oci: Support for the host privileged runtime path

We add a privileged flag to the container and sandbox structures and can now select the appropriate runtime path for any container operations depending on that flag. Here again, the default runtime will be used for non privileged containers and for privileged ones in case there are no privileged runtime defined. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-02-21 11:51:16 +01:00 · 2017-02-21 11:51:16 +01:00 · eab6b00ea6
commit eab6b00ea6
parent 2fc4d0cac1
3 changed files with 30 additions and 20 deletions
--- a/oci/oci.go
+++ b/oci/oci.go
@ -34,24 +34,26 @@ const (
 )
 // New creates a new Runtime with options provided
-func New(runtimePath string, conmonPath string, conmonEnv []string, cgroupManager string) (*Runtime, error) {
+func New(runtimePath string, runtimeHostPrivilegedPath string, conmonPath string, conmonEnv []string, cgroupManager string) (*Runtime, error) {
 	r := &Runtime{
-		name:          filepath.Base(runtimePath),
+		name:           filepath.Base(runtimePath),
-		path:          runtimePath,
+		path:           runtimePath,
-		conmonPath:    conmonPath,
+		privilegedPath: runtimeHostPrivilegedPath,
-		conmonEnv:     conmonEnv,
+		conmonPath:     conmonPath,
-		cgroupManager: cgroupManager,
+		conmonEnv:      conmonEnv,
 		cgroupManager:  cgroupManager,
 	}
 	return r, nil
 }
 // Runtime stores the information about a oci runtime
 type Runtime struct {
-	name          string
+	name           string
-	path          string
+	path           string
-	conmonPath    string
+	privilegedPath string
-	conmonEnv     []string
+	conmonPath     string
-	cgroupManager string
+	conmonEnv      []string
 	cgroupManager  string
 }
 // syncInfo is used to return data from monitor process to daemon
@ -69,8 +71,14 @@ func (r *Runtime) Name() string {
 	return r.name
 }
-// Path returns the full path the OCI Runtime executable
+// Path returns the full path the OCI Runtime executable.
-func (r *Runtime) Path() string {
+// Depending if the container is privileged, it will return
 // the privileged runtime or not.
 func (r *Runtime) Path(c *Container) string {
 	if c.privileged && r.privilegedPath != "" {
 		return r.privilegedPath
 	}
 	return r.path
 }
@ -107,7 +115,7 @@ func (r *Runtime) CreateContainer(c *Container) error {
 		args = append(args, "-s")
 	}
 	args = append(args, "-c", c.name)
-	args = append(args, "-r", r.path)
+	args = append(args, "-r", r.Path(c))
 	args = append(args, "-b", c.bundlePath)
 	args = append(args, "-p", filepath.Join(c.bundlePath, "pidfile"))
 	if c.terminal {
@ -149,7 +157,7 @@ func (r *Runtime) CreateContainer(c *Container) error {
 func (r *Runtime) StartContainer(c *Container) error {
 	c.opLock.Lock()
 	defer c.opLock.Unlock()
-	if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "start", c.name); err != nil {
+	if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.Path(c), "start", c.name); err != nil {
 		return err
 	}
 	c.state.Started = time.Now()
@ -209,7 +217,7 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
 	var args []string
 	args = append(args, "-c", c.name)
-	args = append(args, "-r", r.path)
+	args = append(args, "-r", r.Path(c))
 	args = append(args, "-p", pidFile.Name())
 	args = append(args, "-e")
 	if c.terminal {
@ -341,7 +349,7 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
 func (r *Runtime) StopContainer(c *Container) error {
 	c.opLock.Lock()
 	defer c.opLock.Unlock()
-	if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "kill", c.name, "TERM"); err != nil {
+	if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.Path(c), "kill", c.name, "TERM"); err != nil {
 		return err
 	}
 	i := 0
@ -369,14 +377,14 @@ func (r *Runtime) StopContainer(c *Container) error {
 func (r *Runtime) DeleteContainer(c *Container) error {
 	c.opLock.Lock()
 	defer c.opLock.Unlock()
-	return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "delete", c.name)
+	return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.Path(c), "delete", c.name)
 }
 // UpdateStatus refreshes the status of the container.
 func (r *Runtime) UpdateStatus(c *Container) error {
 	c.opLock.Lock()
 	defer c.opLock.Unlock()
-	out, err := exec.Command(r.path, "state", c.name).CombinedOutput()
+	out, err := exec.Command(r.Path(c), "state", c.name).CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("error getting container state for %s: %s: %q", c.name, err, out)
 	}
@ -426,6 +434,7 @@ type Container struct {
 	sandbox     string
 	netns       ns.NetNS
 	terminal    bool
 	privileged  bool
 	state       *ContainerState
 	metadata    *pb.ContainerMetadata
 	opLock      sync.Mutex
--- a/server/sandbox.go
+++ b/server/sandbox.go
@ -139,6 +139,7 @@ type sandbox struct {
 	metadata       *pb.PodSandboxMetadata
 	shmPath        string
 	cgroupParent   string
 	privileged     bool
 }
 const (
--- a/server/server.go
+++ b/server/server.go
@ -452,7 +452,7 @@ func New(config *Config) (*Server, error) {
 		return nil, err
 	}
-	r, err := oci.New(config.Runtime, config.Conmon, config.ConmonEnv, config.CgroupManager)
+	r, err := oci.New(config.Runtime, config.RuntimeHostPrivileged, config.Conmon, config.ConmonEnv, config.CgroupManager)
 	if err != nil {
 		return nil, err
 	}