Support privileged #51
Conversation
|
Will take a look tomorrow, and let's try to get it merged this week. |
Random-Liu
left a comment
Random-Liu
left a comment
There was a problem hiding this comment.
Still reviewing. Will finish today.
pkg/server/container_start.go
Outdated
| "github.com/opencontainers/runtime-tools/generate" | ||
| "github.com/opencontainers/runtime-tools/validate" | ||
| "github.com/syndtr/gocapability/capability" | ||
|
|
pkg/server/container_start.go
Outdated
|
|
||
| // TODO(random-liu): [P1] Set device mapping. | ||
| // Ref https://github.com/moby/moby/blob/master/oci/devices_linux.go. | ||
| if err := addDevices(&g, config.GetDevices(), securityContext.GetPrivileged()); err != nil { |
There was a problem hiding this comment.
nit: addOCIDevices? Follow the convention.
pkg/server/container_start.go
Outdated
| for _, device := range devs { | ||
| dev, err := devices.DeviceFromPath(device.HostPath, device.Permissions) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to add device: %v", err) |
There was a problem hiding this comment.
nit: Directly return error here, or add description for the other error.
pkg/server/container_start.go
Outdated
| } | ||
| } | ||
| return nil | ||
|
|
| } | ||
|
|
||
| addOCIBindMounts(&g, config.GetMounts()) | ||
| securityContext := config.GetLinux().GetSecurityContext() |
There was a problem hiding this comment.
nit: I feel like it would be better to add a function setOCIPrivileged, use setOCIPrivileged if privileged is set, and use other functions if not.
This groups all privileged logic together, which makes it more clear what privilege a privileged container has.
Maybe add a TODO for now.
pkg/server/container_start.go
Outdated
| GID: &dev.Gid, | ||
| } | ||
| g.AddDevice(rd) | ||
| spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, runtimespec.LinuxDeviceCgroup{ |
There was a problem hiding this comment.
Not related to this PR. Don't know why runtime-tools doesn't support this, maybe we could fix it in the future. :)
| } | ||
| func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability, privileged bool) error { | ||
| if privileged { | ||
| // Add all capabilities in privileged mode. |
There was a problem hiding this comment.
There was a problem hiding this comment.
This is my original thought. It is strange why runtime-tools support only cap.
There was a problem hiding this comment.
if privileged {
g.SetupPrivileged(true)
return
}
/*
Other code
*/
pkg/server/container_start.go
Outdated
| if err := g.AddProcessCapability(c); err != nil { | ||
| return err | ||
| for _, c := range capabilities.GetAddCapabilities() { | ||
| if err := g.AddProcessCapability(c); err != nil { |
There was a problem hiding this comment.
We need to do fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) for the CAP passed via CRI.
We don't have the CAP_ prefix in Kubernetes/CRI.
pkg/server/container_start.go
Outdated
| if err := g.DropProcessCapability(c); err != nil { | ||
| return err | ||
| for _, c := range capabilities.GetDropCapabilities() { | ||
| if err := g.DropProcessCapability(c); err != nil { |
|
@heartlock We need test for privileged mode and device mapping. However, We may want to add Other than this, please see the comments above. |
pkg/server/container_start.go
Outdated
| spec.Process.Capabilities.Effective = finalCapList | ||
| spec.Process.Capabilities.Inheritable = finalCapList | ||
| spec.Process.Capabilities.Permitted = finalCapList | ||
| spec.Process.Capabilities.Ambient = finalCapList |
There was a problem hiding this comment.
return here, so we don't need the else. Reducing indent is always prefered.
pkg/server/container_start.go
Outdated
| // TODO(random-liu): [P1] Apply selinux label | ||
| g.AddBindMount(src, dst, options) | ||
| } | ||
| if privileged { |
There was a problem hiding this comment.
I mean:
if !privileged {
return
}
// or else
/*
clearReadyOnly...
*/
This reduces indent of the "clear read only code", which is a preferred coding style.
pkg/server/container_start.go
Outdated
| Access: "rwm", | ||
| }, | ||
| } | ||
| } else { |
There was a problem hiding this comment.
if privileged {
/* set privileged */
return
}
/* other code */
pkg/server/container_start.go
Outdated
| } | ||
| if privileged { | ||
| spec := g.Spec() | ||
| // clear readonly for /sys and cgroup |
There was a problem hiding this comment.
Let's at least add unit test for this behavior, and leave out the others. But please add TODO for adding test for device mapping code.
|
@heartlock Please address comments and rebase your PR. Thanks. |
|
@Random-Liu will do today. |
heartlock
force-pushed
the
support-privileged
branch
2 times, most recently
from
6a35bf5 to
1227911
Compare
|
|
||
| // Add extra mounts first so that CRI specified mounts can override. | ||
| addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...)) | ||
| addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...), securityContext.GetPrivileged()) |
There was a problem hiding this comment.
Why add bind mounts twice? Seems to be error caused by rebase.
There was a problem hiding this comment.
My fault! Forgot to delete previous one.
pkg/server/container_start.go
Outdated
| // TODO(random-liu): [P1] Apply selinux label | ||
| g.AddBindMount(src, dst, options) | ||
| } | ||
| if privileged { |
There was a problem hiding this comment.
I mean:
if !privileged {
return
}
// or else
/*
clearReadyOnly...
*/
This reduces indent of the "clear read only code", which is a preferred coding style.
| } | ||
| func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability, privileged bool) error { | ||
| if privileged { | ||
| // Add all capabilities in privileged mode. |
There was a problem hiding this comment.
if privileged {
g.SetupPrivileged(true)
return
}
/*
Other code
*/
pkg/server/container_start.go
Outdated
| if err := g.AddProcessCapability(c); err != nil { | ||
| return err | ||
| for _, c := range capabilities.GetAddCapabilities() { | ||
| if err := g.AddProcessCapability(c); err != nil { |
pkg/server/container_start.go
Outdated
| Access: "rwm", | ||
| }, | ||
| } | ||
| } else { |
There was a problem hiding this comment.
if privileged {
/* set privileged */
return
}
/* other code */
Signed-off-by: heartlock <[email protected]>
Signed-off-by: heartlock <[email protected]>
heartlock
force-pushed
the
support-privileged
branch
from
1227911 to
73fbe90
Compare
|
LGTM except #51 (comment) and #51 (comment). Will merge this one first and send another PR to address those 2. |
Support privileged
add support for container stats on windows
4 participants
When
privilegedis true:ref: #29 @Random-Liu Ready for review.