github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Use SpecOpts from new oci package

Browse Source 
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
This commit is contained in:
Daniel Nephin 2017-11-28 14:18:45 -05:00
parent bf5f17ac1e
commit 85d3bf0660
4 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hack/versions
View File

@ -1,5 +1,5 @@
RUNC_VERSION=74a17296470088de3805e138d3d87c62e613dfc4 RUNC_VERSION=74a17296470088de3805e138d3d87c62e613dfc4
CNI_VERSION=v0.6.0 CNI_VERSION=v0.6.0
CONTAINERD_VERSION=70e0c8443ff15dcbd2ad8e0d07ed087fc2a83e05 CONTAINERD_VERSION=9e04cff8e9e3a1bf13c088cb3db1c368e93b33ea
CRITOOL_VERSION=4cd2b047a26a2ef01bbd02ee55f7d70d8825ebb5 CRITOOL_VERSION=4cd2b047a26a2ef01bbd02ee55f7d70d8825ebb5
KUBERNETES_VERSION=164317879bcd810b97e5ebf1c8df041770f2ff1b KUBERNETES_VERSION=164317879bcd810b97e5ebf1c8df041770f2ff1b

13
pkg/server/container_create.go
View File

@ -30,6 +30,7 @@ import (
"github.com/containerd/containerd/linux/runctypes" "github.com/containerd/containerd/linux/runctypes"
"github.com/containerd/containerd/mount" "github.com/containerd/containerd/mount"
"github.com/containerd/containerd/namespaces" "github.com/containerd/containerd/namespaces"
"github.com/containerd/containerd/oci"
"github.com/containerd/typeurl" "github.com/containerd/typeurl"
"github.com/davecgh/go-spew/spew" "github.com/davecgh/go-spew/spew"
"github.com/golang/glog" "github.com/golang/glog"
@ -188,16 +189,16 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
} }
}() }()
var specOpts []containerd.SpecOpts var specOpts []oci.SpecOpts
securityContext := config.GetLinux().GetSecurityContext() securityContext := config.GetLinux().GetSecurityContext()
// Set container username. This could only be done by containerd, because it needs // Set container username. This could only be done by containerd, because it needs
// access to the container rootfs. Pass user name to containerd, and let it overwrite // access to the container rootfs. Pass user name to containerd, and let it overwrite
// the spec for us. // the spec for us.
if uid := securityContext.GetRunAsUser(); uid != nil { if uid := securityContext.GetRunAsUser(); uid != nil {
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue()))) specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
} }
if username := securityContext.GetRunAsUsername(); username != "" { if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, containerd.WithUsername(username)) specOpts = append(specOpts, oci.WithUsername(username))
} }
apparmorSpecOpts, err := generateApparmorSpecOpts( apparmorSpecOpts, err := generateApparmorSpecOpts(
@ -724,7 +725,7 @@ func setOCINamespaces(g *generate.Generator, namespaces *runtime.NamespaceOption
func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) { func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) {
// GenerateSpec needs namespace. // GenerateSpec needs namespace.
ctx := namespaces.WithNamespace(context.Background(), k8sContainerdNamespace) ctx := namespaces.WithNamespace(context.Background(), k8sContainerdNamespace)
spec, err := containerd.GenerateSpec(ctx, nil, &containers.Container{ID: id}) spec, err := oci.GenerateSpec(ctx, nil, &containers.Container{ID: id})
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -751,7 +752,7 @@ func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) {
} }
// generateSeccompSpecOpts generates containerd SpecOpts for seccomp. // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (containerd.SpecOpts, error) { func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
if privileged { if privileged {
// Do not set seccomp profile when container is privileged // Do not set seccomp profile when container is privileged
return nil, nil return nil, nil
@ -784,7 +785,7 @@ func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool
} }
// generateApparmorSpecOpts generates containerd SpecOpts for apparmor. // generateApparmorSpecOpts generates containerd SpecOpts for apparmor.
func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled bool) (containerd.SpecOpts, error) { func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled bool) (oci.SpecOpts, error) {
if !apparmorEnabled { if !apparmorEnabled {
// Should fail loudly if user try to specify apparmor profile // Should fail loudly if user try to specify apparmor profile
// but we don't support it. // but we don't support it.

6
pkg/server/container_create_test.go
View File

@ -21,10 +21,10 @@ import (
"reflect" "reflect"
"testing" "testing"
"github.com/containerd/containerd"
"github.com/containerd/containerd/contrib/apparmor" "github.com/containerd/containerd/contrib/apparmor"
"github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/contrib/seccomp"
"github.com/containerd/containerd/mount" "github.com/containerd/containerd/mount"
"github.com/containerd/containerd/oci"
imagespec "github.com/opencontainers/image-spec/specs-go/v1" imagespec "github.com/opencontainers/image-spec/specs-go/v1"
runtimespec "github.com/opencontainers/runtime-spec/specs-go" runtimespec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
@ -722,7 +722,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
profile string profile string
privileged bool privileged bool
disable bool disable bool
specOpts containerd.SpecOpts specOpts oci.SpecOpts
expectErr bool expectErr bool
}{ }{
"should return error if seccomp is specified when seccomp is not supported": { "should return error if seccomp is specified when seccomp is not supported": {
@ -783,7 +783,7 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
profile string profile string
privileged bool privileged bool
disable bool disable bool
specOpts containerd.SpecOpts specOpts oci.SpecOpts
expectErr bool expectErr bool
}{ }{
"should return error if apparmor is specified when apparmor is not supported": { "should return error if apparmor is specified when apparmor is not supported": {

5
pkg/server/sandbox_run.go
View File

@ -24,6 +24,7 @@ import (
"github.com/containerd/containerd" "github.com/containerd/containerd"
containerdio "github.com/containerd/containerd/cio" containerdio "github.com/containerd/containerd/cio"
"github.com/containerd/containerd/linux/runctypes" "github.com/containerd/containerd/linux/runctypes"
"github.com/containerd/containerd/oci"
"github.com/containerd/typeurl" "github.com/containerd/typeurl"
"github.com/cri-o/ocicni/pkg/ocicni" "github.com/cri-o/ocicni/pkg/ocicni"
"github.com/golang/glog" "github.com/golang/glog"
@ -128,9 +129,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
} }
glog.V(4).Infof("Sandbox container spec: %+v", spec) glog.V(4).Infof("Sandbox container spec: %+v", spec)
var specOpts []containerd.SpecOpts var specOpts []oci.SpecOpts
if uid := securityContext.GetRunAsUser(); uid != nil { if uid := securityContext.GetRunAsUser(); uid != nil {
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue()))) specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
} }
seccompSpecOpts, err := generateSeccompSpecOpts( seccompSpecOpts, err := generateSeccompSpecOpts(