Initial fixes for cri-tests

We now can pass 37/55 tests with this PR.  Remaining tests include may be fixed
with 1.8.

[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName
[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls
[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance]
[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix
[Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance]
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls
[Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa
[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container
[Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance]
[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser
[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container

Signed-off-by: baude <bbaude@redhat.com>

server/container_create.go

@@ -146,7 +146,7 @@ func resolveSymbolicLink(path string) (string, error) {
 
 func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
 	sp := specgen.Spec()
-	if containerConfig.GetLinux().GetSecurityContext().Privileged {
+	if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 		hostDevices, err := devices.HostDevices()
 		if err != nil {
 			return err

server/container_list.go

@@ -40,7 +40,10 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
 	if filter.Id != "" {
 		id, err := s.CtrIDIndex().Get(filter.Id)
 		if err != nil {
-			return nil, err
+			// If we don't find a container ID with a filter, it should not
+			// be considered an error.  Log a warning and return an empty struct
+			logrus.Warn("unable to find container ID %s", filter.Id)
+			return &pb.ListContainersResponse{}, nil
 		}
 		c := s.ContainerServer.GetContainer(id)
 		if c != nil {

server/sandbox_run.go

@@ -254,7 +254,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	securityContext := req.GetConfig().GetLinux().GetSecurityContext()
 	if securityContext == nil {
-		return nil, fmt.Errorf("no security context found")
+		logrus.Warn("no security context found in config.")
 	}
 
 	processLabel, mountLabel, err = getSELinuxLabels(securityContext.GetSelinuxOptions(), privileged)
@@ -263,12 +263,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	}
 
 	// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
-	namespaceOptions := securityContext.GetNamespaceOptions()
-	if namespaceOptions == nil {
-		return nil, fmt.Errorf("no namespace options found")
-	}
-
-	if securityContext.GetNamespaceOptions().HostPid || securityContext.GetNamespaceOptions().HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostPid() || securityContext.GetNamespaceOptions().GetHostIpc() {
 		processLabel, mountLabel = "", ""
 	}
 	g.SetProcessSelinuxLabel(processLabel)
@@ -276,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	// create shm mount for the pod containers.
 	var shmPath string
-	if namespaceOptions.HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostIpc() {
 		shmPath = "/dev/shm"
 	} else {
 		shmPath, err = setupShm(podContainer.RunDir, mountLabel)
@@ -317,7 +312,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		return nil, err
 	}
 
-	hostNetwork := namespaceOptions.HostNetwork
+	hostNetwork := securityContext.GetNamespaceOptions().GetHostNetwork()
 
 	hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
 	if err != nil {
@@ -352,7 +347,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	portMappings := convertPortMappings(req.GetConfig().GetPortMappings())
 
 	// setup cgroup settings
-	cgroupParent := req.GetConfig().GetLinux().CgroupParent
+	cgroupParent := req.GetConfig().GetLinux().GetCgroupParent()
 	if cgroupParent != "" {
 		if s.config.CgroupManager == oci.SystemdCgroupsManager {
 			if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
@@ -451,14 +446,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		}
 	}
 
-	if namespaceOptions.HostPid {
+	if securityContext.GetNamespaceOptions().GetHostPid() {
 		err = g.RemoveLinuxNamespace("pid")
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	if namespaceOptions.HostIpc {
+	if securityContext.GetNamespaceOptions().GetHostIpc() {
 		err = g.RemoveLinuxNamespace("ipc")
 		if err != nil {
 			return nil, err