Merge pull request #962 from kinvolk/dongsu/fix-panic-run-podsandbox

server: fix 2 panics in RunPodSandbox
Daniel J Walsh 2017-10-02 09:18:06 -04:00 committed by GitHub
commit e5749088b2


@ -221,11 +221,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
labels := req.GetConfig().GetLabels() labels := req.GetConfig().GetLabels()
// Add special container name label for the infra container // Add special container name label for the infra container
labelsJSON := []byte{}
if labels != nil {
labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName
labelsJSON, err := json.Marshal(labels) labelsJSON, err = json.Marshal(labels)
if err != nil { if err != nil {
return nil, err return nil, err
} }
}
// add annotations // add annotations
kubeAnnotations := req.GetConfig().GetAnnotations() kubeAnnotations := req.GetConfig().GetAnnotations()
@ -249,13 +252,23 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
privileged := s.privilegedSandbox(req) privileged := s.privilegedSandbox(req)
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged) securityContext := req.GetConfig().GetLinux().GetSecurityContext()
if securityContext == nil {
return nil, fmt.Errorf("no security context found")
}
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged. // Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { namespaceOptions := securityContext.GetNamespaceOptions()
if namespaceOptions == nil {
return nil, fmt.Errorf("no namespace options found")
}
if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
processLabel, mountLabel = "", "" processLabel, mountLabel = "", ""
} }
g.SetProcessSelinuxLabel(processLabel) g.SetProcessSelinuxLabel(processLabel)
@ -263,7 +276,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
// create shm mount for the pod containers. // create shm mount for the pod containers.
var shmPath string var shmPath string
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { if namespaceOptions.HostIpc {
shmPath = "/dev/shm" shmPath = "/dev/shm"
} else { } else {
shmPath, err = setupShm(podContainer.RunDir, mountLabel) shmPath, err = setupShm(podContainer.RunDir, mountLabel)
@ -304,7 +317,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err return nil, err
} }
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork hostNetwork := namespaceOptions.HostNetwork
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork) hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
if err != nil { if err != nil {
@ -438,14 +451,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
} }
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid { if namespaceOptions.HostPid {
err = g.RemoveLinuxNamespace("pid") err = g.RemoveLinuxNamespace("pid")
if err != nil { if err != nil {
return nil, err return nil, err
} }
} }
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { if namespaceOptions.HostIpc {
err = g.RemoveLinuxNamespace("ipc") err = g.RemoveLinuxNamespace("ipc")
if err != nil { if err != nil {
return nil, err return nil, err
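Review bot: In the first hunk, a nil `labels` map now skips both the infra container name label and the `json.Marshal` call, so `labelsJSON` stays an empty byte slice, which is not valid JSON. Whatever reads `labelsJSON` later in RunPodSandbox (the body continues outside the visible hunks) would presumably fail to decode it, and the sandbox would be created without the `types.KubernetesContainerNameLabel` entry. Initialising the map keeps a single code path: put `if labels == nil { labels = make(map[string]string) }` before the label assignment and marshal unconditionally. Separately, the second hunk nil-checks `namespaceOptions` but the following condition still calls `securityContext.GetNamespaceOptions()` twice; `if namespaceOptions.HostPid || namespaceOptions.HostIpc {` would match the later hunks.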