Merge pull request #917 from runcom/fixes-rc3-0
Fix Origin test and update kube to v1.7.6
This commit is contained in:
commit
db0bd66fca
22 changed files with 1019 additions and 923 deletions
|
@ -38,6 +38,7 @@ import (
|
|||
const (
|
||||
seccompUnconfined = "unconfined"
|
||||
seccompRuntimeDefault = "runtime/default"
|
||||
seccompDockerDefault = "docker/default"
|
||||
seccompLocalhostPrefix = "localhost/"
|
||||
|
||||
scopePrefix = "crio"
|
||||
|
@ -65,6 +66,11 @@ func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, sp
|
|||
}
|
||||
}
|
||||
|
||||
src, err := resolveSymbolicLink(src)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to resolve symlink %q: %v", src, err)
|
||||
}
|
||||
|
||||
options := []string{"rw"}
|
||||
if mount.Readonly {
|
||||
options = []string{"ro"}
|
||||
|
@ -519,12 +525,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
specgen.HostSpecific = true
|
||||
specgen.ClearProcessRlimits()
|
||||
|
||||
var readOnlyRootfs bool
|
||||
var privileged bool
|
||||
if containerConfig.GetLinux().GetSecurityContext() != nil {
|
||||
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
||||
privileged = true
|
||||
}
|
||||
|
||||
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
|
||||
readOnlyRootfs = true
|
||||
specgen.SetRootReadonly(true)
|
||||
}
|
||||
}
|
||||
|
||||
mountLabel := sb.MountLabel()
|
||||
processLabel := sb.ProcessLabel()
|
||||
selinuxConfig := containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions()
|
||||
if selinuxConfig != nil {
|
||||
var err error
|
||||
processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig)
|
||||
processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig, privileged)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -564,19 +583,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
}
|
||||
|
||||
var readOnlyRootfs bool
|
||||
var privileged bool
|
||||
if containerConfig.GetLinux().GetSecurityContext() != nil {
|
||||
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
||||
privileged = true
|
||||
}
|
||||
|
||||
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
|
||||
readOnlyRootfs = true
|
||||
specgen.SetRootReadonly(true)
|
||||
}
|
||||
}
|
||||
|
||||
// set this container's apparmor profile if it is set by sandbox
|
||||
if s.appArmorEnabled && !privileged {
|
||||
appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
|
||||
|
@ -667,6 +673,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
if privileged {
|
||||
// this is setting correct capabilities as well for privileged mode
|
||||
specgen.SetupPrivileged(true)
|
||||
setOCIBindMountsPrivileged(&specgen)
|
||||
} else {
|
||||
toCAPPrefixed := func(cap string) string {
|
||||
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
|
||||
|
@ -714,10 +721,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
}
|
||||
}
|
||||
specgen.SetProcessSelinuxLabel(processLabel)
|
||||
}
|
||||
|
||||
specgen.SetLinuxMountLabel(sb.MountLabel())
|
||||
specgen.SetProcessSelinuxLabel(processLabel)
|
||||
specgen.SetLinuxMountLabel(mountLabel)
|
||||
|
||||
if containerConfig.GetLinux().GetSecurityContext() != nil &&
|
||||
!containerConfig.GetLinux().GetSecurityContext().Privileged {
|
||||
|
@ -885,13 +891,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
specgen.AddAnnotation(annotations.Annotations, string(kubeAnnotationsJSON))
|
||||
|
||||
metaname := metadata.Name
|
||||
if !privileged {
|
||||
if err = s.setupSeccomp(&specgen, containerName, sb.Annotations()); err != nil {
|
||||
if err = s.setupSeccomp(&specgen, metaname, sb.Annotations()); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
metaname := metadata.Name
|
||||
attempt := metadata.Attempt
|
||||
containerInfo, err := s.StorageRuntimeServer().CreateContainer(s.ImageContext(),
|
||||
sb.Name(), sb.ID(),
|
||||
|
@ -1017,9 +1023,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
|
||||
func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnotations map[string]string) error {
|
||||
profile, ok := sbAnnotations["security.alpha.kubernetes.io/seccomp/container/"+cname]
|
||||
profile, ok := sbAnnotations["container.seccomp.security.alpha.kubernetes.io/"+cname]
|
||||
if !ok {
|
||||
profile, ok = sbAnnotations["security.alpha.kubernetes.io/seccomp/pod"]
|
||||
profile, ok = sbAnnotations["seccomp.security.alpha.kubernetes.io/pod"]
|
||||
if !ok {
|
||||
// running w/o seccomp, aka unconfined
|
||||
profile = seccompUnconfined
|
||||
|
@ -1036,18 +1042,13 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnot
|
|||
specgen.Spec().Linux.Seccomp = nil
|
||||
return nil
|
||||
}
|
||||
if profile == seccompRuntimeDefault {
|
||||
if profile == seccompRuntimeDefault || profile == seccompDockerDefault {
|
||||
return seccomp.LoadProfileFromStruct(s.seccompProfile, specgen)
|
||||
}
|
||||
if !strings.HasPrefix(profile, seccompLocalhostPrefix) {
|
||||
return fmt.Errorf("unknown seccomp profile option: %q", profile)
|
||||
}
|
||||
//file, err := ioutil.ReadFile(filepath.Join(s.seccompProfileRoot, strings.TrimPrefix(profile, seccompLocalhostPrefix)))
|
||||
//if err != nil {
|
||||
//return err
|
||||
//}
|
||||
// TODO(runcom): setup from provided node's seccomp profile
|
||||
// can't do this yet, see https://issues.k8s.io/36997
|
||||
// FIXME: https://github.com/kubernetes/kubernetes/issues/39128
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -1109,3 +1110,28 @@ func getUserInfo(rootfs string, userName string) (uint32, uint32, []uint32, erro
|
|||
|
||||
return uid, gid, additionalGids, nil
|
||||
}
|
||||
|
||||
func setOCIBindMountsPrivileged(g *generate.Generator) {
|
||||
spec := g.Spec()
|
||||
// clear readonly for /sys and cgroup
|
||||
for i, m := range spec.Mounts {
|
||||
if spec.Mounts[i].Destination == "/sys" && !spec.Root.Readonly {
|
||||
clearReadOnly(&spec.Mounts[i])
|
||||
}
|
||||
if m.Type == "cgroup" {
|
||||
clearReadOnly(&spec.Mounts[i])
|
||||
}
|
||||
}
|
||||
spec.Linux.ReadonlyPaths = nil
|
||||
spec.Linux.MaskedPaths = nil
|
||||
}
|
||||
|
||||
func clearReadOnly(m *rspec.Mount) {
|
||||
var opt []string
|
||||
for _, o := range m.Options {
|
||||
if o != "ro" {
|
||||
opt = append(opt, o)
|
||||
}
|
||||
}
|
||||
m.Options = opt
|
||||
}
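Review bot: The privileged short-circuit that getSELinuxLabels now implements is only reached when selinuxConfig != nil, because the call in the createSandboxContainer hunk sits inside `if selinuxConfig != nil {`; a privileged container whose spec has no selinuxOptions keeps sb.ProcessLabel()/sb.MountLabel() and has them applied at SetProcessSelinuxLabel/SetLinuxMountLabel, so the outcome depends on whether selinuxOptions happened to be set. If the intent is that privileged containers get empty labels regardless, widen the guard to `if selinuxConfig != nil || privileged {`, or document the asymmetry next to where privileged is computed. In the setupSeccomp hunk, a `localhost/` profile passes the prefix check and then reaches the bare `return nil` after the commented-out loader, so the requested profile is silently not applied and the spec presumably keeps whatever seccomp the generator already held; until the node-profile loader exists, a warning log there (or an explicit error) would make that visible. In setOCIBindMountsPrivileged the loop reads `spec.Mounts[i].Destination` on one branch and `m.Type` on the other; either works, but use one form for both. createSandboxContainer and setupSeccomp both start and end outside their hunks.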
|
||||
|
|
|
@ -16,7 +16,7 @@ func (s *Server) networkStart(hostNetwork bool, sb *sandbox.Sandbox) (string, er
|
|||
return s.BindAddress(), nil
|
||||
}
|
||||
|
||||
podNetwork := newPodNetwork(sb.Namespace(), sb.KubeName(), sb.ID(), sb.NetNsPath())
|
||||
podNetwork := newPodNetwork(sb)
|
||||
err := s.netPlugin.SetUpPod(podNetwork)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to create pod network sandbox %s(%s): %v", sb.Name(), sb.ID(), err)
|
||||
|
@ -59,7 +59,7 @@ func (s *Server) networkStop(hostNetwork bool, sb *sandbox.Sandbox) error {
|
|||
sb.Name(), sb.ID(), err)
|
||||
}
|
||||
|
||||
podNetwork := newPodNetwork(sb.Namespace(), sb.KubeName(), sb.ID(), sb.NetNsPath())
|
||||
podNetwork := newPodNetwork(sb)
|
||||
if err := s.netPlugin.TearDownPod(podNetwork); err != nil {
|
||||
logrus.Warnf("failed to destroy network for pod sandbox %s(%s): %v",
|
||||
sb.Name(), sb.ID(), err)
|
||||
|
|
|
@ -247,16 +247,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
return nil, fmt.Errorf("requested logDir for sbox id %s is a relative path: %s", id, logDir)
|
||||
}
|
||||
|
||||
// Don't use SELinux separation with Host Pid or IPC Namespace,
|
||||
if !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid && !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
g.SetProcessSelinuxLabel(processLabel)
|
||||
g.SetLinuxMountLabel(mountLabel)
|
||||
privileged := s.privilegedSandbox(req)
|
||||
|
||||
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
processLabel, mountLabel = "", ""
|
||||
}
|
||||
g.SetProcessSelinuxLabel(processLabel)
|
||||
g.SetLinuxMountLabel(mountLabel)
|
||||
|
||||
// create shm mount for the pod containers.
|
||||
var shmPath string
|
||||
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
|
||||
|
@ -308,7 +312,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}
|
||||
g.SetHostname(hostname)
|
||||
|
||||
privileged := s.privilegedSandbox(req)
|
||||
trusted := s.trustedSandbox(req)
|
||||
g.AddAnnotation(annotations.Metadata, string(metadataJSON))
|
||||
g.AddAnnotation(annotations.Labels, string(labelsJSON))
|
||||
|
@ -557,7 +560,10 @@ func (s *Server) setPodSandboxMountLabel(id, mountLabel string) error {
|
|||
return s.StorageRuntimeServer().SetContainerMetadata(id, storageMetadata)
|
||||
}
|
||||
|
||||
func getSELinuxLabels(selinuxOptions *pb.SELinuxOption) (processLabel string, mountLabel string, err error) {
|
||||
func getSELinuxLabels(selinuxOptions *pb.SELinuxOption, privileged bool) (processLabel string, mountLabel string, err error) {
|
||||
if privileged {
|
||||
return "", "", nil
|
||||
}
|
||||
labels := []string{}
|
||||
if selinuxOptions != nil {
|
||||
if selinuxOptions.User != "" {
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/runtime-tools/generate"
|
||||
libseccomp "github.com/seccomp/libseccomp-golang"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
|
@ -24,6 +25,7 @@ func IsEnabled() bool {
|
|||
enabled = true
|
||||
}
|
||||
}
|
||||
logrus.Debugf("seccomp status: %v", enabled)
|
||||
return enabled
|
||||
}
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/opencontainers/runtime-tools/validate"
|
||||
"github.com/syndtr/gocapability/capability"
|
||||
)
|
||||
|
@ -149,12 +150,12 @@ func SysctlsFromPodAnnotation(annotation string) ([]Sysctl, error) {
|
|||
return sysctls, nil
|
||||
}
|
||||
|
||||
func newPodNetwork(namespace, name, id, netns string) ocicni.PodNetwork {
|
||||
func newPodNetwork(sb *sandbox.Sandbox) ocicni.PodNetwork {
|
||||
return ocicni.PodNetwork{
|
||||
Name: name,
|
||||
Namespace: namespace,
|
||||
ID: id,
|
||||
NetNS: netns,
|
||||
Name: sb.KubeName(),
|
||||
Namespace: sb.Namespace(),
|
||||
ID: sb.ID(),
|
||||
NetNS: sb.NetNsPath(),
|
||||
}
|
||||
}
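Review bot: newPodNetwork lost its explicit parameters, so a reader now has to know which sandbox accessors feed ocicni; a one-line doc comment such as `// newPodNetwork builds the ocicni.PodNetwork descriptor for sb from its kube name, namespace, ID and network namespace path.` would restore that. The function dereferences sb unconditionally, which is fine as long as both callers in network.go pass a non-nil sandbox, as they appear to.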
|
||||
|
||||
|
|