Commit graph

160 commits

Author SHA1 Message Date
Antonio Murdaca
a0157078ad
sandbox: fix sandbox logPath when crio restarts
We weren't setting the logPath of the sandbox when restoring sandboxes
and containers upon a crio restarts. That means that if you restart
CRI-O you get sandboxes with empty logPath. That means that when you're
starting a container in a restored sandbox you get a relative logPath
for the container:

sandboxLogPath: "/var/something"
- restore
sandboxLogPath: ""
- create container foo
containerLogPath: "foo_attempt.log"

With this patch we actually get an absolute path (which is correct):

sandboxLogPath: "/var/something"
- restore
sandboxLogPath: "/var/something"
- create container foo
containerLogPath: "/var/something/foo_attempt.log"

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-02-09 15:54:47 +01:00
Antonio Murdaca
cf37995d30
container_create: only bind mount /etc/hosts if not provided by k8s
k8s already mounts /etc/hosts from /var/lib/kubelet/pods/<ID>/etc-hosts
even for host network. We shouldn't play with it unless we're running
from crictl for instance.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-01-24 15:06:41 +01:00
Mrunal Patel
ed40d645cd
Merge pull request #1255 from runcom/panics-grpc-getters
server: use grpc getters to avoid panics
2018-01-23 07:43:08 -08:00
W. Trevor King
523326b7ba server/container_create: Factor out setupCapabilities helper
Having a separate function holding the details of this makes reading
createSandboxContainer easier.

While I was moving the code, I've also cleaned up two things:

* The nil capabilities check is now earlier, where before it had been
  between the ALL handling and the non-ALL handling.

* I've added a capPrefixed variable to avoid having multiple
  toCAPPrefixed calls per capability.

Signed-off-by: W. Trevor King <wking@tremily.us>
2018-01-19 11:52:45 -08:00
Antonio Murdaca
8c190a683c
server: use grpc getters to avoid panics
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-01-12 16:14:29 +01:00
Daniel J Walsh
23d20c9db5 Allow additional arguments to be passed into hooks
If a packager wants to be able to support addititional arguments on his
hook this will allow them to setup the configuration with these arguments.

For example this would allow a hook developer to add support for a --debug
flag to change the level of debugging in his hook.

In order to complete this task, I had to vendor in the latest
github.com://opencontainers/runtime-tools, which caused me to have to fix a
Mount and Capability interface calls

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-01-09 13:44:16 -05:00
Antonio Murdaca
de0be63495
container_create: set cpuset cpus|mems
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-12-20 19:20:57 +01:00
Nalin Dahyabhai
893aa4e8c7 Be more diligent about cleaning up failed-to-create containers
If server/Server.createSandboxContainer() fails after calling
server/Server.StorageRuntimeServer().CreateContainer(), cleanup logic in
server/Server.CreateContainer() won't try to clean it up, but we still
need to clean up the on-disk container and its layer.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 14:23:53 -05:00
Nalin Dahyabhai
f3b7065bd8 Return image references from the storage package
The image's canonical reference is a name with a digest of the image's
manifest, so in imageService.ImageStatus() and
imageService.ListImages(), divide the image's name list into tagged and
digested values, and if we have names, add canonical versions.

In Server.ContainerStatus(), return the image name as it was given to us
as the image, and the image digested reference as the image reference.

In Server.ListImages(), be sure to only return tagged names in the
RepoTags field.  In Server.ImageStatus(), also return canonical
references in the RepoDigests field.

In Server.PullImage(), be sure that we consistently return the same
image reference for an image, whether we ended up pulling it or not.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 14:23:52 -05:00
Daniel J Walsh
b9ffd277b9
Merge pull request #1192 from runcom/no-libkpod
libkpod -> lib rename
2017-12-01 08:44:44 -05:00
Mrunal Patel
2cae11ba35 Merge pull request #1189 from runcom/fix-apparmor-master
container_create: fix apparmor from container config
2017-11-30 08:56:46 -10:00
Antonio Murdaca
b8bba70f99
libkpod -> lib rename
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-30 17:08:26 +01:00
Antonio Murdaca
c8aad704dd
container_create: fix apparmor from container config
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-30 16:12:16 +01:00
Antonio Murdaca
902acca4af
container_create: correctly set image and kube envs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-30 12:28:50 +01:00
Antonio Murdaca
87f1ae214f
image_pull: fix image resolver
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-28 23:53:18 +01:00
Antonio Murdaca
a75362dca0
Add /proc/scsi to masked paths
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-22 12:25:43 +01:00
Mrunal Patel
946307e5c2 Make pid namespace sharing optional and disabled by default
We reverse the logic so that pid ns sharing is disabled by default.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-11-18 06:47:06 -08:00
Wei Wei
702ab3ee3a share pid namespace for Pod container
Signed-off-by: Wei Wei <weiwei.inf@gmail.com>
2017-11-17 09:56:33 +08:00
Antonio Murdaca
586eda8245
container_create: set the seccomp profile in the container object
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-12 17:51:32 +01:00
Antonio Murdaca
33f699bad4
server: validate labels size to avoid dos
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-12 01:54:19 +01:00
Antonio Murdaca
b959f8996d
server: add prometheus metrics for CRI operations
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-09 16:51:00 +01:00
Mrunal Patel
3f9e539bde
Merge pull request #1117 from runcom/setup-cwd
container_create: setup cwd for containers
2017-11-04 05:21:26 -07:00
Antonio Murdaca
140f85df72
container_create: setup cwd for containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-03 19:23:44 +01:00
Mrunal Patel
fa1ad4f54e Add HOSTNAME env var to container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-11-02 10:24:56 -07:00
Mrunal Patel
4e2c6911ad
container: Don't add rprivate to all mounts
This fixes the mount propagation tests

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-11-02 16:07:52 +01:00
Antonio Murdaca
7d7024999b
sandbox, ctrs: fixup seccomp for 1.8
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:52 +01:00
Antonio Murdaca
c70198617f
container_create: set mount propagation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Antonio Murdaca
e41ba62b19
container_create: honor no_new_privs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Antonio Murdaca
15afc4d3de
container_create: sort mounts before adding them to the spec
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-29 12:31:18 +01:00
Antonio Murdaca
c316e5d8cf
oci: respect process spec on exec
This patch fixes exec to use the original (start-time) process exec
configuration. Otherwise, we were creating a brand new spec process w/o
additional groups for instance.
Spotted while integrating CRI-O with cri-test...The test was failing
with:
```
• Failure [10.640 seconds]
[k8s.io] Security Context
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
  bucket
  /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:407
    runtime should support SupplementalGroups [It]
    /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:272

    Expected
        <[]string | len:1, cap:1>: ["0"]
    to contain element matching
        <string>: 1234
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-24 22:39:17 +02:00
Antonio Murdaca
da725f3e5f
fix host pid handling for containers and share uts ns
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-19 21:13:28 +02:00
umohnani8
a11b1f953d Fixed logic flaw in the secrets mounts
Tested on a REHL box and found out that the mounts were not showing up
Had a logic flaw, where if the mount was "host:container"
Was setting the mount source to "host" and destination to "ctrRunDir/container"
When instead, the mount source should be "ctrRunDir/container" and destination "container"
with the data copied from "host" to "ctrRunDir/container"

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-17 13:08:42 -04:00
Daniel J Walsh
7b9a5c259e Merge pull request #992 from baude/cri_tests_sec
Initial fixes for cri-tests
2017-10-13 19:15:08 -04:00
baude
fc2cae39ef Initial fixes for cri-tests
We now can pass 37/55 tests with this PR.  Remaining tests include may be fixed
with 1.8.

[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName
[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls
[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance]
[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix
[Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance]
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls
[Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa
[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container
[Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance]
[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser
[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container

Signed-off-by: baude <bbaude@redhat.com>
2017-10-13 08:36:14 -05:00
umohnani8
d1aea31786 Follow up changes on secrets patch
Deleted mounts.conf file and moved the secrets mount paths
to a list (default-mounts) in crio.conf

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-12 15:10:07 -04:00
umohnani8
d5b5028cb9 Add secrets patch to crio
Allows the user to define secret paths in /etc/containers/mounts.conf
These are then volume mounted into the container

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-11 20:00:38 -04:00
Mrunal Patel
db0bd66fca Merge pull request #917 from runcom/fixes-rc3-0
Fix Origin test and update kube to v1.7.6
2017-09-25 14:55:42 -07:00
Antonio Murdaca
6c871769b4
server: more fixes for selinux and privileged mode
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
7b0bde4362
container_create: fix seccomp annotations
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
59c0218a9c
container_create: follow symlink for mount host path
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
e8cfe3b867
container_create: support seccomp docker/default annotation
Fixes the following Origin/Kube test:

```
• Failure [10.323 seconds]
[k8s.io] Security Context [Feature:SecurityContext]
/go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:619
  should support seccomp alpha docker/default annotation
[Feature:Seccomp] [It]
  /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/security_context.go:133

  Expected error:
      <*errors.errorString | 0xc420cbacf0>: {
          s: "expected \"2\" in container output: Expected\n
<string>: Seccomp:\t0\n    \nto contain substring\n    <string>: 2",
      }
      expected "2" in container output: Expected
          <string>: Seccomp:	0

      to contain substring
          <string>: 2
  not to have occurred
}
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Mrunal Patel
50baca10e9 Add crio annotations to container endpoint
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Antonio Murdaca
a11b8cd8ec
sandbox, ctr: SELinux fixes
server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: set selinux labels from request, not defaults

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container_create: use sandbox's selinux if container's nil

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: correctly init selinux labels

First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test: testdata: use container_runtime_t selinux type

RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 22:40:17 +02:00
Antonio Murdaca
ec42a40936
server: use grpc getters
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:32 +02:00
Antonio Murdaca
9ec518491f
server: correctly set hostname
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:31 +02:00
Antonio Murdaca
b8a6d358e7 Merge pull request #562 from rhatdan/hooks
Add support for running oci-hooks
2017-09-07 19:06:01 +02:00
Antonio Murdaca
e5b5ffdeac Merge pull request #846 from mrunalp/fix_cgroup_config
Fix cgroup config
2017-09-07 19:04:25 +02:00
Antonio Murdaca
af0a494251
container_create: handle cap add/drop ALL
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 16:43:33 +02:00
Antonio Murdaca
e8553a124d
container_create: better handling of devices
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
b7b57e8731
container_create: Add TERM=xterm when tty=true
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00