oci: respect process spec on exec
This patch fixes exec to use the original (start-time) process exec configuration. Otherwise, we were creating a brand new spec process w/o additional groups for instance. Spotted while integrating CRI-O with cri-test...The test was failing with: ``` • Failure [10.640 seconds] [k8s.io] Security Context /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72 bucket /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:407 runtime should support SupplementalGroups [It] /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:272 Expected <[]string | len:1, cap:1>: ["0"] to contain element matching <string>: 1234 ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
0914a7a667
commit
c316e5d8cf
5 changed files with 18 additions and 5 deletions
|
@ -388,6 +388,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
scontainer.SetSpec(&m)
|
||||
scontainer.SetMountPoint(m.Annotations[annotations.MountPoint])
|
||||
|
||||
if m.Annotations[annotations.Volumes] != "" {
|
||||
|
@ -511,6 +512,7 @@ func (c *ContainerServer) LoadContainer(id string) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ctr.SetSpec(&m)
|
||||
ctr.SetMountPoint(m.Annotations[annotations.MountPoint])
|
||||
|
||||
c.ContainerStateFromDisk(ctr)
|
||||
|
|
|
@ -48,6 +48,7 @@ type Container struct {
|
|||
imageRef string
|
||||
volumes []ContainerVolume
|
||||
mountPoint string
|
||||
spec *specs.Spec
|
||||
}
|
||||
|
||||
// ContainerVolume is a bind mount for the container.
|
||||
|
@ -99,6 +100,16 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net
|
|||
return c, nil
|
||||
}
|
||||
|
||||
// SetSpec loads the OCI spec in the container struct
|
||||
func (c *Container) SetSpec(s *specs.Spec) {
|
||||
c.spec = s
|
||||
}
|
||||
|
||||
// Spec returns a copy of the spec for the container
|
||||
func (c *Container) Spec() specs.Spec {
|
||||
return *c.spec
|
||||
}
|
||||
|
||||
// GetStopSignal returns the container's own stop signal configured from the
|
||||
// image configuration or the default one.
|
||||
func (c *Container) GetStopSignal() string {
|
||||
|
|
|
@ -435,11 +435,9 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
|
|||
}
|
||||
args = append(args, "-l", logPath)
|
||||
|
||||
pspec := rspec.Process{
|
||||
Env: r.conmonEnv,
|
||||
Args: command,
|
||||
Cwd: "/",
|
||||
}
|
||||
pspec := c.Spec().Process
|
||||
pspec.Env = append(pspec.Env, r.conmonEnv...)
|
||||
pspec.Args = command
|
||||
processJSON, err := json.Marshal(pspec)
|
||||
if err != nil {
|
||||
return nil, ExecSyncError{
|
||||
|
|
|
@ -1042,6 +1042,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
container.SetSpec(specgen.Spec())
|
||||
container.SetMountPoint(mountPoint)
|
||||
|
||||
for _, cv := range containerVolumes {
|
||||
|
|
|
@ -488,6 +488,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
container.SetSpec(g.Spec())
|
||||
container.SetMountPoint(mountPoint)
|
||||
|
||||
sb.SetInfraContainer(container)
|
||||
|
|
Loading…
Reference in a new issue