Merge pull request #518 from Random-Liu/fix-privileged-caps

Fix privileged caps

pkg/server/container_create.go

@@ -279,7 +279,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 	if err != nil {
 		return nil, err
 	}
-	g := generate.NewFromSpec(spec)
+	g := newSpecGenerator(spec)
 
 	// Set the relative path to the rootfs of the container from containerd's
 	// pre-defined directory.

pkg/server/container_execsync.go

@@ -26,7 +26,6 @@ import (
 	containerdio "github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/golang/glog"
-	"github.com/opencontainers/runtime-tools/generate"
 	"golang.org/x/net/context"
 	"golang.org/x/sys/unix"
 	"k8s.io/client-go/tools/remotecommand"
@@ -100,7 +99,7 @@ func (c *criContainerdService) execInContainer(ctx context.Context, id string, o
 		return nil, fmt.Errorf("failed to load task: %v", err)
 	}
 	if opts.tty {
-		g := generate.NewFromSpec(spec)
+		g := newSpecGenerator(spec)
 		g.AddProcessEnv("TERM", "xterm")
 		spec = g.Spec()
 	}

pkg/server/container_update_resources.go

@@ -26,7 +26,6 @@ import (
 	"github.com/containerd/typeurl"
 	"github.com/golang/glog"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/runtime-tools/generate"
 	"golang.org/x/net/context"
 	"k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
 
@@ -133,7 +132,7 @@ func updateOCILinuxResource(spec *runtimespec.Spec, new *runtime.LinuxContainerR
 	if err := util.DeepCopy(&cloned, spec); err != nil {
 		return nil, fmt.Errorf("failed to deep copy: %v", err)
 	}
-	g := generate.NewFromSpec(&cloned)
+	g := newSpecGenerator(&cloned)
 
 	if new.GetCpuPeriod() != 0 {
 		g.SetLinuxResourcesCPUPeriod(uint64(new.GetCpuPeriod()))

pkg/server/helpers.go

@@ -32,7 +32,9 @@ import (
 	imagedigest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"golang.org/x/net/context"
@@ -397,3 +399,10 @@ func buildLabels(configLabels map[string]string, containerType string) map[strin
 	labels[containerKindLabel] = containerType
 	return labels
 }
+
+// newSpecGenerator creates a new spec generator for the runtime spec.
+func newSpecGenerator(spec *runtimespec.Spec) generate.Generator {
+	g := generate.NewFromSpec(spec)
+	g.HostSpecific = true
+	return g
+}

pkg/server/sandbox_run.go

@@ -30,7 +30,6 @@ import (
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/runtime-tools/generate"
 	"golang.org/x/net/context"
 	"golang.org/x/sys/unix"
 	"k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
@@ -240,7 +239,7 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 	if err != nil {
 		return nil, err
 	}
-	g := generate.NewFromSpec(spec)
+	g := newSpecGenerator(spec)
 
 	// Apply default config from image config.
 	if err := addImageEnvs(&g, imageConfig.Env); err != nil {