github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #1472 from mxpv/profile

Browse Source 
Add config flag to default empty seccomp profile
This commit is contained in:
Wei Fu 2020-05-11 10:16:00 +08:00 committed by GitHub
commit 8252e54f93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 41 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/config.md
View File

@ -78,6 +78,10 @@ version = 2
# when using containerd with Kubernetes <=1.11. # when using containerd with Kubernetes <=1.11.
disable_proc_mount = false disable_proc_mount = false
# unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is
# unset (`""`) for a container (default is `unconfined`)
unset_seccomp_profile = ""
# 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd
[plugins."io.containerd.grpc.v1.cri".containerd] [plugins."io.containerd.grpc.v1.cri".containerd]

3
pkg/config/config.go
View File

@ -225,6 +225,9 @@ type PluginConfig struct {
// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true` // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
// when using containerd with Kubernetes <=1.11. // when using containerd with Kubernetes <=1.11.
DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"` DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
// UnsetSeccompProfile is the profile containerd/cri will use If the provided seccomp profile is
// unset (`""`) for a container (default is `unconfined`)
UnsetSeccompProfile string `toml:"unset_seccomp_profile" json:"unsetSeccompProfile"`
} }
// X509KeyPairStreaming contains the x509 configuration for streaming // X509KeyPairStreaming contains the x509 configuration for streaming

7
pkg/server/container_create_unix.go
View File

@ -286,7 +286,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
specOpts = append(specOpts, apparmorSpecOpts) specOpts = append(specOpts, apparmorSpecOpts)
} }
seccompSpecOpts, err := generateSeccompSpecOpts( seccompSpecOpts, err := c.generateSeccompSpecOpts(
securityContext.GetSeccompProfilePath(), securityContext.GetSeccompProfilePath(),
securityContext.GetPrivileged(), securityContext.GetPrivileged(),
c.seccompEnabled()) c.seccompEnabled())
@ -300,11 +300,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
} }
// generateSeccompSpecOpts generates containerd SpecOpts for seccomp. // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) { func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
if privileged { if privileged {
// Do not set seccomp profile when container is privileged // Do not set seccomp profile when container is privileged
return nil, nil return nil, nil
} }
if seccompProf == "" {
seccompProf = c.config.UnsetSeccompProfile
}
// Set seccomp profile // Set seccomp profile
if seccompProf == runtimeDefault || seccompProf == dockerDefault { if seccompProf == runtimeDefault || seccompProf == dockerDefault {
// use correct default profile (Eg. if not configured otherwise, the default is docker/default) // use correct default profile (Eg. if not configured otherwise, the default is docker/default)

17
pkg/server/container_create_unix_test.go
View File

@ -20,6 +20,7 @@ package server
import ( import (
"context" "context"
"fmt"
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
@ -784,6 +785,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
disable bool disable bool
specOpts oci.SpecOpts specOpts oci.SpecOpts
expectErr bool expectErr bool
defaultProfile string
}{ }{
"should return error if seccomp is specified when seccomp is not supported": { "should return error if seccomp is specified when seccomp is not supported": {
profile: runtimeDefault, profile: runtimeDefault,
@ -824,9 +826,19 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
profile: "test-profile", profile: "test-profile",
expectErr: true, expectErr: true,
}, },
"should use default profile when seccomp is empty": {
defaultProfile: profileNamePrefix + "test-profile",
specOpts: seccomp.WithProfile("test-profile"),
},
"should fallback to docker/default when seccomp is empty and default is runtime/default": {
defaultProfile: runtimeDefault,
specOpts: seccomp.WithDefaultProfile(),
},
} { } {
t.Logf("TestCase %q", desc) t.Run(fmt.Sprintf("TestCase %q", desc), func(t *testing.T) {
specOpts, err := generateSeccompSpecOpts(test.profile, test.privileged, !test.disable) cri := &criService{}
cri.config.UnsetSeccompProfile = test.defaultProfile
specOpts, err := cri.generateSeccompSpecOpts(test.profile, test.privileged, !test.disable)
assert.Equal(t, assert.Equal(t,
reflect.ValueOf(test.specOpts).Pointer(), reflect.ValueOf(test.specOpts).Pointer(),
reflect.ValueOf(specOpts).Pointer()) reflect.ValueOf(specOpts).Pointer())
@ -835,6 +847,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
} else { } else {
assert.NoError(t, err) assert.NoError(t, err)
} }
})
} }
} }

2
pkg/server/sandbox_run_unix.go
View File

@ -161,7 +161,7 @@ func (c *criService) sandboxContainerSpecOpts(config *runtime.PodSandboxConfig,
securityContext = config.GetLinux().GetSecurityContext() securityContext = config.GetLinux().GetSecurityContext()
specOpts []oci.SpecOpts specOpts []oci.SpecOpts
) )
seccompSpecOpts, err := generateSeccompSpecOpts( seccompSpecOpts, err := c.generateSeccompSpecOpts(
securityContext.GetSeccompProfilePath(), securityContext.GetSeccompProfilePath(),
securityContext.GetPrivileged(), securityContext.GetPrivileged(),
c.seccompEnabled()) c.seccompEnabled())