diff options
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/security.go | 26 | ||||
-rw-r--r-- | pkg/specgen/generate/validate.go | 6 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 4 |
3 files changed, 24 insertions, 12 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 5e4cc3399..d3e3d9278 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, // Pass capRequiredRequested in CapAdd field to normalize capabilities names capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil) if err != nil { - logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) + return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) } else { // Verify all capRequiered are in the capList for _, cap := range capsRequired { @@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } } - g.SetProcessNoNewPrivileges(s.NoNewPrivileges) - - if err := setupApparmor(s, rtc, g); err != nil { - return err - } - configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist @@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec.Process.Capabilities.Effective = caplist configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Ambient = caplist } else { - configSpec.Process.Capabilities.Effective = []string{} - configSpec.Process.Capabilities.Permitted = []string{} - configSpec.Process.Capabilities.Inheritable = []string{} - configSpec.Process.Capabilities.Ambient = []string{} + userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd) + if err != nil { + return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) + } + configSpec.Process.Capabilities.Effective = userCaps + configSpec.Process.Capabilities.Permitted = userCaps } + + g.SetProcessNoNewPrivileges(s.NoNewPrivileges) + + if err := setupApparmor(s, rtc, g); err != nil { + return err + } + // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go index dca45cc0e..ed337321b 100644 --- a/pkg/specgen/generate/validate.go +++ b/pkg/specgen/generate/validate.go @@ -23,6 +23,12 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) { return warnings, nil } + if s.ResourceLimits.Unified != nil { + if !cgroup2 { + return nil, errors.New("Cannot use --cgroup-conf without cgroup v2") + } + } + // Memory checks if s.ResourceLimits.Memory != nil { memory := s.ResourceLimits.Memory diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index a9161071b..a52225f87 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -415,6 +415,10 @@ type ContainerResourceConfig struct { ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"` // IO write rate limit per cgroup per device, IO per second ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"` + // CgroupConf are key-value options passed into the container runtime + // that are used to configure cgroup v2. + // Optional. + CgroupConf map[string]string `json:"unified,omitempty"` } // ContainerHealthCheckConfig describes a container healthcheck with attributes |