github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

only relabel cri managed host mounts

Browse Source 
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Samuel Karp <skarp@amazon.com>
This commit is contained in:
Michael Crosby
2021-11-09 19:45:40 +00:00
committed by Samuel Karp
parent 432ddecaae
commit 9b0303913f
3 changed files with 57 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/cri/opts/spec_linux.go
View File

@@ -224,30 +224,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
} }
} }
const (
etcHosts = "/etc/hosts"
etcHostname = "/etc/hostname"
resolvConfPath = "/etc/resolv.conf"
)
// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
if mountLabel == "" {
return nil
}
for _, m := range s.Mounts {
switch m.Destination {
case etcHosts, etcHostname, resolvConfPath:
if err := label.Relabel(m.Source, mountLabel, false); err != nil {
return err
}
}
}
return nil
}
}
// Ensure mount point on which path is mounted, is shared. // Ensure mount point on which path is mounted, is shared.
func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error { func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
mountInfo, err := lookupMount(path) mountInfo, err := lookupMount(path)

23
pkg/cri/server/container_create_linux.go
View File

@@ -68,18 +68,20 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
hostpath := c.getSandboxHostname(sandboxID) hostpath := c.getSandboxHostname(sandboxID)
if _, err := c.os.Stat(hostpath); err == nil { if _, err := c.os.Stat(hostpath); err == nil {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: etcHostname, ContainerPath: etcHostname,
HostPath: hostpath, HostPath: hostpath,
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
} }
if !isInCRIMounts(etcHosts, config.GetMounts()) { if !isInCRIMounts(etcHosts, config.GetMounts()) {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: etcHosts, ContainerPath: etcHosts,
HostPath: c.getSandboxHosts(sandboxID), HostPath: c.getSandboxHosts(sandboxID),
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
@@ -87,9 +89,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
// TODO: Need to figure out whether we should always mount it as read-only // TODO: Need to figure out whether we should always mount it as read-only
if !isInCRIMounts(resolvConfPath, config.GetMounts()) { if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: c.getResolvPath(sandboxID), HostPath: c.getResolvPath(sandboxID),
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
@@ -192,7 +195,7 @@ func (c *criService) containerSpec(
} }
}() }()
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel)) specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
if !c.config.DisableProcMount { if !c.config.DisableProcMount {
// Change the default masked/readonly paths to empty slices // Change the default masked/readonly paths to empty slices

77
pkg/cri/server/container_create_linux_test.go
View File

@@ -452,19 +452,22 @@ func TestContainerMounts(t *testing.T) {
}, },
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@@ -478,19 +481,22 @@ func TestContainerMounts(t *testing.T) {
securityContext: &runtime.LinuxContainerSecurityContext{}, securityContext: &runtime.LinuxContainerSecurityContext{},
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@@ -506,19 +512,22 @@ func TestContainerMounts(t *testing.T) {
}, },
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@@ -557,14 +566,16 @@ func TestContainerMounts(t *testing.T) {
securityContext: &runtime.LinuxContainerSecurityContext{}, securityContext: &runtime.LinuxContainerSecurityContext{},
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",