runtime-rs: support disable_guest_seccomp

support disable_guest_seccomp

Fixes: #4691
Signed-off-by: Quanwei Zhou <quanweiZhou@linux.alibaba.com>
Quanwei Zhou 2022-07-19 13:11:47 +08:00 committed by quanwei.zqw
parent 540303880e
commit 54f53d57ef
10 changed files with 59 additions and 21 deletions


@ -25,7 +25,7 @@ impl ResourceManager {
sid: &str,
agent: Arc<dyn Agent>,
hypervisor: Arc<dyn Hypervisor>,
toml_config: &TomlConfig,
toml_config: Arc<TomlConfig>,
) -> Result<Self> {
Ok(Self {
inner: Arc::new(RwLock::new(ResourceManagerInner::new(
@ -37,6 +37,11 @@ impl ResourceManager {
})
}
pub async fn config(&self) -> Arc<TomlConfig> {
let inner = self.inner.read().await;
inner.config()
}
pub async fn prepare_before_start_vm(&self, device_configs: Vec<ResourceConfig>) -> Result<()> {
let mut inner = self.inner.write().await;
inner.prepare_before_start_vm(device_configs).await
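Review bot: `ResourceManager::config` takes the inner async read lock on every call only to clone an `Arc`; `toml_config` is set once in `new` and nothing in this commit replaces it, so the lock buys nothing, and keeping the `Arc<TomlConfig>` on `ResourceManager` itself would let `config` return `Arc::clone(&self.toml_config)` without awaiting. Either way the new accessor has no doc comment; `/// Returns a shared handle to the sandbox's TOML configuration.` would do, and the same applies to `ResourceManagerInner::config` in the next file. `prepare_before_start_vm` continues past the end of this hunk.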


@ -24,6 +24,7 @@ use crate::{
pub(crate) struct ResourceManagerInner {
sid: String,
toml_config: Arc<TomlConfig>,
agent: Arc<dyn Agent>,
hypervisor: Arc<dyn Hypervisor>,
network: Option<Arc<dyn Network>>,
@ -39,20 +40,26 @@ impl ResourceManagerInner {
sid: &str,
agent: Arc<dyn Agent>,
hypervisor: Arc<dyn Hypervisor>,
toml_config: &TomlConfig,
toml_config: Arc<TomlConfig>,
) -> Result<Self> {
let cgroups_resource = CgroupsResource::new(sid, &toml_config)?;
Ok(Self {
sid: sid.to_string(),
toml_config,
agent,
hypervisor,
network: None,
share_fs: None,
rootfs_resource: RootFsResource::new(),
volume_resource: VolumeResource::new(),
cgroups_resource: CgroupsResource::new(sid, toml_config)?,
cgroups_resource,
})
}
pub fn config(&self) -> Arc<TomlConfig> {
self.toml_config.clone()
}
pub async fn prepare_before_start_vm(
&mut self,
device_configs: Vec<ResourceConfig>,


@ -36,7 +36,7 @@ pub trait RuntimeHandler: Send + Sync {
&self,
sid: &str,
msg_sender: Sender<Message>,
config: &TomlConfig,
config: Arc<TomlConfig>,
) -> Result<RuntimeInstance>;
fn cleanup(&self, id: &str) -> Result<()>;


@ -7,11 +7,9 @@
use anyhow::Result;
use async_trait::async_trait;
use kata_types::config::TomlConfig;
#[async_trait]
pub trait Sandbox: Send + Sync {
async fn start(&self, netns: Option<String>, config: &TomlConfig) -> Result<()>;
async fn start(&self, netns: Option<String>) -> Result<()>;
async fn stop(&self) -> Result<()>;
async fn cleanup(&self, container_id: &str) -> Result<()>;
async fn shutdown(&self) -> Result<()>;


@ -33,7 +33,7 @@ impl RuntimeHandler for LinuxContainer {
&self,
_sid: &str,
_msg_sender: Sender<Message>,
_config: &TomlConfig,
_config: Arc<TomlConfig>,
) -> Result<RuntimeInstance> {
todo!()
}


@ -40,7 +40,7 @@ impl RuntimeHandlerManagerInner {
async fn init_runtime_handler(
&mut self,
netns: Option<String>,
config: &TomlConfig,
config: Arc<TomlConfig>,
) -> Result<()> {
info!(sl!(), "new runtime handler {}", &config.runtime.name);
let runtime_handler = match config.runtime.name.as_str() {
@ -62,7 +62,7 @@ impl RuntimeHandlerManagerInner {
// start sandbox
runtime_instance
.sandbox
.start(netns, config)
.start(netns)
.await
.context("start sandbox")?;
self.runtime_instance = Some(Arc::new(runtime_instance));
@ -100,7 +100,7 @@ impl RuntimeHandlerManagerInner {
};
let config = load_config(spec).context("load config")?;
self.init_runtime_handler(netns, &config)
self.init_runtime_handler(netns, Arc::new(config))
.await
.context("init runtime handler")?;


@ -78,8 +78,9 @@ impl Container {
pub async fn create(&self, mut spec: oci::Spec) -> Result<()> {
// process oci spec
let mut inner = self.inner.write().await;
let toml_config = self.resource_manager.config().await;
let config = &self.config;
amend_spec(&mut spec).context("load spec")?;
amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("load spec")?;
// handler rootfs
let rootfs = self
@ -372,12 +373,14 @@ impl Container {
}
}
fn amend_spec(spec: &mut oci::Spec) -> Result<()> {
fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
// hook should be done on host
spec.hooks = None;
if let Some(linux) = spec.linux.as_mut() {
if disable_guest_seccomp {
linux.seccomp = None;
}
if let Some(resource) = linux.resources.as_mut() {
resource.devices = Vec::new();
@ -400,3 +403,29 @@ fn amend_spec(spec: &mut oci::Spec) -> Result<()> {
Ok(())
}
#[cfg(test)]
mod tests {
use super::amend_spec;
#[test]
fn test_amend_spec_disable_guest_seccomp() {
let mut spec = oci::Spec {
linux: Some(oci::Linux {
seccomp: Some(oci::LinuxSeccomp::default()),
..Default::default()
}),
..Default::default()
};
assert!(spec.linux.as_ref().unwrap().seccomp.is_some());
// disable_guest_seccomp = false
amend_spec(&mut spec, false).unwrap();
assert!(spec.linux.as_ref().unwrap().seccomp.is_some());
// disable_guest_seccomp = true
amend_spec(&mut spec, true).unwrap();
assert!(spec.linux.as_ref().unwrap().seccomp.is_none());
}
}
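Review bot: `amend_spec` silently discards the seccomp profile carried by the OCI spec when `disable_guest_seccomp` is set, and neither the function nor the new call in `Container::create` documents that the guest agent then receives a spec with no seccomp profile at all. Add a doc comment on `amend_spec` stating that hooks are removed because they run on the host and that `disable_guest_seccomp` clears `linux.seccomp` so the container is created in the guest without the syscall filter the spec requested. Removing a profile the spec actually supplied also deserves an operator-visible log line, e.g. `if linux.seccomp.take().is_some() { warn!(sl!(), "seccomp profile removed from spec: disable_guest_seccomp is set"); }` — assuming this file has the same `sl!()` logger the runtime handler manager uses. The new test checks only the seccomp field; asserting `spec.hooks.is_none()` after the call would pin the existing hook-stripping behaviour as well. `amend_spec` continues outside the second hunk and `Container::create` runs past the first.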


@ -51,9 +51,9 @@ impl RuntimeHandler for VirtContainer {
&self,
sid: &str,
msg_sender: Sender<Message>,
config: &TomlConfig,
config: Arc<TomlConfig>,
) -> Result<RuntimeInstance> {
let hypervisor = new_hypervisor(config).await.context("new hypervisor")?;
let hypervisor = new_hypervisor(&config).await.context("new hypervisor")?;
// get uds from hypervisor and get config from toml_config
let agent = Arc::new(KataAgent::new(kata_types::config::Agent {


@ -15,7 +15,6 @@ use common::{
};
use containerd_shim_protos::events::task::TaskOOM;
use hypervisor::Hypervisor;
use kata_types::config::TomlConfig;
use resource::{
network::{NetworkConfig, NetworkWithNetNsConfig},
ResourceConfig, ResourceManager,
@ -79,10 +78,10 @@ impl VirtSandbox {
&self,
_id: &str,
netns: Option<String>,
config: &TomlConfig,
) -> Result<Vec<ResourceConfig>> {
let mut resource_configs = vec![];
let config = self.resource_manager.config().await;
if let Some(netns_path) = netns {
let network_config = ResourceConfig::Network(NetworkConfig::NetworkResourceWithNetNs(
NetworkWithNetNsConfig {
@ -109,7 +108,7 @@ impl VirtSandbox {
#[async_trait]
impl Sandbox for VirtSandbox {
async fn start(&self, netns: Option<String>, config: &TomlConfig) -> Result<()> {
async fn start(&self, netns: Option<String>) -> Result<()> {
let id = &self.sid;
// if sandbox running, return
@ -127,7 +126,7 @@ impl Sandbox for VirtSandbox {
// generate device and setup before start vm
// should after hypervisor.prepare_vm
let resources = self.prepare_for_start_sandbox(id, netns, config).await?;
let resources = self.prepare_for_start_sandbox(id, netns).await?;
self.resource_manager
.prepare_before_start_vm(resources)
.await


@ -32,7 +32,7 @@ impl RuntimeHandler for WasmContainer {
&self,
_sid: &str,
_msg_sender: Sender<Message>,
_config: &TomlConfig,
_config: Arc<TomlConfig>,
) -> Result<RuntimeInstance> {
todo!()
}