The pause container is creating an AVC since the /dev/null device
is not labeled correctly. Looks like we are only setting the label of
the process not the label of the content inside of the container.
This change will label content in the pause container correctly and
eliminate the AVC.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
golint has figured out an optimization that is blocking other pull requests.
This fixes the golint issue.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.
A container inherit its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be
when one of the below conditions is true:
- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
namespaces.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.
Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.
By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Note that crio-logo-source is the full Inkscape SVG source and crio-logo.svg
is an SVGO-optimized version of just the white bg version of the logo.
Issue: #370
Signed-off-by: Máirín Duffy <duffy@redhat.com>
container-storage-setup (Formerly docker-storage-setup) is being converted to
run with container runtimes outside of docker. Specifically we want to use it
with CRI-O/ocid. It does not know anything about the container runtimes it
is generating options for, so it generates them based on the storage CLI of
docker. I see no reason to have the storage option for ocid to be different
and we can just depracate the option for now.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
go install acts incredibly weirdly and rarely does what you want, not to
mention that it's just bad for distribution build setups. Switch back to
go build, which works properly and doesn't have half as many issues.
Fixes: 6c9628cdb1 ("Build and install from GOPATH")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
When looking for the image to use for creating a container, there's no
need to attempt parsing the ID a second time, and doing so can create
confusing error messages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>