATH:-${TESTDATA}/apparmor_test_deny_write}
 # Name of the apparmor profile for test.
-APPARMOR_TEST_PROFILE_NAME=${APPARMOR_TEST_PROFILE_NAME:-apparmor_test_deny_write}
+APPARMOR_TEST_PROFILE_NAME=${APPARMOR_TEST_PROFILE_NAME:-apparmor-test-deny-write}
+# Path of boot config.
+BOOT_CONFIG_FILE_PATH=${BOOT_CONFIG_FILE_PATH:-/boot/config-`uname -r`}
+# Path of apparmor parameters file.
+APPARMOR_PARAMETERS_FILE_PATH=${APPARMOR_PARAMETERS_FILE_PATH:-/sys/module/apparmor/parameters/enabled}
 TESTDIR=$(mktemp -d)
 if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
@@ -88,19 +92,19 @@ function wait_until_reachable() {
 # Start ocid.
 function start_ocid() {
- "$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$SECCOMP_PROFILE" --apparmor-profile "$APPARMOR_PROFILE" config >$OCID_CONFIG
- "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
- wait_until_reachable
-}
+ if [[ -n "$1" ]]; then
+ seccomp="$1"
+ else
+ seccomp="$SECCOMP_PROFILE"
+ fi
-function start_ocid_with_seccomp_path() {
- "$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$1" --apparmor-profile "$APPARMOR_PROFILE" config >$OCID_CONFIG
- "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
- wait_until_reachable
-}
+ if [[ -n "$2" ]]; then
+ apparmor="$2"
+ else
+ apparmor="$APPARMOR_PROFILE"
+ fi
-function start_ocid_with_apparmor_profile_name() {
- "$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$SECCOMP_PROFILE" --apparmor-profile "$1" config >$OCID_CONFIG
+ "$OCID_BINARY" --conmon "$CONMON_BINARY" --pause "$PAUSE_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNC_BINARY" --root "$TESTDIR/ocid" --sandboxdir "$TESTDIR/sandboxes" --containerdir "$TESTDIR/ocid/containers" --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" config >$OCID_CONFIG
 "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$!
 wait_until_reachable
 }
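Review bot: The two `if [[ -n "$1" ]]` / `else` blocks in start_ocid spell out the parameter-default idiom; `local seccomp="${1:-$SECCOMP_PROFILE}"` and `local apparmor="${2:-$APPARMOR_PROFILE}"` say the same in two lines, and the `local` keeps `seccomp`/`apparmor` from leaking into the calling test as globals, which they do now. Since callers must now pass `""` to reach the second argument (`start_ocid "" "$APPARMOR_TEST_PROFILE_NAME"` in apparmor.bats), a usage comment above the function would help: `# start_ocid [seccomp_profile_path] [apparmor_profile_name] — an empty or missing argument falls back to $SECCOMP_PROFILE / $APPARMOR_PROFILE.`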
@@ -151,3 +155,29 @@ function load_apparmor_test_profile() {
 function remove_apparmor_test_profile() {
 "$APPARMOR_PARSER_BINARY" -R "$APPARMOR_TEST_PROFILE_PATH"
 }
+
+function is_seccomp_enabled() {
+ if [[ -f "$BOOT_CONFIG_FILE_PATH" ]]; then
+ out=$(cat "$BOOT_CONFIG_FILE_PATH" | grep CONFIG_SECCOMP=)
+ if [[ "$out" =~ "CONFIG_SECCOMP=y" ]]; then
+ echo 1
+ else
+ echo 0
+ fi
+ else
+ echo 0
+ fi
+}
+
+function is_apparmor_enabled() {
+ if [[ -f "$APPARMOR_PARAMETERS_FILE_PATH" ]]; then
+ out=$(cat "$APPARMOR_PARAMETERS_FILE_PATH")
+ if [[ "$out" =~ "Y" ]]; then
+ echo 1
+ else
+ echo 0
+ fi
+ else
+ echo 0
+ fi
+}
diff --git a/test/seccomp.bats b/test/seccomp.bats
index 8c25f3de..d7aed036 100644
--- a/test/seccomp.bats
+++ b/test/seccomp.bats
@@ -14,10 +14,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp1-1-testname-0": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
 run ocic pod create --name seccomp1 --config "$TESTDIR"/seccomp1.json
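Review bot: Both new helpers answer a different question than the tests ask: `is_apparmor_enabled` reads the kernel's `/sys/module/apparmor/parameters/enabled`, not whether the ocid under test was built with the `apparmor` tag, which this same commit removes from the default `BUILDTAGS` — so on a host with AppArmor on, a default build still runs the apparmor tests and presumably fails them rather than skipping. A comment on each helper should state that scope (`# reports kernel support only; says nothing about the build tags ocid was compiled with`), and the test guards probably need a build-tag check as well. Stylistically, `cat ... | grep ...` captured into `out` and then substring-matched with `=~` can be a single `grep -q` in the condition, and `grep 'CONFIG_SECCOMP='` would also match `CONFIG_SECCOMP_FILTER=`, so anchoring the pattern is worth doing; note too that `/boot/config-$(uname -r)` is only one place kernel config lives, and a host without it silently reports 0 and skips every seccomp test.
```shell
function is_seccomp_enabled() {
	# Kernel support only; does not reflect the build tags ocid was compiled with.
	if [[ -f "$BOOT_CONFIG_FILE_PATH" ]] && grep -q '^CONFIG_SECCOMP=y' "$BOOT_CONFIG_FILE_PATH"; then
		echo 1
	else
		echo 0
	fi
}

function is_apparmor_enabled() {
	# Kernel support only; does not reflect the build tags ocid was compiled with.
	if [[ -f "$APPARMOR_PARAMETERS_FILE_PATH" ]] && grep -q 'Y' "$APPARMOR_PARAMETERS_FILE_PATH"; then
		echo 1
	else
		echo 0
	fi
}
```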
@@ -48,10 +55,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp2-1-testname2-0": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
 run ocic pod create --name seccomp2 --config "$TESTDIR"/seccomp2.json
@@ -82,10 +96,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp3-1-testname3-1": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
 run ocic pod create --name seccomp3 --config "$TESTDIR"/seccomp3.json
@@ -111,10 +132,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 #sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 #sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 #sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- #start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ #start_ocid "$TESTDIR"/seccomp_profile1.json
 skip "need https://issues.k8s.io/36997"
 }
@@ -129,10 +157,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp2-1-testname2-0-not-exists": "unconfined", "security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp5.json
 run ocic pod create --name seccomp5 --config "$TESTDIR"/seccomp5.json
@@ -166,10 +201,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.ocid-seccomp6-1-testname6-0-not-exists": "runtime-default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp6.json
 run ocic pod create --name seccomp6 --config "$TESTDIR"/seccomp6.json
@@ -200,10 +242,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
 run ocic pod create --name seccomp1 --config "$TESTDIR"/seccomp1.json
@@ -234,10 +283,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
 run ocic pod create --name seccomp2 --config "$TESTDIR"/seccomp2.json
@@ -268,10 +324,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ start_ocid "$TESTDIR"/seccomp_profile1.json
 # 3. test running with pod wrong profile name
 sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
@@ -298,10 +361,17 @@ function teardown() {
 skip "cannot yet run this test in a container, use sudo make localintegration"
 fi
+ # this test requires seccomp, so skip this test if seccomp is not enabled.
+ enabled=is_seccomp_enabled
+ if [[ "$enabled" =~ "0" ]]; then
+ skip "skip this test since seccomp is not enabled."
+ fi
+
 #sed -e 's/"chmod",//' "$OCID_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
 #sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
 #sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
- #start_ocid_with_seccomp_path "$TESTDIR"/seccomp_profile1.json
+
+ #start_ocid "$TESTDIR"/seccomp_profile1.json
 skip "need https://issues.k8s.io/36997"
 }