144 lines
4.4 KiB
Go
144 lines
4.4 KiB
Go
// +build !windows
|
|
|
|
/*
|
|
Copyright The containerd Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package server
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
"regexp"
|
|
"strings"
|
|
|
|
runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
|
|
runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
|
"github.com/pkg/errors"
|
|
runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
|
)
|
|
|
|
const (
|
|
// defaultSandboxOOMAdj is default omm adj for sandbox container. (kubernetes#47938).
|
|
defaultSandboxOOMAdj = -998
|
|
// defaultShmSize is the default size of the sandbox shm.
|
|
defaultShmSize = int64(1024 * 1024 * 64)
|
|
// relativeRootfsPath is the rootfs path relative to bundle path.
|
|
relativeRootfsPath = "rootfs"
|
|
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
|
|
// "The search list is currently limited to six domains with a total of 256 characters."
|
|
maxDNSSearches = 6
|
|
// devShm is the default path of /dev/shm.
|
|
devShm = "/dev/shm"
|
|
// etcHosts is the default path of /etc/hosts file.
|
|
etcHosts = "/etc/hosts"
|
|
// etcHostname is the default path of /etc/hostname file.
|
|
etcHostname = "/etc/hostname"
|
|
// resolvConfPath is the abs path of resolv.conf on host or container.
|
|
resolvConfPath = "/etc/resolv.conf"
|
|
// hostnameEnv is the key for HOSTNAME env.
|
|
hostnameEnv = "HOSTNAME"
|
|
)
|
|
|
|
// getCgroupsPath generates container cgroups path.
|
|
func getCgroupsPath(cgroupsParent, id string) string {
|
|
base := path.Base(cgroupsParent)
|
|
if strings.HasSuffix(base, ".slice") {
|
|
// For a.slice/b.slice/c.slice, base is c.slice.
|
|
// runc systemd cgroup path format is "slice:prefix:name".
|
|
return strings.Join([]string{base, "cri-containerd", id}, ":")
|
|
}
|
|
return filepath.Join(cgroupsParent, id)
|
|
}
|
|
|
|
// getSandboxHostname returns the hostname file path inside the sandbox root directory.
|
|
func (c *criService) getSandboxHostname(id string) string {
|
|
return filepath.Join(c.getSandboxRootDir(id), "hostname")
|
|
}
|
|
|
|
// getSandboxHosts returns the hosts file path inside the sandbox root directory.
|
|
func (c *criService) getSandboxHosts(id string) string {
|
|
return filepath.Join(c.getSandboxRootDir(id), "hosts")
|
|
}
|
|
|
|
// getResolvPath returns resolv.conf filepath for specified sandbox.
|
|
func (c *criService) getResolvPath(id string) string {
|
|
return filepath.Join(c.getSandboxRootDir(id), "resolv.conf")
|
|
}
|
|
|
|
// getSandboxDevShm returns the shm file path inside the sandbox root directory.
|
|
func (c *criService) getSandboxDevShm(id string) string {
|
|
return filepath.Join(c.getVolatileSandboxRootDir(id), "shm")
|
|
}
|
|
|
|
func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) {
|
|
if selinuxOpt == nil {
|
|
return "", "", nil
|
|
}
|
|
|
|
// Should ignored selinuxOpts if they are incomplete.
|
|
if selinuxOpt.GetUser() == "" ||
|
|
selinuxOpt.GetRole() == "" ||
|
|
selinuxOpt.GetType() == "" {
|
|
return "", "", nil
|
|
}
|
|
|
|
// make sure the format of "level" is correct.
|
|
ok, err := checkSelinuxLevel(selinuxOpt.GetLevel())
|
|
if err != nil || !ok {
|
|
return "", "", err
|
|
}
|
|
|
|
labelOpts := fmt.Sprintf("%s:%s:%s:%s",
|
|
selinuxOpt.GetUser(),
|
|
selinuxOpt.GetRole(),
|
|
selinuxOpt.GetType(),
|
|
selinuxOpt.GetLevel())
|
|
|
|
options, err := label.DupSecOpt(labelOpts)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
return label.InitLabels(options)
|
|
}
|
|
|
|
func checkSelinuxLevel(level string) (bool, error) {
|
|
if len(level) == 0 {
|
|
return true, nil
|
|
}
|
|
|
|
matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
|
|
if err != nil || !matched {
|
|
return false, errors.Wrapf(err, "the format of 'level' %q is not correct", level)
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
func (c *criService) apparmorEnabled() bool {
|
|
return runcapparmor.IsEnabled() && !c.config.DisableApparmor
|
|
}
|
|
|
|
func (c *criService) seccompEnabled() bool {
|
|
return runcseccomp.IsEnabled()
|
|
}
|
|
|
|
// openLogFile opens/creates a container log file.
|
|
func openLogFile(path string) (*os.File, error) {
|
|
return os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
|
|
}
|