Remove no_pivot when creating container from CRI
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This commit is contained in:
Maksym Pavlenko
parent
07c2ae12e1
commit
8bd82e355a
@ -38,7 +38,6 @@ func DefaultConfig() PluginConfig {
|
||||
ContainerdConfig: ContainerdConfig{
|
||||
Snapshotter: containerd.DefaultSnapshotter,
|
||||
DefaultRuntimeName: "runhcs-wcow-process",
|
||||
NoPivot: false,
|
||||
Runtimes: map[string]Runtime{
|
||||
"runhcs-wcow-process": {
|
||||
Type: "io.containerd.runhcs.v1",
|
||||
|
||||
@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
|
||||
return cntr.IO, nil
|
||||
}
|
||||
|
||||
ctrInfo, err := container.Info(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get container info: %w", err)
|
||||
}
|
||||
|
||||
ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
|
||||
}
|
||||
|
||||
taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
if ociRuntime.Path != "" {
|
||||
taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
|
||||
}
|
||||
|
||||
@ -212,7 +212,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
|
||||
// Create sandbox task in containerd.
|
||||
log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).", id, metadata.Name)
|
||||
|
||||
taskOpts := c.taskOpts(ociRuntime.Type)
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
if ociRuntime.Path != "" {
|
||||
taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
|
||||
}
|
||||
|
||||
@ -22,9 +22,7 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/plugin"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
@ -325,19 +323,3 @@ func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
// TODO(random-liu): Remove this after shim v1 is deprecated.
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
|
||||
// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
|
||||
// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
|
||||
// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
|
||||
// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
|
||||
if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
|
||||
taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
|
||||
}
|
||||
|
||||
return taskOpts
|
||||
}
|
||||
|
||||
@ -19,7 +19,6 @@
|
||||
package podsandbox
|
||||
|
||||
import (
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/pkg/cri/annotations"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
@ -49,8 +48,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
|
||||
func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return []containerd.NewTaskOpts{}
|
||||
}
|
||||
|
||||
@ -26,8 +26,6 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||
|
||||
"github.com/containerd/containerd/pkg/cri/annotations"
|
||||
criconfig "github.com/containerd/containerd/pkg/cri/config"
|
||||
sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
|
||||
)
|
||||
|
||||
@ -207,166 +205,3 @@ func TestHostAccessingSandbox(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetSandboxRuntime(t *testing.T) {
|
||||
untrustedWorkloadRuntime := criconfig.Runtime{
|
||||
Type: "io.containerd.runtime.v1.linux",
|
||||
Engine: "untrusted-workload-runtime",
|
||||
Root: "",
|
||||
}
|
||||
|
||||
defaultRuntime := criconfig.Runtime{
|
||||
Type: "io.containerd.runtime.v1.linux",
|
||||
Engine: "default-runtime",
|
||||
Root: "",
|
||||
}
|
||||
|
||||
fooRuntime := criconfig.Runtime{
|
||||
Type: "io.containerd.runtime.v1.linux",
|
||||
Engine: "foo-bar",
|
||||
Root: "",
|
||||
}
|
||||
|
||||
for desc, test := range map[string]struct {
|
||||
sandboxConfig *runtime.PodSandboxConfig
|
||||
runtimeHandler string
|
||||
runtimes map[string]criconfig.Runtime
|
||||
expectErr bool
|
||||
expectedRuntime criconfig.Runtime
|
||||
}{
|
||||
"should return error if untrusted workload requires host access": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Linux: &runtime.LinuxPodSandboxConfig{
|
||||
SecurityContext: &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: false,
|
||||
NamespaceOptions: &runtime.NamespaceOption{
|
||||
Network: runtime.NamespaceMode_NODE,
|
||||
Pid: runtime.NamespaceMode_NODE,
|
||||
Ipc: runtime.NamespaceMode_NODE,
|
||||
},
|
||||
},
|
||||
},
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
},
|
||||
expectErr: true,
|
||||
},
|
||||
"should use untrusted workload runtime for untrusted workload": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
},
|
||||
expectedRuntime: untrustedWorkloadRuntime,
|
||||
},
|
||||
"should use default runtime for regular workload": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
},
|
||||
expectedRuntime: defaultRuntime,
|
||||
},
|
||||
"should use default runtime for trusted workload": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "false",
|
||||
},
|
||||
},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
},
|
||||
expectedRuntime: defaultRuntime,
|
||||
},
|
||||
"should return error if untrusted workload runtime is required but not configured": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
},
|
||||
expectErr: true,
|
||||
},
|
||||
"should use 'untrusted' runtime for untrusted workload": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
},
|
||||
expectedRuntime: untrustedWorkloadRuntime,
|
||||
},
|
||||
"should use 'untrusted' runtime for untrusted workload & handler": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimeHandler: "untrusted",
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
},
|
||||
expectedRuntime: untrustedWorkloadRuntime,
|
||||
},
|
||||
"should return an error if untrusted annotation with conflicting handler": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{
|
||||
Annotations: map[string]string{
|
||||
annotations.UntrustedWorkload: "true",
|
||||
},
|
||||
},
|
||||
runtimeHandler: "foo",
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
"foo": fooRuntime,
|
||||
},
|
||||
expectErr: true,
|
||||
},
|
||||
"should use correct runtime for a runtime handler": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{},
|
||||
runtimeHandler: "foo",
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
|
||||
"foo": fooRuntime,
|
||||
},
|
||||
expectedRuntime: fooRuntime,
|
||||
},
|
||||
"should return error if runtime handler is required but not configured": {
|
||||
sandboxConfig: &runtime.PodSandboxConfig{},
|
||||
runtimeHandler: "bar",
|
||||
runtimes: map[string]criconfig.Runtime{
|
||||
criconfig.RuntimeDefault: defaultRuntime,
|
||||
"foo": fooRuntime,
|
||||
},
|
||||
expectErr: true,
|
||||
},
|
||||
} {
|
||||
t.Run(desc, func(t *testing.T) {
|
||||
cri := newControllerService()
|
||||
cri.config = criconfig.Config{
|
||||
PluginConfig: criconfig.DefaultConfig(),
|
||||
}
|
||||
cri.config.ContainerdConfig.DefaultRuntimeName = criconfig.RuntimeDefault
|
||||
cri.config.ContainerdConfig.Runtimes = test.runtimes
|
||||
r, err := cri.getSandboxRuntime(test.sandboxConfig, test.runtimeHandler)
|
||||
assert.Equal(t, test.expectErr, err != nil)
|
||||
assert.Equal(t, test.expectedRuntime, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
@ -20,7 +20,6 @@ import (
|
||||
"fmt"
|
||||
"strconv"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
@ -102,8 +101,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
|
||||
func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// No task options needed for windows.
|
||||
func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -1,38 +0,0 @@
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package sbserver
|
||||
|
||||
import (
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/plugin"
|
||||
)
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
// TODO(random-liu): Remove this after shim v1 is deprecated.
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
|
||||
// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
|
||||
// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
|
||||
// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
|
||||
// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
|
||||
if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
|
||||
taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
|
||||
}
|
||||
|
||||
return taskOpts
|
||||
}
|
||||
@ -1,28 +0,0 @@
|
||||
//go:build !windows && !linux
|
||||
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package sbserver
|
||||
|
||||
import (
|
||||
"github.com/containerd/containerd"
|
||||
)
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return []containerd.NewTaskOpts{}
|
||||
}
|
||||
@ -1,26 +0,0 @@
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package sbserver
|
||||
|
||||
import (
|
||||
"github.com/containerd/containerd"
|
||||
)
|
||||
|
||||
// No task options needed for windows.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return nil
|
||||
}
|
||||
@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
|
||||
return cntr.IO, nil
|
||||
}
|
||||
|
||||
ctrInfo, err := container.Info(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get container info: %w", err)
|
||||
}
|
||||
|
||||
ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
|
||||
}
|
||||
|
||||
taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
if ociRuntime.Path != "" {
|
||||
taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
|
||||
}
|
||||
|
||||
@ -236,7 +236,7 @@ systemd_cgroup = true
|
||||
require.NoError(t, err)
|
||||
err = tree.Unmarshal(&nilOptsConfig)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, nilOptsConfig.Runtimes, 3)
|
||||
require.Len(t, nilOptsConfig.Runtimes, 1)
|
||||
|
||||
tree, err = toml.Load(nonNilOpts)
|
||||
require.NoError(t, err)
|
||||
|
||||
@ -352,7 +352,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
|
||||
log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).",
|
||||
id, name)
|
||||
|
||||
taskOpts := c.taskOpts(ociRuntime.Type)
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
if ociRuntime.Path != "" {
|
||||
taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
|
||||
}
|
||||
|
||||
@ -22,9 +22,7 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/plugin"
|
||||
"github.com/containerd/containerd/snapshots"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
@ -344,22 +342,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
|
||||
return nil
|
||||
}
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
// TODO(random-liu): Remove this after shim v1 is deprecated.
|
||||
var taskOpts []containerd.NewTaskOpts
|
||||
|
||||
// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
|
||||
// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
|
||||
// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
|
||||
// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
|
||||
if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
|
||||
taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
|
||||
}
|
||||
|
||||
return taskOpts
|
||||
}
|
||||
|
||||
func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
|
||||
for i := range spec.Linux.Namespaces {
|
||||
if spec.Linux.Namespaces[i].Type == runtimespec.NetworkNamespace {
|
||||
|
||||
@ -19,7 +19,6 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/pkg/cri/annotations"
|
||||
"github.com/containerd/containerd/snapshots"
|
||||
@ -51,11 +50,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
|
||||
return nil
|
||||
}
|
||||
|
||||
// taskOpts generates task options for a (sandbox) container.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return []containerd.NewTaskOpts{}
|
||||
}
|
||||
|
||||
func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
|
||||
}
|
||||
|
||||
|
||||
@ -20,7 +20,6 @@ import (
|
||||
"fmt"
|
||||
"strconv"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/snapshots"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
@ -104,11 +103,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
|
||||
return nil
|
||||
}
|
||||
|
||||
// No task options needed for windows.
|
||||
func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
|
||||
spec.Windows.Network.NetworkNamespace = nsPath
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user