github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

cri/sbserver: Remap snapshots for sbserver too

Browse Source 
This is a port of 31a6449734 ("Add capability for snapshotters to
declare support for UID remapping") to sbserver.

This patch remaps the rootfs in the platform-specific if user namespaces
are in use, so the pod can read/write to the rootfs.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos 2023-07-07 18:47:07 +02:00
parent 508e6f6e03
commit 36a96d7f32
10 changed files with 82 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/cri/sbserver/container_create.go
View File

@ -206,7 +206,10 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec)) log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec))
// Grab any platform specific snapshotter opts. // Grab any platform specific snapshotter opts.
sOpts := snapshotterOpts(c.config.ContainerdConfig.Snapshotter, config) sOpts, err := snapshotterOpts(c.config.ContainerdConfig.Snapshotter, config)
if err != nil {
return nil, err
}
// Set snapshotter before any other options. // Set snapshotter before any other options.
opts := []containerd.NewContainerOpts{ opts := []containerd.NewContainerOpts{

5
pkg/cri/sbserver/container_create_linux.go
View File

@ -264,6 +264,7 @@ func appArmorProfileExists(profile string) (bool, error) {
} }
// snapshotterOpts returns any Linux specific snapshotter options for the rootfs snapshot // snapshotterOpts returns any Linux specific snapshotter options for the rootfs snapshot
func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) []snapshots.Opt { func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) ([]snapshots.Opt, error) {
return []snapshots.Opt{} nsOpts := config.GetLinux().GetSecurityContext().GetNamespaceOptions()
return snapshotterRemapOpts(nsOpts)
} }

4
pkg/cri/sbserver/container_create_other.go
View File

@ -31,6 +31,6 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
} }
// snapshotterOpts returns snapshotter options for the rootfs snapshot // snapshotterOpts returns snapshotter options for the rootfs snapshot
func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) []snapshots.Opt { func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) ([]snapshots.Opt, error) {
return []snapshots.Opt{} return []snapshots.Opt{}, nil
} }

4
pkg/cri/sbserver/container_create_windows.go
View File

@ -32,7 +32,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
} }
// snapshotterOpts returns any Windows specific snapshotter options for the r/w layer // snapshotterOpts returns any Windows specific snapshotter options for the r/w layer
func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) []snapshots.Opt { func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) ([]snapshots.Opt, error) {
var opts []snapshots.Opt var opts []snapshots.Opt
switch snapshotterName { switch snapshotterName {
@ -47,5 +47,5 @@ func snapshotterOpts(snapshotterName string, config *runtime.ContainerConfig) []
} }
} }
return opts return opts, nil
} }

21
pkg/cri/sbserver/helpers_linux.go
View File

@ -30,12 +30,15 @@ import (
"github.com/moby/sys/mountinfo" "github.com/moby/sys/mountinfo"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
"github.com/containerd/containerd"
"github.com/containerd/containerd/log" "github.com/containerd/containerd/log"
"github.com/containerd/containerd/mount" "github.com/containerd/containerd/mount"
"github.com/containerd/containerd/pkg/apparmor" "github.com/containerd/containerd/pkg/apparmor"
"github.com/containerd/containerd/pkg/seccomp" "github.com/containerd/containerd/pkg/seccomp"
"github.com/containerd/containerd/pkg/seutil" "github.com/containerd/containerd/pkg/seutil"
"github.com/containerd/containerd/snapshots"
) )
// apparmorEnabled returns true if apparmor is enabled, supported by the host, // apparmorEnabled returns true if apparmor is enabled, supported by the host,
@ -181,3 +184,21 @@ func modifyProcessLabel(runtimeType string, spec *specs.Spec) error {
func isUnifiedCgroupsMode() bool { func isUnifiedCgroupsMode() bool {
return cgroups.Mode() == cgroups.Unified return cgroups.Mode() == cgroups.Unified
} }
func snapshotterRemapOpts(nsOpts *runtime.NamespaceOption) ([]snapshots.Opt, error) {
snapshotOpt := []snapshots.Opt{}
usernsOpts := nsOpts.GetUsernsOptions()
if usernsOpts == nil {
return snapshotOpt, nil
}
uids, gids, err := parseUsernsIDs(usernsOpts)
if err != nil {
return nil, fmt.Errorf("user namespace configuration: %w", err)
}
if usernsOpts.GetMode() == runtime.NamespaceMode_POD {
snapshotOpt = append(snapshotOpt, containerd.WithRemapperLabels(0, uids[0].HostID, 0, gids[0].HostID, uids[0].Size))
}
return snapshotOpt, nil
}

21
pkg/cri/sbserver/podsandbox/helpers_linux.go
View File

@ -28,10 +28,13 @@ import (
"syscall" "syscall"
"time" "time"
"github.com/containerd/containerd"
"github.com/containerd/containerd/log" "github.com/containerd/containerd/log"
"github.com/containerd/containerd/mount" "github.com/containerd/containerd/mount"
"github.com/containerd/containerd/pkg/seccomp" "github.com/containerd/containerd/pkg/seccomp"
"github.com/containerd/containerd/pkg/seutil" "github.com/containerd/containerd/pkg/seutil"
"github.com/containerd/containerd/snapshots"
"github.com/moby/sys/mountinfo" "github.com/moby/sys/mountinfo"
runtimespec "github.com/opencontainers/runtime-spec/specs-go" runtimespec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
@ -321,3 +324,21 @@ func parseUsernsIDs(userns *runtime.UserNamespace) (uids, gids []runtimespec.Lin
return uids, gids, nil return uids, gids, nil
} }
func snapshotterRemapOpts(nsOpts *runtime.NamespaceOption) ([]snapshots.Opt, error) {
snapshotOpt := []snapshots.Opt{}
usernsOpts := nsOpts.GetUsernsOptions()
if usernsOpts == nil {
return snapshotOpt, nil
}
uids, gids, err := parseUsernsIDs(usernsOpts)
if err != nil {
return nil, fmt.Errorf("user namespace configuration: %w", err)
}
if usernsOpts.GetMode() == runtime.NamespaceMode_POD {
snapshotOpt = append(snapshotOpt, containerd.WithRemapperLabels(0, uids[0].HostID, 0, gids[0].HostID, uids[0].Size))
}
return snapshotOpt, nil
}

10
pkg/cri/sbserver/podsandbox/sandbox_run.go
View File

@ -136,10 +136,16 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
sandboxLabels := buildLabels(config.Labels, image.ImageSpec.Config.Labels, containerKindSandbox) sandboxLabels := buildLabels(config.Labels, image.ImageSpec.Config.Labels, containerKindSandbox)
snapshotterOpt := snapshots.WithLabels(snapshots.FilterInheritedLabels(config.Annotations)) snapshotterOpt := []snapshots.Opt{snapshots.WithLabels(snapshots.FilterInheritedLabels(config.Annotations))}
extraSOpts, err := sandboxSnapshotterOpts(config)
if err != nil {
return cin, err
}
snapshotterOpt = append(snapshotterOpt, extraSOpts...)
opts := []containerd.NewContainerOpts{ opts := []containerd.NewContainerOpts{
containerd.WithSnapshotter(c.runtimeSnapshotter(ctx, ociRuntime)), containerd.WithSnapshotter(c.runtimeSnapshotter(ctx, ociRuntime)),
customopts.WithNewSnapshot(id, containerdImage, snapshotterOpt), customopts.WithNewSnapshot(id, containerdImage, snapshotterOpt...),
containerd.WithSpec(spec, specOpts...), containerd.WithSpec(spec, specOpts...),
containerd.WithContainerLabels(sandboxLabels), containerd.WithContainerLabels(sandboxLabels),
containerd.WithContainerExtension(sandboxMetadataExtension, &metadata), containerd.WithContainerExtension(sandboxMetadataExtension, &metadata),

8
pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
View File

@ -32,6 +32,7 @@ import (
"github.com/containerd/containerd/pkg/cri/annotations" "github.com/containerd/containerd/pkg/cri/annotations"
customopts "github.com/containerd/containerd/pkg/cri/opts" customopts "github.com/containerd/containerd/pkg/cri/opts"
"github.com/containerd/containerd/pkg/userns" "github.com/containerd/containerd/pkg/userns"
"github.com/containerd/containerd/snapshots"
) )
func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig, func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
@ -345,3 +346,10 @@ func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
} }
return nil return nil
} }
// sandboxSnapshotterOpts generates any platform specific snapshotter options
// for a sandbox container.
func sandboxSnapshotterOpts(config *runtime.PodSandboxConfig) ([]snapshots.Opt, error) {
nsOpts := config.GetLinux().GetSecurityContext().GetNamespaceOptions()
return snapshotterRemapOpts(nsOpts)
}

7
pkg/cri/sbserver/podsandbox/sandbox_run_other.go
View File

@ -21,6 +21,7 @@ package podsandbox
import ( import (
"github.com/containerd/containerd/oci" "github.com/containerd/containerd/oci"
"github.com/containerd/containerd/pkg/cri/annotations" "github.com/containerd/containerd/pkg/cri/annotations"
"github.com/containerd/containerd/snapshots"
imagespec "github.com/opencontainers/image-spec/specs-go/v1" imagespec "github.com/opencontainers/image-spec/specs-go/v1"
runtimespec "github.com/opencontainers/runtime-spec/specs-go" runtimespec "github.com/opencontainers/runtime-spec/specs-go"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1" runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
@ -48,3 +49,9 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error { func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
return nil return nil
} }
// sandboxSnapshotterOpts generates any platform specific snapshotter options
// for a sandbox container.
func sandboxSnapshotterOpts(config *runtime.PodSandboxConfig) ([]snapshots.Opt, error) {
return []snapshots.Opt{}, nil
}

6
pkg/cri/sbserver/podsandbox/sandbox_run_windows.go
View File

@ -27,6 +27,7 @@ import (
"github.com/containerd/containerd/pkg/cri/annotations" "github.com/containerd/containerd/pkg/cri/annotations"
customopts "github.com/containerd/containerd/pkg/cri/opts" customopts "github.com/containerd/containerd/pkg/cri/opts"
"github.com/containerd/containerd/snapshots"
) )
func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig, func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
@ -101,3 +102,8 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error { func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
return nil return nil
} }
// No sandbox snapshotter options needed for windows.
func sandboxSnapshotterOpts(config *runtime.PodSandboxConfig) ([]snapshots.Opt, error) {
return []snapshots.Opt{}, nil
}