From 2080744963da8bc7cd75930ea03c04d7e9c8edef Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 29 Sep 2017 16:16:38 +0200 Subject: [PATCH 1/2] server: fix panic when assigning entry to nil map When running cri-tests with cri-o, I found out that cri-o panicked immediately with the following message. Fix it by accessing to the labels map only if it's non-nil. ``` panic: assignment to entry in nil map goroutine 57 [running]: .../cri-o/server.(*Server).RunPodSandbox(0xc42048e000, 0x7efcad4cd400, 0xc42066ec90, 0xc4201703d0, 0x0, 0x0, 0x0) .../cri-o/server/sandbox_run.go:225 +0xda5 .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime ._RuntimeService_RunPodSandbox_Handler(0x21793e0, 0xc42048e000, 0x7efcad4cd400, 0xc42066ec90, 0xc4204fe780, 0x0, 0x0, 0x0, 0x0, 0x0) .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279 .../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc420 09e3c0, 0x33e79c0, 0xc4203d1950, 0xc42080a000, 0xc4202bb980, 0x33b1d58, 0xc42066ec60, 0x0, 0x0) .../cri-o/vendor/google.golang.org/grpc/server.go:638 +0x99c ``` Signed-off-by: Dongsu Park --- server/sandbox_run.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 4b832843..23e8b7e4 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -221,10 +221,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest labels := req.GetConfig().GetLabels() // Add special container name label for the infra container - labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName - labelsJSON, err := json.Marshal(labels) - if err != nil { - return nil, err + labelsJSON := []byte{} + if labels != nil { + labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName + labelsJSON, err = json.Marshal(labels) + if err != nil { + return nil, err + } } // add annotations 
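Review bot: When `labels` is nil the new branch skips adding `types.KubernetesContainerNameLabel` altogether and leaves `labelsJSON` as an empty `[]byte{}`, which is neither valid JSON nor the `{}`/`null` a later reader of that value would expect; the infra container name label is lost precisely for pods that send no labels. Since the panic was `assignment to entry in nil map`, an empty non-nil map is enough to fix it while keeping the marshal path uniform: insert `if labels == nil { labels = map[string]string{} }` right after the `labels := req.GetConfig().GetLabels()` line and keep the original unconditional assignment and `labelsJSON, err := json.Marshal(labels)`. Where `labelsJSON` is consumed lies outside this hunk, so whether an empty byte slice is tolerated there cannot be confirmed from the diff. RunPodSandbox's body continues on both sides of the hunk.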
From 644a4af377309bd9d3aad8df0d8a65677b0d52dd Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 29 Sep 2017 16:44:43 +0200 Subject: [PATCH 2/2] server: handle cases of securityContext, namespaceOptions being nil Both GetSecurityContext() and GetNamespaceOptions() can return nil. In these cases, cri-o will panic like this: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x1 pc=0x1cc43f6] goroutine 66 [running]: .../cri-o/server.(*Server).RunPodSandbox(0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc42015e318, 0x0, 0x0, 0x0) .../cri-o/server/sandbox_run.go:261 +0xfe6 .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime._RuntimeService_RunPodSandbox_Handler(0x2180920, 0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc420505950, 0x0, 0x0, 0x0, 0x64ed0d, 0xc42064bc80) .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279 .../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4200a4240, 0x33f28e0, 0xc4204b0360, 0xc42074a870, 0xc420476de0, 0x33bcd38, 0xc420207e30, 0x0, 0x0) ``` Signed-off-by: Dongsu Park --- server/sandbox_run.go | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 23e8b7e4..0bebef84 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go 
@@ -252,13 +252,23 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest privileged := s.privilegedSandbox(req) - processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged) + securityContext := req.GetConfig().GetLinux().GetSecurityContext() + if securityContext == nil { + return nil, fmt.Errorf("no security context found") + } + + processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged) if err != nil { return nil, err } // Don't use SELinux separation with Host Pid or IPC Namespace or privileged. - if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { + namespaceOptions := securityContext.GetNamespaceOptions() + if namespaceOptions == nil { + return nil, fmt.Errorf("no namespace options found") + } + + if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc { processLabel, mountLabel = "", "" } g.SetProcessSelinuxLabel(processLabel) @@ -266,7 +276,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest // create shm mount for the pod containers. var shmPath string - if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { + if namespaceOptions.HostIpc { shmPath = "/dev/shm" } else { shmPath, err = setupShm(podContainer.RunDir, mountLabel) @@ -307,7 +317,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest return nil, err } - hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork + hostNetwork := namespaceOptions.HostNetwork hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork) if err != nil { 
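Review bot: The nil guard introduces `namespaceOptions`, but the condition immediately after it still calls `securityContext.GetNamespaceOptions()` twice instead of using the variable just validated; it should read `if namespaceOptions.HostPid || namespaceOptions.HostIpc {`. The following hunks (the shm path, `hostNetwork`, and the pid/ipc namespace removal further down) already read `namespaceOptions`, so this SELinux line is the only one left on the old form. Returning an error when `securityContext` or `namespaceOptions` is nil is a fail-closed choice; since these fields are optional in the request, a caller that omits them now gets an error rather than zero-value defaults (no host namespaces, no SELinux options), which is defensible but deserves a comment at the check such as `// A sandbox request without a security context is rejected rather than defaulted.` RunPodSandbox begins and ends outside these hunks, and whether `fmt` is already imported by the file cannot be seen here.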
@@ -441,14 +451,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest } } - if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid { + if namespaceOptions.HostPid { err = g.RemoveLinuxNamespace("pid") if err != nil { return nil, err } } - if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { + if namespaceOptions.HostIpc { err = g.RemoveLinuxNamespace("ipc") if err != nil { return nil, err