runtime: Add trusted runtime option

Some CRI compatible runtimes may not support privileged operations.
Specifically hypervisor based runtimes (like kata-containers, cc-runtime
and runv) do not support privileged operations like:

- Provide access to the host namespaces
- Create fully privileged containers with access to host devices

Hypervisor based runtimes create container workloads within virtual machines.
When running host-privileged containers using them,
they won't provide support for the requested privileged operations.

This commit adds the new options to define two runtimes:

Trusted runtime : Used when a privileged container is requested.
Default runtime : for non-privileged workloads.

A container that belongs to a privileged pod will inherit this property
and will be created with the trusted runtime.

- Add options to define trusted runtime
- Add logic to decide if a sandbox is trusted
- Export annotation for containers that belong to a trusted sandbox

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit is contained in:
Jose Carlos Venegas Munoz
2018-03-12 00:24:14 -06:00
parent 013ab03a53
commit ca16bd601a
5 changed files with 89 additions and 20 deletions


@@ -87,6 +87,9 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
}
sandboxPid := s.Pid()
trusted := sandbox.Config.Annotations[annotations.PrivilegedSandbox] == "true"
containerRuntime := c.getRuntime(trusted)
// Generate unique id and name for the container and reserve the name.
// Reserve the container name to avoid concurrent `CreateContainer` request creating
// the same container.
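Review bot: the runtime selection on the `trusted := sandbox.Config.Annotations[annotations.PrivilegedSandbox] == "true"` line is driven by an annotation read from the sandbox config; if that map still contains the pod's user-supplied annotations rather than only values the CRI plugin wrote itself, a pod author can set this key to "true" and have an otherwise unprivileged pod's containers created with the trusted (host) runtime instead of the hypervisor-backed default, which defeats the isolation this change is meant to preserve. Suggest deriving `trusted` from the same privileged security-context check used when the sandbox was created (or from CRI-owned metadata recorded at RunPodSandbox time) rather than trusting a string in the annotations map, and adding a test that a pod annotated with this key but without a privileged security context still gets the default runtime.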
@@ -227,10 +230,10 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
opts = append(opts,
containerd.WithSpec(spec, specOpts...),
containerd.WithRuntime(
c.config.ContainerdConfig.Runtime,
containerRuntime.Type,
&runctypes.RuncOptions{
Runtime: c.config.ContainerdConfig.RuntimeEngine,
RuntimeRoot: c.config.ContainerdConfig.RuntimeRoot,
Runtime: containerRuntime.Engine,
RuntimeRoot: containerRuntime.Root,
SystemdCgroup: c.config.SystemdCgroup}), // TODO (mikebrow): add CriuPath when we add support for pause
containerd.WithContainerLabels(containerLabels),
containerd.WithContainerExtension(containerMetadataExtension, &meta))
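Review bot: the runtime type, engine and root now come from `containerRuntime`, but the options struct passed alongside `containerRuntime.Type` is still `&runctypes.RuncOptions{...}` with `SystemdCgroup: c.config.SystemdCgroup`, so a non-runc `Type` (the hypervisor runtimes named in the commit message) receives runc-specific options; it is worth documenting whether those runtimes ignore `RuncOptions` or whether a per-runtime options type is needed. Also, since `containerRuntime` is chosen per container, a container must end up with the same runtime as the sandbox it joins (a container created by one runtime cannot share namespaces with a sandbox created by another), so the RunPodSandbox path should make the identical `trusted` decision and the code here should reject or log a mismatch rather than silently mixing runtimes within one pod.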