Merge pull request #334 from keloyang/spec-compatibility

make sure kataAgent/createContainer can decode old specs.Spec
2025-08-25 19:21:53 +00:00 · 2018-06-04 11:29:39 +08:00 · 2018-06-04 11:29:39 +08:00 · 813c8c3b56
commit 813c8c3b56
parent fdb6d957c8 9a0434d6bf
3 changed files with 123 additions and 12 deletions
--- a/cli/main_test.go
+++ b/cli/main_test.go
@ -421,7 +421,11 @@ func readOCIConfigFile(configPath string) (oci.CompatOCISpec, error) {
 	if err := json.Unmarshal(data, &ociSpec); err != nil {
 		return oci.CompatOCISpec{}, err
 	}
-
+	caps, err := oci.ContainerCapabilities(ociSpec)
+	if err != nil {
+		return oci.CompatOCISpec{}, err
+	}
+	ociSpec.Process.Capabilities = caps
 	return ociSpec, nil
 }

--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@ -323,6 +323,14 @@ func containerCapabilities(s CompatOCISpec) (vc.LinuxCapabilities, error) {
 	return c, nil
 }

+// ContainerCapabilities return a LinuxCapabilities for virtcontainer
+func ContainerCapabilities(s CompatOCISpec) (vc.LinuxCapabilities, error) {
+	if s.Process == nil {
+		return vc.LinuxCapabilities{}, fmt.Errorf("ContainerCapabilities, Process is nil")
+	}
+	return containerCapabilities(s)
+}
+
 func networkConfig(ocispec CompatOCISpec, config RuntimeConfig) (vc.NetworkConfig, error) {
 	linux := ocispec.Linux
 	if linux == nil {
@ -368,6 +376,11 @@ func ParseConfigJSON(bundlePath string) (CompatOCISpec, error) {
 	if err := json.Unmarshal(configByte, &ocispec); err != nil {
 		return CompatOCISpec{}, err
 	}
+	caps, err := ContainerCapabilities(ocispec)
+	if err != nil {
+		return CompatOCISpec{}, err
+	}
+	ocispec.Process.Capabilities = caps

 	return ocispec, nil
 }
@ -557,9 +570,12 @@ func ContainerConfig(ocispec CompatOCISpec, bundlePath, cid, console string, det
 		return vc.ContainerConfig{}, err
 	}

-	cmd.Capabilities, err = containerCapabilities(ocispec)
-	if err != nil {
-		return vc.ContainerConfig{}, err
+	if ocispec.Process != nil {
+		caps, ok := ocispec.Process.Capabilities.(vc.LinuxCapabilities)
+		if !ok {
+			return vc.ContainerConfig{}, fmt.Errorf("Unexpected format for capabilities: %v", ocispec.Process.Capabilities)
+		}
+		cmd.Capabilities = caps
 	}

 	var resources vc.ContainerResources
--- a/virtcontainers/pkg/oci/utils_test.go
+++ b/virtcontainers/pkg/oci/utils_test.go
@ -24,11 +24,54 @@ import (
 	vcAnnotations "github.com/kata-containers/runtime/virtcontainers/pkg/annotations"
 )

-const tempBundlePath = "/tmp/virtc/ocibundle/"
-const containerID = "virtc-oci-test"
-const consolePath = "/tmp/virtc/console"
-const fileMode = os.FileMode(0640)
-const dirMode = os.FileMode(0750)
+const (
+	tempBundlePath = "/tmp/virtc/ocibundle/"
+	containerID    = "virtc-oci-test"
+	consolePath    = "/tmp/virtc/console"
+	fileMode       = os.FileMode(0640)
+	dirMode        = os.FileMode(0750)
+
+	capabilitiesSpecArray = `
+		{
+		    "ociVersion": "1.0.0-rc2-dev",
+		    "process": {
+		        "capabilities": [
+		            "CAP_CHOWN",
+		            "CAP_DAC_OVERRIDE",
+		            "CAP_FSETID"
+		        ]
+		    }
+		}`
+
+	capabilitiesSpecStruct = `
+		{
+		    "ociVersion": "1.0.0-rc5",
+		    "process": {
+		        "capabilities": {
+		            "bounding": [
+		                "CAP_CHOWN",
+		                "CAP_DAC_OVERRIDE",
+		                "CAP_FSETID"
+		            ],
+		            "effective": [
+		                "CAP_CHOWN",
+		                "CAP_DAC_OVERRIDE",
+		                "CAP_FSETID"
+		            ],
+		            "inheritable": [
+		                "CAP_CHOWN",
+		                "CAP_DAC_OVERRIDE",
+		                "CAP_FSETID"
+		            ],
+		            "permitted": [
+		                "CAP_CHOWN",
+		                "CAP_DAC_OVERRIDE",
+		                "CAP_FSETID"
+		            ]
+		        }
+		    }
+		}`
+)

 func createConfig(fileName string, fileData string) (string, error) {
 	configPath := path.Join(tempBundlePath, fileName)
@ -127,6 +170,13 @@ func TestMinimalSandboxConfig(t *testing.T) {
 	if err := json.Unmarshal([]byte(minimalConfig), &minimalOCISpec); err != nil {
 		t.Fatal(err)
 	}
+	if minimalOCISpec.Process != nil {
+		caps, err := ContainerCapabilities(minimalOCISpec)
+		if err != nil {
+			t.Fatal(err)
+		}
+		minimalOCISpec.Process.Capabilities = caps
+	}
 	ociSpecJSON, err := json.Marshal(minimalOCISpec)
 	if err != nil {
 		t.Fatal(err)
@ -719,7 +769,7 @@ func TestContainerCapabilities(t *testing.T) {
 		"ambient":     []interface{}{""},
 	}

-	c, err := containerCapabilities(ociSpec)
+	c, err := ContainerCapabilities(ociSpec)
 	assert.Nil(t, err)
 	assert.Equal(t, c.Bounding, []string{"CAP_KILL"})
 	assert.Equal(t, c.Effective, []string{"CAP_KILL", "CAP_LEASE"})
@ -729,7 +779,7 @@ func TestContainerCapabilities(t *testing.T) {

 	ociSpec.Process.Capabilities = []interface{}{"CAP_LEASE", "CAP_SETUID"}

-	c, err = containerCapabilities(ociSpec)
+	c, err = ContainerCapabilities(ociSpec)
 	assert.Nil(t, err)
 	assert.Equal(t, c.Bounding, []string{"CAP_LEASE", "CAP_SETUID"})
 	assert.Equal(t, c.Effective, []string{"CAP_LEASE", "CAP_SETUID"})
@ -739,7 +789,7 @@ func TestContainerCapabilities(t *testing.T) {

 	ociSpec.Process.Capabilities = nil

-	c, err = containerCapabilities(ociSpec)
+	c, err = ContainerCapabilities(ociSpec)
 	assert.Nil(t, err)
 	assert.Equal(t, c.Bounding, []string(nil))
 	assert.Equal(t, c.Effective, []string(nil))
@ -748,6 +798,47 @@ func TestContainerCapabilities(t *testing.T) {
 	assert.Equal(t, c.Ambient, []string(nil))
 }

+// use specs.Spec to decode the spec, the content of capabilities is [] string
+func TestCompatOCISpecWithArray(t *testing.T) {
+	compatOCISpec := CompatOCISpec{}
+	err := json.Unmarshal([]byte(capabilitiesSpecArray), &compatOCISpec)
+	assert.Nil(t, err, "use CompatOCISpec to decode capabilitiesSpecArray failed")
+
+	ociSpecJSON, err := json.Marshal(compatOCISpec)
+	assert.Nil(t, err, "encode compatOCISpec failed")
+
+	// use specs.Spec to decode the spec, specs.Spec' capabilities is struct,
+	// but the content of spec' capabilities is [] string
+	ociSpec := specs.Spec{}
+	err = json.Unmarshal(ociSpecJSON, &ociSpec)
+	assert.NotNil(t, err, "This test should fail")
+
+	caps, err := ContainerCapabilities(compatOCISpec)
+	assert.Nil(t, err, "decode capabilities failed")
+	compatOCISpec.Process.Capabilities = caps
+
+	ociSpecJSON, err = json.Marshal(compatOCISpec)
+	assert.Nil(t, err, "encode compatOCISpec failed")
+
+	// capabilities has been chaged to struct
+	err = json.Unmarshal(ociSpecJSON, &ociSpec)
+	assert.Nil(t, err, "This test should fail")
+}
+
+// use specs.Spec to decode the spec, the content of capabilities is struct
+func TestCompatOCISpecWithStruct(t *testing.T) {
+	compatOCISpec := CompatOCISpec{}
+	err := json.Unmarshal([]byte(capabilitiesSpecStruct), &compatOCISpec)
+	assert.Nil(t, err, "use CompatOCISpec to decode capabilitiesSpecStruct failed")
+
+	ociSpecJSON, err := json.Marshal(compatOCISpec)
+	assert.Nil(t, err, "encode compatOCISpec failed")
+
+	ociSpec := specs.Spec{}
+	err = json.Unmarshal(ociSpecJSON, &ociSpec)
+	assert.Nil(t, err, "This test should not fail")
+}
+
 func TestMain(m *testing.M) {
 	/* Create temp bundle directory if necessary */
 	err := os.MkdirAll(tempBundlePath, dirMode)