From fc2cae39ef635e01a2ddd650510a45613c440f5f Mon Sep 17 00:00:00 2001 
From: baude Date: Mon, 9 Oct 2017 14:53:54 -0500 Subject: [PATCH] Initial fixes for cri-tests We can now pass 37/55 tests with this PR. The remaining tests, listed below, may be fixed with 1.8. [Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName [Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID [Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls [Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance] [Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance] [Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix [Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance] [Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls [Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true [Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN [Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container [Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa [Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance] [Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container [Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance] [Fail] [k8s.io] 
Security Context bucket [It] runtime should support RunAsUser [Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups [Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container
Signed-off-by: baude
---
 server/container_create.go | 2 +-
 server/container_list.go | 5 ++++-
 server/sandbox_run.go | 19 +++++++------------
 3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index 6d93408c..8cab51e7 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -146,7 +146,7 @@ func resolveSymbolicLink(path string) (string, error) {
 func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
 	sp := specgen.Spec()
-	if containerConfig.GetLinux().GetSecurityContext().Privileged {
+	if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 		hostDevices, err := devices.HostDevices()
 		if err != nil {
 			return err
diff --git a/server/container_list.go b/server/container_list.go
index 995b7e1b..42204ae1 100644
--- a/server/container_list.go
+++ b/server/container_list.go
@@ -40,7 +40,10 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
 	if filter.Id != "" {
 		id, err := s.CtrIDIndex().Get(filter.Id)
 		if err != nil {
-			return nil, err
+			// If we don't find a container ID with a filter, it should not
+			// be considered an error. Log a warning and return an empty struct
+			logrus.Warn("unable to find container ID %s", filter.Id)
+			return &pb.ListContainersResponse{}, nil
 		}
 		c := s.ContainerServer.GetContainer(id)
 		if c != nil {
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 0bebef84..461ba052 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
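Review bot: `logrus.Warn` is a Print-style call, so the `%s` in the added warning in ListContainers is emitted literally and `filter.Id` is simply appended after it; `go vet`'s printf check flags exactly this. Use `logrus.Warnf("unable to find container ID %s", filter.Id)`. Separately, the new branch swallows every error from `s.CtrIDIndex().Get`, not only a miss; if that index is a truncated-ID index it presumably also reports an ambiguous prefix, which a caller would now see as an empty list instead of an error, so consider returning the empty response only for the not-found case and returning (or wrapping) anything else. The body of ListContainers continues outside the hunk.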
@@ -254,7 +254,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	securityContext := req.GetConfig().GetLinux().GetSecurityContext()
 	if securityContext == nil {
-		return nil, fmt.Errorf("no security context found")
+		logrus.Warn("no security context found in config.")
 	}
 	processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
@@ -263,12 +263,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	}
 	// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
-	namespaceOptions := securityContext.GetNamespaceOptions()
-	if namespaceOptions == nil {
-		return nil, fmt.Errorf("no namespace options found")
-	}
-
-	if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostPid() || securityContext.GetNamespaceOptions().GetHostIpc() {
 		processLabel, mountLabel = "", ""
 	}
 	g.SetProcessSelinuxLabel(processLabel)
@@ -276,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	// create shm mount for the pod containers.
 	var shmPath string
-	if namespaceOptions.HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostIpc() {
 		shmPath = "/dev/shm"
 	} else {
 		shmPath, err = setupShm(podContainer.RunDir, mountLabel)
@@ -317,7 +312,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		return nil, err
 	}
-	hostNetwork := namespaceOptions.HostNetwork
+	hostNetwork := securityContext.GetNamespaceOptions().GetHostNetwork()
 	hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
 	if err != nil {
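Review bot: Downgrading the nil security context from an error to a warning is a behavior change the hunk leaves undocumented: execution continues with `securityContext` nil and relies on the nil-safe protobuf getters (`GetSelinuxOptions`, `GetNamespaceOptions`) returning zero values, so such a sandbox gets its own pid/ipc/net namespaces and no SELinux options. That is the conservative outcome, but it should be stated at the site so the next reader neither reinstates the error nor assumes the pointer is non-nil, e.g. `// A missing security context is allowed: the nil-safe getters below yield the default (non-host) namespace options and empty SELinux options.` The new log line should also drop its trailing period, `logrus.Warn("no security context found in config")`. RunPodSandbox starts and ends outside the hunk, and `privileged` is computed above it.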
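Review bot: Replacing the `namespaceOptions` local with repeated `securityContext.GetNamespaceOptions()` calls (here and in the @@ -276, @@ -317 and @@ -451 hunks, six call sites in total) trades one nil check for repeated lookups and hides that every site reads the same options. Since `GetNamespaceOptions()` is itself nil-safe, keep the local and drop only the error: `namespaceOptions := securityContext.GetNamespaceOptions()`, then `namespaceOptions.GetHostPid()` / `GetHostIpc()` / `GetHostNetwork()` at the other sites. The comment kept above the changed condition still says "or privileged" while the condition tests only host PID and host IPC; if privileged is handled inside getSELinuxLabels (called above, outside the hunk), the comment should say so, otherwise the condition is missing a case.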
@@ -352,7 +347,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
 	// setup cgroup settings
-	cgroupParent := req.GetConfig().GetLinux().CgroupParent
+	cgroupParent := req.GetConfig().GetLinux().GetCgroupParent()
 	if cgroupParent != "" {
 		if s.config.CgroupManager == oci.SystemdCgroupsManager {
 			if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
@@ -451,14 +446,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		}
 	}
-	if namespaceOptions.HostPid {
+	if securityContext.GetNamespaceOptions().GetHostPid() {
 		err = g.RemoveLinuxNamespace("pid")
 		if err != nil {
 			return nil, err
 		}
 	}
-	if namespaceOptions.HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostIpc() {
 		err = g.RemoveLinuxNamespace("ipc")
 		if err != nil {
 			return nil, err