Merge pull request #992 from baude/cri_tests_sec
Initial fixes for cri-tests
This commit is contained in:
Daniel J Walsh
GitHub
commit
7b9a5c259e
3 changed files with 12 additions and 14 deletions
|
|
@ -146,7 +146,7 @@ func resolveSymbolicLink(path string) (string, error) {
|
||||||
|
|
||||||
func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
|
func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
|
||||||
sp := specgen.Spec()
|
sp := specgen.Spec()
|
||||||
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||||
hostDevices, err := devices.HostDevices()
|
hostDevices, err := devices.HostDevices()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,10 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
|
||||||
if filter.Id != "" {
|
if filter.Id != "" {
|
||||||
id, err := s.CtrIDIndex().Get(filter.Id)
|
id, err := s.CtrIDIndex().Get(filter.Id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
// If we don't find a container ID with a filter, it should not
|
||||||
|
// be considered an error. Log a warning and return an empty struct
|
||||||
|
logrus.Warn("unable to find container ID %s", filter.Id)
|
||||||
|
return &pb.ListContainersResponse{}, nil
|
||||||
}
|
}
|
||||||
c := s.ContainerServer.GetContainer(id)
|
c := s.ContainerServer.GetContainer(id)
|
||||||
if c != nil {
|
if c != nil {
|
||||||
|
|
|
||||||
|
|
@ -254,7 +254,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
|
|
||||||
securityContext := req.GetConfig().GetLinux().GetSecurityContext()
|
securityContext := req.GetConfig().GetLinux().GetSecurityContext()
|
||||||
if securityContext == nil {
|
if securityContext == nil {
|
||||||
return nil, fmt.Errorf("no security context found")
|
logrus.Warn("no security context found in config.")
|
||||||
}
|
}
|
||||||
|
|
||||||
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
|
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
|
||||||
|
|
@ -263,12 +263,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
|
|
||||||
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
||||||
namespaceOptions := securityContext.GetNamespaceOptions()
|
if securityContext.GetNamespaceOptions().GetHostPid() || securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
if namespaceOptions == nil {
|
|
||||||
return nil, fmt.Errorf("no namespace options found")
|
|
||||||
}
|
|
||||||
|
|
||||||
if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
|
|
||||||
processLabel, mountLabel = "", ""
|
processLabel, mountLabel = "", ""
|
||||||
}
|
}
|
||||||
g.SetProcessSelinuxLabel(processLabel)
|
g.SetProcessSelinuxLabel(processLabel)
|
||||||
|
|
@ -276,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
|
|
||||||
// create shm mount for the pod containers.
|
// create shm mount for the pod containers.
|
||||||
var shmPath string
|
var shmPath string
|
||||||
if namespaceOptions.HostIpc {
|
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
shmPath = "/dev/shm"
|
shmPath = "/dev/shm"
|
||||||
} else {
|
} else {
|
||||||
shmPath, err = setupShm(podContainer.RunDir, mountLabel)
|
shmPath, err = setupShm(podContainer.RunDir, mountLabel)
|
||||||
|
|
@ -317,7 +312,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
hostNetwork := namespaceOptions.HostNetwork
|
hostNetwork := securityContext.GetNamespaceOptions().GetHostNetwork()
|
||||||
|
|
||||||
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -352,7 +347,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
|
portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
|
||||||
|
|
||||||
// setup cgroup settings
|
// setup cgroup settings
|
||||||
cgroupParent := req.GetConfig().GetLinux().CgroupParent
|
cgroupParent := req.GetConfig().GetLinux().GetCgroupParent()
|
||||||
if cgroupParent != "" {
|
if cgroupParent != "" {
|
||||||
if s.config.CgroupManager == oci.SystemdCgroupsManager {
|
if s.config.CgroupManager == oci.SystemdCgroupsManager {
|
||||||
if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
|
if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
|
||||||
|
|
@ -451,14 +446,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostPid {
|
if securityContext.GetNamespaceOptions().GetHostPid() {
|
||||||
err = g.RemoveLinuxNamespace("pid")
|
err = g.RemoveLinuxNamespace("pid")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostIpc {
|
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
err = g.RemoveLinuxNamespace("ipc")
|
err = g.RemoveLinuxNamespace("ipc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue