Merge branch 'master' into selinux-install

.dockerignore

@@ -1,12 +1,7 @@
 ./bin
 ./etc
-./build/data
-./build/data.tar.gz
 ./pkg/data/zz_generated_bindata.go
-./package/data.tar.gz
 ./.vagrant
 ./.cache
 ./.dapper
-./data-dir
-./dist
 ./.trash-cache

.drone.yml

@@ -59,6 +59,31 @@ steps:
     event:
     - tag
 
+- name: rpm-publish
+  image: centos:7
+  environment:
+    PRIVATE_KEY:
+      from_secret: private_key
+    PRIVATE_KEY_PASS_PHRASE:
+      from_secret: private_key_pass_phrase
+    AWS_S3_BUCKET:
+      from_secret: aws_s3_bucket
+    AWS_ACCESS_KEY_ID:
+      from_secret: aws_access_key_id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: aws_secret_access_key
+  commands:
+  - scripts/provision/generic/centos7/yum-install-rpm-tools
+  - scripts/package-rpm
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
 - name: test
   image: rancher/dapper:v0.4.2
   secrets: [ gcloud_auth ]
@@ -154,6 +179,31 @@ steps:
     event:
     - tag
 
+- name: rpm-publish
+  image: centos:7
+  environment:
+    PRIVATE_KEY:
+      from_secret: private_key
+    PRIVATE_KEY_PASS_PHRASE:
+      from_secret: private_key_pass_phrase
+    AWS_S3_BUCKET:
+      from_secret: aws_s3_bucket
+    AWS_ACCESS_KEY_ID:
+      from_secret: aws_access_key_id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: aws_secret_access_key
+  commands:
+  - scripts/provision/generic/centos7/yum-install-rpm-tools
+  - scripts/package-rpm
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
 - name: test
   image: rancher/dapper:v0.4.2
   secrets: [ gcloud_auth ]
@@ -273,7 +323,8 @@ steps:
     - DOCKER_USERNAME
     - DOCKER_PASSWORD
     - DRONE_TAG
-  when:
+
+trigger:
   instance:
   - drone-publish.rancher.io
   ref:
@@ -286,3 +337,42 @@ depends_on:
 - amd64
 - arm64
 - arm
+
+---
+kind: pipeline
+name: dispatch
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: dispatch
+  image: rancher/dapper:v0.4.2
+  environment:
+    PAT_USERNAME:
+      from_secret: pat_username
+    PAT_TOKEN:
+      from_secret: github_token
+  commands:
+    - dapper dispatch
+  volumes:
+    - name: docker
+      path: /var/run/docker.sock
+
+trigger:
+  instance:
+    - drone-publish.rancher.io
+  ref:
+    - refs/head/master
+    - refs/tags/*
+  event:
+    - tag
+
+volumes:
+  - name: docker
+    host:
+      path: /var/run/docker.sock
+
+depends_on:
+- manifest

.gitignore

@@ -28,3 +28,4 @@ __pycache__
 /tests/.tox/
 /tests/.vscode
 /sonobuoy-output
+*.tmp

Dockerfile.dapper

@@ -1,13 +1,13 @@
 FROM golang:1.13.8-alpine3.10
 
 RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \
-    python2 python3 py3-pip python3-dev openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static
+    python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static
-RUN pip3 install 'tox==3.6.0'
+
-RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static
+RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static libselinux libselinux-dev
 RUN mkdir -p /go/src/golang.org/x && \
-    cd /go/src/golang.org/x && git clone https://github.com/golang/tools && \
+    cd /go/src/golang.org/x && git clone https://github.com/golang/tools && cd tools && \
-    git -C /go/src/golang.org/x/tools checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \
+    git checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \
-    go install golang.org/x/tools/cmd/goimports
+    go install golang.org/x/tools/cmd/goimports && cd
 RUN rm -rf /go/src /go/pkg
 
 ARG DAPPER_HOST_ARCH
@@ -17,6 +17,9 @@ RUN if [ "${ARCH}" == "amd64" ]; then \
         curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.15.0; \
     fi
 
+ARG SELINUX=true
+ENV SELINUX $SELINUX
+
 ARG DQLITE=true
 ENV DQLITE $DQLITE
 COPY --from=rancher/dqlite-build:v1.3.1-r1 /dist/artifacts /usr/src/

Vagrantfile

@@ -1,12 +1,13 @@
-BOX = "generic/alpine310"
+OS = (ENV['OS'] || "alpine310")
+BOX_REPO = (ENV['BOX_REPO'] || "generic")
 HOME = File.dirname(__FILE__)
 PROJECT = File.basename(HOME)
-MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs"
 NUM_NODES = (ENV['NUM_NODES'] || 0).to_i
 NODE_CPUS = (ENV['NODE_CPUS'] || 4).to_i
 NODE_MEMORY = (ENV['NODE_MEMORY'] || 8192).to_i
 NETWORK_PREFIX = ENV['NETWORK_PREFIX'] || "10.135.135"
-VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision"
+VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/provision/vagrant"
+MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs"
 
 # --- Rules for /etc/sudoers to avoid password entry configuring NFS:
 # %admin	ALL = (root) NOPASSWD: /usr/bin/sed -E -e * -ibak /etc/exports
@@ -14,61 +15,36 @@ VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision"
 # %admin	ALL = (root) NOPASSWD: /sbin/nfsd restart
 # --- May need to add terminal to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access
 
-# --- Check for missing plugins
+def provision(vm, node_num)
-required_plugins = %w( vagrant-alpine vagrant-timezone )
+  node_os = (ENV["OS_#{node_num}"] || OS)
-plugin_installed = false
+  vm.box = (ENV["BOX_#{node_num}"] || ENV["BOX"] || "#{BOX_REPO}/#{node_os}")
-required_plugins.each do |plugin|
+  vm.hostname = "#{PROJECT}-#{node_num}-#{node_os}"
-  unless Vagrant.has_plugin?(plugin)
+  vm.network "private_network", ip: "#{NETWORK_PREFIX}.#{100+node_num}"
-    system "vagrant plugin install #{plugin}"
+  vm.provision "shell",
-    plugin_installed = true
+      path: VAGRANT_PROVISION,
+      env: { 'HOME' => HOME, 'GOPATH' => ENV['GOPATH'], 'BOX' => vm.box }
 end
-end
-# --- If new plugins installed, restart Vagrant process
-if plugin_installed === true
-  exec "vagrant #{ARGV.join' '}"
-end
-
-provision = <<SCRIPT
-# --- Use system gopath if available
-export GOPATH=#{ENV['GOPATH']}
-# --- Default to root user for vagrant ssh
-cat <<\\EOF >/etc/profile.d/root.sh
-[ $EUID -ne 0 ] && exec sudo -i
-EOF
-# --- Set home to current directory
-cat <<\\EOF >/etc/profile.d/home.sh
-export HOME="#{HOME}" && cd
-EOF
-. /etc/profile.d/home.sh
-# --- Run vagrant provision script if available
-if [ ! -x #{VAGRANT_PROVISION} ]; then
-  echo 'WARNING: Unable to execute provision script "#{VAGRANT_PROVISION}"'
-  exit
-fi
-echo "running '#{VAGRANT_PROVISION}'..." && \
-  #{VAGRANT_PROVISION} && \
-  echo "finished '#{VAGRANT_PROVISION}'!"
-SCRIPT
 
 Vagrant.configure("2") do |config|
+
   config.vm.provider "virtualbox" do |v|
     v.cpus = NODE_CPUS
     v.memory = NODE_MEMORY
     v.customize ["modifyvm", :id, "--audio", "none"]
   end
-
+  if Vagrant.has_plugin?("vagrant-timezone")
-  config.vm.box = BOX
-  config.vm.hostname = PROJECT
-  config.vm.synced_folder ".", HOME, type: MOUNT_TYPE
-  config.vm.provision "shell", inline: provision
     config.timezone.value = :host
+  end
+  config.vm.synced_folder ".", HOME, type: MOUNT_TYPE
 
-  config.vm.network "private_network", ip: "#{NETWORK_PREFIX}.100" if NUM_NODES==0
+  if NUM_NODES==0
-
+    provision(config.vm, 0)
+  else
     (1..NUM_NODES).each do |i|
       config.vm.define ".#{i}" do |node|
-      node.vm.network "private_network", ip: "#{NETWORK_PREFIX}.#{100+i}"
+        provision(node.vm, i)
-      node.vm.hostname = "#{PROJECT}-#{i}"
       end
     end
   end
+
+end

contrib/ansible/roles/k3s/master/templates/k3s.service.j2

@@ -2,7 +2,9 @@
 Description=Lightweight Kubernetes
 Documentation=https://k3s.io
 After=network-online.target
+
 [Service]
+Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }}
@@ -12,6 +14,7 @@ LimitNOFILE=infinity
 LimitNPROC=infinity
 LimitCORE=infinity
 TasksMax=infinity
+TimeoutStartSec=infinity
 Restart=always
 RestartSec=5s
 

contrib/ansible/roles/k3s/node/templates/k3s.service.j2

@@ -2,7 +2,11 @@
 Description=Lightweight Kubernetes
 Documentation=https://k3s.io
 After=network-online.target
+
 [Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['master'][0]]['token'] }}
 KillMode=process
 Delegate=yes
@@ -10,6 +14,7 @@ LimitNOFILE=infinity
 LimitNPROC=infinity
 LimitCORE=infinity
 TasksMax=infinity
+TimeoutStartSec=infinity
 Restart=always
 RestartSec=5s
 

go.mod

@@ -7,9 +7,9 @@ replace (
 	github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
 	github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
 	github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
-	github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s1
+	github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2
 	github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
-	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.3
+	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.4
 	github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
 	github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
 	github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
@@ -94,6 +94,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.13.0
 	github.com/natefinch/lumberjack v2.0.0+incompatible
 	github.com/opencontainers/runc v1.0.0-rc9
+	github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52
 	github.com/pkg/errors v0.8.1
 	github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
 	github.com/rancher/dynamiclistener v0.2.0
@@ -122,6 +123,5 @@ require (
 	k8s.io/component-base v0.0.0
 	k8s.io/cri-api v0.0.0
 	k8s.io/klog v1.0.0
-	k8s.io/kubelet v0.0.0
 	k8s.io/kubernetes v1.16.0
 )

go.sum

@@ -708,10 +708,10 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:
 github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI=
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODlZKU0Odq4pQuDcMZEVgAh364+PV3OU=
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
-github.com/rancher/containerd v1.3.3-k3s1 h1:j8NGZdXKsZd2ne0XQg6OBfMJ/NkY/Qri6QhscGrJp2M=
+github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A=
-github.com/rancher/containerd v1.3.3-k3s1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
+github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
-github.com/rancher/cri v1.3.0-k3s.3 h1:j/Sq2LMyg6gBn2MS1j5dEudpdL+UYVH7ubbewUCXkS0=
+github.com/rancher/cri v1.3.0-k3s.4 h1:BXER8109dxgNw4qq8HHOCJ+3sHO+9AA1cwZTOLlqoTo=
-github.com/rancher/cri v1.3.0-k3s.3/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
+github.com/rancher/cri v1.3.0-k3s.4/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
 github.com/rancher/cri-tools v1.17.0-k3s1 h1:jfu97FowbraTDc7b6fxWtO+dq+DU2oW+ABBQSEFiRb0=
 github.com/rancher/cri-tools v1.17.0-k3s1/go.mod h1:bRTZttsvk+nCG8tSFs8D6UUx8CkMXR5TAsRLS0fXAqI=
 github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk=

install.sh

@@ -26,6 +26,9 @@ set -e
 #     If set to 'skip' will not create symlinks, 'force' will overwrite,
 #     default will symlink if command does not exist in path.
 #
+#   - INSTALL_K3S_SKIP_ENABLE
+#     If set to true will not enable or start k3s service.
+#
 #   - INSTALL_K3S_SKIP_START
 #     If set to true will not start k3s service.
 #
@@ -166,11 +169,6 @@ setup_env() {
             ${invalid_chars}"
     fi
 
-    # --- set related files from system name ---
-    SERVICE_K3S=${SYSTEM_NAME}.service
-    UNINSTALL_K3S_SH=${SYSTEM_NAME}-uninstall.sh
-    KILLALL_K3S_SH=k3s-killall.sh
-
     # --- use sudo if we are not already root ---
     SUDO=sudo
     if [ $(id -u) -eq 0 ]; then
@@ -202,6 +200,11 @@ setup_env() {
         SYSTEMD_DIR=/etc/systemd/system
     fi
 
+    # --- set related files from system name ---
+    SERVICE_K3S=${SYSTEM_NAME}.service
+    UNINSTALL_K3S_SH=${UNINSTALL_K3S_SH:-${BIN_DIR}/${SYSTEM_NAME}-uninstall.sh}
+    KILLALL_K3S_SH=${KILLALL_K3S_SH:-${BIN_DIR}/k3s-killall.sh}
+
     # --- use service or environment location depending on systemd/openrc ---
     if [ "${HAS_SYSTEMD}" = true ]; then
         FILE_K3S_SERVICE=${SYSTEMD_DIR}/${SERVICE_K3S}
@@ -389,7 +392,7 @@ setup_binary() {
 
     if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s 2>/dev/null 2>&1; then
         if $SUDO grep SELINUX=enforcing /etc/selinux/config >/dev/null 2>&1; then
-            fatal "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, please install k3s_selinux RPM"
+            fatal "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, please install k3s-selinux RPM"
         fi
     fi
 }
@@ -425,7 +428,7 @@ create_symlinks() {
 
     for cmd in kubectl crictl ctr; do
         if [ ! -e ${BIN_DIR}/${cmd} ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
-            which_cmd=$(which ${cmd} || true)
+            which_cmd=$(which ${cmd} 2>/dev/null || true)
             if [ -z "${which_cmd}" ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
                 info "Creating ${BIN_DIR}/${cmd} symlink to k3s"
                 $SUDO ln -sf k3s ${BIN_DIR}/${cmd}
@@ -441,13 +444,13 @@ create_symlinks() {
 # --- create killall script ---
 create_killall() {
     [ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
-    info "Creating killall script ${BIN_DIR}/${KILLALL_K3S_SH}"
+    info "Creating killall script ${KILLALL_K3S_SH}"
-    $SUDO tee ${BIN_DIR}/${KILLALL_K3S_SH} >/dev/null << \EOF
+    $SUDO tee ${KILLALL_K3S_SH} >/dev/null << \EOF
 #!/bin/sh
 [ $(id -u) -eq 0 ] || exec sudo $0 $@
 
 for bin in /var/lib/rancher/k3s/data/**/bin/; do
-    [ -d $bin ] && export PATH=$bin:$PATH
+    [ -d $bin ] && export PATH=$PATH:$bin:$bin/aux
 done
 
 set -x
@@ -485,7 +488,7 @@ killtree() {
 }
 
 getshims() {
-    lsof | sed -e 's/^[^0-9]*//g; s/  */\t/g' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1 | sort -n -u
+    ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1
 }
 
 killtree $({ set +x; } 2>/dev/null; getshims; set -x)
@@ -520,20 +523,20 @@ ip link delete flannel.1
 rm -rf /var/lib/cni/
 iptables-save | grep -v KUBE- | grep -v CNI- | iptables-restore
 EOF
-    $SUDO chmod 755 ${BIN_DIR}/${KILLALL_K3S_SH}
+    $SUDO chmod 755 ${KILLALL_K3S_SH}
-    $SUDO chown root:root ${BIN_DIR}/${KILLALL_K3S_SH}
+    $SUDO chown root:root ${KILLALL_K3S_SH}
 }
 
 # --- create uninstall script ---
 create_uninstall() {
     [ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
-    info "Creating uninstall script ${BIN_DIR}/${UNINSTALL_K3S_SH}"
+    info "Creating uninstall script ${UNINSTALL_K3S_SH}"
-    $SUDO tee ${BIN_DIR}/${UNINSTALL_K3S_SH} >/dev/null << EOF
+    $SUDO tee ${UNINSTALL_K3S_SH} >/dev/null << EOF
 #!/bin/sh
 set -x
 [ \$(id -u) -eq 0 ] || exec sudo \$0 \$@
 
-${BIN_DIR}/${KILLALL_K3S_SH}
+${KILLALL_K3S_SH}
 
 if which systemctl; then
     systemctl disable ${SYSTEM_NAME}
@@ -548,7 +551,7 @@ rm -f ${FILE_K3S_SERVICE}
 rm -f ${FILE_K3S_ENV}
 
 remove_uninstall() {
-    rm -f ${BIN_DIR}/${UNINSTALL_K3S_SH}
+    rm -f ${UNINSTALL_K3S_SH}
 }
 trap remove_uninstall EXIT
 
@@ -567,10 +570,10 @@ rm -rf /etc/rancher/k3s
 rm -rf /var/lib/rancher/k3s
 rm -rf /var/lib/kubelet
 rm -f ${BIN_DIR}/k3s
-rm -f ${BIN_DIR}/${KILLALL_K3S_SH}
+rm -f ${KILLALL_K3S_SH}
 EOF
-    $SUDO chmod 755 ${BIN_DIR}/${UNINSTALL_K3S_SH}
+    $SUDO chmod 755 ${UNINSTALL_K3S_SH}
-    $SUDO chown root:root ${BIN_DIR}/${UNINSTALL_K3S_SH}
+    $SUDO chown root:root ${UNINSTALL_K3S_SH}
 }
 
 # --- disable current service if loaded --
@@ -704,6 +707,8 @@ openrc_start() {
 
 # --- startup systemd or openrc service ---
 service_enable_and_start() {
+    [ "${INSTALL_K3S_SKIP_ENABLE}" = true ] && return
+
     [ "${HAS_SYSTEMD}" = true ] && systemd_enable
     [ "${HAS_OPENRC}" = true ] && openrc_enable
 

package/k3s.spec

@@ -0,0 +1,57 @@
+# vim: sw=4:ts=4:et
+
+%define install_path  /usr/bin
+%define util_path     %{_datadir}/k3s
+%define install_sh    %{util_path}/.install.sh
+%define uninstall_sh  %{util_path}/.uninstall.sh
+
+Name:    k3s
+Version: %{k3s_version}
+Release: %{k3s_release}%{?dist}
+Summary: Lightweight Kubernetes
+
+Group:   System Environment/Base		
+License: ASL 2.0
+URL:     http://k3s.io
+
+BuildRequires: systemd
+Requires(post): k3s-selinux >= %{k3s_policyver}
+
+%description
+The certified Kubernetes distribution built for IoT & Edge computing.
+
+%install
+install -d %{buildroot}%{install_path}
+install dist/artifacts/%{k3s_binary} %{buildroot}%{install_path}/k3s
+install -d %{buildroot}%{util_path}
+install install.sh %{buildroot}%{install_sh}
+
+%post
+# do not run install script on upgrade
+echo post-install args: $@
+if [ $1 == 1 ]; then
+    INSTALL_K3S_BIN_DIR=%{install_path} \
+    INSTALL_K3S_SKIP_DOWNLOAD=true \
+    INSTALL_K3S_SKIP_ENABLE=true \
+    UNINSTALL_K3S_SH=%{uninstall_sh} \
+        %{install_sh}
+fi
+%systemd_post k3s.service
+exit 0
+
+%postun
+echo post-uninstall args: $@
+# do not run uninstall script on upgrade
+if [ $1 == 0 ]; then
+    %{uninstall_sh}
+    rm -rf %{util_path}
+fi
+exit 0
+
+%files
+%{install_path}/k3s
+%{install_sh}
+
+%changelog
+* Mon Mar 2 2020 Erik Wilson <erik@rancher.com> 0.1-1
+- Initial version

pkg/agent/config/config.go

@@ -397,6 +397,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 
 	nodeConfig := &config.Node{
 		Docker:                   envInfo.Docker,
+		DisableSELinux:           envInfo.DisableSELinux,
 		ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 		FlannelBackend:           controlConfig.FlannelBackend,
 	}
@@ -474,6 +475,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig.AgentConfig.DisableCCM = controlConfig.DisableCCM
 	nodeConfig.AgentConfig.DisableNPC = controlConfig.DisableNPC
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
+	nodeConfig.DisableSELinux = envInfo.DisableSELinux
 
 	return nodeConfig, nil
 }

pkg/agent/containerd/command.go

@@ -0,0 +1,15 @@
+// +build !windows
+
+package containerd
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+func addDeathSig(cmd *exec.Cmd) {
+	// not supported in this OS
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Pdeathsig: syscall.SIGKILL,
+	}
+}

pkg/agent/containerd/command_windows.go

@@ -0,0 +1,7 @@
+package containerd
+
+import "os/exec"
+
+func addDeathSig(_ *exec.Cmd) {
+	// not supported in this OS
+}

pkg/agent/containerd/containerd.go

@@ -8,13 +8,13 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"syscall"
 	"time"
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/natefinch/lumberjack"
 	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/pkg/errors"
 	"github.com/rancher/k3s/pkg/agent/templates"
 	util2 "github.com/rancher/k3s/pkg/agent/util"
 	"github.com/rancher/k3s/pkg/daemons/config"
@@ -66,9 +66,7 @@ func Run(ctx context.Context, cfg *config.Node) error {
 		cmd := exec.Command(args[0], args[1:]...)
 		cmd.Stdout = stdOut
 		cmd.Stderr = stdErr
-		cmd.SysProcAttr = &syscall.SysProcAttr{
+		addDeathSig(cmd)
-			Pdeathsig: syscall.SIGKILL,
-		}
 		if err := cmd.Run(); err != nil {
 			fmt.Fprintf(os.Stderr, "containerd: %s\n", err)
 		}
@@ -170,6 +168,22 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 		PrivateRegistryConfig: privRegistries,
 	}
 
+	selEnabled, selConfigured, err := selinuxStatus()
+	if err != nil {
+		return errors.Wrap(err, "failed to detect selinux")
+	}
+	if cfg.DisableSELinux {
+		containerdConfig.SELinuxEnabled = false
+		if selEnabled {
+			logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
+		}
+	} else {
+		containerdConfig.SELinuxEnabled = selEnabled
+	}
+	if containerdConfig.SELinuxEnabled && !selConfigured {
+		logrus.Warnf("SELinux is enabled for k3s but process is not running in context '%s', k3s-selinux policy may need to be applied", SELinuxContextType)
+	}
+
 	containerdTemplateBytes, err := ioutil.ReadFile(cfg.Containerd.Template)
 	if err == nil {
 		logrus.Infof("Using containerd template at %s", cfg.Containerd.Template)

pkg/agent/containerd/selinux.go

@@ -0,0 +1,27 @@
+package containerd
+
+import (
+	"github.com/opencontainers/selinux/go-selinux"
+)
+
+const (
+	SELinuxContextType = "container_runtime_t"
+)
+
+func selinuxStatus() (bool, bool, error) {
+	if !selinux.GetEnabled() {
+		return false, false, nil
+	}
+
+	label, err := selinux.CurrentLabel()
+	if err != nil {
+		return true, false, err
+	}
+
+	ctx, err := selinux.NewContext(label)
+	if err != nil {
+		return true, false, err
+	}
+
+	return true, ctx["type"] == SELinuxContextType, nil
+}

pkg/agent/netpol/netpol_windows.go

@@ -0,0 +1,10 @@
+package netpol
+
+import (
+	"context"
+	daemonconfig "github.com/rancher/k3s/pkg/daemons/config"
+)
+
+func Run(ctx context.Context, nodeConfig *daemonconfig.Node) error {
+	panic("Netpol is not supported on windows ensure to pass --disable-network-policy")
+}

pkg/agent/netpol/network_policy.go

@@ -1,3 +1,5 @@
+// +build !windows
+
 package netpol
 
 import (

pkg/agent/netpol/network_policy_controller.go

@@ -1,6 +1,8 @@
 // Apache License v2.0 (copyright Cloud Native Labs & Rancher Labs)
 // - modified from https://github.com/cloudnativelabs/kube-router/blob/d6f9f31a7b/pkg/controllers/netpol/network_policy_controller.go
 
+// +build !windows
+
 package netpol
 
 import (

pkg/agent/netpol/utils.go

@@ -1,6 +1,8 @@
 // Apache License v2.0 (copyright Cloud Native Labs & Rancher Labs)
 // - modified from https://github.com/cloudnativelabs/kube-router/tree/d6f9f31a7b/pkg/utils
 
+// +build !windows
+
 package netpol
 
 import (

pkg/agent/syssetup/setup.go

@@ -1,3 +1,5 @@
+// +build !windows
+
 package syssetup
 
 import (

pkg/agent/syssetup/setup_windows.go

@@ -0,0 +1,3 @@
+package syssetup
+
+func Configure() {}

pkg/agent/templates/templates.go

@@ -10,6 +10,7 @@ import (
 type ContainerdConfig struct {
 	NodeConfig            *config.Node
 	IsRunningInUserNS     bool
+	SELinuxEnabled        bool
 	PrivateRegistryConfig *Registry
 }
 
@@ -20,6 +21,7 @@ const ContainerdConfigTemplate = `
 [plugins.cri]
   stream_server_address = "127.0.0.1"
   stream_server_port = "10010"
+  enable_selinux = {{ .SELinuxEnabled }}
 
 {{- if .IsRunningInUserNS }}
   disable_cgroup = true

pkg/cli/cmds/agent.go

@@ -28,6 +28,7 @@ type Agent struct {
 	Rootless                 bool
 	RootlessAlreadyUnshared  bool
 	WithNodeID               bool
+	DisableSELinux           bool
 	AgentShared
 	ExtraKubeletArgs   cli.StringSlice
 	ExtraKubeProxyArgs cli.StringSlice
@@ -127,6 +128,12 @@ var (
 		Usage: "(agent/node) Registering and starting kubelet with set of labels",
 		Value: &AgentConfig.Labels,
 	}
+	DisableSELinuxFlag = cli.BoolFlag{
+		Name:        "disable-selinux",
+		Usage:       "(agent/node) Disable SELinux in containerd if currently enabled",
+		Hidden:      true,
+		Destination: &AgentConfig.DisableSELinux,
+	}
 )
 
 func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
@@ -169,6 +176,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
 			NodeLabels,
 			NodeTaints,
 			DockerFlag,
+			DisableSELinuxFlag,
 			CRIEndpointFlag,
 			PauseImageFlag,
 			PrivateRegistryFlag,

pkg/cli/cmds/server.go

@@ -216,6 +216,7 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 			NodeLabels,
 			NodeTaints,
 			DockerFlag,
+			DisableSELinuxFlag,
 			CRIEndpointFlag,
 			PauseImageFlag,
 			PrivateRegistryFlag,

pkg/daemons/config/types.go

@@ -25,6 +25,7 @@ type Node struct {
 	Docker                   bool
 	ContainerRuntimeEndpoint string
 	NoFlannel                bool
+	DisableSELinux           bool
 	FlannelBackend           string
 	FlannelConf              string
 	FlannelConfOverride      bool

pkg/nodeconfig/nodeconfig.go

@@ -16,6 +16,7 @@ const (
 	NodeArgsAnnotation       = "k3s.io/node-args"
 	NodeEnvAnnotation        = "k3s.io/node-env"
 	NodeConfigHashAnnotation = "k3s.io/node-config-hash"
+	OmittedValue             = "********"
 )
 
 func getNodeArgs() (string, error) {
@@ -31,7 +32,7 @@ func getNodeArgs() (string, error) {
 	for i, arg := range nodeArgsList {
 		if isSecret(arg) {
 			if i+1 < len(nodeArgsList) {
-				nodeArgsList[i+1] = ""
+				nodeArgsList[i+1] = OmittedValue
 			}
 		}
 	}
@@ -52,7 +53,7 @@ func getNodeEnv() (string, error) {
 	}
 	for key := range k3sEnv {
 		if isSecret(key) {
-			k3sEnv[key] = ""
+			k3sEnv[key] = OmittedValue
 		}
 	}
 	k3sEnvJSON, err := json.Marshal(k3sEnv)

pkg/passwd/passwd.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/rancher/k3s/pkg/token"
+	"github.com/rancher/k3s/pkg/util"
 )
 
 type entry struct {
@@ -141,7 +142,7 @@ func writePasswords(passwdFile string, records [][]string) error {
 		}
 		defer out.Close()
 
-		if err := out.Chmod(0600); err != nil {
+		if err := util.SetFileModeForFile(out, 0600); err != nil {
 			return err
 		}
 

pkg/rootless/mounts.go

@@ -1,3 +1,5 @@
+// +build !windows
+
 package rootless
 
 import (

pkg/rootless/rootless.go

@@ -1,3 +1,5 @@
+// +build !windows
+
 package rootless
 
 import (

pkg/rootless/rootless_windows.go

@@ -0,0 +1,5 @@
+package rootless
+
+func Rootless(stateDir string) error {
+	panic("Rootless not supported on windows")
+}

pkg/rootlessports/controller.go

@@ -1,3 +1,5 @@
+// +build !windows
+
 package rootlessports
 
 import (

pkg/rootlessports/controller_windows.go

@@ -0,0 +1,10 @@
+package rootlessports
+
+import (
+	"context"
+	coreClients "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
+)
+
+func Register(ctx context.Context, serviceController coreClients.ServiceController, httpsPort int) error {
+	panic("Rootless is not supported on windows")
+}

pkg/server/server.go

@@ -24,6 +24,7 @@ import (
 	"github.com/rancher/k3s/pkg/rootlessports"
 	"github.com/rancher/k3s/pkg/servicelb"
 	"github.com/rancher/k3s/pkg/static"
+	"github.com/rancher/k3s/pkg/util"
 	v1 "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
 	"github.com/rancher/wrangler/pkg/leader"
 	"github.com/rancher/wrangler/pkg/resolvehome"
@@ -263,12 +264,12 @@ func writeKubeConfig(certs string, config *Config) error {
 	if config.ControlConfig.KubeConfigMode != "" {
 		mode, err := strconv.ParseInt(config.ControlConfig.KubeConfigMode, 8, 0)
 		if err == nil {
-			os.Chmod(kubeConfig, os.FileMode(mode))
+			util.SetFileModeForPath(kubeConfig, os.FileMode(mode))
 		} else {
 			logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(mode), err)
 		}
 	} else {
-		os.Chmod(kubeConfig, os.FileMode(0600))
+		util.SetFileModeForPath(kubeConfig, os.FileMode(0600))
 	}
 
 	if kubeConfigSymlink != kubeConfig {

pkg/util/file.go

@@ -0,0 +1,15 @@
+// +build !windows
+
+package util
+
+import (
+	"os"
+)
+
+func SetFileModeForPath(name string, mode os.FileMode) error {
+	return os.Chmod(name, mode)
+}
+
+func SetFileModeForFile(file *os.File, mode os.FileMode) error {
+	return file.Chmod(mode)
+}

pkg/util/file_windows.go

@@ -0,0 +1,13 @@
+package util
+
+import (
+	"os"
+)
+
+func SetFileModeForPath(name string, mode os.FileMode) error {
+	return nil
+}
+
+func SetFileModeForFile(file *os.File, mode os.FileMode) error {
+	return nil
+}

scripts/build

@@ -46,12 +46,20 @@ STATIC_SQLITE="
     -extldflags '-static -lm -ldl -lz -lpthread $DQLITE_STATIC_SQLITE'
 "
 TAGS="ctrd apparmor seccomp no_btrfs netcgo osusergo providerless $DQLITE_TAGS"
+RUNC_TAGS="apparmor seccomp"
+RUNC_STATIC="static"
+
+if [ "$SELINUX" = "true" ]; then
+    TAGS="$TAGS selinux"
+    RUNC_TAGS="$RUNC_TAGS selinux"
+fi
 
 if [ "$STATIC_BUILD" != "true" ]; then
     STATIC="
 "
     STATIC_SQLITE="
 "
+    RUNC_STATIC=""
 else
     TAGS="static_build libsqlite3 $TAGS"
 fi
@@ -109,13 +117,16 @@ ln -s containerd ./bin/ctr
 # echo Building containerd
 # CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/containerd ./cmd/containerd/
 echo Building runc
-make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp" -C ./vendor/github.com/opencontainers/runc static
+rm -f ./vendor/github.com/opencontainers/runc/runc
+make EXTRA_LDFLAGS="-w -s" BUILDTAGS="$RUNC_TAGS" -C ./vendor/github.com/opencontainers/runc $RUNC_STATIC
 cp -f ./vendor/github.com/opencontainers/runc/runc ./bin/runc
 
 echo Building containerd-shim
+rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim
 make -C ./vendor/github.com/containerd/containerd bin/containerd-shim
 cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim ./bin/containerd-shim
 
 echo Building containerd-shim-runc-v2
+rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2
 make -C ./vendor/github.com/containerd/containerd bin/containerd-shim-runc-v2
 cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2 ./bin/containerd-shim-runc-v2

scripts/dispatch

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+set -x
+
+REPO="https://api.github.com/repos/rancher/k3s-upgrade/dispatches"
+
+# send dispatch event to REPO
+curl -XPOST -u "${PAT_USERNAME}:${PAT_TOKEN}" \
+        -H "Accept: application/vnd.github.everest-preview+json"  \
+        -H "Content-Type: application/json" $REPO \
+        --data '{"event_type": "create_tag", "client_payload": {"tag":"'"$DRONE_TAG"'"}}'

scripts/package-rpm

@@ -0,0 +1,78 @@
+#!/bin/bash
+set -e -x
+
+cd $(dirname $0)/..
+
+ARCH=${DRONE_STAGE_ARCH:-$(arch)}
+. ./scripts/version.sh
+
+if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(\-[^\+]*)?\+k3s.+$ ]]; then
+  echo "k3s version $VERSION does not match regex for rpm upload"
+  exit 0
+fi
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+  exit_code=$?
+  trap - EXIT INT
+  rm -rf ${TMPDIR}
+  exit ${exit_code}
+}
+trap cleanup EXIT INT
+
+export HOME=${TMPDIR}
+
+BIN_SUFFIX=""
+if [ ${ARCH} = aarch64 ] || [ ${ARCH} = arm64 ]; then
+    BIN_SUFFIX="-arm64"
+elif [ ${ARCH} = armv7l ] || [ ${ARCH} = arm ]; then
+    BIN_SUFFIX="-armhf"
+fi
+
+# capture version of k3s
+k3s_version=$(sed -E -e 's/^v([^-+]*).*$/\1/' <<< $VERSION)
+# capture pre-release and metadata information of k3s
+k3s_release=$(sed -E -e 's/\+k3s/+/; s/\+/-/g; s/^[^-]*//; s/^--/dev-/; s/-+/./g; s/^\.+//; s/\.+$//;' <<< $VERSION)
+# k3s-selinux policy version needed for functionality
+k3s_policyver=0.1-1
+
+rpmbuild \
+  --define "k3s_version ${k3s_version}" \
+  --define "k3s_release ${k3s_release}" \
+  --define "k3s_policyver ${k3s_policyver}" \
+  --define "k3s_binary k3s${BIN_SUFFIX}" \
+  --define "_sourcedir ${PWD}" \
+  --define "_specdir ${PWD}" \
+  --define "_builddir ${PWD}" \
+  --define "_srcrpmdir ${PWD}" \
+  --define "_rpmdir ${PWD}/dist/rpm" \
+  --define "_buildrootdir ${PWD}/.rpm-build" \
+  -bb package/k3s.spec
+
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+  echo "PRIVATE_KEY not defined, skipping rpm sign and upload"
+  exit 0
+fi
+
+cat <<\EOF >~/.rpmmacros 
+%_signature gpg
+%_gpg_name ci@rancher.com
+EOF
+gpg --import - <<<"$PRIVATE_KEY"
+
+expect <<EOF
+set timeout 60
+spawn sh -c "rpmsign --addsign dist/rpm/**/k3s-*.rpm"
+expect "Enter pass phrase:"
+send -- "$PRIVATE_KEY_PASS_PHRASE\r"
+expect eof
+lassign [wait] _ _ _ code
+exit \$code
+EOF
+
+if [ -z "$AWS_S3_BUCKET" ]; then
+  echo "AWS_S3_BUCKET skipping rpm upload"
+  exit 0
+fi
+
+rpm-s3 --bucket $AWS_S3_BUCKET dist/rpm/**/k3s-*.rpm

scripts/provision/generic/alpine310/vagrant

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -ve
+
+apk add -q -f curl libc6-compat tzdata
+download_go
+download_dqlite
+# ---
+cat <<EOF >/etc/profile.d/build.sh
+export SELINUX=true
+export DQLITE=true
+export STATIC_BUILD=true
+EOF
+. /etc/profile.d/build.sh
+# ---
+. /tmp/docker-run
+# ---
+go get -u github.com/go-delve/delve/cmd/dlv
+# ---
+cat <<EOF >/etc/profile.d/docker.sh
+export DOCKER_HOST=tcp://10.0.2.2:2375
+EOF
+. /etc/profile.d/docker.sh
+# ---
+(
+    if ! docker version --format '{{.Server.Version}}' >/tmp/docker-server-version; then
+        echo "WARNING: Unable to connect to the docker socket, to enable docker in vagrant run the following command on the host:"
+        echo "docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 alpine/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock"
+    else
+        echo "Using host docker server v$(cat /tmp/docker-server-version)"
+    fi
+)

scripts/provision/generic/centos7/gen-gpg-keys

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e -x
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+  exit_code=$?
+  trap - EXIT INT
+  rm -rf ${TMPDIR}
+  exit ${exit_code}
+}
+trap cleanup EXIT INT
+
+export HOME=${TMPDIR}
+
+gpg --batch --gen-key - <<EOF
+%echo Generating a default key
+Key-Type: default
+Subkey-Type: default
+Name-Real: Rancher
+Name-Comment: CI
+Name-Email: ci@rancher.com
+Expire-Date: 0
+
+# Key-Length: 4096
+# Subkey-Length: 4096
+Passphrase: $PRIVATE_KEY_PASS_PHRASE
+# %no-protection
+# %no-ask-passphrase
+
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+
+gpg --armor --export ci@rancher.com >public.key
+gpg --armor --export-secret-key ci@rancher.com >private.key

scripts/provision/generic/centos7/vagrant

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -ve
+
+download_go
+# ---
+cat <<EOF >/etc/profile.d/build.sh
+export SELINUX=true
+# export DQLITE=true
+# export STATIC_BUILD=true
+EOF
+. /etc/profile.d/build.sh
+# ---
+sed -E 's|apk( -U)?( --no-cache)?( --repository [^ ]*)? add|yum install -y|g' -i /tmp/docker-run
+sed -E 's/-dev/-devel/g' -i /tmp/docker-run
+. /tmp/docker-run
+# ---
+go get -u github.com/go-delve/delve/cmd/dlv
+# ---
+# docker install instructions slightly changed from https://kubernetes.io/docs/setup/production-environment/container-runtimes/
+# default "exec-opts": ["native.cgroupdriver=cgroupfs"], and set "selinux-enabled": true
+yum remove -y docker docker-common
+yum install -y yum-utils device-mapper-persistent-data lvm2
+yum-config-manager --add-repo   https://download.docker.com/linux/centos/docker-ce.repo
+yum update -y && yum install -y   containerd.io-1.2.10   docker-ce-19.03.4   docker-ce-cli-19.03.4
+mkdir -p /etc/docker
+cat > /etc/docker/daemon.json <<EOF
+{
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "100m"
+  },
+  "selinux-enabled": true,
+  "storage-driver": "overlay2",
+  "storage-opts": [
+    "overlay2.override_kernel_check=true"
+  ]
+}
+EOF
+# ---
+systemctl daemon-reload
+systemctl disable --now firewalld
+systemctl disable --now docker
+# ---
+# set selinux to permissive for dev & testing purposes only
+setenforce 0
+sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

scripts/provision/generic/centos7/yum-install-rpm-tools

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e -x
+
+yum install -y git expect yum-utils rpm-build rpm-sign python-deltarpm epel-release
+yum install -y python2-pip
+pip install git+git://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e

scripts/provision/generic/ubuntu1804/vagrant

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -ve
+
+download_go
+# ---
+cat <<EOF >/etc/profile.d/build.sh
+export SELINUX=true
+# export DQLITE=true
+# export STATIC_BUILD=true
+EOF
+. /etc/profile.d/build.sh
+# ---
+apt-get install -y \
+  build-essential \
+  pkg-config \
+  libseccomp-dev \
+  libsqlite3-dev \
+  libselinux1-dev \
+  zlib1g-dev \
+
+# ---
+sed -E 's|apk( -U)?( --no-cache)?( --repository [^ ]*)? add|apt-get install -y|g' -i /tmp/docker-run
+. /tmp/docker-run
+# ---
+go get -u github.com/go-delve/delve/cmd/dlv
+# ---

scripts/provision/vagrant

@@ -0,0 +1,101 @@
+#!/bin/bash
+set -ve
+
+PROVISION="scripts/provision/$BOX/vagrant"
+
+if [ ! -f /etc/vagrant_box_build_time ]; then
+    echo "This script should only be called during vagrant provisioning"
+    exit 1
+fi
+
+if [[ $HOME == /go/* ]]; then
+    echo "Must not launch vagrant from /go/"
+    exit 1
+fi 
+cd
+
+# --- Default to root user for vagrant ssh
+cat <<\EOF >/etc/profile.d/root.sh
+[ $EUID -ne 0 ] && exec sudo -i
+EOF
+
+# --- Setup go version
+if [ -z "${GOPATH}" ]; then
+    GOPATH=$(realpath $HOME/../../../..)
+    echo "WARNING: Assuming GOPATH=$GOPATH"
+else
+    echo "Using parent GOPATH=$GOPATH"
+fi
+
+# --- Setup basic env
+cat <<EOF >/etc/profile.d/env.sh
+export ARCH=amd64
+export GO111MODULE=off
+export GOPATH="$GOPATH"
+export PATH=/usr/local/bin:$PATH:/usr/local/go/bin:$GOPATH/bin
+export HOME="$HOME" && cd
+EOF
+. /etc/profile.d/env.sh
+
+# --- Clean go cache
+rm -rf .cache/go-build || true
+
+# --- Set color prompt
+sed -i 's|:/bin/ash$|:/bin/bash|g' /etc/passwd
+cat <<\EOF >/etc/profile.d/color.sh
+alias ls='ls --color=auto'
+export PS1='\033[31m[ \033[90m\D{%F 🐮 %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h\[\033[35m\]:\[\033[33;1m\]\w\[\033[m\]\$ '
+EOF
+
+# --- Setup install script from docker run commands
+mkdir -p ${GOPATH}/bin
+mkdir -p /go
+ln -sf $GOPATH/bin /go/bin
+sed ':a;N;$!ba;s/\\\n/ /g' <Dockerfile.dapper | grep '^RUN ' | sed -e 's/^RUN //' >/tmp/docker-run
+export BINDIR=/go/bin
+export GOPATH=/go
+export HOME=/tmp
+
+# --- Add k3s motd
+cat <<\EOF >/etc/motd
+               ,        ,
+   ,-----------|'------'| |\    ____
+  /.           '-'@  o|-' | |  /___ \
+ |/|             | .. |   | | __ __) | ____
+   |   .________.'----'   | |/ /|__ < / __/
+   |  ||        |  ||     |   < ___) |\__ \
+   \__|'        \__|'     |_|\_\_____/____/
+
+EOF
+
+# --- Utility function to download go
+download_go() {
+    goversion=$(grep "^FROM " Dockerfile.dapper | sed -e 's/^FROM golang:\(.*\)-.*/\1/')
+    if [ -z "$goversion" ]; then
+        echo "Cannot find version of go to fetch"
+        return 1
+    fi
+    echo "Installing go $goversion"
+    curl -sL https://storage.googleapis.com/golang/go${goversion}.linux-${ARCH}.tar.gz | tar -xzf - -C /usr/local
+}
+
+# --- Utility function to download dqlite
+download_dqlite() {
+    dqliteURL="https://github.com/$(grep dqlite-build Dockerfile.dapper | sed -e 's/^.*--from=\([^ ]*\).*$/\1/' -e 's|:|/releases/download/|')/dqlite-$ARCH.tgz"
+    if [ -z "$dqliteURL" ]; then
+        echo "Cannot find dqlite URL to fetch"
+        return 1
+    fi
+    mkdir -p /usr/src/
+    echo "Downloading DQLITE from $dqliteURL"
+    curl -sL $dqliteURL -o /usr/src/dqlite.tgz
+}
+
+# --- Run vagrant provision script if available
+if [ ! -f "${PROVISION}" ]; then
+  echo 'WARNING: Unable to execute provision script "${PROVISION}"'
+  exit
+fi
+echo "running '${PROVISION}'..." && \
+  . ${PROVISION} && \
+  echo "finished '${PROVISION}'!"

scripts/test

@@ -13,19 +13,18 @@ mkdir -p $artifacts
 
 # ---
 
+[ "$ARCH" = 'arm' ] && \
+  early-exit "Skipping sonobuoy, images not available for $ARCH."
+
 E2E_OUTPUT=$artifacts test-run-sonobuoy
 
 # ---
 
-if [ "$DRONE_BUILD_EVENT" = 'tag' ]; then
+[ "$DRONE_BUILD_EVENT" = 'tag' ] && \
-  printf "\033[33mSkipping remaining tests on tag.\033[m\n"
+  early-exit 'Skipping remaining tests on tag.'
-  exit 0
-fi
 
-if [ "$ARCH" != 'amd64' ]; then
+[ "$ARCH" != 'amd64' ] && \
-  printf "\033[33mSkipping remaining tests, images not available for $ARCH.\033[m\n"
+  early-exit "Skipping remaining tests, images not available for $ARCH."
-  exit 0
-fi
 
 # ---
 

scripts/test-helpers

@@ -437,6 +437,14 @@ export -f provision-cluster
 
 # ---
 
+early-exit() {
+    printf "\033[33m$1\033[m\n"
+    exit $2
+}
+export -f early-exit
+
+# ---
+
 run-test() {
     export PROVISION_LOCK=$(mktemp)
     ./scripts/test-runner $@ &

scripts/test-run-basics

@@ -1,14 +1,38 @@
 #!/bin/bash
 
+all_services=(
+    coredns
+    local-path-provisioner
+    metrics-server
+    traefik
+)
+
 export NUM_SERVERS=1
 export NUM_AGENTS=1
-export SERVER_ARGS='--no-deploy=traefik,coredns,local-storage,metrics-server'
+export WAIT_SERVICES="${all_services[@]}"
 
 start-test() {
     docker exec $(cat $TEST_DIR/servers/1/metadata/name) check-config || true
     verify-valid-versions $(cat $TEST_DIR/servers/1/metadata/name)
+    verify-airgap-images $(cat $TEST_DIR/{servers,agents}/*/metadata/name)
 }
 export -f start-test
 
+# -- check for changes to the airgap image list
+verify-airgap-images() {
+    local airgap_image_list='scripts/airgap/image-list.txt'
+
+    for name in $@; do
+        docker exec $name crictl images -o json \
+            | jq -r '.images[].repoTags[0] | select(. != null)'
+    done | sort -u >$airgap_image_list.tmp
+
+    if ! diff $airgap_image_list{,.tmp}; then
+        echo '[ERROR] Failed airgap image check'
+        return 1
+    fi
+}
+export -f verify-airgap-images
+
 # --- create a basic cluster and check for valid versions
 LABEL=BASICS run-test

scripts/vagrant-provision

@@ -1,85 +0,0 @@
-#!/bin/bash
-set -ve
-
-cd $(dirname $0)/..
-
-if [ ! -f /etc/vagrant_box_build_time ]; then
-    echo "This script should only be called during vagrant provisioning"
-    exit 1
-fi
-
-ARCH=amd64
-if [[ $HOME == /go/* ]]; then
-    echo "Must not launch vagrant from /go/"
-    exit 1
-fi 
-
-if [ -z "${GOPATH}" ]; then
-    GOPATH=$(realpath $HOME/../../../..)
-    echo "WARNING: Assuming GOPATH=$GOPATH"
-else
-    echo "Using parent GOPATH=$GOPATH"
-fi
-goversion=$(grep "^FROM " Dockerfile.dapper | sed -e 's/^FROM golang:\(.*\)-.*/\1/')
-
-if [ -z "$goversion" ]; then
-    echo "Cannot find version of go to fetch"
-    exit 1
-fi
-
-echo "Installing go $goversion"
-apk add -q -f curl libc6-compat tzdata
-curl -sL https://storage.googleapis.com/golang/go${goversion}.linux-${ARCH}.tar.gz | tar -xzf - -C /usr/local
-# ---
-cat <<EOF >/etc/profile.d/build.sh
-export STATIC_BUILD=true
-EOF
-# ---
-cat <<EOF >/etc/profile.d/go.sh
-export GOPATH=$GOPATH
-export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
-EOF
-. /etc/profile.d/go.sh
-# ---
-sed -i 's|:/bin/ash$|:/bin/bash|g' /etc/passwd
-cat <<\EOF >/etc/profile.d/color.sh
-alias ls='ls --color=auto'
-export PS1='\033[31m[ \033[90m\D{%F %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]🐮\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]$ '
-EOF
-# ---
-mkdir -p ${GOPATH}/bin
-mkdir -p /go
-ln -s $GOPATH/bin /go/bin
-sed ':a;N;$!ba;s/\\\n/ /g' <Dockerfile.dapper | grep '^RUN ' | sed -e 's/^RUN //' >/tmp/docker-run
-export BINDIR=/go/bin
-export GOPATH=/go
-export HOME=/tmp && cd
-. /tmp/docker-run
-cd /go
-go get github.com/rancher/trash
-rm -rf /go
-cd
-# ---
-cat <<EOF >/etc/profile.d/docker.sh
-export DOCKER_HOST=tcp://10.0.2.2:2375
-EOF
-. /etc/profile.d/docker.sh
-# ---
-cat <<\EOF >>/etc/motd
-               ,        ,
-   ,-----------|'------'| |\    ____
-  /.           '-'@  o|-' | |  /___ \
- |/|             | .. |   | | __ __) | ____
-   |   .________.'----'   | |/ /|__ < / __/
-   |  ||        |  ||     |   < ___) |\__ \
-   \__|'        \__|'     |_|\_\_____/____/
-
-EOF
-# ---
-set +v
-if ! docker version --format '{{.Server.Version}}' >/tmp/docker-server-version; then
-    echo "WARNING: Unable to connect to the docker socket, to enable docker in vagrant run the following command on the host:"
-    echo "docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 alpine/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock"
-else
-    echo "Using host docker server v$(cat /tmp/docker-server-version)"
-fi

scripts/version.sh

@@ -1,6 +1,15 @@
 #!/bin/bash
 
+ARCH=${ARCH:-$(go env GOARCH)}
+SUFFIX="-${ARCH}"
+GIT_TAG=$DRONE_TAG
 TREE_STATE=clean
+COMMIT=$DRONE_COMMIT
+
+if [ -d .git ]; then
+    if [ -z "$GIT_TAG" ]; then
+        GIT_TAG=$(git tag -l --contains HEAD | head -n 1)
+    fi
     if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
         DIRTY="-dirty"
         TREE_STATE=dirty
@@ -8,13 +17,9 @@ fi
 
     COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\  | head -1)
     if [ -z "${COMMIT}" ]; then
-  COMMIT=$(git rev-parse HEAD)
+    COMMIT=$(git rev-parse HEAD || true)
+    fi
 fi
-
-GIT_TAG=${DRONE_TAG:-$(git tag -l --contains HEAD | head -n 1)}
-
-ARCH=$(go env GOARCH)
-SUFFIX="-${ARCH}"
 
 VERSION_CONTAINERD=$(grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}')
 if [ -z "$VERSION_CONTAINERD" ]; then

vendor/github.com/containerd/containerd/container.go

@@ -36,6 +36,7 @@ import (
 	prototypes "github.com/gogo/protobuf/types"
 	ver "github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 
@@ -242,7 +243,17 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
 		if err != nil {
 			return nil, err
 		}
+		spec, err := c.Spec(ctx)
+		if err != nil {
+			return nil, err
+		}
 		for _, m := range mounts {
+			if spec.Linux != nil && spec.Linux.MountLabel != "" {
+				context := label.FormatMountLabel("", spec.Linux.MountLabel)
+				if context != "" {
+					m.Options = append(m.Options, context)
+				}
+			}
 			request.Rootfs = append(request.Rootfs, &types.Mount{
 				Type:    m.Type,
 				Source:  m.Source,

vendor/github.com/containerd/cri/pkg/server/container_create.go

@@ -39,6 +39,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -173,6 +174,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 		return nil, errors.Wrapf(err, "failed to generate container %q spec", id)
 	}
 
+	meta.ProcessLabel = spec.Process.SelinuxLabel
+	if config.GetLinux().GetSecurityContext().GetPrivileged() {
+		// If privileged don't set the SELinux label but still record it on the container so
+		// the unused MCS label can be release later
+		spec.Process.SelinuxLabel = ""
+	}
+	defer func() {
+		if retErr != nil {
+			_ = label.ReleaseLabel(spec.Process.SelinuxLabel)
+		}
+	}()
+
 	log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec))
 
 	// Set snapshotter before any other options.
@@ -324,7 +337,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 
 func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxPid uint32, config *runtime.ContainerConfig,
 	sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount,
-	ociRuntime config.Runtime) (*runtimespec.Spec, error) {
+	ociRuntime config.Runtime) (retSpec *runtimespec.Spec, retErr error) {
 
 	specOpts := []oci.SpecOpts{
 		customopts.WithoutRunMount,
@@ -366,11 +379,27 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	specOpts = append(specOpts, oci.WithEnv(env))
 
 	securityContext := config.GetLinux().GetSecurityContext()
-	selinuxOpt := securityContext.GetSelinuxOptions()
+	labelOptions := toLabel(securityContext.GetSelinuxOptions())
-	processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
+	if len(labelOptions) == 0 {
+		// Use pod level SELinux config
+		if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil {
+			labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	processLabel, mountLabel, err := label.InitLabels(labelOptions)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
 	}
+	defer func() {
+		if retErr != nil {
+			_ = label.ReleaseLabel(processLabel)
+		}
+	}()
+
 	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
 
 	if !c.config.DisableProcMount {

vendor/github.com/containerd/cri/pkg/server/helpers.go

@@ -298,47 +298,55 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
 	return &newImage, nil
 }
 
-func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) {
+func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
-	if selinuxOpt == nil {
+	if selinuxOptions == nil {
-		return "", "", nil
+		return nil
 	}
 
-	// Should ignored selinuxOpts if they are incomplete.
+	if selinuxOptions.User != "" {
-	if selinuxOpt.GetUser() == "" ||
+		labels = append(labels, "user:"+selinuxOptions.User)
-		selinuxOpt.GetRole() == "" ||
+	}
-		selinuxOpt.GetType() == "" {
+	if selinuxOptions.Role != "" {
-		return "", "", nil
+		labels = append(labels, "role:"+selinuxOptions.Role)
+	}
+	if selinuxOptions.Type != "" {
+		labels = append(labels, "type:"+selinuxOptions.Type)
+	}
+	if selinuxOptions.Level != "" {
+		labels = append(labels, "level:"+selinuxOptions.Level)
 	}
 
-	// make sure the format of "level" is correct.
+	return
-	ok, err := checkSelinuxLevel(selinuxOpt.GetLevel())
+}
-	if err != nil || !ok {
+
+func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) {
+	return initLabels(toLabel(selinuxOpts))
+}
+
+func initLabels(options []string) (string, string, error) {
+	for _, opt := range options {
+		if strings.HasPrefix(opt, "level:") {
+			if err := checkSelinuxLevel(strings.TrimPrefix(opt, "level:")); err != nil {
 				return "", "", err
 			}
-
+		}
-	labelOpts := fmt.Sprintf("%s:%s:%s:%s",
-		selinuxOpt.GetUser(),
-		selinuxOpt.GetRole(),
-		selinuxOpt.GetType(),
-		selinuxOpt.GetLevel())
-
-	options, err := label.DupSecOpt(labelOpts)
-	if err != nil {
-		return "", "", err
 	}
 	return label.InitLabels(options)
 }
 
-func checkSelinuxLevel(level string) (bool, error) {
+func checkSelinuxLevel(level string) error {
 	if len(level) == 0 {
-		return true, nil
+		return nil
 	}
 
 	matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
-	if err != nil || !matched {
+	if err != nil {
-		return false, errors.Wrapf(err, "the format of 'level' %q is not correct", level)
+		return errors.Wrapf(err, "the format of 'level' %q is not correct", level)
 	}
-	return true, nil
+	if !matched {
+		return fmt.Errorf("the format of 'level' %q is not correct", level)
+	}
+	return nil
 }
 
 // isInCRIMounts checks whether a destination is in CRI mount list.

vendor/github.com/containerd/cri/pkg/server/sandbox_run.go

@@ -34,6 +34,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
@@ -158,6 +159,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 		return nil, errors.Wrap(err, "failed to generate sandbox container spec")
 	}
 	log.G(ctx).Debugf("Sandbox container %q spec: %#+v", id, spew.NewFormatter(spec))
+	sandbox.ProcessLabel = spec.Process.SelinuxLabel
+	defer func() {
+		if retErr != nil {
+			_ = label.ReleaseLabel(sandbox.ProcessLabel)
+		}
+	}()
+
+	if securityContext.GetPrivileged() {
+		// If privileged don't set selinux label, but we still record the MCS label so that
+		// the unused label can be freed later.
+		spec.Process.SelinuxLabel = ""
+	}
 
 	var specOpts []oci.SpecOpts
 	userstr, err := generateUserString(
@@ -328,7 +341,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 }
 
 func (c *criService) generateSandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
-	imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (*runtimespec.Spec, error) {
+	imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (retSpec *runtimespec.Spec, retErr error) {
 	// Creates a spec Generator with the default spec.
 	// TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
 	specOpts := []oci.SpecOpts{
@@ -403,11 +416,15 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 		},
 	}))
 
-	selinuxOpt := securityContext.GetSelinuxOptions()
+	processLabel, mountLabel, err := initLabelsFromOpt(securityContext.GetSelinuxOptions())
-	processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
 	}
+	defer func() {
+		if retErr != nil && processLabel != "" {
+			_ = label.ReleaseLabel(processLabel)
+		}
+	}()
 
 	supplementalGroups := securityContext.GetSupplementalGroups()
 	specOpts = append(specOpts,

vendor/github.com/containerd/cri/pkg/server/service.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/plugin"
+	"github.com/containerd/cri/pkg/store/label"
 	cni "github.com/containerd/go-cni"
 	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
@@ -104,14 +105,15 @@ type criService struct {
 // NewCRIService returns a new instance of CRIService
 func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIService, error) {
 	var err error
+	labels := label.NewStore()
 	c := &criService{
 		config:             config,
 		client:             client,
 		apparmorEnabled:    runcapparmor.IsEnabled() && !config.DisableApparmor,
 		seccompEnabled:     runcseccomp.IsEnabled(),
 		os:                 osinterface.RealOS{},
-		sandboxStore:       sandboxstore.NewStore(),
+		sandboxStore:       sandboxstore.NewStore(labels),
-		containerStore:     containerstore.NewStore(),
+		containerStore:     containerstore.NewStore(labels),
 		imageStore:         imagestore.NewStore(client),
 		snapshotStore:      snapshotstore.NewStore(),
 		sandboxNameIndex:   registrar.NewRegistrar(),

vendor/github.com/containerd/cri/pkg/store/container/container.go

@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/cri/pkg/store/label"
 	"github.com/docker/docker/pkg/truncindex"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -101,13 +102,15 @@ type Store struct {
 	lock       sync.RWMutex
 	containers map[string]Container
 	idIndex    *truncindex.TruncIndex
+	labels     *label.Store
 }
 
 // NewStore creates a container store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 	return &Store{
 		containers: make(map[string]Container),
 		idIndex:    truncindex.NewTruncIndex([]string{}),
+		labels:     labels,
 	}
 }
 
@@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error {
 	if _, ok := s.containers[c.ID]; ok {
 		return store.ErrAlreadyExist
 	}
+	if err := s.labels.Reserve(c.ProcessLabel); err != nil {
+		return err
+	}
 	if err := s.idIndex.Add(c.ID); err != nil {
 		return err
 	}
@@ -165,6 +171,7 @@ func (s *Store) Delete(id string) {
 		// So we need to return if there are error.
 		return
 	}
+	s.labels.Release(s.containers[id].ProcessLabel)
 	s.idIndex.Delete(id) // nolint: errcheck
 	delete(s.containers, id)
 }

vendor/github.com/containerd/cri/pkg/store/container/metadata.go

@@ -61,6 +61,8 @@ type Metadata struct {
 	// StopSignal is the system call signal that will be sent to the container to exit.
 	// TODO(random-liu): Add integration test for stop signal.
 	StopSignal string
+	// ProcessLabel is the SELinux process label for the container
+	ProcessLabel string
 }
 
 // MarshalJSON encodes Metadata into bytes in json format.

vendor/github.com/containerd/cri/pkg/store/label/label.go

@@ -0,0 +1,90 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package label
+
+import (
+	"sync"
+
+	"github.com/opencontainers/selinux/go-selinux"
+)
+
+type Store struct {
+	sync.Mutex
+	levels   map[string]int
+	Releaser func(string)
+	Reserver func(string)
+}
+
+func NewStore() *Store {
+	return &Store{
+		levels:   map[string]int{},
+		Releaser: selinux.ReleaseLabel,
+		Reserver: selinux.ReserveLabel,
+	}
+}
+
+func (s *Store) Reserve(label string) error {
+	s.Lock()
+	defer s.Unlock()
+
+	context, err := selinux.NewContext(label)
+	if err != nil {
+		return err
+	}
+
+	level := context["level"]
+	// no reason to count empty
+	if level == "" {
+		return nil
+	}
+
+	if _, ok := s.levels[level]; !ok {
+		s.Reserver(label)
+	}
+
+	s.levels[level]++
+	return nil
+}
+
+func (s *Store) Release(label string) {
+	s.Lock()
+	defer s.Unlock()
+
+	context, err := selinux.NewContext(label)
+	if err != nil {
+		return
+	}
+
+	level := context["level"]
+	if level == "" {
+		return
+	}
+
+	count, ok := s.levels[level]
+	if !ok {
+		return
+	}
+	switch {
+	case count == 1:
+		s.Releaser(label)
+		delete(s.levels, level)
+	case count < 1:
+		delete(s.levels, level)
+	case count > 1:
+		s.levels[level] = count - 1
+	}
+}

vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go

@@ -61,6 +61,8 @@ type Metadata struct {
 	RuntimeHandler string
 	// CNIresult resulting configuration for attached network namespace interfaces
 	CNIResult *cni.CNIResult
+	// ProcessLabel is the SELinux process label for the container
+	ProcessLabel string
 }
 
 // MarshalJSON encodes Metadata into bytes in json format.

vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go

@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/cri/pkg/store/label"
 	"github.com/docker/docker/pkg/truncindex"
 
 	"github.com/containerd/cri/pkg/netns"
@@ -62,13 +63,15 @@ type Store struct {
 	lock      sync.RWMutex
 	sandboxes map[string]Sandbox
 	idIndex   *truncindex.TruncIndex
+	labels    *label.Store
 }
 
 // NewStore creates a sandbox store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 	return &Store{
 		sandboxes: make(map[string]Sandbox),
 		idIndex:   truncindex.NewTruncIndex([]string{}),
+		labels:    labels,
 	}
 }
 
@@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error {
 	if _, ok := s.sandboxes[sb.ID]; ok {
 		return store.ErrAlreadyExist
 	}
+	if err := s.labels.Reserve(sb.ProcessLabel); err != nil {
+		return err
+	}
 	if err := s.idIndex.Add(sb.ID); err != nil {
 		return err
 	}
@@ -125,6 +131,7 @@ func (s *Store) Delete(id string) {
 		// So we need to return if there are error.
 		return
 	}
+	s.labels.Release(s.sandboxes[id].ProcessLabel)
 	s.idIndex.Delete(id) // nolint: errcheck
 	delete(s.sandboxes, id)
 }

vendor/modules.txt

@@ -151,7 +151,7 @@ github.com/container-storage-interface/spec/lib/go/csi
 github.com/containerd/cgroups
 # github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.3-k3s1
+# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.3-k3s2
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
 github.com/containerd/containerd/api/services/containers/v1
@@ -288,7 +288,7 @@ github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/syscallx
 github.com/containerd/continuity/sysx
-# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.3
+# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.4
 github.com/containerd/cri
 github.com/containerd/cri/pkg/annotations
 github.com/containerd/cri/pkg/api/runtimeoptions/v1
@@ -306,6 +306,7 @@ github.com/containerd/cri/pkg/server/io
 github.com/containerd/cri/pkg/store
 github.com/containerd/cri/pkg/store/container
 github.com/containerd/cri/pkg/store/image
+github.com/containerd/cri/pkg/store/label
 github.com/containerd/cri/pkg/store/sandbox
 github.com/containerd/cri/pkg/store/snapshot
 github.com/containerd/cri/pkg/util