Merge pull request #4791 from crosbymichael/base-runtime-opts

[cri] don't clear base security settings
This commit is contained in:
Wei Fu 2020-12-04 14:25:00 +08:00 committed by GitHub
commit cb8253eea3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -114,13 +114,20 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
specOpts := []oci.SpecOpts{ specOpts := []oci.SpecOpts{
customopts.WithoutRunMount, customopts.WithoutRunMount,
customopts.WithoutDefaultSecuritySettings, }
// only clear the default security settings if the runtime does not have a custom
// base runtime spec spec. Admins can use this functionality to define
// default ulimits, seccomp, or other default settings.
if ociRuntime.BaseRuntimeSpec == "" {
specOpts = append(specOpts, customopts.WithoutDefaultSecuritySettings)
}
specOpts = append(specOpts,
customopts.WithRelativeRoot(relativeRootfsPath), customopts.WithRelativeRoot(relativeRootfsPath),
customopts.WithProcessArgs(config, imageConfig), customopts.WithProcessArgs(config, imageConfig),
oci.WithDefaultPathEnv, oci.WithDefaultPathEnv,
// this will be set based on the security context below // this will be set based on the security context below
oci.WithNewPrivileges, oci.WithNewPrivileges,
} )
if config.GetWorkingDir() != "" { if config.GetWorkingDir() != "" {
specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir())) specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
} else if imageConfig.WorkingDir != "" { } else if imageConfig.WorkingDir != "" {