add seccomp support

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-23 10:41:48 +01:00 · 2016-11-23 10:41:48 +01:00 · 78ee03a8fc
commit 78ee03a8fc
parent 1bd0ba8516
90 changed files with 4745 additions and 629 deletions
--- a/cmd/client/container.go
+++ b/cmd/client/container.go
@ -329,6 +329,8 @@ func CreateContainer(client pb.RuntimeServiceClient, opts createOptions) error {
 	r, err := client.CreateContainer(context.Background(), &pb.CreateContainerRequest{
 		PodSandboxId: &opts.podID,
 		Config:       config,
+		// TODO(runcom): this is missing PodSandboxConfig!!!
+		// we should/could find a way to retrieve it from the fs and set it here
 	})
 	if err != nil {
 		return err
--- a/cmd/server/config.go
+++ b/cmd/server/config.go
@ -11,9 +11,10 @@ import (
 )

 const (
-	ocidRoot   = "/var/lib/ocid"
-	conmonPath = "/usr/libexec/ocid/conmon"
-	pausePath  = "/usr/libexec/ocid/pause"
+	ocidRoot           = "/var/lib/ocid"
+	conmonPath         = "/usr/libexec/ocid/conmon"
+	pausePath          = "/usr/libexec/ocid/pause"
+	seccompProfilePath = "/etc/ocid/seccomp.json"
 )

 var commentedConfigTemplate = template.Must(template.New("config").Parse(`
@ -59,6 +60,10 @@ conmon_env = [
 # on the host.
 selinux = {{ .SELinux }}

+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "{{ .SeccompProfile }}"
+
 # The "ocid.image" table contains settings pertaining to the
 # management of OCI images.
 [ocid.image]
@ -89,7 +94,8 @@ func DefaultConfig() *server.Config {
 			ConmonEnv: []string{
 				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 			},
-			SELinux: selinux.SelinuxEnabled(),
+			SELinux:        selinux.SelinuxEnabled(),
+			SeccompProfile: seccompProfilePath,
 		},
 		ImageConfig: server.ImageConfig{
 			Pause:    pausePath,
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@ -14,7 +14,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
 )

-const ociConfigPath = "/etc/ocid.conf"
+const ociConfigPath = "/etc/ocid/ocid.conf"

 func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	// Don't parse the config if the user explicitly set it to "".
@ -56,6 +56,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("selinux") {
 		config.SELinux = ctx.GlobalBool("selinux")
 	}
+	if ctx.GlobalIsSet("seccomp-profile") {
+		config.SeccompProfile = ctx.GlobalString("seccomp-profile")
+	}
 	return nil
 }

@ -128,6 +131,10 @@ func main() {
 			Name:  "sandboxdir",
 			Usage: "ocid pod sandbox dir",
 		},
+		cli.StringFlag{
+			Name:  "seccomp-profile",
+			Usage: "default seccomp profile path",
+		},
 		cli.BoolFlag{
 			Name:  "selinux",
 			Usage: "enable selinux support",