

resmgr: disallow docker-based runtimes by default.
Disallow docker-based CRI runtime emulation unless
explicitly enabled on the command line.
klihub committed Jun 2, 2022
1 parent 2930193 commit bc172a1
Showing 2 changed files with 22 additions and 0 deletions.
4 changes: 4 additions & 0 deletions pkg/cri/resource-manager/flags.go
Expand Up @@ -28,6 +28,7 @@ type options struct {
RuntimeSocket string
RelaySocket string
RelayDir string
AllowDocker bool
AgentSocket string
ConfigSocket string
PidFile string
Expand Down Expand Up @@ -56,6 +57,9 @@ func init() {
"Unix domain socket path where the resource manager should serve requests on.")
flag.StringVar(&opt.RelayDir, "relay-dir", "/var/lib/cri-resmgr",
"Permanent storage directory path for the resource manager to store its state in.")
flag.BoolVar(&opt.AllowDocker, "allow-docker", false,
"Allow cri-dockerd/docker-shim as a CRI runtime. Usually this is not a good idea.")

flag.StringVar(&opt.AgentSocket, "agent-socket", sockets.ResourceManagerAgent,
"local socket of the cri-resmgr agent to connect")
flag.StringVar(&opt.ConfigSocket, "config-socket", sockets.ResourceManagerConfig,
18 changes: 18 additions & 0 deletions pkg/cri/resource-manager/requests.go
Expand Up @@ -17,6 +17,7 @@ package resmgr
import (
"context"
"fmt"
"strings"

criapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"

Expand All @@ -28,6 +29,11 @@ import (
"github.com/intel/cri-resource-manager/pkg/cri/server"
)

const (
kubeAPIVersion = "0.1.0"
dockerRuntimeName = "docker"
)

// setupRequestProcessing prepares the resource manager for CRI request processing.
func (m *resmgr) setupRequestProcessing() error {
interceptors := map[string]server.Interceptor{
Expand Down Expand Up @@ -158,6 +164,18 @@ func (m *resmgr) startRequestProcessing() error {

// syncWithCRI synchronizes cache pods and containers with the CRI runtime.
func (m *resmgr) syncWithCRI(ctx context.Context) ([]cache.Container, []cache.Container, error) {
version, err := m.relay.Client().Version(ctx, &criapi.VersionRequest{
Version: kubeAPIVersion,
})
if err != nil {
return nil, nil, resmgrError("failed to query runtime version: %v", err)
}
if strings.HasPrefix(version.RuntimeName, dockerRuntimeName) {
if !opt.AllowDocker {
return nil, nil, resmgrError("%s runtime disallowed", version.RuntimeName)
}
}

if m.policy.Bypassed() || !m.relay.Client().HasRuntimeService() {
return nil, nil, nil
}
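Review bot: The new runtime-name check sits before the `m.policy.Bypassed() || !m.relay.Client().HasRuntimeService()` guard, so `Version()` is now called even when the relay has no runtime service, and a path that previously returned `nil, nil, nil` will likely fail with "failed to query runtime version" (Version is a RuntimeService RPC). Moving the added block below that guard keeps the bypass and no-runtime-service paths unchanged and rejects docker-based runtimes only when a sync would actually proceed. The two nested `if`s also collapse into one: `if !opt.AllowDocker && strings.HasPrefix(version.RuntimeName, dockerRuntimeName) {`. Since the decision rests on the runtime's self-reported `RuntimeName`, it is a configuration sanity check rather than an enforcement boundary, which a comment above the check should say, e.g. `// Reject docker-based CRI emulation unless -allow-docker was given; relies on the runtime's self-reported name.` syncWithCRI continues past the end of this hunk.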
