Merge pull request #1209 from Random-Liu/fix-proc-mount-support

Fix proc mount support.
Lantao Liu 2019-07-31 23:23:04 -07:00 committed by GitHub
commit fe5eb76cb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 13 deletions


@ -79,6 +79,10 @@ version = 2
# max_concurrent_downloads restricts the number of concurrent downloads for each image. # max_concurrent_downloads restricts the number of concurrent downloads for each image.
max_concurrent_downloads = 3 max_concurrent_downloads = 3
# disable_proc_mount disables Kubernetes ProcMount support. This MUST be set to `true`
# when using containerd with Kubernetes <=1.11.
disable_proc_mount = false
# 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd
[plugins."io.containerd.grpc.v1.cri".containerd] [plugins."io.containerd.grpc.v1.cri".containerd]


@ -179,6 +179,9 @@ type PluginConfig struct {
RestrictOOMScoreAdj bool `toml:"restrict_oom_score_adj" json:"restrictOOMScoreAdj"` RestrictOOMScoreAdj bool `toml:"restrict_oom_score_adj" json:"restrictOOMScoreAdj"`
// MaxConcurrentDownloads restricts the number of concurrent downloads for each image. // MaxConcurrentDownloads restricts the number of concurrent downloads for each image.
MaxConcurrentDownloads int `toml:"max_concurrent_downloads" json:"maxConcurrentDownloads"` MaxConcurrentDownloads int `toml:"max_concurrent_downloads" json:"maxConcurrentDownloads"`
// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
// when using containerd with Kubernetes <=1.11.
DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
} }
// X509KeyPairStreaming contains the x509 configuration for streaming // X509KeyPairStreaming contains the x509 configuration for streaming
@ -245,6 +248,7 @@ func DefaultConfig() PluginConfig {
}, },
}, },
MaxConcurrentDownloads: 3, MaxConcurrentDownloads: 3,
DisableProcMount: false,
} }
} }
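Review bot: The doc comment on the new `DisableProcMount` field says the flag MUST be `true` for Kubernetes <=1.11 but not what goes wrong when it is left at the default `false`, and that is the security-relevant part an operator needs to see. From the container_create.go hunk in this same commit, a non-disabled ProcMount path hands `securityContext.GetMaskedPaths()`/`GetReadonlyPaths()` straight to `oci.WithMaskedPaths`/`oci.WithReadonlyPaths` with no nil check, so a kubelet that never populates those fields appears to leave every non-privileged container with the runtime's default masked and read-only paths cleared (i.e. an unmasked /proc and writable /proc/sys-style paths) — please confirm that reading of the oci helpers. I would extend the comment on lines 28-29 to something like `// When false, the masked and readonly path lists from the kubelet are applied verbatim; kubelets <=1.11 never send them, which clears the runtime defaults for every non-privileged container. Set to true for those kubelets.` The explicit `DisableProcMount: false` in DefaultConfig is also the zero value and could be dropped, but keeping it as documentation of the default is a reasonable style choice.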


@ -366,20 +366,14 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
} }
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel)) specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
// Apply masked paths if specified. if !c.config.DisableProcMount {
// When `MaskedPaths` is not specified, keep runtime default for backward compatibility; // Apply masked paths if specified.
// When `MaskedPaths` is specified, but length is zero, clear masked path list. // Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged() specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil {
specOpts = append(specOpts, oci.WithMaskedPaths(maskedPaths))
}
// Apply readonly paths if specified. // Apply readonly paths if specified.
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged() // Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
// Apply readonly paths if specified.
if roPaths := securityContext.GetReadonlyPaths(); roPaths != nil {
specOpts = append(specOpts, oci.WithReadonlyPaths(roPaths))
} }
if securityContext.GetPrivileged() { if securityContext.GetPrivileged() {
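Review bot: Dropping the `maskedPaths != nil` / `roPaths != nil` guards means an empty list from the kubelet now reaches `oci.WithMaskedPaths`/`oci.WithReadonlyPaths` and, if those helpers assign the list as-is, replaces the runtime's default masked and read-only paths with nothing — the removed comment on the old side ("keep runtime default for backward compatibility") described exactly the behaviour this hunk gives up. The only remaining guard is the operator-set `DisableProcMount`, so a cluster that upgrades containerd without flipping the flag on an old kubelet silently loses /proc masking for every non-privileged container; the protobuf decoding presumably cannot distinguish "unset" from "explicitly empty", which is why a config knob rather than a nil check was chosen, but that should be stated at the call site. I would add a why-comment above the `if !c.config.DisableProcMount {` line such as `// An empty list clears the runtime defaults (ProcMount=Unmasked); kubelets <=1.11 never populate these fields, so DisableProcMount must be set for them.` and, if a logger is in scope here, emit a warning when both lists are empty for a non-privileged container so the misconfiguration is visible at container-create time. generateContainerSpec starts before and continues after this hunk, so the surrounding option handling was not reviewed.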