add seccomp support

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Antonio Murdaca 2016-11-23 10:41:48 +01:00
parent 1bd0ba8516
commit 78ee03a8fc
90 changed files with 4745 additions and 629 deletions


@ -329,6 +329,8 @@ func CreateContainer(client pb.RuntimeServiceClient, opts createOptions) error {
r, err := client.CreateContainer(context.Background(), &pb.CreateContainerRequest{
PodSandboxId: &opts.podID,
Config: config,
// TODO(runcom): this is missing PodSandboxConfig!!!
// we should/could find a way to retrieve it from the fs and set it here
})
if err != nil {
return err
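Review bot: The added TODO records that SandboxConfig is missing from the CreateContainerRequest but not what that costs, and the request is still sent without it. If the server derives per-pod security settings (such as the seccomp profile this commit introduces) from the sandbox config, a container created through this client would quietly receive the default profile rather than the one the pod requested; that consequence is inferred, since the server side is not in this hunk. Suggest saying so in the comment, e.g. `// TODO(runcom): SandboxConfig is not sent, so the server cannot apply per-pod security settings (e.g. seccomp annotations); rebuild it from the fs and set it here.` The enclosing CreateContainer function starts and ends outside the hunk.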


@ -11,9 +11,10 @@ import (
)
const (
ocidRoot = "/var/lib/ocid"
conmonPath = "/usr/libexec/ocid/conmon"
pausePath = "/usr/libexec/ocid/pause"
ocidRoot = "/var/lib/ocid"
conmonPath = "/usr/libexec/ocid/conmon"
pausePath = "/usr/libexec/ocid/pause"
seccompProfilePath = "/etc/ocid/seccomp.json"
)
var commentedConfigTemplate = template.Must(template.New("config").Parse(`
@ -59,6 +60,10 @@ conmon_env = [
# on the host.
selinux = {{ .SELinux }}
# seccomp_profile is the seccomp json profile path which is used as the
# default for the runtime.
seccomp_profile = "{{ .SeccompProfile }}"
# The "ocid.image" table contains settings pertaining to the
# management of OCI images.
[ocid.image]
@ -89,7 +94,8 @@ func DefaultConfig() *server.Config {
ConmonEnv: []string{
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
},
SELinux: selinux.SelinuxEnabled(),
SELinux: selinux.SelinuxEnabled(),
SeccompProfile: seccompProfilePath,
},
ImageConfig: server.ImageConfig{
Pause: pausePath,
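Review bot: The template comment on `seccomp_profile` says the path is the default for the runtime but not what happens when `/etc/ocid/seccomp.json` is absent or unreadable, or when the value is set to the empty string; whether that means containers run without a seccomp filter or the daemon refuses to start is exactly what an operator hardening a host needs to know, and the server behaviour is not visible in this hunk. Suggest stating the failure mode in the comment once confirmed against the loader, e.g. `# If the file cannot be read, ocid fails to start rather than running containers unconfined.`, and making the loader actually fail closed if it does not already. The default is set in DefaultConfig, whose body continues outside the hunk.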


@ -14,7 +14,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
)
const ociConfigPath = "/etc/ocid.conf"
const ociConfigPath = "/etc/ocid/ocid.conf"
func mergeConfig(config *server.Config, ctx *cli.Context) error {
// Don't parse the config if the user explicitly set it to "".
@ -56,6 +56,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
if ctx.GlobalIsSet("selinux") {
config.SELinux = ctx.GlobalBool("selinux")
}
if ctx.GlobalIsSet("seccomp-profile") {
config.SeccompProfile = ctx.GlobalString("seccomp-profile")
}
return nil
}
@ -128,6 +131,10 @@ func main() {
Name: "sandboxdir",
Usage: "ocid pod sandbox dir",
},
cli.StringFlag{
Name: "seccomp-profile",
Usage: "default seccomp profile path",
},
cli.BoolFlag{
Name: "selinux",
Usage: "enable selinux support",
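Review bot: The config path moves from `/etc/ocid.conf` to `/etc/ocid/ocid.conf` with no fallback or warning, so an existing installation's hardening settings at the old path are silently ignored after an upgrade and the compiled-in defaults apply. The comment above the parse says parsing is skipped only when the user explicitly sets the config to "", so a missing file at the new path is presumably the quiet case; consider logging a warning when the old path still exists, or at least noting the move in the flag help. Separately, `config.SeccompProfile = ctx.GlobalString("seccomp-profile")` accepts any string without checking that the file is readable, so a typo is discovered only when the first container starts; validating it here or in the server loader would surface that at startup. mergeConfig's body and main's flag list both continue outside the hunks.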