container_create: handle cap add/drop ALL

Kubelet can send cap add/drop ALL. Handle that in CRI-O as well. Also, this PR is re-vendoring runtime-tools to fix capabilities add to add caps to _all_ caps set **and** fix a shared memory issue (caps set were initialized with the same slice, if one modifies one slice, it's reflected on the other slices, the vendoring fixes this as well) Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 13:25:19 +02:00 · 2017-09-06 13:25:19 +02:00 · af0a494251
commit af0a494251
parent 7f4f630b98
25 changed files with 2057 additions and 283 deletions
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@ -744,6 +744,38 @@ func (g *Generator) ClearPreStartHooks() {
 func (g *Generator) AddPreStartHook(path string, args []string) {
 	g.initSpecHooks()
 	hook := rspec.Hook{Path: path, Args: args}
+	for i, hook := range g.spec.Hooks.Prestart {
+		if hook.Path == path {
+			g.spec.Hooks.Prestart[i] = hook
+			return
+		}
+	}
+	g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, hook)
+}
+
+// AddPreStartHookEnv adds envs of a prestart hook into g.spec.Hooks.Prestart.
+func (g *Generator) AddPreStartHookEnv(path string, envs []string) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Prestart {
+		if hook.Path == path {
+			g.spec.Hooks.Prestart[i].Env = envs
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Env: envs}
+	g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, hook)
+}
+
+// AddPreStartHookTimeout adds timeout of a prestart hook into g.spec.Hooks.Prestart.
+func (g *Generator) AddPreStartHookTimeout(path string, timeout int) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Prestart {
+		if hook.Path == path {
+			g.spec.Hooks.Prestart[i].Timeout = &timeout
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Timeout: &timeout}
 	g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, hook)
 }

@ -762,6 +794,38 @@ func (g *Generator) ClearPostStopHooks() {
 func (g *Generator) AddPostStopHook(path string, args []string) {
 	g.initSpecHooks()
 	hook := rspec.Hook{Path: path, Args: args}
+	for i, hook := range g.spec.Hooks.Poststop {
+		if hook.Path == path {
+			g.spec.Hooks.Poststop[i] = hook
+			return
+		}
+	}
+	g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, hook)
+}
+
+// AddPostStopHookEnv adds envs of a poststop hook into g.spec.Hooks.Poststop.
+func (g *Generator) AddPostStopHookEnv(path string, envs []string) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Poststop {
+		if hook.Path == path {
+			g.spec.Hooks.Poststop[i].Env = envs
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Env: envs}
+	g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, hook)
+}
+
+// AddPostStopHookTimeout adds timeout of a poststop hook into g.spec.Hooks.Poststop.
+func (g *Generator) AddPostStopHookTimeout(path string, timeout int) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Poststop {
+		if hook.Path == path {
+			g.spec.Hooks.Poststop[i].Timeout = &timeout
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Timeout: &timeout}
 	g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, hook)
 }

@ -780,6 +844,38 @@ func (g *Generator) ClearPostStartHooks() {
 func (g *Generator) AddPostStartHook(path string, args []string) {
 	g.initSpecHooks()
 	hook := rspec.Hook{Path: path, Args: args}
+	for i, hook := range g.spec.Hooks.Poststart {
+		if hook.Path == path {
+			g.spec.Hooks.Poststart[i] = hook
+			return
+		}
+	}
+	g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, hook)
+}
+
+// AddPostStartHookEnv adds envs of a poststart hook into g.spec.Hooks.Poststart.
+func (g *Generator) AddPostStartHookEnv(path string, envs []string) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Poststart {
+		if hook.Path == path {
+			g.spec.Hooks.Poststart[i].Env = envs
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Env: envs}
+	g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, hook)
+}
+
+// AddPostStartHookTimeout adds timeout of a poststart hook into g.spec.Hooks.Poststart.
+func (g *Generator) AddPostStartHookTimeout(path string, timeout int) {
+	g.initSpecHooks()
+	for i, hook := range g.spec.Hooks.Poststart {
+		if hook.Path == path {
+			g.spec.Hooks.Poststart[i].Timeout = &timeout
+			return
+		}
+	}
+	hook := rspec.Hook{Path: path, Timeout: &timeout}
 	g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, hook)
 }

@ -860,11 +956,12 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 		}
 		g.initSpecLinux()
 		g.initSpecProcessCapabilities()
-		g.spec.Process.Capabilities.Bounding = finalCapList
-		g.spec.Process.Capabilities.Effective = finalCapList
-		g.spec.Process.Capabilities.Inheritable = finalCapList
-		g.spec.Process.Capabilities.Permitted = finalCapList
-		g.spec.Process.Capabilities.Ambient = finalCapList
+		g.ClearProcessCapabilities()
+		g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, finalCapList...)
+		g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, finalCapList...)
+		g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, finalCapList...)
+		g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, finalCapList...)
+		g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, finalCapList...)
 		g.spec.Process.SelinuxLabel = ""
 		g.spec.Process.ApparmorProfile = ""
 		g.spec.Linux.Seccomp = nil
@ -892,40 +989,60 @@ func (g *Generator) AddProcessCapability(c string) error {

 	g.initSpecProcessCapabilities()

+	var foundBounding bool
 	for _, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
-			return nil
+			foundBounding = true
+			break
 		}
 	}
-	g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
+	if !foundBounding {
+		g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
+	}

+	var foundEffective bool
 	for _, cap := range g.spec.Process.Capabilities.Effective {
 		if strings.ToUpper(cap) == cp {
-			return nil
+			foundEffective = true
+			break
 		}
 	}
-	g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
+	if !foundEffective {
+		g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
+	}

+	var foundInheritable bool
 	for _, cap := range g.spec.Process.Capabilities.Inheritable {
 		if strings.ToUpper(cap) == cp {
-			return nil
+			foundInheritable = true
+			break
 		}
 	}
-	g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
+	if !foundInheritable {
+		g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
+	}

+	var foundPermitted bool
 	for _, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
-			return nil
+			foundPermitted = true
+			break
 		}
 	}
-	g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
+	if !foundPermitted {
+		g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
+	}

+	var foundAmbient bool
 	for _, cap := range g.spec.Process.Capabilities.Ambient {
 		if strings.ToUpper(cap) == cp {
-			return nil
+			foundAmbient = true
+			break
 		}
 	}
-	g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
+	if !foundAmbient {
+		g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
+	}

 	return nil
 }
@ -939,33 +1056,39 @@ func (g *Generator) DropProcessCapability(c string) error {

 	g.initSpecProcessCapabilities()

+	// we don't care about order...and this is way faster...
+	removeFunc := func(s []string, i int) []string {
+		s[i] = s[len(s)-1]
+		return s[:len(s)-1]
+	}
+
 	for i, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
+			g.spec.Process.Capabilities.Bounding = removeFunc(g.spec.Process.Capabilities.Bounding, i)
 		}
 	}

 	for i, cap := range g.spec.Process.Capabilities.Effective {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
+			g.spec.Process.Capabilities.Effective = removeFunc(g.spec.Process.Capabilities.Effective, i)
 		}
 	}

 	for i, cap := range g.spec.Process.Capabilities.Inheritable {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
+			g.spec.Process.Capabilities.Inheritable = removeFunc(g.spec.Process.Capabilities.Inheritable, i)
 		}
 	}

 	for i, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
+			g.spec.Process.Capabilities.Permitted = removeFunc(g.spec.Process.Capabilities.Permitted, i)
 		}
 	}

 	for i, cap := range g.spec.Process.Capabilities.Ambient {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
+			g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
 		}
 	}