add seccomp support

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-23 10:41:48 +01:00 · 2016-11-23 10:41:48 +01:00 · 78ee03a8fc
commit 78ee03a8fc
parent 1bd0ba8516
90 changed files with 4745 additions and 629 deletions
--- a/test/testdata/container_config_seccomp.json
+++ b/test/testdata/container_config_seccomp.json
@ -0,0 +1,82 @@
+{
+	"metadata": {
+		"name": "container1",
+		"attempt": 1
+	},
+	"image": {
+		"image": "docker://redis:latest"
+	},
+	"command": [
+		"/bin/bash"
+	],
+	"args": [
+		"/bin/chmod", "777", "."
+	],
+	"working_dir": "/",
+	"envs": [
+		{
+			"key": "PATH",
+			"value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		},
+		{
+			"key": "TERM",
+			"value": "xterm"
+		},
+		{
+			"key": "TESTDIR",
+			"value": "test/dir1"
+		},
+		{
+			"key": "TESTFILE",
+			"value": "test/file1"
+		}
+	],
+	"labels": {
+		"type": "small",
+		"batch": "no"
+	},
+	"annotations": {
+		"owner": "dragon",
+		"daemon": "ocid"
+	},
+	"privileged": true,
+	"readonly_rootfs": true,
+	"log_path": "container.log",
+	"stdin": false,
+	"stdin_once": false,
+	"tty": false,
+	"linux": {
+		"resources": {
+			"cpu_period": 10000,
+			"cpu_quota": 20000,
+			"cpu_shares": 512,
+			"memory_limit_in_bytes": 88000000,
+			"oom_score_adj": 30
+		},
+		"capabilities": {
+			"add_capabilities": [
+				"setuid",
+				"setgid"
+			],
+			"drop_capabilities": [
+				"audit_write",
+				"audit_read"
+			]
+		},
+		"selinux_options": {
+			"user": "system_u",
+			"role": "system_r",
+			"type": "svirt_lxc_net_t",
+			"level": "s0:c4-c5"
+		},
+		"user": {
+			"uid": 5,
+			"gid": 300,
+			"additional_gids": [
+				400,
+				401,
+				402
+			]
+		}
+	}
+}
--- a/test/testdata/sandbox_config.json
+++ b/test/testdata/sandbox_config.json
@ -48,7 +48,8 @@
 	"annotations": {
 		"owner": "hmeng",
 		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" 
+		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {
 		"cgroup_parent": "podsandbox1.slice:container:infra",
--- a/test/testdata/sandbox_config_seccomp.json
+++ b/test/testdata/sandbox_config_seccomp.json
@ -0,0 +1,60 @@
+{
+	"metadata": {
+		"name": "podsandbox1",
+		"uid": "redhat-test-ocid",
+		"namespace": "redhat.test.ocid",
+		"attempt": 1
+	},
+	"hostname": "ocic_host",
+	"log_directory": ".",
+	"dns_options": {
+		"servers": [
+			"server1.redhat.com",
+			"server2.redhat.com"
+		],
+		"searches": [
+			"8.8.8.8"
+		]
+	},
+	"port_mappings": [
+		{
+			"name": "port_map1",
+			"protocol": 1,
+			"container_port": 80,
+			"host_port": 4888,
+			"host_ip": "192.168.0.33"
+		},
+		{
+			"name": "port_map2",
+			"protocol": 2,
+			"container_port": 81,
+			"host_port": 4889,
+			"host_ip": "192.168.0.33"
+		}
+	],
+	"resources": {
+		"cpu": {
+			"limits": 3,
+			"requests": 2
+		},
+		"memory": {
+			"limits": 50000000,
+			"requests": 2000000
+		}
+	},
+	"labels": {
+		"group": "test"
+	},
+	"annotations": {
+		"owner": "hmeng"
+		%VALUE%
+	},
+	"linux": {
+		"cgroup_parent": "podsandbox1.slice:container:infra",
+		"namespace_options": {
+			"host_network": false,
+			"host_pid": false,
+			"host_ipc": false
+		}
+	}
+}