[WIP-Refactor part 1] Move container mounts to internal/factory/container #7859
86bac11
bad837a
d9d94ea
828b524
531e8b8
591ad69
e70343e
54c133f
572833d
2cc567d
ff82b65
73df13e
59ef28f
7d2f27c
c160309
e4e72ed
4b4e0c6
3919d1d
03c46e4
1dba547
38f2656
0ad1d38
65affef
@@ -0,0 +1,58 @@ | ||
FROM fedora:latest | ||
|
||
RUN dnf update -y && \ | ||
dnf install -y jq \ | ||
vim \ | ||
systemd \ | ||
bats \ | ||
cri-tools \ | ||
containernetworking-plugins \ | ||
conmon \ | ||
containers-common \ | ||
device-mapper-devel \ | ||
git \ | ||
make \ | ||
glib2-devel \ | ||
glibc-devel \ | ||
glibc-static \ | ||
runc \ | ||
libassuan \ | ||
libassuan-devel \ | ||
libgpg-error \ | ||
libseccomp-devel \ | ||
libselinux \ | ||
pkgconf-pkg-config \ | ||
gpgme-devel \ | ||
gcc-go \ | ||
btrfs-progs-devel \ | ||
python3 \ | ||
socat \ | ||
nftables \ | ||
iptables-nft \ | ||
net-tools \ | ||
procps \ | ||
wget \ | ||
bash-completion \ | ||
buildah \ | ||
openssl \ | ||
python \ | ||
iputils \ | ||
iproute \ | ||
podman | ||
|
||
WORKDIR /root | ||
|
||
RUN echo "containers:100000:65536" | tee -a /etc/subuid && \ | ||
echo "containers:100000:65536" | tee -a /etc/subgid && \ | ||
printf "RateLimitInterval=0\nRateLimitBurst=0\n" | tee /etc/systemd/journald.conf && \ | ||
mkdir -p /root/go && \ | ||
mkdir -p /opt/cni/bin && \ | ||
wget https://go.dev/dl/go1.21.7.linux-amd64.tar.gz && \ | ||
rm -rf /usr/local/go && tar -C /usr/local -xzf go*.tar.gz && \ | ||
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.29.0/crictl-v1.29.0-linux-amd64.tar.gz && \ | ||
rm -rf /usr/local/bin/crictl && tar -C /usr/local/bin/ -xzf crictl-*.tar.gz && \ | ||
echo "export PATH=/usr/local/go/bin:$PATH" >> /root/.bashrc && \ | ||
echo "export GOPATH=/root/go" >> /root/.bashrc && \ | ||
echo "for i in \$(ls /usr/libexec/cni/);do if [ ! -f /opt/cni/bin/\$i ]; then ln -s /usr/libexec/cni/\$i /opt/cni/bin/\$i; fi done" >> /root/.bashrc | ||
|
||
CMD ["/sbin/init"] |
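Review bot: The Go toolchain and crictl tarballs fetched with `wget` (go1.21.7 and crictl-v1.29.0) are untarred straight into `/usr/local` with no checksum or signature verification, so a tampered or truncated download lands silently in the image; pin the published SHA-256 of each archive and check it before the `tar`, e.g. `echo "<expected-sha256>  go1.21.7.linux-amd64.tar.gz" | sha256sum -c -`. The line `echo "export PATH=/usr/local/go/bin:$PATH" >> /root/.bashrc` expands `$PATH` at build time inside the double-quoted `RUN`, so the builder's PATH is baked into `.bashrc` instead of the login shell's; escape it as `\$PATH`, the way `\$i` is escaped two lines later. `FROM fedora:latest` combined with `dnf update -y` makes the image non-reproducible between builds, and `tee /etc/systemd/journald.conf` (without `-a`) replaces the whole file rather than appending, which deserves a comment if it is intended. The downloaded archives are also left behind in the layer; `rm -f go*.tar.gz crictl-*.tar.gz` after extraction keeps them out of the image.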
@@ -324,6 +324,13 @@ testunit-bin: | |
--gcflags '-N' -c -o ${TESTBIN_PATH}/$$(basename $$PACKAGE) ;\ | ||
done | ||
|
||
testunit-package: | ||
mkdir -p ${TESTBIN_PATH} | ||
go test ${PACKAGE} \ | ||
--tags "test $(BUILDTAGS)" \ | ||
--gcflags '-N' -c -o ${TESTBIN_PATH}/$$(basename ${PACKAGE}) | ||
|
||
Comment on lines
+327
to
+332
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this can be achieved by doing |
||
|
||
mockgen: \ | ||
mock-cmdrunner \ | ||
mock-containerstorage \ | ||
|
@@ -333,7 +340,8 @@ mockgen: \ | |
mock-image-types \ | ||
mock-ocicni-types \ | ||
mock-seccompociartifact-types \ | ||
mock-ociartifact-types | ||
mock-ociartifact-types \ | ||
mock-container | ||
|
||
mock-containereventserver: ${MOCKGEN} | ||
${MOCKGEN} \ | ||
|
@@ -395,6 +403,12 @@ mock-ociartifact-types: ${MOCKGEN} | |
-destination ${MOCK_PATH}/ociartifact/ociartifact.go \ | ||
github.com/cri-o/cri-o/internal/config/ociartifact Impl | ||
|
||
mock-container: ${MOCKGEN} | ||
${BUILD_BIN_PATH}/mockgen \ | ||
-package containermock \ | ||
-destination ${MOCK_PATH}/container/container.go \ | ||
github.com/cri-o/cri-o/internal/factory/container Impl | ||
|
||
codecov: SHELL := $(shell which bash) | ||
codecov: | ||
bash <(curl -s https://codecov.io/bash) -f ${COVERAGE_PATH}/coverprofile | ||
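Review bot: `mock-container` invokes `${BUILD_BIN_PATH}/mockgen` directly, while every neighbouring target (`mock-containereventserver`, `mock-ociartifact-types`) calls `${MOCKGEN}`, so this one target silently ignores any override of that variable; change the recipe line to `${MOCKGEN} \` for consistency. `testunit-package` with `PACKAGE` unset runs `go test` against the current directory and `$$(basename ${PACKAGE})` yields an empty name, so the `-o ${TESTBIN_PATH}/` output path points at a directory and the build fails with a confusing message; a guard as the first recipe line, such as `$(if $(PACKAGE),,$(error PACKAGE must be set, e.g. PACKAGE=./internal/factory/container))`, makes the contract explicit. A short comment above the target stating that `PACKAGE` is a single import path (not a `./...` pattern, since `basename` is applied to it) would also help.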
|
@@ -0,0 +1,6 @@ | ||
package container | ||
|
||
// Impl is the main implementation interface of this package. | ||
type Impl interface { | ||
SecurityLabel(path, secLabel string, shared, maybeRelabel bool) error | ||
} | ||
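Review bot: `Impl.SecurityLabel` carries no doc comment, so the meaning of `shared` and `maybeRelabel` is only discoverable by reading the Linux implementation. A comment on the method such as `// SecurityLabel applies secLabel to path via label.Relabel (shared is forwarded unchanged); when maybeRelabel is true and the path's current label already equals the canonicalized secLabel, the relabel is skipped.` documents the contract where mocks and callers look for it. Since `ENOTSUP` from the relabel is swallowed by the Linux implementation, noting that a nil return does not guarantee the label was applied would save a reader a surprise.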
Comment on lines
+1
to
+6
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think this is needed if you just add a |
@@ -0,0 +1,17 @@ | ||
package container | ||
|
||
type SecLabel struct { | ||
impl Impl | ||
} | ||
|
||
type secLabelImpl struct{} | ||
|
||
func newSecLabel() *SecLabel { | ||
return &SecLabel{ | ||
impl: &secLabelImpl{}, | ||
} | ||
} | ||
|
||
func SecurityLabel(path, secLabel string, shared, maybeRelabel bool) error { | ||
return newSecLabel().impl.SecurityLabel(path, secLabel, shared, maybeRelabel) | ||
} |
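Review bot: The package-level `SecurityLabel` builds a fresh `SecLabel` through `newSecLabel()` on every call, so an implementation injected into a `SecLabel` instance via `SetImpl` (the test-only seam elsewhere in this package) can never reach this function — tests that swap in a mock will still execute the real `secLabelImpl`. Either share one package-level instance between the function and the injector, or make the call a method that uses the receiver's `impl`: `func (s *SecLabel) SecurityLabel(path, secLabel string, shared, maybeRelabel bool) error { return s.impl.SecurityLabel(path, secLabel, shared, maybeRelabel) }`, with callers holding the `*SecLabel`. The exported `SecLabel` type and `SecurityLabel` function also lack doc comments; `// SecLabel wraps the SELinux relabel implementation so tests can substitute it.` would cover the type.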
@@ -0,0 +1,66 @@ | ||
//go:build linux | ||
// +build linux | ||
|
||
package container | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/cri-o/cri-o/utils" | ||
selinux "github.com/opencontainers/selinux/go-selinux" | ||
"github.com/opencontainers/selinux/go-selinux/label" | ||
"github.com/sirupsen/logrus" | ||
"golang.org/x/sys/unix" | ||
) | ||
|
||
func (slabel *secLabelImpl) SecurityLabel(path, secLabel string, shared, maybeRelabel bool) error { | ||
if maybeRelabel { | ||
canonicalSecLabel, err := selinux.CanonicalizeContext(secLabel) | ||
if err != nil { | ||
logrus.Errorf("Canonicalize label failed %s: %v", secLabel, err) | ||
} else { | ||
currentLabel, err := label.FileLabel(path) | ||
if err == nil && currentLabel == canonicalSecLabel { | ||
logrus.Debugf( | ||
"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct", | ||
path) | ||
Check failure Code scanning / CodeQL Clear-text logging of sensitive information High Sensitive data returned by an access to passwdPath Error loading related location Loading |
||
return nil | ||
} | ||
} | ||
} | ||
if err := label.Relabel(path, secLabel, shared); err != nil && !errors.Is(err, unix.ENOTSUP) { | ||
return fmt.Errorf("relabel failed %s: %w", path, err) | ||
} | ||
return nil | ||
} | ||
|
||
// SelinuxLabel returns the container's SelinuxLabel | ||
// it takes the sandbox's label, which it falls back upon | ||
func (c *container) SelinuxLabel(sboxLabel string) ([]string, error) { | ||
selinuxConfig := c.config.Linux.SecurityContext.SelinuxOptions | ||
|
||
labels := map[string]string{} | ||
|
||
labelOptions, err := label.DupSecOpt(sboxLabel) | ||
if err != nil { | ||
return nil, err | ||
} | ||
for _, r := range labelOptions { | ||
k := strings.Split(r, ":")[0] | ||
labels[k] = r | ||
} | ||
|
||
if selinuxConfig != nil { | ||
for _, r := range utils.GetLabelOptions(selinuxConfig) { | ||
k := strings.Split(r, ":")[0] | ||
labels[k] = r | ||
} | ||
} | ||
ret := []string{} | ||
for _, v := range labels { | ||
ret = append(ret, v) | ||
} | ||
return ret, nil | ||
} |
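Review bot: In `SelinuxLabel`, `c.config.Linux.SecurityContext.SelinuxOptions` dereferences `Linux` and `SecurityContext` with no nil check; if `c.config` is the CRI protobuf `ContainerConfig` (as the field names suggest), a request without a Linux security context panics here, whereas the generated getters are nil-safe: `selinuxConfig := c.config.GetLinux().GetSecurityContext().GetSelinuxOptions()`. The `ret` slice is assembled by ranging over a map, so the option order differs between calls; sort it, or note in the doc comment that order is unspecified, if any caller compares or hashes the result. The debug message in `SecurityLabel` names `TrySkipVolumeSELinuxLabel`, a caller-side configuration option, while the decision in this helper is driven by `maybeRelabel`; rewording it to the parameter keeps the helper reusable. The `Canonicalize label failed` branch logs at error level and then falls through to an unconditional relabel, which reads as intentional but deserves a one-line comment saying so.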
@@ -0,0 +1,15 @@ | ||
//go:build test | ||
// +build test | ||
|
||
// All *_inject.go files are meant to be used by tests only. Purpose of this | ||
// files is to provide a way to inject mocked data into the current setup. | ||
|
||
package container | ||
|
||
func (label *SecLabel) SetImpl(impl Impl) { | ||
label.impl = impl | ||
} | ||
|
||
func NewSecLabel() *SecLabel { | ||
return newSecLabel() | ||
} |
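Review bot: The exported `SetImpl` and `NewSecLabel` have no doc comments, and the receiver is named `label` while the other method in this package on a related type uses `slabel`; `label` is also the name of the go-selinux package imported by the sibling Linux file, which makes the two easy to confuse when reading across files. Suggest `func (s *SecLabel) SetImpl(impl Impl)` with `// SetImpl replaces the relabel implementation; test-only.` and `// NewSecLabel exposes the package constructor to tests.` above the two functions.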
@@ -0,0 +1,14 @@ | ||
//go:build !linux | ||
// +build !linux | ||
|
||
package container | ||
|
||
func (slabel *secLabelImpl) SecurityLabel(path string, seclabel string, shared, maybeRelabel bool) error { | ||
return nil | ||
} | ||
|
||
// SelinuxLabel returns the container's SelinuxLabel | ||
// it takes the sandbox's label, which it falls back upon | ||
func (c *container) SelinuxLabel(sboxLabel string) ([]string, error) { | ||
return []string{}, nil | ||
} |
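Review bot: The stub spells its parameter `seclabel` while the Linux implementation and the `Impl` interface use `secLabel`, and none of the parameters are used here; `func (slabel *secLabelImpl) SecurityLabel(_, _ string, _, _ bool) error` (or the matching names) keeps the two builds aligned and signals that the no-op is intentional rather than unfinished. A comment such as `// SecurityLabel is a no-op on non-Linux platforms, where there is no SELinux to relabel for; it always reports success.` would document that callers on these platforms cannot distinguish "relabeled" from "unsupported". The same applies to the `SelinuxLabel` stub, whose returned empty slice would benefit from a one-line note that no labels are ever produced off Linux.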
what is this included for?
Please ignore this file, currently im running integration tests in container locally and using this file.