diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go index 5cb2dd481d1..f29bd9668b3 100644 --- a/pkg/kubelet/dockershim/security_context.go +++ b/pkg/kubelet/dockershim/security_context.go @@ -123,11 +123,13 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig * // modifySandboxNamespaceOptions apply namespace options for sandbox func modifySandboxNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig, network *knetwork.PluginManager) { hostNetwork := false + hostIpc := false if nsOpts != nil { hostNetwork = nsOpts.HostNetwork + hostIpc = nsOpts.HostIpc } modifyCommonNamespaceOptions(nsOpts, hostConfig) - modifyHostNetworkOptionForSandbox(hostNetwork, network, hostConfig) + modifyHostOptionsForSandbox(hostNetwork, hostIpc, network, hostConfig) } // modifyContainerNamespaceOptions apply namespace options for container @@ -138,23 +140,22 @@ func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSand } hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", podSandboxID)) modifyCommonNamespaceOptions(nsOpts, hostConfig) - modifyHostNetworkOptionForContainer(hostNetwork, podSandboxID, hostConfig) + modifyHostOptionsForContainer(hostNetwork, podSandboxID, hostConfig) } // modifyCommonNamespaceOptions apply common namespace options for sandbox and container func modifyCommonNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig) { - if nsOpts != nil { - if nsOpts.HostPid { - hostConfig.PidMode = namespaceModeHost - } - if nsOpts.HostIpc { - hostConfig.IpcMode = namespaceModeHost - } + if nsOpts != nil && nsOpts.HostPid { + hostConfig.PidMode = namespaceModeHost } } -// modifyHostNetworkOptionForSandbox applies NetworkMode/UTSMode to sandbox's dockercontainer.HostConfig. -func modifyHostNetworkOptionForSandbox(hostNetwork bool, network *knetwork.PluginManager, hc *dockercontainer.HostConfig) { +// modifyHostOptionsForSandbox applies NetworkMode/UTSMode to sandbox's dockercontainer.HostConfig. +func modifyHostOptionsForSandbox(hostNetwork bool, hostIpc bool, network *knetwork.PluginManager, hc *dockercontainer.HostConfig) { + if hostIpc { + hc.IpcMode = namespaceModeHost + } + if hostNetwork { hc.NetworkMode = namespaceModeHost return @@ -175,8 +176,8 @@ func modifyHostNetworkOptionForSandbox(hostNetwork bool, network *knetwork.Plugi } } -// modifyHostNetworkOptionForContainer applies NetworkMode/UTSMode to container's dockercontainer.HostConfig. -func modifyHostNetworkOptionForContainer(hostNetwork bool, podSandboxID string, hc *dockercontainer.HostConfig) { +// modifyHostOptionsForContainer applies NetworkMode/UTSMode to container's dockercontainer.HostConfig. +func modifyHostOptionsForContainer(hostNetwork bool, podSandboxID string, hc *dockercontainer.HostConfig) { sandboxNSMode := fmt.Sprintf("container:%v", podSandboxID) hc.NetworkMode = dockercontainer.NetworkMode(sandboxNSMode) hc.IpcMode = dockercontainer.IpcMode(sandboxNSMode) diff --git a/test/e2e/common/util.go b/test/e2e/common/util.go index 2edfd8de7e5..2743207f028 100644 --- a/test/e2e/common/util.go +++ b/test/e2e/common/util.go @@ -53,6 +53,7 @@ var CurrentSuite Suite var CommonImageWhiteList = sets.NewString( "busybox", imageutils.GetE2EImage(imageutils.EntrypointTester), + imageutils.GetE2EImage(imageutils.IpcUtils), imageutils.GetE2EImage(imageutils.Liveness), imageutils.GetE2EImage(imageutils.Mounttest), imageutils.GetE2EImage(imageutils.MounttestUser), diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go index af67c721df7..6bdda7308de 100644 --- a/test/e2e_node/security_context_test.go +++ b/test/e2e_node/security_context_test.go @@ -140,7 +140,7 @@ var _ = framework.KubeDescribe("Security Context", func() { } createAndWaitHostIPCPod := func(podName string, hostNetwork bool) { podClient.Create(makeHostIPCPod(podName, - busyboxImage, + imageutils.GetE2EImage(imageutils.IpcUtils), []string{"sh", "-c", "ipcs -m | awk '{print $2}'"}, hostNetwork, )) @@ -150,7 +150,7 @@ var _ = framework.KubeDescribe("Security Context", func() { hostSharedMemoryID := "" BeforeEach(func() { - output, err := exec.Command("sh", "-c", "ipcmk -M 1M | awk '{print $NF}'").Output() + output, err := exec.Command("sh", "-c", "ipcmk -M 1048576 | awk '{print $NF}'").Output() if err != nil { framework.Failf("Failed to create the shared memory on the host: %v", err) } @@ -159,30 +159,30 @@ var _ = framework.KubeDescribe("Security Context", func() { }) It("should show the shared memory ID in the host IPC containers", func() { - busyboxPodName := "busybox-hostipc-" + string(uuid.NewUUID()) - createAndWaitHostIPCPod(busyboxPodName, true) - logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName) + ipcutilsPodName := "ipcutils-hostipc-" + string(uuid.NewUUID()) + createAndWaitHostIPCPod(ipcutilsPodName, true) + logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, ipcutilsPodName, ipcutilsPodName) if err != nil { - framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err) + framework.Failf("GetPodLogs for pod %q failed: %v", ipcutilsPodName, err) } podSharedMemoryIDs := strings.TrimSpace(logs) - framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, busyboxPodName) + framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, ipcutilsPodName) if !strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) { framework.Failf("hostIPC container should show shared memory IDs on host") } }) It("should not show the shared memory ID in the non-hostIPC containers", func() { - busyboxPodName := "busybox-non-hostipc-" + string(uuid.NewUUID()) - createAndWaitHostIPCPod(busyboxPodName, false) - logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName) + ipcutilsPodName := "ipcutils-non-hostipc-" + string(uuid.NewUUID()) + createAndWaitHostIPCPod(ipcutilsPodName, false) + logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, ipcutilsPodName, ipcutilsPodName) if err != nil { - framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err) + framework.Failf("GetPodLogs for pod %q failed: %v", ipcutilsPodName, err) } podSharedMemoryIDs := strings.TrimSpace(logs) - framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, busyboxPodName) + framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, ipcutilsPodName) if strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) { framework.Failf("non-hostIPC container should not show shared memory IDs on host") } diff --git a/test/images/ipc-utils/BASEIMAGE b/test/images/ipc-utils/BASEIMAGE new file mode 100644 index 00000000000..114844f395e --- /dev/null +++ b/test/images/ipc-utils/BASEIMAGE @@ -0,0 +1,4 @@ +amd64=alpine:3.6 +arm=arm32v6/alpine:3.6 +arm64=arm64v8/alpine:3.6 +ppc64le=ppc64le/alpine:3.6 diff --git a/test/images/ipc-utils/Dockerfile b/test/images/ipc-utils/Dockerfile new file mode 100644 index 00000000000..3edaa272083 --- /dev/null +++ b/test/images/ipc-utils/Dockerfile @@ -0,0 +1,19 @@ +# Copyright 2018 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM BASEIMAGE + +CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/ + +RUN apk add --no-cache util-linux diff --git a/test/images/ipc-utils/VERSION b/test/images/ipc-utils/VERSION new file mode 100644 index 00000000000..d3827e75a5c --- /dev/null +++ b/test/images/ipc-utils/VERSION @@ -0,0 +1 @@ +1.0 diff --git a/test/utils/image/manifest.go b/test/utils/image/manifest.go index bac17165482..3e9ebdadd9b 100644 --- a/test/utils/image/manifest.go +++ b/test/utils/image/manifest.go @@ -65,6 +65,7 @@ var ( GBRedisSlave = ImageConfig{sampleRegistry, "gb-redisslave", "v2", true} Goproxy = ImageConfig{e2eRegistry, "goproxy", "1.0", true} Hostexec = ImageConfig{e2eRegistry, "hostexec", "1.0", true} + IpcUtils = ImageConfig{e2eRegistry, "ipc-utils", "1.0", true} Iperf = ImageConfig{e2eRegistry, "iperf", "1.0", true} JessieDnsutils = ImageConfig{e2eRegistry, "jessie-dnsutils", "1.0", true} Kitten = ImageConfig{e2eRegistry, "kitten", "1.0", true}