github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-29 12:14:48 +00:00
Code Issues Projects Releases Wiki Activity

agent: Disable seccomp feature on aarch64 temporarily

Browse Source 
In order to pass CI test of aarch64, it is necessary to run
`ci/install_libseccomp.sh` before ruuning unit tests in
`jenkins_job_build.sh`.
However, `ci/install_libseccomp.sh` is not available
until PR #1788 including this commit is merged in the mainline.
Therefore, we disable seccomp feature on aarch64 temporarily.
After #1788 lands and CI is fixed, this commit will be reverted.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This commit is contained in:
Manabu Sugimoto 2021-10-27 18:41:12 +09:00
parent 5dfedc2b19
commit 42add7f201
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/agent/rustjail/Cargo.toml
View File

@ -30,6 +30,9 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
futures = "0.3"
async-trait = "0.1.31"
inotify = "0.9.2"
# Disable libseccomp on aarch64 temporarily in order to pass CI
[target.'cfg(not(target_arch = "aarch64"))'.dependencies]
libseccomp = { version = "0.1.3", optional = true }
[dev-dependencies]

6
src/agent/rustjail/src/container.rs
View File

@ -25,7 +25,7 @@ use crate::cgroups::mock::Manager as FsManager;
use crate::cgroups::Manager;
use crate::log_child;
use crate::process::Process;
#[cfg(feature = "seccomp")]
#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
use crate::seccomp;
use crate::specconv::CreateOpts;
use crate::{mount, validator};
@ -603,7 +603,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
// Without NoNewPrivileges, we need to set seccomp
// before dropping capabilities because the calling thread
// must have the CAP_SYS_ADMIN.
#[cfg(feature = "seccomp")]
#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
if !oci_process.no_new_privileges {
if let Some(ref scmp) = linux.seccomp {
seccomp::init_seccomp(scmp)?;
@ -685,7 +685,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
// With NoNewPrivileges, we should set seccomp as close to
// do_exec as possible in order to reduce the amount of
// system calls in the seccomp profiles.
#[cfg(feature = "seccomp")]
#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
if oci_process.no_new_privileges {
if let Some(ref scmp) = linux.seccomp {
seccomp::init_seccomp(scmp)?;

2
src/agent/rustjail/src/lib.rs
View File

@ -34,7 +34,7 @@ pub mod container;
pub mod mount;
pub mod pipestream;
pub mod process;
#[cfg(feature = "seccomp")]
#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
pub mod seccomp;
pub mod specconv;
pub mod sync;