Merge pull request #917 from runcom/fixes-rc3-0

Fix Origin test and update kube to v1.7.6
2017-09-25 14:55:42 -07:00 · 2017-09-25 14:55:42 -07:00 · db0bd66fca
commit db0bd66fca
parent a8ee86b1cc 3dd043c581
22 changed files with 1019 additions and 923 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -38,6 +38,7 @@ import (
 const (
 	seccompUnconfined      = "unconfined"
 	seccompRuntimeDefault  = "runtime/default"
+	seccompDockerDefault   = "docker/default"
 	seccompLocalhostPrefix = "localhost/"

 	scopePrefix           = "crio"
@ -65,6 +66,11 @@ func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, sp
 			}
 		}

+		src, err := resolveSymbolicLink(src)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve symlink %q: %v", src, err)
+		}
+
 		options := []string{"rw"}
 		if mount.Readonly {
 			options = []string{"ro"}
@ -519,12 +525,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	specgen.HostSpecific = true
 	specgen.ClearProcessRlimits()

+	var readOnlyRootfs bool
+	var privileged bool
+	if containerConfig.GetLinux().GetSecurityContext() != nil {
+		if containerConfig.GetLinux().GetSecurityContext().Privileged {
+			privileged = true
+		}
+
+		if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
+			readOnlyRootfs = true
+			specgen.SetRootReadonly(true)
+		}
+	}
+
 	mountLabel := sb.MountLabel()
 	processLabel := sb.ProcessLabel()
 	selinuxConfig := containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions()
 	if selinuxConfig != nil {
 		var err error
-		processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig)
+		processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig, privileged)
 		if err != nil {
 			return nil, err
 		}
@ -564,19 +583,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}
 	}

-	var readOnlyRootfs bool
-	var privileged bool
-	if containerConfig.GetLinux().GetSecurityContext() != nil {
-		if containerConfig.GetLinux().GetSecurityContext().Privileged {
-			privileged = true
-		}
-
-		if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
-			readOnlyRootfs = true
-			specgen.SetRootReadonly(true)
-		}
-	}
-
 	// set this container's apparmor profile if it is set by sandbox
 	if s.appArmorEnabled && !privileged {
 		appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
@ -667,6 +673,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		if privileged {
 			// this is setting correct capabilities as well for privileged mode
 			specgen.SetupPrivileged(true)
+			setOCIBindMountsPrivileged(&specgen)
 		} else {
 			toCAPPrefixed := func(cap string) string {
 				if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
@ -714,10 +721,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 					}
 				}
 			}
-			specgen.SetProcessSelinuxLabel(processLabel)
 		}
-
-		specgen.SetLinuxMountLabel(sb.MountLabel())
+		specgen.SetProcessSelinuxLabel(processLabel)
+		specgen.SetLinuxMountLabel(mountLabel)

 		if containerConfig.GetLinux().GetSecurityContext() != nil &&
 			!containerConfig.GetLinux().GetSecurityContext().Privileged {
@ -885,13 +891,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	}
 	specgen.AddAnnotation(annotations.Annotations, string(kubeAnnotationsJSON))

+	metaname := metadata.Name
 	if !privileged {
-		if err = s.setupSeccomp(&specgen, containerName, sb.Annotations()); err != nil {
+		if err = s.setupSeccomp(&specgen, metaname, sb.Annotations()); err != nil {
 			return nil, err
 		}
 	}

-	metaname := metadata.Name
 	attempt := metadata.Attempt
 	containerInfo, err := s.StorageRuntimeServer().CreateContainer(s.ImageContext(),
 		sb.Name(), sb.ID(),
@ -1017,9 +1023,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }

 func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnotations map[string]string) error {
-	profile, ok := sbAnnotations["security.alpha.kubernetes.io/seccomp/container/"+cname]
+	profile, ok := sbAnnotations["container.seccomp.security.alpha.kubernetes.io/"+cname]
 	if !ok {
-		profile, ok = sbAnnotations["security.alpha.kubernetes.io/seccomp/pod"]
+		profile, ok = sbAnnotations["seccomp.security.alpha.kubernetes.io/pod"]
 		if !ok {
 			// running w/o seccomp, aka unconfined
 			profile = seccompUnconfined
@ -1036,18 +1042,13 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnot
 		specgen.Spec().Linux.Seccomp = nil
 		return nil
 	}
-	if profile == seccompRuntimeDefault {
+	if profile == seccompRuntimeDefault || profile == seccompDockerDefault {
 		return seccomp.LoadProfileFromStruct(s.seccompProfile, specgen)
 	}
 	if !strings.HasPrefix(profile, seccompLocalhostPrefix) {
 		return fmt.Errorf("unknown seccomp profile option: %q", profile)
 	}
-	//file, err := ioutil.ReadFile(filepath.Join(s.seccompProfileRoot, strings.TrimPrefix(profile, seccompLocalhostPrefix)))
-	//if err != nil {
-	//return err
-	//}
-	// TODO(runcom): setup from provided node's seccomp profile
-	// can't do this yet, see https://issues.k8s.io/36997
+	// FIXME: https://github.com/kubernetes/kubernetes/issues/39128
 	return nil
 }

@ -1109,3 +1110,28 @@ func getUserInfo(rootfs string, userName string) (uint32, uint32, []uint32, erro

 	return uid, gid, additionalGids, nil
 }
+
+func setOCIBindMountsPrivileged(g *generate.Generator) {
+	spec := g.Spec()
+	// clear readonly for /sys and cgroup
+	for i, m := range spec.Mounts {
+		if spec.Mounts[i].Destination == "/sys" && !spec.Root.Readonly {
+			clearReadOnly(&spec.Mounts[i])
+		}
+		if m.Type == "cgroup" {
+			clearReadOnly(&spec.Mounts[i])
+		}
+	}
+	spec.Linux.ReadonlyPaths = nil
+	spec.Linux.MaskedPaths = nil
+}
+
+func clearReadOnly(m *rspec.Mount) {
+	var opt []string
+	for _, o := range m.Options {
+		if o != "ro" {
+			opt = append(opt, o)
+		}
+	}
+	m.Options = opt
+}