Add MCS label support

Carry of #1246

Signed-off-by: Darren Shepherd <darren@rancher.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
This commit is contained in:
Darren Shepherd
2019-08-23 23:58:37 -07:00
committed by Michael Crosby
parent 40071878d7
commit 24209b91bf
23 changed files with 416 additions and 88 deletions


@@ -61,6 +61,8 @@ type Metadata struct {
RuntimeHandler string
// CNIresult resulting configuration for attached network namespace interfaces
CNIResult *cni.CNIResult
// ProcessLabel is the SELinux process label for the container
ProcessLabel string
}
// MarshalJSON encodes Metadata into bytes in json format.
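Review bot: The new ProcessLabel field becomes part of the JSON-persisted metadata (MarshalJSON follows the struct), so metadata written before this change will decode with an empty label, and the field comment should say both that it is persisted and what an empty value presumably means. Suggested wording: `// ProcessLabel is the SELinux process label for the container. It is persisted with the metadata; an empty value means no label was assigned.` Whether the sandbox store treats an empty label specially on reload is not visible in this hunk.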


@@ -20,6 +20,7 @@ import (
"sync"
"github.com/containerd/containerd"
"github.com/containerd/cri/pkg/store/label"
"github.com/docker/docker/pkg/truncindex"
"github.com/containerd/cri/pkg/netns"
@@ -62,13 +63,15 @@ type Store struct {
lock sync.RWMutex
sandboxes map[string]Sandbox
idIndex *truncindex.TruncIndex
labels *label.Store
}
// NewStore creates a sandbox store.
func NewStore() *Store {
func NewStore(labels *label.Store) *Store {
return &Store{
sandboxes: make(map[string]Sandbox),
idIndex: truncindex.NewTruncIndex([]string{}),
labels: labels,
}
}
@@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error {
if _, ok := s.sandboxes[sb.ID]; ok {
return store.ErrAlreadyExist
}
if err := s.labels.Reserve(sb.ProcessLabel); err != nil {
return err
}
if err := s.idIndex.Add(sb.ID); err != nil {
return err
}
@@ -125,6 +131,7 @@ func (s *Store) Delete(id string) {
// So we need to return if there are error.
return
}
s.labels.Release(s.sandboxes[id].ProcessLabel)
s.idIndex.Delete(id) // nolint: errcheck
delete(s.sandboxes, id)
}
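Review bot: In Store.Add, the label reserved at `s.labels.Reserve(sb.ProcessLabel)` is never released when the following `s.idIndex.Add(sb.ID)` fails, so a failed add leaks the MCS reservation until the process restarts. The error branch should undo the reservation: `s.labels.Release(sb.ProcessLabel)` before `return err`. The same ordering concern applies to any later failure in Add, whose body continues past the hunk. NewStore now dereferences labels on every Add, so a nil argument would panic; a doc comment on NewStore stating that labels must be non-nil would make that contract explicit. The Delete hunk releases the label before removing the entry, which looks correct.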


@@ -19,6 +19,7 @@ package sandbox
import (
"testing"
"github.com/containerd/cri/pkg/store/label"
assertlib "github.com/stretchr/testify/assert"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -109,7 +110,7 @@ func TestSandboxStore(t *testing.T) {
Status{State: StateUnknown},
)
assert := assertlib.New(t)
s := NewStore()
s := NewStore(label.NewStore())
t.Logf("should be able to add sandbox")
for _, sb := range sandboxes {