github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Fix apparmor empty case.

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2017-09-20 23:26:22 +00:00
parent 3647ff5976
commit dd3421c3c7
4 changed files with 27 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.travis.yml
View File

@ -42,6 +42,10 @@ before_script:
gcloud auth activate-service-account --key-file gcp-secret.json --project=k8s-cri-containerd; gcloud auth activate-service-account --key-file gcp-secret.json --project=k8s-cri-containerd;
fi fi
env:
# Travis trusty has disabled apparmor, so disable enable in our test.
- CRI_CONTAINERD_FLAGS="--enable-apparmor=false"
jobs: jobs:
include: include:
- stage: Build - stage: Build

9
cmd/cri-containerd/options/options.go
View File

@ -62,8 +62,11 @@ type Config struct {
StreamServerPort string `toml:"stream_server_port"` StreamServerPort string `toml:"stream_server_port"`
// CgroupPath is the path for the cgroup that cri-containerd is placed in. // CgroupPath is the path for the cgroup that cri-containerd is placed in.
CgroupPath string `toml:"cgroup_path"` CgroupPath string `toml:"cgroup_path"`
// EnableSelinux indicates to enable the selinux support // EnableSelinux indicates to enable the selinux support.
EnableSelinux bool `toml:"enable_selinux"` EnableSelinux bool `toml:"enable_selinux"`
// EnableAppArmor indicates to enable apparmor support. cri-containerd will
// apply default apparmor profile if apparmor is enabled.
EnableAppArmor bool `toml:"enable_apparmor"`
// SandboxImage is the image used by sandbox container. // SandboxImage is the image used by sandbox container.
SandboxImage string `toml:"sandbox_image"` SandboxImage string `toml:"sandbox_image"`
} }
@ -109,8 +112,10 @@ func (c *CRIContainerdOptions) AddFlags(fs *pflag.FlagSet) {
"10010", "The port streaming server is listening on.") "10010", "The port streaming server is listening on.")
fs.StringVar(&c.CgroupPath, "cgroup-path", fs.StringVar(&c.CgroupPath, "cgroup-path",
"", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup.") "", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup.")
fs.BoolVar(&c.EnableSelinux, "selinux-enabled", fs.BoolVar(&c.EnableSelinux, "enable-selinux",
false, "Enable selinux support.") false, "Enable selinux support.")
fs.BoolVar(&c.EnableAppArmor, "enable-apparmor",
true, "Enable apparmor support. cri-containerd will apply default apparmor profile when apparmor is enabled.")
fs.StringVar(&c.SandboxImage, "sandbox-image", fs.StringVar(&c.SandboxImage, "sandbox-image",
"gcr.io/google_containers/pause:3.0", "The image used by sandbox container.") "gcr.io/google_containers/pause:3.0", "The image used by sandbox container.")
fs.BoolVar(&c.PrintDefaultConfig, "default-config", fs.BoolVar(&c.PrintDefaultConfig, "default-config",

5
hack/test-utils.sh
View File

@ -16,6 +16,8 @@
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/.. ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
. ${ROOT}/hack/versions . ${ROOT}/hack/versions
# CRI_CONTAINERD_FLAGS are the extra flags to use when start cri-containerd.
CRI_CONTAINERD_FLAGS=${CRI_CONTAINERD_FLAGS:-""}
# start_cri_containerd starts containerd and cri-containerd. # start_cri_containerd starts containerd and cri-containerd.
start_cri_containerd() { start_cri_containerd() {
@ -44,7 +46,8 @@ start_cri_containerd() {
done done
# Start cri-containerd # Start cri-containerd
sudo ${ROOT}/_output/cri-containerd --alsologtostderr --v 4 &> ${report_dir}/cri-containerd.log & sudo ${ROOT}/_output/cri-containerd --alsologtostderr --v 4 ${CRI_CONTAINERD_FLAGS} \
&> ${report_dir}/cri-containerd.log &
} }
# kill_cri_containerd kills containerd and cri-containerd. # kill_cri_containerd kills containerd and cri-containerd.

20
pkg/server/container_create.go
View File

@ -51,8 +51,6 @@ const (
runtimeDefault = "runtime/default" runtimeDefault = "runtime/default"
// appArmorDefaultProfileName is name to use when creating a default apparmor profile. // appArmorDefaultProfileName is name to use when creating a default apparmor profile.
appArmorDefaultProfileName = "cri-containerd.apparmor.d" appArmorDefaultProfileName = "cri-containerd.apparmor.d"
// appArmorEnabled is a flag for globally enabling/disabling apparmor profiles for containers.
appArmorEnabled = true // TODO (mikebrow): make these apparmor defaults configurable
) )
// CreateContainer creates a new container in the given PodSandbox. // CreateContainer creates a new container in the given PodSandbox.
@ -178,24 +176,30 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
} }
var specOpts []containerd.SpecOpts var specOpts []containerd.SpecOpts
securityContext := config.GetLinux().GetSecurityContext()
// Set container username. This could only be done by containerd, because it needs // Set container username. This could only be done by containerd, because it needs
// access to the container rootfs. Pass user name to containerd, and let it overwrite // access to the container rootfs. Pass user name to containerd, and let it overwrite
// the spec for us. // the spec for us.
if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil { if uid := securityContext.GetRunAsUser(); uid != nil {
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue()))) specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
} }
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" { if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, containerd.WithUsername(username)) specOpts = append(specOpts, containerd.WithUsername(username))
} }
// Set apparmor profile, (privileged or not) if apparmor is enabled // Set apparmor profile, (privileged or not) if apparmor is enabled
if appArmorEnabled { if c.config.EnableAppArmor {
appArmorProf := config.GetLinux().GetSecurityContext().GetApparmorProfile() appArmorProf := securityContext.GetApparmorProfile()
switch appArmorProf { switch appArmorProf {
case runtimeDefault: case runtimeDefault:
// TODO (mikebrow): delete created apparmor default profile // TODO (mikebrow): delete created apparmor default profile
specOpts = append(specOpts, apparmor.WithDefaultProfile(appArmorDefaultProfileName)) specOpts = append(specOpts, apparmor.WithDefaultProfile(appArmorDefaultProfileName))
// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
case "": case "":
// TODO (mikebrow): handle no apparmor profile case see kubernetes/kubernetes#51746 // Based on kubernetes#51746, default apparmor profile should be applied
// for non-privileged container when apparmor is not specified.
if !securityContext.GetPrivileged() {
specOpts = append(specOpts, apparmor.WithDefaultProfile(appArmorDefaultProfileName))
}
default: default:
// Require and Trim default profile name prefix // Require and Trim default profile name prefix
if !strings.HasPrefix(appArmorProf, profileNamePrefix) { if !strings.HasPrefix(appArmorProf, profileNamePrefix) {
@ -298,7 +302,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
} }
if securityContext.GetPrivileged() { if securityContext.GetPrivileged() {
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() { if !securityContext.GetPrivileged() {
return nil, fmt.Errorf("no privileged container allowed in sandbox") return nil, fmt.Errorf("no privileged container allowed in sandbox")
} }
if err := setOCIPrivileged(&g, config); err != nil { if err := setOCIPrivileged(&g, config); err != nil {