container_create: support seccomp docker/default annotation
Fixes the following Origin/Kube test: ``` • Failure [10.323 seconds] [k8s.io] Security Context [Feature:SecurityContext] /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:619 should support seccomp alpha docker/default annotation [Feature:Seccomp] [It] /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/security_context.go:133 Expected error: <*errors.errorString | 0xc420cbacf0>: { s: "expected \"2\" in container output: Expected\n <string>: Seccomp:\t0\n \nto contain substring\n <string>: 2", } expected "2" in container output: Expected <string>: Seccomp: 0 to contain substring <string>: 2 not to have occurred } ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
4fadbea75d
commit
e8cfe3b867
2 changed files with 41 additions and 7 deletions
|
@ -38,6 +38,7 @@ import (
|
|||
const (
|
||||
seccompUnconfined = "unconfined"
|
||||
seccompRuntimeDefault = "runtime/default"
|
||||
seccompDockerDefault = "docker/default"
|
||||
seccompLocalhostPrefix = "localhost/"
|
||||
|
||||
scopePrefix = "crio"
|
||||
|
@ -1033,18 +1034,13 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnot
|
|||
specgen.Spec().Linux.Seccomp = nil
|
||||
return nil
|
||||
}
|
||||
if profile == seccompRuntimeDefault {
|
||||
if profile == seccompRuntimeDefault || profile == seccompDockerDefault {
|
||||
return seccomp.LoadProfileFromStruct(s.seccompProfile, specgen)
|
||||
}
|
||||
if !strings.HasPrefix(profile, seccompLocalhostPrefix) {
|
||||
return fmt.Errorf("unknown seccomp profile option: %q", profile)
|
||||
}
|
||||
//file, err := ioutil.ReadFile(filepath.Join(s.seccompProfileRoot, strings.TrimPrefix(profile, seccompLocalhostPrefix)))
|
||||
//if err != nil {
|
||||
//return err
|
||||
//}
|
||||
// TODO(runcom): setup from provided node's seccomp profile
|
||||
// can't do this yet, see https://issues.k8s.io/36997
|
||||
// FIXME: https://github.com/kubernetes/kubernetes/issues/39128
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -328,3 +328,41 @@ function teardown() {
|
|||
|
||||
skip "need https://issues.k8s.io/36997"
|
||||
}
|
||||
|
||||
# test running with ctr docker/default
|
||||
# test that we cannot run with a syscall blocked by the default seccomp profile
|
||||
@test "ctr seccomp profiles docker/default" {
|
||||
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
||||
enabled=$(is_seccomp_enabled)
|
||||
if [[ "$enabled" -eq 0 ]]; then
|
||||
skip "skip this test since seccomp is not enabled."
|
||||
fi
|
||||
|
||||
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
||||
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
||||
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
||||
|
||||
start_crio "$TESTDIR"/seccomp_profile1.json
|
||||
|
||||
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname2_seccomp2_redhat\.test\.crio_redhat-test-crio_0": "docker\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
|
||||
run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
run crioctl ctr create --name testname2 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crioctl ctr start --id "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "Exit code: 1" ]]
|
||||
[[ "$output" =~ "Operation not permitted" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue