Support selinux options/label

Support selinux optios/label Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
2017-08-23 21:33:43 +08:00
parent c311f10a77
commit 0c3304e006
14 changed files with 1294 additions and 5 deletions
--- a/cmd/cri-containerd/cri_containerd.go
+++ b/cmd/cri-containerd/cri_containerd.go
@@ -20,6 +20,7 @@ import (
 	"os"

 	"github.com/golang/glog"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/spf13/pflag"

 	"github.com/kubernetes-incubator/cri-containerd/cmd/cri-containerd/options"
@@ -37,6 +38,10 @@ func main() {
 		os.Exit(0)
 	}

+	if !o.EnableSelinux {
+		selinux.SetDisabled()
+	}
+
 	glog.V(2).Infof("Run cri-containerd grpc server on socket %q", o.SocketPath)
 	service, err := server.NewCRIContainerdService(
 		o.ContainerdEndpoint,
--- a/cmd/cri-containerd/options/options.go
+++ b/cmd/cri-containerd/options/options.go
@@ -46,6 +46,8 @@ type CRIContainerdOptions struct {
 	StreamServerPort string
 	// CgroupPath is the path for the cgroup that cri-containerd is placed in.
 	CgroupPath string
+	// EnableSelinux indicates to enable the selinux support
+	EnableSelinux bool
 }

 // NewCRIContainerdOptions returns a reference to CRIContainerdOptions
@@ -74,6 +76,8 @@ func (c *CRIContainerdOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&c.StreamServerPort, "stream-port",
 		"10010", "The port streaming server is listening on.")
 	fs.StringVar(&c.CgroupPath, "cgroup-path", "", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup")
+	fs.BoolVar(&c.EnableSelinux, "selinux-enabled",
+		false, "Enable selinux support.")
 }

 // InitFlags must be called after adding all cli options flags are defined and