adds support for AppArmor
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown
@@ -14,6 +14,7 @@ install:
|
|||||||
- sudo apt-get install btrfs-tools
|
- sudo apt-get install btrfs-tools
|
||||||
- sudo apt-get install libseccomp2/trusty-backports
|
- sudo apt-get install libseccomp2/trusty-backports
|
||||||
- sudo apt-get install libseccomp-dev/trusty-backports
|
- sudo apt-get install libseccomp-dev/trusty-backports
|
||||||
|
- sudo apt-get install libapparmor-dev
|
||||||
- sudo apt-get install socat
|
- sudo apt-get install socat
|
||||||
- docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
|
- docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
|
||||||
|
|
||||||
|
|||||||
2
Makefile
2
Makefile
@@ -42,7 +42,7 @@ help:
|
|||||||
@echo " * 'clean' - Clean artifacts"
|
@echo " * 'clean' - Clean artifacts"
|
||||||
@echo " * 'verify' - Execute the source code verification tools"
|
@echo " * 'verify' - Execute the source code verification tools"
|
||||||
@echo " * 'install.tools' - Install tools used by verify"
|
@echo " * 'install.tools' - Install tools used by verify"
|
||||||
@echo " * 'install.deps' - Install dependencies of cri-containerd (containerd, runc, cni)"
|
@echo " * 'install.deps' - Install dependencies of cri-containerd (containerd, runc, cni) Note: BUILDTAGS defaults to 'seccomp apparmor' for runc build"
|
||||||
@echo " * 'uninstall' - Remove installed binaries from system locations"
|
@echo " * 'uninstall' - Remove installed binaries from system locations"
|
||||||
@echo " * 'version' - Print current cri-containerd release version"
|
@echo " * 'version' - Print current cri-containerd release version"
|
||||||
|
|
||||||
|
|||||||
@@ -26,9 +26,12 @@ will also do our best to update `cri-containerd` to the latest releases of these
|
|||||||
specifications as appropriate.
|
specifications as appropriate.
|
||||||
### Install Dependencies
|
### Install Dependencies
|
||||||
1. Install runc dependencies.
|
1. Install runc dependencies.
|
||||||
* runc requires installation of the libsecomp development library appropriate for your distribution. `libseccomp-dev` (Ubuntu, Debian) / `libseccomp-devel` (Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a backport version of
|
* runc requires installation of the libsecomp development library appropriate
|
||||||
`libsecomp-dev` is required. See [travis.yml](.travis.yml) for an example on
|
for your distribution. `libseccomp-dev` (Ubuntu, Debian) / `libseccomp-devel`
|
||||||
trusty.
|
(Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a
|
||||||
|
backport version of `libsecomp-dev` is required. See [travis.yml](.travis.yml)
|
||||||
|
for an example on trusty. To use apparmor on Debian, Ubuntu, and related
|
||||||
|
distributions runc requires the installation of `libapparmor-dev`.
|
||||||
2. Install containerd dependencies.
|
2. Install containerd dependencies.
|
||||||
* containerd requires installation of a btrfs development library. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL)
|
* containerd requires installation of a btrfs development library. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL)
|
||||||
3. Install other dependencies:
|
3. Install other dependencies:
|
||||||
|
|||||||
@@ -41,7 +41,8 @@ go get -d ${RUNC_PKG}/...
|
|||||||
cd ${GOPATH}/src/${RUNC_PKG}
|
cd ${GOPATH}/src/${RUNC_PKG}
|
||||||
git fetch --all
|
git fetch --all
|
||||||
git checkout ${RUNC_VERSION}
|
git checkout ${RUNC_VERSION}
|
||||||
make
|
BUILDTAGS=${BUILDTAGS:-seccomp apparmor}
|
||||||
|
make BUILDTAGS="$BUILDTAGS"
|
||||||
sudo make install
|
sudo make install
|
||||||
which runc
|
which runc
|
||||||
|
|
||||||
|
|||||||
@@ -20,7 +20,6 @@ source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
|
|||||||
|
|
||||||
DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
|
DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
|
||||||
DEFAULT_SKIP+="|querying\s\/stats\/summary"
|
DEFAULT_SKIP+="|querying\s\/stats\/summary"
|
||||||
DEFAULT_SKIP+="|AppArmor"
|
|
||||||
DEFAULT_SKIP+="|pull\sfrom\sprivate\sregistry\swith\ssecret"
|
DEFAULT_SKIP+="|pull\sfrom\sprivate\sregistry\swith\ssecret"
|
||||||
|
|
||||||
# FOCUS focuses the test to run.
|
# FOCUS focuses the test to run.
|
||||||
|
|||||||
@@ -22,6 +22,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/containerd/containerd"
|
"github.com/containerd/containerd"
|
||||||
|
"github.com/containerd/containerd/contrib/apparmor"
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||||
"github.com/opencontainers/runc/libcontainer/devices"
|
"github.com/opencontainers/runc/libcontainer/devices"
|
||||||
@@ -37,6 +38,17 @@ import (
|
|||||||
"github.com/kubernetes-incubator/cri-containerd/pkg/util"
|
"github.com/kubernetes-incubator/cri-containerd/pkg/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// profileNamePrefix is the prefix for loading profiles on a localhost. Eg. AppArmor localhost/profileName.
|
||||||
|
profileNamePrefix = "localhost/" // TODO (mikebrow): get localhost/ & runtime/default from CRI kubernetes/kubernetes#51747
|
||||||
|
// runtimeDefault indicates that we should use or create a runtime default apparmor profile.
|
||||||
|
runtimeDefault = "runtime/default"
|
||||||
|
// appArmorDefaultProfileName is name to use when creating a default apparmor profile.
|
||||||
|
appArmorDefaultProfileName = "cri-containerd.apparmor.d"
|
||||||
|
// appArmorEnabled is a flag for globally enabling/disabling apparmor profiles for containers.
|
||||||
|
appArmorEnabled = true // TODO (mikebrow): make these apparmor defaults configurable
|
||||||
|
)
|
||||||
|
|
||||||
// CreateContainer creates a new container in the given PodSandbox.
|
// CreateContainer creates a new container in the given PodSandbox.
|
||||||
func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.CreateContainerRequest) (_ *runtime.CreateContainerResponse, retErr error) {
|
func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.CreateContainerRequest) (_ *runtime.CreateContainerResponse, retErr error) {
|
||||||
config := r.GetConfig()
|
config := r.GetConfig()
|
||||||
@@ -156,6 +168,23 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
|
|||||||
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
|
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
|
||||||
specOpts = append(specOpts, containerd.WithUsername(username))
|
specOpts = append(specOpts, containerd.WithUsername(username))
|
||||||
}
|
}
|
||||||
|
// Set apparmor profile, (privileged or not) if apparmor is enabled
|
||||||
|
if appArmorEnabled {
|
||||||
|
appArmorProf := config.GetLinux().GetSecurityContext().GetApparmorProfile()
|
||||||
|
switch appArmorProf {
|
||||||
|
case runtimeDefault:
|
||||||
|
// TODO (mikebrow): delete created apparmor default profile
|
||||||
|
specOpts = append(specOpts, apparmor.WithDefaultProfile(appArmorDefaultProfileName))
|
||||||
|
case "":
|
||||||
|
// TODO (mikebrow): handle no apparmor profile case see kubernetes/kubernetes#51746
|
||||||
|
default:
|
||||||
|
// Require and Trim default profile name prefix
|
||||||
|
if !strings.HasPrefix(appArmorProf, profileNamePrefix) {
|
||||||
|
return nil, fmt.Errorf("invalid apparmor profile %q", appArmorProf)
|
||||||
|
}
|
||||||
|
specOpts = append(specOpts, apparmor.WithProfile(strings.TrimPrefix(appArmorProf, profileNamePrefix)))
|
||||||
|
}
|
||||||
|
}
|
||||||
opts = append(opts,
|
opts = append(opts,
|
||||||
containerd.WithSpec(spec, specOpts...),
|
containerd.WithSpec(spec, specOpts...),
|
||||||
containerd.WithRuntime(defaultRuntime, nil),
|
containerd.WithRuntime(defaultRuntime, nil),
|
||||||
@@ -264,9 +293,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
|
|||||||
return nil, fmt.Errorf("failed to set capabilities %+v: %v",
|
return nil, fmt.Errorf("failed to set capabilities %+v: %v",
|
||||||
securityContext.GetCapabilities(), err)
|
securityContext.GetCapabilities(), err)
|
||||||
}
|
}
|
||||||
|
// TODO(random-liu): [P2] Add seccomp not privileged only.
|
||||||
// TODO(random-liu): [P2] Add apparmor and seccomp.
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
g.SetProcessSelinuxLabel(processLabel)
|
g.SetProcessSelinuxLabel(processLabel)
|
||||||
@@ -275,7 +302,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
|
|||||||
// TODO: Figure out whether we should set no new privilege for sandbox container by default
|
// TODO: Figure out whether we should set no new privilege for sandbox container by default
|
||||||
g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
|
g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
|
||||||
|
|
||||||
// TODO(random-liu): [P1] Set selinux options.
|
// TODO(random-liu): [P1] Set selinux options (privileged or not).
|
||||||
|
|
||||||
g.SetRootReadonly(securityContext.GetReadonlyRootfs())
|
g.SetRootReadonly(securityContext.GetReadonlyRootfs())
|
||||||
|
|
||||||
|
|||||||
@@ -294,7 +294,9 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
|
|||||||
g.AddLinuxSysctl(key, value)
|
g.AddLinuxSysctl(key, value)
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO(random-liu): [P2] Set apparmor and seccomp from annotations.
|
// TODO(random-liu): [P2] Set seccomp
|
||||||
|
|
||||||
|
// Note: LinuxSandboxSecurityContext does not currently provide an apparmor profile
|
||||||
|
|
||||||
g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))
|
g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))
|
||||||
g.SetProcessOOMScoreAdj(int(defaultSandboxOOMAdj))
|
g.SetProcessOOMScoreAdj(int(defaultSandboxOOMAdj))
|
||||||
|
|||||||
Reference in New Issue
Block a user