From 815bb7652b25dc69a2584e1b7f41278a4cd2d81e Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Thu, 19 Oct 2017 15:23:41 -0700
Subject: [PATCH] sandbox: Use first class sysctls instead of annotations

Signed-off-by: Mrunal Patel
Signed-off-by: Antonio Murdaca
---
 server/sandbox_run.go | 11 +----
 test/pod.bats | 2 +-
 test/testdata/sandbox_config.json | 2 -
 test/testdata/sandbox_config_hostnet.json | 1 -
 test/testdata/sandbox_config_hostport.json | 2 -
 test/testdata/sandbox_config_selinux.json | 2 -
 test/testdata/sandbox_config_sysctl.json | 54 ++++++++++++++++++++++
 test/testdata/template_sandbox_config.json | 2 -
 8 files changed, 57 insertions(+), 19 deletions(-)
 create mode 100644 test/testdata/sandbox_config_sysctl.json

diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 35f18e85..bdda96b3 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -398,15 +398,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }
 
 // extract linux sysctls from annotations and pass down to oci runtime
- safe, unsafe, err := SysctlsFromPodAnnotations(kubeAnnotations)
- if err != nil {
- return nil, err
- }
- for _, sysctl := range safe {
- g.AddLinuxSysctl(sysctl.Name, sysctl.Value)
- }
- for _, sysctl := range unsafe {
- g.AddLinuxSysctl(sysctl.Name, sysctl.Value)
+ for key, value := range req.GetConfig().GetLinux().GetSysctls() {
+ g.AddLinuxSysctl(key, value)
 }
 
 // Set OOM score adjust of the infra container to be very low
diff --git a/test/pod.bats b/test/pod.bats
index 2b583790..2d52bc67 100644
--- a/test/pod.bats
+++ b/test/pod.bats
@@ -210,7 +210,7 @@ function teardown() {
 
 @test "pass pod sysctls to runtime" {
 start_crio
- run crioctl pod run --config "$TESTDATA"/sandbox_config.json
+ run crioctl pod run --config "$TESTDATA"/sandbox_config_sysctl.json
 echo "$output"
 [ "$status" -eq 0 ]
 pod_id="$output"
diff --git a/test/testdata/sandbox_config.json b/test/testdata/sandbox_config.json
index 57e211bd..31230202 100644
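Review bot: The comment kept above the new loop still says the sysctls are extracted from annotations, but the loop now reads them from `req.GetConfig().GetLinux().GetSysctls()`, so it should read `// pass the pod's linux sysctls from the CRI sandbox config down to the oci runtime`. The removed `SysctlsFromPodAnnotations` call was also the only place this block could return an error; the new code forwards every key/value pair of the map to `g.AddLinuxSysctl` unchecked, and whether the kubelet already restricts which sysctls reach this point (namespaced-only, an allow-list for the unsafe ones) cannot be confirmed from this hunk and is worth stating in that comment or verifying once at this boundary. Ranging over a nil or empty map is a no-op in Go, so no guard is needed for a config without sysctls. The enclosing RunPodSandbox function starts and ends outside the hunk.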
--- a/test/testdata/sandbox_config.json
+++ b/test/testdata/sandbox_config.json
@@ -28,8 +28,6 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
- "security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 },
 "linux": {
diff --git a/test/testdata/sandbox_config_hostnet.json b/test/testdata/sandbox_config_hostnet.json
index 99a7560d..767a91f9 100644
--- a/test/testdata/sandbox_config_hostnet.json
+++ b/test/testdata/sandbox_config_hostnet.json
@@ -32,7 +32,6 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 },
 "linux": {
diff --git a/test/testdata/sandbox_config_hostport.json b/test/testdata/sandbox_config_hostport.json
index 5feda866..2a45de01 100644
--- a/test/testdata/sandbox_config_hostport.json
+++ b/test/testdata/sandbox_config_hostport.json
@@ -38,8 +38,6 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
- "security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 },
 "linux": {
diff --git a/test/testdata/sandbox_config_selinux.json b/test/testdata/sandbox_config_selinux.json
index 916a10ec..5d1a097b 100644
--- a/test/testdata/sandbox_config_selinux.json
+++ b/test/testdata/sandbox_config_selinux.json
@@ -28,8 +28,6 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
- "security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 },
 "linux": {
diff --git a/test/testdata/sandbox_config_sysctl.json b/test/testdata/sandbox_config_sysctl.json
new file mode 100644
index 00000000..a02fec7f
--- /dev/null
+++ b/test/testdata/sandbox_config_sysctl.json
@@ -0,0 +1,54 @@
+{
+ "metadata": {
+ "name": "podsandbox1",
+ "uid": "redhat-test-crio",
+ "namespace": "redhat.test.crio",
+ "attempt": 1
+ },
+ "hostname": "crioctl_host",
+ "log_directory": "",
+ "dns_config": {
+ "searches": [
+ "8.8.8.8"
+ ]
+ },
+ "port_mappings": [],
+ "resources": {
+ "cpu": {
+ "limits": 3,
+ "requests": 2
+ },
+ "memory": {
+ "limits": 50000000,
+ "requests": 2000000
+ }
+ },
+ "labels": {
+ "group": "test"
+ },
+ "annotations": {
+ "owner": "hmeng",
+ "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+ },
+ "linux": {
+ "sysctls": {
+ "kernel.shm_rmid_forced": "1",
+ "net.ipv4.ip_local_port_range": "1024 65000",
+ "kernel.msgmax": "8192"
+ },
+ "cgroup_parent": "/Burstable/pod_123-456",
+ "security_context": {
+ "namespace_options": {
+ "host_network": false,
+ "host_pid": false,
+ "host_ipc": false
+ },
+ "selinux_options": {
+ "user": "system_u",
+ "role": "system_r",
+ "type": "svirt_lxc_net_t",
+ "level": "s0:c4,c5"
+ }
+ }
+ }
+}
diff --git a/test/testdata/template_sandbox_config.json b/test/testdata/template_sandbox_config.json
index f43ffb0d..732c9da4 100644
--- a/test/testdata/template_sandbox_config.json
+++ b/test/testdata/template_sandbox_config.json
@@ -28,8 +28,6 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
- "security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 },
 "linux": {