add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
1bd0ba8516
commit
78ee03a8fc
90 changed files with 4745 additions and 629 deletions
|
@ -329,6 +329,8 @@ func CreateContainer(client pb.RuntimeServiceClient, opts createOptions) error {
|
|||
r, err := client.CreateContainer(context.Background(), &pb.CreateContainerRequest{
|
||||
PodSandboxId: &opts.podID,
|
||||
Config: config,
|
||||
// TODO(runcom): this is missing PodSandboxConfig!!!
|
||||
// we should/could find a way to retrieve it from the fs and set it here
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
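Review bot: The two added TODO comments (presumably the only new lines in this hunk) say that PodSandboxConfig is missing from the CreateContainerRequest but not what that costs; with this commit introducing seccomp configuration, the note should state that any settings the server derives from the sandbox config cannot be applied to containers created through this client path until the field is populated. Suggested wording: `// TODO(runcom): SandboxConfig is not sent; settings the server resolves from the pod sandbox config cannot be applied here until it is populated.` Whether the server rejects or silently accepts a request without it is not visible in this hunk, and CreateContainer continues outside it.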
|
|
|
@ -11,9 +11,10 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
ocidRoot = "/var/lib/ocid"
|
||||
conmonPath = "/usr/libexec/ocid/conmon"
|
||||
pausePath = "/usr/libexec/ocid/pause"
|
||||
ocidRoot = "/var/lib/ocid"
|
||||
conmonPath = "/usr/libexec/ocid/conmon"
|
||||
pausePath = "/usr/libexec/ocid/pause"
|
||||
seccompProfilePath = "/etc/ocid/seccomp.json"
|
||||
)
|
||||
|
||||
var commentedConfigTemplate = template.Must(template.New("config").Parse(`
|
||||
|
@ -59,6 +60,10 @@ conmon_env = [
|
|||
# on the host.
|
||||
selinux = {{ .SELinux }}
|
||||
|
||||
# seccomp_profile is the seccomp json profile path which is used as the
|
||||
# default for the runtime.
|
||||
seccomp_profile = "{{ .SeccompProfile }}"
|
||||
|
||||
# The "ocid.image" table contains settings pertaining to the
|
||||
# management of OCI images.
|
||||
[ocid.image]
|
||||
|
@ -89,7 +94,8 @@ func DefaultConfig() *server.Config {
|
|||
ConmonEnv: []string{
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||
},
|
||||
SELinux: selinux.SelinuxEnabled(),
|
||||
SELinux: selinux.SelinuxEnabled(),
|
||||
SeccompProfile: seccompProfilePath,
|
||||
},
|
||||
ImageConfig: server.ImageConfig{
|
||||
Pause: pausePath,
|
||||
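Review bot: `seccomp_profile = "{{ .SeccompProfile }}"` in the template renders the value unescaped inside a quoted TOML string, and SeccompProfile comes from the user-supplied `--seccomp-profile` flag (see the mergeConfig hunk further down), so a value containing a double quote or backslash yields a config file that no longer parses; the other quoted string fields in this template appear to share the issue. Consider emitting the quoted form from the template, `seccomp_profile = {{ printf "%q" .SeccompProfile }}`, after checking that Go's escaping agrees with TOML basic-string escapes for the characters a path can contain. The template comment should also say whether an empty `seccomp_profile` disables the profile or is rejected, since neither the `seccompProfilePath` constant nor DefaultConfig makes that visible. DefaultConfig and the template literal both continue outside these hunks.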
|
|
|
@ -14,7 +14,7 @@ import (
|
|||
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||
)
|
||||
|
||||
const ociConfigPath = "/etc/ocid.conf"
|
||||
const ociConfigPath = "/etc/ocid/ocid.conf"
|
||||
|
||||
func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
||||
// Don't parse the config if the user explicitly set it to "".
|
||||
|
@ -56,6 +56,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
|||
if ctx.GlobalIsSet("selinux") {
|
||||
config.SELinux = ctx.GlobalBool("selinux")
|
||||
}
|
||||
if ctx.GlobalIsSet("seccomp-profile") {
|
||||
config.SeccompProfile = ctx.GlobalString("seccomp-profile")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -128,6 +131,10 @@ func main() {
|
|||
Name: "sandboxdir",
|
||||
Usage: "ocid pod sandbox dir",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "seccomp-profile",
|
||||
Usage: "default seccomp profile path",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
Name: "selinux",
|
||||
Usage: "enable selinux support",
|
||||
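Review bot: `const ociConfigPath = "/etc/ocid/ocid.conf"` moves the default config location away from /etc/ocid.conf with no fallback or notice in the code shown, so an existing deployment that keeps its old file would silently run on DefaultConfig (including the default seccomp profile path this commit adds), unless the loader errors on a missing file, which is not visible here. A comment on the constant naming the previous path, and ideally a transitional read of /etc/ocid.conf with a warning, would make the move discoverable. In the main hunk the new `seccomp-profile` StringFlag carries no `Value`, so `--help` will not show the compiled-in default; if `seccompProfilePath` is in scope in this package, adding `Value: seccompProfilePath,` surfaces it without changing behaviour, because mergeConfig only overrides the config when GlobalIsSet reports the flag was passed. main continues outside this hunk.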
|
|