Address comments
Signed-off-by: Lantao Liu <lantaol@google.com>
parent
21233b22be
commit
4231473df3
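--- a/[PATH NOT SHOWN ON PAGE, file 1]
+++ b/[PATH NOT SHOWN ON PAGE, file 1]
@@ -30,9 +30,7 @@ import (
 "github.com/docker/docker/pkg/mount"
 "github.com/golang/glog"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 "github.com/opencontainers/runc/libcontainer/devices"
-runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/runtime-tools/validate"
@@ -202,7 +200,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 apparmorSpecOpts, err := generateApparmorSpecOpts(
 securityContext.GetApparmorProfile(),
 securityContext.GetPrivileged(),
-runcapparmor.IsEnabled())
+c.apparmorEnabled)
 if err != nil {
 return nil, fmt.Errorf("failed to generate apparmor spec opts: %v", err)
 }
@@ -213,7 +211,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 seccompSpecOpts, err := generateSeccompSpecOpts(
 securityContext.GetSeccompProfilePath(),
 securityContext.GetPrivileged(),
-runcseccomp.IsEnabled())
+c.seccompEnabled)
 if err != nil {
 return nil, fmt.Errorf("failed to generate seccomp spec opts: %v", err)
 }
@@ -730,11 +728,23 @@ func defaultRuntimeSpec() (*runtimespec.Spec, error) {
 mounts = append(mounts, mount)
 }
 spec.Mounts = mounts
+
+// Make sure no default seccomp/apparmor is specified
+if spec.Process != nil {
+spec.Process.ApparmorProfile = ""
+}
+if spec.Linux != nil {
+spec.Linux.Seccomp = nil
+}
 return spec, nil
 }
 
 // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
 func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (containerd.SpecOpts, error) {
+if privileged {
+// Do not set seccomp profile when container is privileged
+return nil, nil
+}
 // Set seccomp profile
 if seccompProf == runtimeDefault || seccompProf == dockerDefault {
 // use correct default profile (Eg. if not configured otherwise, the default is docker/default)
@@ -746,10 +756,6 @@ func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool
 }
 return nil, nil
 }
-if privileged {
-// Do not set seccomp profile when container is privileged
-return nil, nil
-}
 switch seccompProf {
 case "", unconfinedProfile:
 // Do not set seccomp profile.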
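Review bot: The `if privileged` early return that now sits at the top of generateSeccompSpecOpts (hunks @ -730 and @ -746) silently ignores any profile the security context asked for, including a custom path from GetSeccompProfilePath, whenever the container is privileged; the one-line comment should say this is deliberate rather than an oversight, e.g. `// Privileged containers get no seccomp filter regardless of the requested profile (same as docker); an explicit profile is ignored here, not rejected.`. If generateApparmorSpecOpts (called at @ -202, body not in this diff) has the same ordering it deserves the same wording. In defaultRuntimeSpec the new block clears Process.ApparmorProfile and Linux.Seccomp so that whatever the generator's default spec may have carried no longer acts as a fallback; since the later `case "", unconfinedProfile` path also sets no profile, a container whose security context names no seccomp profile now runs with no filter at all, and the `// Make sure no default seccomp/apparmor is specified` comment should state that the CRI security context is now the only source of a profile. The @ -202 and @ -213 hunks replace the per-call runc probes with `c.apparmorEnabled`/`c.seccompEnabled`; whether those are a one-time snapshot is decided where the service is constructed, outside this file.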
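--- a/[PATH NOT SHOWN ON PAGE, file 2]
+++ b/[PATH NOT SHOWN ON PAGE, file 2]
@@ -26,7 +26,6 @@ import (
 "github.com/cri-o/ocicni/pkg/ocicni"
 "github.com/golang/glog"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "golang.org/x/net/context"
@@ -133,7 +132,7 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 seccompSpecOpts, err := generateSeccompSpecOpts(
 securityContext.GetSeccompProfilePath(),
 securityContext.GetPrivileged(),
-runcseccomp.IsEnabled())
+c.seccompEnabled)
 if err != nil {
 return nil, fmt.Errorf("failed to generate seccomp spec opts: %v", err)
 }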
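--- a/[PATH NOT SHOWN ON PAGE, file 3]
+++ b/[PATH NOT SHOWN ON PAGE, file 3]
@@ -31,6 +31,8 @@ import (
 "github.com/containerd/containerd/plugin"
 "github.com/cri-o/ocicni/pkg/ocicni"
 "github.com/golang/glog"
+runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
+runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 "golang.org/x/net/context"
 "google.golang.org/grpc"
 "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
@@ -66,6 +68,10 @@ type criContainerdService struct {
 config options.Config
 // imageFSUUID is the device uuid of image filesystem.
 imageFSUUID string
+// apparmorEnabled indicates whether apparmor is enabled.
+apparmorEnabled bool
+// seccompEnabled indicates whether seccomp is enabled.
+seccompEnabled bool
 // server is the grpc server.
 server *grpc.Server
 // os is an interface for all required os operations.
@@ -117,6 +123,8 @@ func NewCRIContainerdService(config options.Config) (CRIContainerdService, error
 
 c := &criContainerdService{
 config: config,
+apparmorEnabled: runcapparmor.IsEnabled(),
+seccompEnabled: runcseccomp.IsEnabled(),
 os: osinterface.RealOS{},
 sandboxStore: sandboxstore.NewStore(),
 containerStore: containerstore.NewStore(),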
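Review bot: The new apparmorEnabled and seccompEnabled fields (hunk @ -66) are documented only as "indicates whether ... is enabled", which reads like a configuration switch, whereas the @ -117 hunk shows a single probe of runcapparmor.IsEnabled() / runcseccomp.IsEnabled() taken in NewCRIContainerdService, with nothing in this diff writing the fields again. Suggest `// apparmorEnabled records whether the host supports apparmor, probed once when the service is created (runcapparmor.IsEnabled); it is not re-checked afterwards.` and the same form for seccompEnabled. Sampling once is reasonable for a host-level LSM capability and makes the value easy to override in tests, but saying so explicitly keeps readers of the create paths that consume these fields from expecting them to track later host changes.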