add seccomp profile, hooks dir override for containerd #8044
Hi @drahnr, I have noticed the commit history is a bit messed up. To fix it, the easiest way IMO is
Later, if you want to get updates from the master branch, you could
@xtremerui I am not sure why the unit and watsjs tests fail; to my knowledge the files I changed should not affect these checks. I can't seem to access the test result from the run when trying to log in with my gh account. It either errors or loads indefinitely.
The error in the unit test:
You can join the contributors team in concourse/governance to view the build log.
@xtremerui I am not entirely sure what's happening, but the CI is gimping out on various, seemingly unrelated ends and I don't even know where to begin to debug.
@drahnr In case you're still stuck, you can reproduce locally by running:
I got the same result as what's in CI.
Looks like your
Sorry for the noise, new language (it's rather painful coming from Rust). How's the logging supposed to be implemented, the current
@xtremerui / @taylorsilva I'd appreciate a review :)
Gentle ping
@drahnr thx for the PR. Just want to make sure the feature is completely optional, as we want to make v7.9 a good upgrade for existing users without worrying about behaviour changes.
Just did another worker run, both using the newly added flags and not using them. Either way works fine. So as far as I can tell, this is fine to be merged. (I am still not convinced using
Gentle ping
Is there anything that's left or missing to do?
@drahnr So far it is just pending review.
Thank you for the PR. Just some nits, then we are good to go.
    }
    fmt.Println("Using seccomp rules from path by default:", b.seccompProfilePath)
    b.seccompProfile = profile
} else {
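Review bot: the message at fmt.Println("Using seccomp rules from path by default:", b.seccompProfilePath) is emitted in the branch that loads an explicitly configured profile, so "by default" is misleading; suggest wording such as "Using seccomp profile from path:" and sending it through the worker's logger rather than fmt.Println to stdout, so the chosen profile is recorded alongside the rest of the worker's log output.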
Not needed.
The else case is needed, unless there is some lang feature I am not aware of? It's the only place where seccompProfile is initialized if no arg was given.
So if b.seccompProfilePath is not set, it will skip lines 213 to 224 and execute line 225 and then line 228. That is the same as if you remove lines 224 and 226. Maybe I was not clear here in the first place, sorry about that.
I actually meant keeping line 225 while removing lines 224 and 226.
Wouldn't removing the else cause b.seccompProfile to always be set to the default?
I agree with @wailashi, see next comment.
This reverts commit a78e6b3. Signed-off-by: Bernhard Schuster <bernhard@ahoi.io>
gentle 🎄 / ☃️ ping
gentle ☃️ ping
} else {
    b.seccompProfile = bespec.GetDefaultSeccompProfile()
}
Suggested change:
-    } else {
-        b.seccompProfile = bespec.GetDefaultSeccompProfile()
-    }
+    b.seccompProfile = bespec.GetDefaultSeccompProfile()
I do not understand the proposed changeset. The if branch covers and fills b.seccompProfile from the provided path or fails; the else branch should fill it (b.seccompProfile) with the default seccomp profile bespec.GetDefaultSeccompProfile(). If the else case is removed, it will override the loaded seccomp profile with the default one.
Either I do not understand the flow of Go code, or I am missing some impl detail; right now I do not see how this would work and why the else branch is not needed. Could you clarify please?
Oh, my mistake here. I thought we either want to always set it to default or the provided one. If that's not the case then we are good here.
We always want to set it either explicitly by loading from file, or using the default one. If you want to avoid the else branch we'd have to move b.seccompProfile = bespec.GetDefaultSeccompProfile() up before the if branch.
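As an added example (not code from this PR or from Concourse), the two structures debated above side by side in Go: the default assigned before the if, as proposed in the comment above, versus the suggested change with the else dropped, which lets the default overwrite a profile that was loaded from the path. Profile, its field names and the SECCOMP_PROFILE_PATH variable are assumptions made for this demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Profile is a constructed, minimal stand-in for the seccomp JSON the worker
// hands to the runtime; the field names are assumed, not Concourse's own.
type Profile struct {
	DefaultAction string   `json:"defaultAction"`
	Syscalls      []string `json:"syscalls,omitempty"`
}

// defaultProfile plays the role of bespec.GetDefaultSeccompProfile() here.
var defaultProfile = Profile{DefaultAction: "SCMP_ACT_ERRNO", Syscalls: []string{"read", "write", "exit_group"}}

// resolveProfile is the flow the PR author describes, with the default assigned
// before the if (so no else branch is needed): an explicit path must load and
// parse or the call fails; only an empty path yields the built-in default.
func resolveProfile(path string) (Profile, error) {
	profile := defaultProfile
	if path != "" {
		raw, err := os.ReadFile(path)
		if err != nil {
			return Profile{}, fmt.Errorf("read seccomp profile %q: %w", path, err)
		}
		var loaded Profile // decode into a fresh value so absent fields do not inherit defaults
		if err := json.Unmarshal(raw, &loaded); err != nil {
			return Profile{}, fmt.Errorf("parse seccomp profile %q: %w", path, err)
		}
		profile = loaded
	}
	return profile, nil
}

// resolveProfileNoElse is the review suggestion taken literally: the else is
// dropped and the default assigned after the if, so a loaded profile is lost.
func resolveProfileNoElse(path string) (Profile, error) {
	if _, err := resolveProfile(path); err != nil { // loading still fails the same way
		return Profile{}, err
	}
	return defaultProfile, nil // what the caller actually receives
}

func main() {
	p, err := resolveProfile(os.Getenv("SECCOMP_PROFILE_PATH")) // env name is constructed for this demo
	fmt.Println(p, err)
}
```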
Allow passing an explicit seccomp profile in JSON format to override the default abilities for the worker.
This allows for more fine-grained control, e.g. to allow simplistic passthrough of GPUs and other worker-specific devices.
For some devices, pre and post hooks are required to be used with e.g. containerd. The client has to pass these on. As such, the worker has to be instructed to pass them on to the container runtime. (WIP)
Changes proposed by this PR
ref #6912
Notes to reviewer
I am new to golang, if there are any idioms I am violating, happy to correct!
Release Note