server: handle cases of securityContext, namespaceOptions being nil
Both GetSecurityContext() and GetNamespaceOptions() can return nil. In these cases, cri-o will panic like this: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x1 pc=0x1cc43f6] goroutine 66 [running]: .../cri-o/server.(*Server).RunPodSandbox(0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc42015e318, 0x0, 0x0, 0x0) .../cri-o/server/sandbox_run.go:261 +0xfe6 .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime._RuntimeService_RunPodSandbox_Handler(0x2180920, 0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc420505950, 0x0, 0x0, 0x0, 0x64ed0d, 0xc42064bc80) .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279 .../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4200a4240, 0x33f28e0, 0xc4204b0360, 0xc42074a870, 0xc420476de0, 0x33bcd38, 0xc420207e30, 0x0, 0x0) ``` Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
This commit is contained in:
parent
2080744963
commit
644a4af377
1 changed files with 16 additions and 6 deletions
|
@ -252,13 +252,23 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
|
||||
privileged := s.privilegedSandbox(req)
|
||||
|
||||
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged)
|
||||
securityContext := req.GetConfig().GetLinux().GetSecurityContext()
|
||||
if securityContext == nil {
|
||||
return nil, fmt.Errorf("no security context found")
|
||||
}
|
||||
|
||||
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
namespaceOptions := securityContext.GetNamespaceOptions()
|
||||
if namespaceOptions == nil {
|
||||
return nil, fmt.Errorf("no namespace options found")
|
||||
}
|
||||
|
||||
if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
|
||||
processLabel, mountLabel = "", ""
|
||||
}
|
||||
g.SetProcessSelinuxLabel(processLabel)
|
||||
|
@ -266,7 +276,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
|
||||
// create shm mount for the pod containers.
|
||||
var shmPath string
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
if namespaceOptions.HostIpc {
|
||||
shmPath = "/dev/shm"
|
||||
} else {
|
||||
shmPath, err = setupShm(podContainer.RunDir, mountLabel)
|
||||
|
@ -307,7 +317,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
return nil, err
|
||||
}
|
||||
|
||||
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork
|
||||
hostNetwork := namespaceOptions.HostNetwork
|
||||
|
||||
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
||||
if err != nil {
|
||||
|
@ -441,14 +451,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}
|
||||
}
|
||||
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid {
|
||||
if namespaceOptions.HostPid {
|
||||
err = g.RemoveLinuxNamespace("pid")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
if namespaceOptions.HostIpc {
|
||||
err = g.RemoveLinuxNamespace("ipc")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
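Review bot: The rewritten HostPid/HostIpc condition in the first hunk (the line `if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {`) still calls `GetNamespaceOptions()` twice even though `namespaceOptions` was bound and nil-checked directly above it; it should read `if namespaceOptions.HostPid || namespaceOptions.HostIpc {` so the nil guard covers every dereference and the line matches the later hunks, which already use the local. Separately, the two new checks turn an optional CRI message into a hard error: a RunPodSandbox request whose Linux config carries no security context or no namespace options is now rejected with "no security context found" / "no namespace options found" instead of being created with the default, non-host namespaces, which is what the zero value of those option fields means. If rejecting such requests is intended, a one-line comment above the checks saying so would help the next reader; if not, substituting a zero-valued options struct for nil is the fail-safe choice, since every host-namespace flag then reads as false. RunPodSandbox begins before the first hunk and continues past the last one shown.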
|