github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Improve apparmor and selinux support.

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2017-09-22 04:59:01 +00:00
parent 10df5f71a7
commit dd967cde8c
7 changed files with 96 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.travis.yml
View File

@ -42,10 +42,6 @@ before_script:
gcloud auth activate-service-account --key-file gcp-secret.json --project=k8s-cri-containerd; gcloud auth activate-service-account --key-file gcp-secret.json --project=k8s-cri-containerd;
fi fi
env:
# Travis trusty has disabled apparmor, so disable enable in our test.
- CRI_CONTAINERD_FLAGS="--enable-apparmor=false"
jobs: jobs:
include: include:
- stage: Build - stage: Build

29
Makefile
View File

@ -12,22 +12,20 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
GO ?= go GO := go
EPOCH_TEST_COMMIT ?= f9e02affccd51702191e5312665a16045ffef8ab EPOCH_TEST_COMMIT := f9e02affccd51702191e5312665a16045ffef8ab
PROJECT := github.com/kubernetes-incubator/cri-containerd PROJECT := github.com/kubernetes-incubator/cri-containerd
BINDIR ?= ${DESTDIR}/usr/local/bin BINDIR := ${DESTDIR}/usr/local/bin
BUILD_DIR ?= _output BUILD_DIR := _output
# VERSION is derived from the current tag for HEAD plus amends. Version is used # VERSION is derived from the current tag for HEAD plus amends. Version is used
# to set/overide the criContainerdVersion variable in the verison package for # to set/overide the criContainerdVersion variable in the verison package for
# cri-containerd. # cri-containerd.
VERSION := $(shell git describe --tags --dirty) VERSION := $(shell git describe --tags --dirty)
# strip the first char of the tag if it's a `v` # strip the first char of the tag if it's a `v`
VERSION := $(VERSION:v%=%) VERSION := $(VERSION:v%=%)
TARBALL ?= cri-containerd-$(VERSION).tar.gz TARBALL := cri-containerd-$(VERSION).tar.gz
ifdef BUILD_TAGS BUILD_TAGS := apparmor
BUILD_TAGS := -tags $(BUILD_TAGS) GO_LDFLAGS := -X $(PROJECT)/pkg/version.criContainerdVersion=$(VERSION)
endif
GO_LDFLAGS := -ldflags '-X $(PROJECT)/pkg/version.criContainerdVersion=$(VERSION)'
SOURCES := $(shell find . -name '*.go') SOURCES := $(shell find . -name '*.go')
all: binaries all: binaries
@ -71,11 +69,16 @@ boiler:
$(BUILD_DIR)/cri-containerd: $(SOURCES) $(BUILD_DIR)/cri-containerd: $(SOURCES)
$(GO) build -o $@ \ $(GO) build -o $@ \
$(BUILD_TAGS) $(GO_LDFLAGS) $(GO_GCFLAGS) \ -tags '$(BUILD_TAGS)' \
-ldflags '$(GO_LDFLAGS)' \
-gcflags '$(GO_GCFLAGS)' \
$(PROJECT)/cmd/cri-containerd $(PROJECT)/cmd/cri-containerd
test: test:
go test -timeout=10m -race ./pkg/... $(BUILD_TAGS) $(GO_LDFLAGS) $(GO_GCFLAGS) go test -timeout=10m -race ./pkg/... \
-tags '$(BUILD_TAGS)' \
-ldflags '$(GO_LDFLAGS)' \
-gcflags '$(GO_GCFLAGS)'
test-cri: binaries test-cri: binaries
@./hack/test-cri.sh @./hack/test-cri.sh
@ -88,7 +91,7 @@ clean:
binaries: $(BUILD_DIR)/cri-containerd binaries: $(BUILD_DIR)/cri-containerd
static-binaries: GO_LDFLAGS += --ldflags '-extldflags "-fno-PIC -static"' static-binaries: GO_LDFLAGS += -extldflags "-fno-PIC -static"
static-binaries: $(BUILD_DIR)/cri-containerd static-binaries: $(BUILD_DIR)/cri-containerd
install: binaries install: binaries
@ -103,7 +106,7 @@ $(BUILD_DIR)/$(TARBALL): $(BUILD_DIR)/cri-containerd hack/versions
release: $(BUILD_DIR)/$(TARBALL) release: $(BUILD_DIR)/$(TARBALL)
push: $(BUILD_DIR)/$(TARBALL) push: $(BUILD_DIR)/$(TARBALL)
@@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) ./hack/push.sh @BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) ./hack/push.sh
.PHONY: install.deps .PHONY: install.deps

14
cmd/cri-containerd/cri_containerd.go
View File

@ -51,9 +51,7 @@ func main() {
os.Exit(0) os.Exit(0)
} }
if !o.EnableSelinux { validateConfig(o)
selinux.SetDisabled()
}
glog.V(2).Infof("Run cri-containerd grpc server on socket %q", o.SocketPath) glog.V(2).Infof("Run cri-containerd grpc server on socket %q", o.SocketPath)
s, err := server.NewCRIContainerdService(o.Config) s, err := server.NewCRIContainerdService(o.Config)
@ -68,3 +66,13 @@ func main() {
glog.Exitf("Failed to run cri-containerd grpc server: %v", err) glog.Exitf("Failed to run cri-containerd grpc server: %v", err)
} }
} }
func validateConfig(o *options.CRIContainerdOptions) {
if o.EnableSelinux {
if !selinux.GetEnabled() {
glog.Warning("Selinux is not supported")
}
} else {
selinux.SetDisabled()
}
}

5
cmd/cri-containerd/options/options.go
View File

@ -64,9 +64,6 @@ type Config struct {
CgroupPath string `toml:"cgroup_path"` CgroupPath string `toml:"cgroup_path"`
// EnableSelinux indicates to enable the selinux support. // EnableSelinux indicates to enable the selinux support.
EnableSelinux bool `toml:"enable_selinux"` EnableSelinux bool `toml:"enable_selinux"`
// EnableAppArmor indicates to enable apparmor support. cri-containerd will
// apply default apparmor profile if apparmor is enabled.
EnableAppArmor bool `toml:"enable_apparmor"`
// SandboxImage is the image used by sandbox container. // SandboxImage is the image used by sandbox container.
SandboxImage string `toml:"sandbox_image"` SandboxImage string `toml:"sandbox_image"`
} }
@ -114,8 +111,6 @@ func (c *CRIContainerdOptions) AddFlags(fs *pflag.FlagSet) {
"", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup.") "", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup.")
fs.BoolVar(&c.EnableSelinux, "enable-selinux", fs.BoolVar(&c.EnableSelinux, "enable-selinux",
false, "Enable selinux support.") false, "Enable selinux support.")
fs.BoolVar(&c.EnableAppArmor, "enable-apparmor",
true, "Enable apparmor support. cri-containerd will apply default apparmor profile when apparmor is enabled.")
fs.StringVar(&c.SandboxImage, "sandbox-image", fs.StringVar(&c.SandboxImage, "sandbox-image",
"gcr.io/google_containers/pause:3.0", "The image used by sandbox container.") "gcr.io/google_containers/pause:3.0", "The image used by sandbox container.")
fs.BoolVar(&c.PrintDefaultConfig, "default-config", fs.BoolVar(&c.PrintDefaultConfig, "default-config",

9
pkg/server/container_create.go
View File

@ -30,6 +30,7 @@ import (
"github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/mount"
"github.com/golang/glog" "github.com/golang/glog"
imagespec "github.com/opencontainers/image-spec/specs-go/v1" imagespec "github.com/opencontainers/image-spec/specs-go/v1"
runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/devices"
runtimespec "github.com/opencontainers/runtime-spec/specs-go" runtimespec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
@ -201,8 +202,14 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
specOpts = append(specOpts, containerd.WithUsername(username)) specOpts = append(specOpts, containerd.WithUsername(username))
} }
// Set apparmor profile, (privileged or not) if apparmor is enabled // Set apparmor profile, (privileged or not) if apparmor is enabled
if c.config.EnableAppArmor {
appArmorProf := securityContext.GetApparmorProfile() appArmorProf := securityContext.GetApparmorProfile()
if !runcapparmor.IsEnabled() {
// Should fail loudly if user try to specify apparmor profile
// but we don't support it.
if appArmorProf != "" {
return nil, fmt.Errorf("apparmor is not supported")
}
} else {
switch appArmorProf { switch appArmorProf {
case runtimeDefault: case runtimeDefault:
// TODO (mikebrow): delete created apparmor default profile // TODO (mikebrow): delete created apparmor default profile

39
vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go generated vendored Normal file
View File

@ -0,0 +1,39 @@
// +build apparmor,linux
package apparmor
// #cgo LDFLAGS: -lapparmor
// #include <sys/apparmor.h>
// #include <stdlib.h>
import "C"
import (
"fmt"
"io/ioutil"
"os"
"unsafe"
)
// IsEnabled returns true if apparmor is enabled for the host.
func IsEnabled() bool {
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
}
return false
}
// ApplyProfile will apply the profile with the specified name to the process after
// the next exec.
func ApplyProfile(name string) error {
if name == "" {
return nil
}
cName := C.CString(name)
defer C.free(unsafe.Pointer(cName))
if _, err := C.aa_change_onexec(cName); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
}

20
vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go generated vendored Normal file
View File

@ -0,0 +1,20 @@
// +build !apparmor !linux
package apparmor
import (
"errors"
)
var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
func IsEnabled() bool {
return false
}
func ApplyProfile(name string) error {
if name != "" {
return ErrApparmorNotEnabled
}
return nil
}