From 467f9e0e8a10097b793726bf89aeaa661a2e4007 Mon Sep 17 00:00:00 2001 From: Lantao Liu Date: Fri, 26 Jul 2019 13:48:05 -0700 Subject: [PATCH] Fix proc mount support. Signed-off-by: Lantao Liu --- docs/config.md | 4 ++++ pkg/config/config.go | 4 ++++ pkg/server/container_create.go | 20 +++++++------------- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/docs/config.md b/docs/config.md index d0cece963..eafd19864 100644 --- a/docs/config.md +++ b/docs/config.md @@ -79,6 +79,10 @@ version = 2 # max_concurrent_downloads restricts the number of concurrent downloads for each image. max_concurrent_downloads = 3 + # disable_proc_mount disables Kubernetes ProcMount support. This MUST be set to `true` + # when using containerd with Kubernetes <=1.11. + disable_proc_mount = false + # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd [plugins."io.containerd.grpc.v1.cri".containerd] diff --git a/pkg/config/config.go b/pkg/config/config.go index 57dde5540..54e965428 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -179,6 +179,9 @@ type PluginConfig struct { RestrictOOMScoreAdj bool `toml:"restrict_oom_score_adj" json:"restrictOOMScoreAdj"` // MaxConcurrentDownloads restricts the number of concurrent downloads for each image. MaxConcurrentDownloads int `toml:"max_concurrent_downloads" json:"maxConcurrentDownloads"` + // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true` + // when using containerd with Kubernetes <=1.11. + DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"` } // X509KeyPairStreaming contains the x509 configuration for streaming @@ -245,6 +248,7 @@ func DefaultConfig() PluginConfig { }, }, MaxConcurrentDownloads: 3, + DisableProcMount: false, } } diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go index 315a95fdd..c6d1f987f 100644 --- a/pkg/server/container_create.go +++ b/pkg/server/container_create.go @@ -366,20 +366,14 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP } specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel)) - // Apply masked paths if specified. - // When `MaskedPaths` is not specified, keep runtime default for backward compatibility; - // When `MaskedPaths` is specified, but length is zero, clear masked path list. - // Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged() - if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil { - specOpts = append(specOpts, oci.WithMaskedPaths(maskedPaths)) - } + if !c.config.DisableProcMount { + // Apply masked paths if specified. + // Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged() + specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths())) - // Apply readonly paths if specified. - // Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged() - - // Apply readonly paths if specified. - if roPaths := securityContext.GetReadonlyPaths(); roPaths != nil { - specOpts = append(specOpts, oci.WithReadonlyPaths(roPaths)) + // Apply readonly paths if specified. + // Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged() + specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths())) } if securityContext.GetPrivileged() {