-rw-r--r-- | .cirrus.yml | 4 | ||||
-rw-r--r-- | cmd/podman/common/create.go | 10 | ||||
-rwxr-xr-x | contrib/cirrus/integration_test.sh | 2 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 2 | ||||
-rw-r--r-- | libpod/pod.go | 5 | ||||
-rw-r--r-- | libpod/pod_api.go | 2 | ||||
-rw-r--r-- | pkg/specgen/config_linux.go | 93 | ||||
-rw-r--r-- | pkg/specgen/generate/container.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/oci.go | 4 | ||||
-rw-r--r-- | vendor/github.com/seccomp/containers-golang/seccomp.json | 106 | ||||
-rw-r--r-- | vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go | 84 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
15 files changed, 212 insertions, 112 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 292f83951..58c7cd871 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -134,8 +134,7 @@ gating_task:
 # not break. It also verifies all sub-commands have man pages.
 build_script:
 - '/usr/local/bin/entrypoint.sh podman |& ${TIMESTAMP}'
- # FIXME
- #- 'cd $GOSRC && ./hack/podman-commands.sh |& ${TIMESTAMP}'
+ - 'cd $GOSRC && ./hack/podman-commands.sh |& ${TIMESTAMP}'
 # N/B: need 'clean' so some committed files are re-generated.
 - '/usr/local/bin/entrypoint.sh clean podman-remote |& ${TIMESTAMP}'
 - '/usr/local/bin/entrypoint.sh clean podman xref_helpmsgs_manpages BUILDTAGS="exclude_graphdriver_devicemapper selinux seccomp" |& ${TIMESTAMP}'
@@ -512,7 +511,6 @@ special_testing_rootless_task:
 special_testing_in_podman_task:
- skip: $CI == 'true'
 alias: "special_testing_in_podman"
 depends_on:
 - "gating"
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 7086dc839..4d4dea0d2 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -50,7 +50,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 "Drop capabilities from the container",
 )
 createFlags.String(
- "cgroupns", containerConfig.CgroupNS(),
+ "cgroupns", "",
 "cgroup namespace to use",
 )
 createFlags.StringVar(
@@ -244,7 +244,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 "Keep STDIN open even if not attached",
 )
 createFlags.String(
- "ipc", containerConfig.IPCNS(),
+ "ipc", "",
 "IPC namespace to use",
 )
 createFlags.StringVar(
@@ -325,7 +325,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 )
 // markFlagHidden(createFlags, "override-os")
 createFlags.String(
- "pid", containerConfig.PidNS(),
+ "pid", "",
 "PID namespace to use",
 )
 createFlags.Int64Var(
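Review bot: The namespace flags `--cgroupns`, `--ipc` and `--pid` in these three hunks (and `--userns`/`--uts` in the -454 hunk that follows) now default to `""` instead of the containers.conf value, so `--help` no longer shows the configured default and whatever consumes these flags has to apply that default itself when the flag is empty; none of the hunks shows that fallback. If it is resolved downstream (presumably where the namespace mode is parsed), a one-line comment above each of these `createFlags.String(` calls, e.g. `// empty means: fall back to the containers.conf default when the namespace is resolved`, would stop the next reader from reintroducing the default here. GetCreateFlags starts and ends outside these hunks.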
@@ -454,11 +454,11 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 "Username or UID (format: <name|uid>[:<group|gid>])",
 )
 createFlags.String(
- "userns", containerConfig.Containers.UserNS,
+ "userns", "",
 "User namespace to use",
 )
 createFlags.String(
- "uts", containerConfig.Containers.UTSNS,
+ "uts", "",
 "UTS namespace to use",
 )
 createFlags.StringArrayVar(
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
index c92f123fd..1aef678d4 100755
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@@ -18,7 +18,7 @@ cd "$GOSRC"
 case "$SPECIALMODE" in
 in_podman)
- ${CONTAINER_RUNTIME} run --rm --privileged --net=host \
+ ${CONTAINER_RUNTIME} run --rm --privileged --net=host --cgroupns=host \
 -v $GOSRC:$GOSRC:Z \
 --workdir $GOSRC \
 -e "CGROUP_MANAGER=cgroupfs" \
@@ -47,7 +47,7 @@ require (
 github.com/pkg/errors v0.9.1
 github.com/pmezard/go-difflib v1.0.0
 github.com/rootless-containers/rootlesskit v0.9.5
- github.com/seccomp/containers-golang v0.4.1
+ github.com/seccomp/containers-golang v0.5.0
 github.com/sirupsen/logrus v1.6.0
 github.com/spf13/cobra v0.0.7
 github.com/spf13/pflag v1.0.5
@@ -407,6 +407,8 @@ github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8 h1:2c1EFnZHIPCW8q
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
 github.com/seccomp/containers-golang v0.4.1 h1:6hsmsP8Y9T6PWKJELqAkRWkc6Te60+zK64avkjInd44=
 github.com/seccomp/containers-golang v0.4.1/go.mod h1:5fP9lgyYyklJ8fg8Geq193G1QLe0ikf34z+hZKIjmnE=
+github.com/seccomp/containers-golang v0.5.0 h1:uUMOZIz/7TUiEO6h4ursAJY5JT55AzYiN/X5GOj9rvY=
+github.com/seccomp/containers-golang v0.5.0/go.mod h1:5fP9lgyYyklJ8fg8Geq193G1QLe0ikf34z+hZKIjmnE=
 github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
diff --git a/libpod/pod.go b/libpod/pod.go
index 34ceef5ef..8afaa6052 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -171,6 +171,11 @@ func (p *Pod) SharesCgroup() bool {
 return p.config.UsePodCgroupNS
 }
+// Hostname returns the hostname of the pod.
+func (p *Pod) Hostname() string {
+ return p.config.Hostname
+}
+
 // CgroupPath returns the path to the pod's CGroup
 func (p *Pod) CgroupPath() (string, error) {
 p.lock.Lock()
diff --git a/libpod/pod_api.go b/libpod/pod_api.go
index 0be9f2573..e2c4b515d 100644
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -490,7 +490,7 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
 Namespace: p.Namespace(),
 Created: p.CreatedTime(),
 State: podState,
- Hostname: "",
+ Hostname: p.config.Hostname,
 Labels: p.Labels(),
 CreateCgroup: false,
 CgroupParent: p.CgroupParent(),
diff --git a/pkg/specgen/config_linux.go b/pkg/specgen/config_linux.go
deleted file mode 100644
index 82a371492..000000000
--- a/pkg/specgen/config_linux.go
+++ /dev/null
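Review bot: The new `Hostname: p.config.Hostname,` line in Inspect reaches into the config struct directly while the neighbouring fields (`p.Namespace()`, `p.CreatedTime()`, `p.CgroupParent()`) go through accessors, and the same commit adds exactly such an accessor in libpod/pod.go; `Hostname: p.Hostname(),` keeps Inspect consistent and leaves one place to add locking or normalisation later. The new `Pod.Hostname()` reads `p.config` without taking `p.lock`, which appears to match `SharesCgroup` just above it but differs from `CgroupPath`, which locks; if pod config is immutable after creation that is fine, but a short comment on the accessor saying so would make the choice explicit. Inspect's body starts and ends outside the hunk.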
@@ -1,93 +0,0 @@
-package specgen
-
-//func createBlockIO() (*spec.LinuxBlockIO, error) {
-// var ret *spec.LinuxBlockIO
-// bio := &spec.LinuxBlockIO{}
-// if c.Resources.BlkioWeight > 0 {
-// ret = bio
-// bio.Weight = &c.Resources.BlkioWeight
-// }
-// if len(c.Resources.BlkioWeightDevice) > 0 {
-// var lwds []spec.LinuxWeightDevice
-// ret = bio
-// for _, i := range c.Resources.BlkioWeightDevice {
-// wd, err := ValidateweightDevice(i)
-// if err != nil {
-// return ret, errors.Wrapf(err, "invalid values for blkio-weight-device")
-// }
-// wdStat, err := GetStatFromPath(wd.Path)
-// if err != nil {
-// return ret, errors.Wrapf(err, "error getting stat from path %q", wd.Path)
-// }
-// lwd := spec.LinuxWeightDevice{
-// Weight: &wd.Weight,
-// }
-// lwd.Major = int64(unix.Major(wdStat.Rdev))
-// lwd.Minor = int64(unix.Minor(wdStat.Rdev))
-// lwds = append(lwds, lwd)
-// }
-// bio.WeightDevice = lwds
-// }
-// if len(c.Resources.DeviceReadBps) > 0 {
-// ret = bio
-// readBps, err := makeThrottleArray(c.Resources.DeviceReadBps, bps)
-// if err != nil {
-// return ret, err
-// }
-// bio.ThrottleReadBpsDevice = readBps
-// }
-// if len(c.Resources.DeviceWriteBps) > 0 {
-// ret = bio
-// writeBpds, err := makeThrottleArray(c.Resources.DeviceWriteBps, bps)
-// if err != nil {
-// return ret, err
-// }
-// bio.ThrottleWriteBpsDevice = writeBpds
-// }
-// if len(c.Resources.DeviceReadIOps) > 0 {
-// ret = bio
-// readIOps, err := makeThrottleArray(c.Resources.DeviceReadIOps, iops)
-// if err != nil {
-// return ret, err
-// }
-// bio.ThrottleReadIOPSDevice = readIOps
-// }
-// if len(c.Resources.DeviceWriteIOps) > 0 {
-// ret = bio
-// writeIOps, err := makeThrottleArray(c.Resources.DeviceWriteIOps, iops)
-// if err != nil {
-// return ret, err
-// }
-// bio.ThrottleWriteIOPSDevice = writeIOps
-// }
-// return ret, nil
-//}
-
-//func makeThrottleArray(throttleInput []string, rateType int) ([]spec.LinuxThrottleDevice, error) {
-// var (
-// ltds []spec.LinuxThrottleDevice
-// t *throttleDevice
-// err error
-// )
-// for _, i := range throttleInput {
-// if rateType == bps {
-// t, err = validateBpsDevice(i)
-// } else {
-// t, err = validateIOpsDevice(i)
-// }
-// if err != nil {
-// return []spec.LinuxThrottleDevice{}, err
-// }
-// ltdStat, err := GetStatFromPath(t.path)
-// if err != nil {
-// return ltds, errors.Wrapf(err, "error getting stat from path %q", t.path)
-// }
-// ltd := spec.LinuxThrottleDevice{
-// Rate: t.rate,
-// }
-// ltd.Major = int64(unix.Major(ltdStat.Rdev))
-// ltd.Minor = int64(unix.Minor(ltdStat.Rdev))
-// ltds = append(ltds, ltd)
-// }
-// return ltds, nil
-//}
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index a217125f4..3d70571d5 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -194,7 +194,7 @@ func finishThrottleDevices(s *specgen.SpecGenerator) error {
 s.ResourceLimits.BlockIO.ThrottleReadIOPSDevice = append(s.ResourceLimits.BlockIO.ThrottleReadIOPSDevice, v)
 }
 }
- if iops := s.ThrottleWriteBpsDevice; len(iops) > 0 {
+ if iops := s.ThrottleWriteIOPSDevice; len(iops) > 0 {
 for k, v := range iops {
 statT := unix.Stat_t{}
 if err := unix.Stat(k, &statT); err != nil {
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 7ddfed339..de398d1e3 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -114,7 +114,7 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 }
 options = append(options, libpod.WithExitCommand(exitCommandArgs))
- runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts)
+ runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 138d9e0cd..ffa96a5cf 100644
--- a/pkg/specgen/generate/namespaces.go
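Review bot: The corrected `if iops := s.ThrottleWriteIOPSDevice; len(iops) > 0 {` line in finishThrottleDevices fixes a field-name slip that silently applied the wrong limit, and nothing in the hunk pins the behaviour so the slip cannot return; a unit test that sets only `ThrottleWriteIOPSDevice` on a SpecGenerator and asserts the entry lands in `ResourceLimits.BlockIO.ThrottleWriteIOPSDevice` (and not in the read or bps lists) would. The loop body that stats the device path continues outside the hunk, as does the function.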
+++ b/pkg/specgen/generate/namespaces.go
@@ -265,7 +265,7 @@ func GenerateNamespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt
 return toReturn, nil
 }
-func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt *libpod.Runtime) error {
+func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt *libpod.Runtime, pod *libpod.Pod) error {
 // PID
 switch s.PidNS.NSMode {
 case specgen.Path:
@@ -326,6 +326,8 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 hostname := s.Hostname
 if hostname == "" {
 switch {
+ case s.UtsNS.NSMode == specgen.FromPod:
+ hostname = pod.Hostname()
 case s.UtsNS.NSMode == specgen.FromContainer:
 utsCtr, err := rt.LookupContainer(s.UtsNS.Value)
 if err != nil {
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 11b18e2d0..266abd28d 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -118,7 +118,7 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image
 return finalCommand, nil
 }
-func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount) (*spec.Spec, error) {
+func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod) (*spec.Spec, error) {
 var (
 inUserNS bool
 )
@@ -300,7 +300,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 }
 // NAMESPACES
- if err := specConfigureNamespaces(s, &g, rt); err != nil {
+ if err := specConfigureNamespaces(s, &g, rt, pod); err != nil {
 return nil, err
 }
 configSpec := g.Config
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp.json b/vendor/github.com/seccomp/containers-golang/seccomp.json
index 4c84d981f..06b39024a 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp.json
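Review bot: `hostname = pod.Hostname()` in the new `FromPod` case dereferences `pod` without a check, and the widened signature makes `pod` an ordinary pointer parameter that a caller can pass as nil; a spec whose `UtsNS.NSMode` is `specgen.FromPod` for a container created without a pod would then panic inside spec generation rather than fail with an error. Since the function already returns `error`, guard the call: `if pod == nil { return errors.New("uts namespace mode FromPod requires the container to be in a pod") }`, using whichever error package this file already imports. Whether MakeContainer can hand over a nil pod is not visible from the hunks, and specConfigureNamespaces' body continues outside this one.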
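Review bot: SpecGenToOCI is exported and gains a seventh parameter, yet the three lines above its new signature are `return finalCommand, nil`, `}` and a blank, so the function still carries no doc comment and nothing states what `pod` is for or whether nil is acceptable. A doc comment along the lines of `// SpecGenToOCI builds the OCI runtime spec for s; pod is the pod the container is joining and supplies pod-level namespace settings (TODO(review): state whether nil is accepted for containers outside a pod).` would close that gap, and the nil question is the one every caller of the new signature has to answer. The second hunk's call into specConfigureNamespaces is the only place in this file that reads `pod`, as far as the diff shows.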
+++ b/vendor/github.com/seccomp/containers-golang/seccomp.json @@ -317,7 +317,6 @@ "signalfd", "signalfd4", "sigreturn", - "socket", "socketcall", "socketpair", "splice", @@ -769,6 +768,111 @@ ] }, "excludes": {} + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ERRNO", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + }, + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "errnoRet": 22 + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "excludes": {} } ] }
\ No newline at end of file
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
index e137a5887..2e3e337ac 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
@@ -7,6 +7,8 @@ package seccomp // import "github.com/seccomp/containers-golang"
 import (
+ "syscall"
+
 "golang.org/x/sys/unix"
 )
@@ -45,6 +47,8 @@ func arches() []Architecture {
 // DefaultProfile defines the whitelist for the default seccomp profile.
 func DefaultProfile() *Seccomp {
+ einval := uint(syscall.EINVAL)
+
 syscalls := []*Syscall{
 {
 Names: []string{
@@ -313,7 +317,6 @@ func DefaultProfile() *Seccomp {
 "signalfd",
 "signalfd4",
 "sigreturn",
- "socket",
 "socketcall",
 "socketpair",
 "splice",
@@ -652,6 +655,85 @@ func DefaultProfile() *Seccomp {
 Caps: []string{"CAP_SYS_TTY_CONFIG"},
 },
 },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActErrno,
+ ErrnoRet: &einval,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: syscall.AF_NETLINK,
+ Op: OpEqualTo,
+ },
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpEqualTo,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: syscall.AF_NETLINK,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Includes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
 }
 return &Seccomp{
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b6498b3af..e79f8587b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -480,7 +480,7 @@ github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udpproxy
 github.com/rootless-containers/rootlesskit/pkg/port/portutil
 # github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8
 github.com/safchain/ethtool
-# github.com/seccomp/containers-golang v0.4.1
+# github.com/seccomp/containers-golang v0.5.0
 github.com/seccomp/containers-golang
 # github.com/seccomp/libseccomp-golang v0.9.1
 github.com/seccomp/libseccomp-golang
|