vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #962 from kinvolk/dongsu/fix-panic-run-podsandbox

Browse source 
server: fix 2 panics in RunPodSandbox
This commit is contained in:
Daniel J Walsh 2017-10-02 09:18:06 -04:00 committed by GitHub
commit e5749088b2
1 changed files with 23 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
server/sandbox_run.go
View file

@ -221,10 +221,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
labels := req.GetConfig().GetLabels() labels := req.GetConfig().GetLabels()
// Add special container name label for the infra container // Add special container name label for the infra container
labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName labelsJSON := []byte{}
labelsJSON, err := json.Marshal(labels) if labels != nil {
if err != nil { labels[types.KubernetesContainerNameLabel] = leaky.PodInfraContainerName
return nil, err labelsJSON, err = json.Marshal(labels)
if err != nil {
return nil, err
}
} }
// add annotations // add annotations
@ -249,13 +252,23 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
privileged := s.privilegedSandbox(req) privileged := s.privilegedSandbox(req)
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged) securityContext := req.GetConfig().GetLinux().GetSecurityContext()
if securityContext == nil {
return nil, fmt.Errorf("no security context found")
}
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged. // Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { namespaceOptions := securityContext.GetNamespaceOptions()
if namespaceOptions == nil {
return nil, fmt.Errorf("no namespace options found")
}
if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
processLabel, mountLabel = "", "" processLabel, mountLabel = "", ""
} }
g.SetProcessSelinuxLabel(processLabel) g.SetProcessSelinuxLabel(processLabel)
@ -263,7 +276,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
// create shm mount for the pod containers. // create shm mount for the pod containers.
var shmPath string var shmPath string
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { if namespaceOptions.HostIpc {
shmPath = "/dev/shm" shmPath = "/dev/shm"
} else { } else {
shmPath, err = setupShm(podContainer.RunDir, mountLabel) shmPath, err = setupShm(podContainer.RunDir, mountLabel)
@ -304,7 +317,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err return nil, err
} }
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork hostNetwork := namespaceOptions.HostNetwork
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork) hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
if err != nil { if err != nil {
@ -438,14 +451,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
} }
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid { if namespaceOptions.HostPid {
err = g.RemoveLinuxNamespace("pid") err = g.RemoveLinuxNamespace("pid")
if err != nil { if err != nil {
return nil, err return nil, err
} }
} }
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { if namespaceOptions.HostIpc {
err = g.RemoveLinuxNamespace("ipc") err = g.RemoveLinuxNamespace("ipc")
if err != nil { if err != nil {
return nil, err return nil, err