2020-08-10 17:43:49 +00:00
|
|
|
// +build linux,!dockerless
|
2019-01-12 04:58:27 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package dockershim
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto/md5"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"path/filepath"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/blang/semver"
|
|
|
|
dockertypes "github.com/docker/docker/api/types"
|
|
|
|
dockercontainer "github.com/docker/docker/api/types/container"
|
2020-08-10 17:43:49 +00:00
|
|
|
v1 "k8s.io/api/core/v1"
|
2019-08-30 18:33:25 +00:00
|
|
|
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
2019-01-12 04:58:27 +00:00
|
|
|
)
|
|
|
|
|
2020-12-01 01:06:26 +00:00
|
|
|
// DefaultMemorySwap always returns 0 for no memory swap in a sandbox
|
2019-01-12 04:58:27 +00:00
|
|
|
func DefaultMemorySwap() int64 {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
|
|
|
|
// Apply seccomp options.
|
|
|
|
seccompSecurityOpts, err := getSeccompSecurityOpts(seccompProfile, separator)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to generate seccomp security options for container: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return seccompSecurityOpts, nil
|
|
|
|
}
|
|
|
|
|
2020-08-10 17:43:49 +00:00
|
|
|
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
|
|
|
|
// run sandbox with no-new-privileges and using runtime/default
|
|
|
|
// sending no "seccomp=" means docker will use default profile
|
|
|
|
return []string{"no-new-privileges"}
|
|
|
|
}
|
|
|
|
|
2019-01-12 04:58:27 +00:00
|
|
|
func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
|
2020-08-10 17:43:49 +00:00
|
|
|
if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
|
2019-01-12 04:58:27 +00:00
|
|
|
// return early the default
|
|
|
|
return defaultSeccompOpt, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if seccompProfile == v1.SeccompProfileRuntimeDefault || seccompProfile == v1.DeprecatedSeccompProfileDockerDefault {
|
|
|
|
// return nil so docker will load the default seccomp profile
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2020-08-10 17:43:49 +00:00
|
|
|
if !strings.HasPrefix(seccompProfile, v1.SeccompLocalhostProfileNamePrefix) {
|
2019-01-12 04:58:27 +00:00
|
|
|
return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
|
|
|
|
}
|
|
|
|
|
|
|
|
// get the full path of seccomp profile when prefixed with 'localhost/'.
|
2020-08-10 17:43:49 +00:00
|
|
|
fname := strings.TrimPrefix(seccompProfile, v1.SeccompLocalhostProfileNamePrefix)
|
2019-01-12 04:58:27 +00:00
|
|
|
if !filepath.IsAbs(fname) {
|
|
|
|
return nil, fmt.Errorf("seccomp profile path must be absolute, but got relative path %q", fname)
|
|
|
|
}
|
|
|
|
file, err := ioutil.ReadFile(filepath.FromSlash(fname))
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot load seccomp profile %q: %v", fname, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
b := bytes.NewBuffer(nil)
|
|
|
|
if err := json.Compact(b, file); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
// Rather than the full profile, just put the filename & md5sum in the event log.
|
|
|
|
msg := fmt.Sprintf("%s(md5:%x)", fname, md5.Sum(file))
|
|
|
|
|
|
|
|
return []dockerOpt{{"seccomp", b.String(), msg}}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getSeccompSecurityOpts gets container seccomp options from container seccomp profile.
|
|
|
|
// It is an experimental feature and may be promoted to official runtime api in the future.
|
|
|
|
func getSeccompSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
|
|
|
|
seccompOpts, err := getSeccompDockerOpts(seccompProfile)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return fmtDockerOpts(seccompOpts, separator), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ds *dockerService) updateCreateConfig(
|
|
|
|
createConfig *dockertypes.ContainerCreateConfig,
|
|
|
|
config *runtimeapi.ContainerConfig,
|
|
|
|
sandboxConfig *runtimeapi.PodSandboxConfig,
|
|
|
|
podSandboxID string, securityOptSep rune, apiVersion *semver.Version) error {
|
|
|
|
// Apply Linux-specific options if applicable.
|
|
|
|
if lc := config.GetLinux(); lc != nil {
|
|
|
|
// TODO: Check if the units are correct.
|
|
|
|
// TODO: Can we assume the defaults are sane?
|
|
|
|
rOpts := lc.GetResources()
|
|
|
|
if rOpts != nil {
|
|
|
|
createConfig.HostConfig.Resources = dockercontainer.Resources{
|
|
|
|
// Memory and MemorySwap are set to the same value, this prevents containers from using any swap.
|
|
|
|
Memory: rOpts.MemoryLimitInBytes,
|
|
|
|
MemorySwap: rOpts.MemoryLimitInBytes,
|
|
|
|
CPUShares: rOpts.CpuShares,
|
|
|
|
CPUQuota: rOpts.CpuQuota,
|
|
|
|
CPUPeriod: rOpts.CpuPeriod,
|
2021-03-18 22:40:29 +00:00
|
|
|
CpusetCpus: rOpts.CpusetCpus,
|
|
|
|
CpusetMems: rOpts.CpusetMems,
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
createConfig.HostConfig.OomScoreAdj = int(rOpts.OomScoreAdj)
|
|
|
|
}
|
|
|
|
// Note: ShmSize is handled in kube_docker_client.go
|
|
|
|
|
|
|
|
// Apply security context.
|
|
|
|
if err := applyContainerSecurityContext(lc, podSandboxID, createConfig.Config, createConfig.HostConfig, securityOptSep); err != nil {
|
|
|
|
return fmt.Errorf("failed to apply container security context for container %q: %v", config.Metadata.Name, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Apply cgroupsParent derived from the sandbox config.
|
|
|
|
if lc := sandboxConfig.GetLinux(); lc != nil {
|
|
|
|
// Apply Cgroup options.
|
|
|
|
cgroupParent, err := ds.GenerateExpectedCgroupParent(lc.CgroupParent)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to generate cgroup parent in expected syntax for container %q: %v", config.Metadata.Name, err)
|
|
|
|
}
|
|
|
|
createConfig.HostConfig.CgroupParent = cgroupParent
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-09-27 21:51:53 +00:00
|
|
|
func (ds *dockerService) determinePodIPBySandboxID(uid string) []string {
|
|
|
|
return nil
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func getNetworkNamespace(c *dockertypes.ContainerJSON) (string, error) {
|
|
|
|
if c.State.Pid == 0 {
|
|
|
|
// Docker reports pid 0 for an exited container.
|
|
|
|
return "", fmt.Errorf("cannot find network namespace for the terminated container %q", c.ID)
|
|
|
|
}
|
|
|
|
return fmt.Sprintf(dockerNetNSFmt, c.State.Pid), nil
|
|
|
|
}
|