Initial fixes for cri-tests
With this PR we now pass 37/55 tests. The remaining failures, some of which may be fixed with 1.8, are: [Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName [Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID [Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls [Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance] [Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance] [Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix [Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance] [Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls [Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true [Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN [Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container [Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa [Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance] [Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container [Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance] [Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser [Fail] [k8s.io] Security 
Context bucket [It] runtime should support SupplementalGroups [Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container Signed-off-by: baude <bbaude@redhat.com>
This commit is contained in:
parent
825f7f290b
commit
fc2cae39ef
3 changed files with 12 additions and 14 deletions
@ -146,7 +146,7 @@ func resolveSymbolicLink(path string) (string, error) {
func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
|
func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
|
||||||
sp := specgen.Spec()
|
sp := specgen.Spec()
|
||||||
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||||
hostDevices, err := devices.HostDevices()
|
hostDevices, err := devices.HostDevices()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
@ -40,7 +40,10 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
|
||||||
if filter.Id != "" {
|
if filter.Id != "" {
|
||||||
id, err := s.CtrIDIndex().Get(filter.Id)
|
id, err := s.CtrIDIndex().Get(filter.Id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
// If we don't find a container ID with a filter, it should not
|
||||||
|
// be considered an error. Log a warning and return an empty struct
|
||||||
|
logrus.Warn("unable to find container ID %s", filter.Id)
|
||||||
|
return &pb.ListContainersResponse{}, nil
|
||||||
}
|
}
|
||||||
c := s.ContainerServer.GetContainer(id)
|
c := s.ContainerServer.GetContainer(id)
|
||||||
if c != nil {
|
if c != nil {
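Review bot: `logrus.Warn("unable to find container ID %s", filter.Id)` on the new side is not a printf-style call, so the `%s` is written literally and the ID is simply appended after it; `go vet` flags exactly this pattern. Use `logrus.Warnf("unable to find container ID %q: %v", filter.Id, err)` — `%q` because the ID arrives from the CRI client and may be empty or contain unexpected characters, and the error text because the empty response returned on the next line now hides it from the caller. Note also that the new branch turns every error from `s.CtrIDIndex().Get` into an empty list, not only not-found; if that index can also report an ambiguous prefix (as truncated-ID indexes usually do), an ambiguous filter now silently matches nothing, so consider checking the error kind before swallowing it. ListContainers continues outside this hunk.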
@ -254,7 +254,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
|
|
||||||
securityContext := req.GetConfig().GetLinux().GetSecurityContext()
|
securityContext := req.GetConfig().GetLinux().GetSecurityContext()
|
||||||
if securityContext == nil {
|
if securityContext == nil {
|
||||||
return nil, fmt.Errorf("no security context found")
|
logrus.Warn("no security context found in config.")
|
||||||
}
|
}
|
||||||
|
|
||||||
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
|
processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
|
||||||
|
@ -263,12 +263,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
|
|
||||||
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
|
||||||
namespaceOptions := securityContext.GetNamespaceOptions()
|
if securityContext.GetNamespaceOptions().GetHostPid() || securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
if namespaceOptions == nil {
|
|
||||||
return nil, fmt.Errorf("no namespace options found")
|
|
||||||
}
|
|
||||||
|
|
||||||
if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
|
|
||||||
processLabel, mountLabel = "", ""
|
processLabel, mountLabel = "", ""
|
||||||
}
|
}
|
||||||
g.SetProcessSelinuxLabel(processLabel)
|
g.SetProcessSelinuxLabel(processLabel)
|
||||||
|
@ -276,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
|
|
||||||
// create shm mount for the pod containers.
|
// create shm mount for the pod containers.
|
||||||
var shmPath string
|
var shmPath string
|
||||||
if namespaceOptions.HostIpc {
|
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
shmPath = "/dev/shm"
|
shmPath = "/dev/shm"
|
||||||
} else {
|
} else {
|
||||||
shmPath, err = setupShm(podContainer.RunDir, mountLabel)
|
shmPath, err = setupShm(podContainer.RunDir, mountLabel)
|
||||||
|
@ -317,7 +312,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
hostNetwork := namespaceOptions.HostNetwork
|
hostNetwork := securityContext.GetNamespaceOptions().GetHostNetwork()
|
||||||
|
|
||||||
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -352,7 +347,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
|
portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
|
||||||
|
|
||||||
// setup cgroup settings
|
// setup cgroup settings
|
||||||
cgroupParent := req.GetConfig().GetLinux().CgroupParent
|
cgroupParent := req.GetConfig().GetLinux().GetCgroupParent()
|
||||||
if cgroupParent != "" {
|
if cgroupParent != "" {
|
||||||
if s.config.CgroupManager == oci.SystemdCgroupsManager {
|
if s.config.CgroupManager == oci.SystemdCgroupsManager {
|
||||||
if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
|
if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
|
||||||
|
@ -451,14 +446,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostPid {
|
if securityContext.GetNamespaceOptions().GetHostPid() {
|
||||||
err = g.RemoveLinuxNamespace("pid")
|
err = g.RemoveLinuxNamespace("pid")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostIpc {
|
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
err = g.RemoveLinuxNamespace("ipc")
|
err = g.RemoveLinuxNamespace("ipc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
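Review bot: Downgrading the nil `securityContext` check to `logrus.Warn("no security context found in config.")` changes what an unspecified context means for the sandbox, and nothing in the hunk says what it now gets: the later `securityContext.GetSelinuxOptions()` and `securityContext.GetNamespaceOptions().GetHostPid()` calls work only because the generated getters are nil-safe and return zero values. I would state that next to the log line: `// A missing security context is not an error: the nil-safe getters below yield the defaults (no SELinux options, no host PID/IPC/network namespaces).` As a point of style, the change drops the `namespaceOptions` local and re-evaluates `securityContext.GetNamespaceOptions()` at every use site; keeping `namespaceOptions := securityContext.GetNamespaceOptions()` (nil-safe, so the removed nil check is not needed) and calling `namespaceOptions.GetHostPid()` etc. reads better. RunPodSandbox starts and ends outside these hunks.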