Rename runtime/default to docker default

This commit is contained in:
Pengfei Ni 2017-08-11 16:14:33 +08:00
parent bf01fa2f00
commit c242432a3b
7 changed files with 17 additions and 12 deletions


@ -819,9 +819,8 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols, SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
} }
ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage, ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage, streamingConfig, &pluginSettings,
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory, r.DockerDisableSharedPID)
r.DockerDisableSharedPID)
if err != nil { if err != nil {
return err return err
} }


@ -483,10 +483,11 @@ type LinuxSandboxSecurityContext struct {
// privileged containers are expected to be run. // privileged containers are expected to be run.
Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"` Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
// Seccomp profile for the sandbox, candidate values are: // Seccomp profile for the sandbox, candidate values are:
// * runtime/default: the default profile for the container runtime // * docker/default: the default profile for the docker container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
// Default: "", which is identical with unconfined.
SeccompProfilePath string `protobuf:"bytes,7,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"` SeccompProfilePath string `protobuf:"bytes,7,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
} }
@ -1364,10 +1365,11 @@ type LinuxContainerSecurityContext struct {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference // http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
ApparmorProfile string `protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"` ApparmorProfile string `protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"`
// Seccomp profile for the container, candidate values are: // Seccomp profile for the container, candidate values are:
// * runtime/default: the default profile for the container runtime // * docker/default: the default profile for the docker container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
// Default: "", which is identical with unconfined.
SeccompProfilePath string `protobuf:"bytes,10,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"` SeccompProfilePath string `protobuf:"bytes,10,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
// no_new_privs defines if the flag for no_new_privs should be set on the // no_new_privs defines if the flag for no_new_privs should be set on the
// container. // container.


@ -203,10 +203,11 @@ message LinuxSandboxSecurityContext {
// privileged containers are expected to be run. // privileged containers are expected to be run.
bool privileged = 6; bool privileged = 6;
// Seccomp profile for the sandbox, candidate values are: // Seccomp profile for the sandbox, candidate values are:
// * runtime/default: the default profile for the container runtime // * docker/default: the default profile for the docker container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
// Default: "", which is identical with unconfined.
string seccomp_profile_path = 7; string seccomp_profile_path = 7;
} }
@ -515,10 +516,11 @@ message LinuxContainerSecurityContext {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference // http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
string apparmor_profile = 9; string apparmor_profile = 9;
// Seccomp profile for the container, candidate values are: // Seccomp profile for the container, candidate values are:
// * runtime/default: the default profile for the container runtime // * docker/default: the default profile for the docker container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
// Default: "", which is identical with unconfined.
string seccomp_profile_path = 10; string seccomp_profile_path = 10;
// no_new_privs defines if the flag for no_new_privs should be set on the // no_new_privs defines if the flag for no_new_privs should be set on the
// container. // container.
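Review bot: The added "Default" line in both hunks of this section (the sandbox and the container security context) documents the empty value but not what a runtime must do with a value outside the candidate list, including the retired `runtime/default` spelling; if an unrecognized value is passed through rather than rejected, a typo in a profile path could silently run the sandbox or container without seccomp filtering. Because proto3 cannot distinguish an unset string from `""`, every caller that omits the field gets the unconfined behavior implicitly, which makes an explicit fail-closed statement for the non-empty case more important. If dockershim's `getSeccompDockerOpts` (not visible in this diff) does return an error for unknown values, I would record that contract here with a line such as `// Any other value is rejected by the runtime; it is never treated as unconfined.`, and regenerate the same text into the `api.pb.go` copies this commit also touches.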


@ -78,7 +78,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return []dockerOpt{{"seccomp", b.String(), msg}}, nil return []dockerOpt{{"seccomp", b.String(), msg}}, nil
} }
// getSeccompSecurityOpts gets container seccomp options from container security context. // getSeccompSecurityOpts gets container seccomp options from container seccomp profile.
// It is an experimental feature and may be promoted to official runtime api in the future. // It is an experimental feature and may be promoted to official runtime api in the future.
func getSeccompSecurityOpts(seccompProfile string, separator rune) ([]string, error) { func getSeccompSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
seccompOpts, err := getSeccompDockerOpts(seccompProfile) seccompOpts, err := getSeccompDockerOpts(seccompProfile)
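Review bot: The reworded doc comment on `getSeccompSecurityOpts` keeps the sentence "It is an experimental feature and may be promoted to official runtime api in the future", which looks stale given that this same commit documents `seccomp_profile_path` in the CRI's `LinuxSandboxSecurityContext` and `LinuxContainerSecurityContext`; the `separator` parameter is also left undocumented. I would replace the second comment line with something like `// separator joins each option's name and value (presumably the '=' seen in the tests' seccomp={...} expectations).`, hedged until confirmed against the body, which continues outside this hunk.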


@ -61,7 +61,9 @@ func TestLoadSeccompLocalhostProfiles(t *testing.T) {
expectedOpts []string expectedOpts []string
expectErr bool expectErr bool
}{{ }{{
msg: "Seccomp localhost/test profile", msg: "Seccomp localhost/test profile",
// We are abusing localhost for loading test seccomp profiles.
// The profile should be an absolute path while we are using a relative one.
seccompProfile: "localhost/fixtures/seccomp/test", seccompProfile: "localhost/fixtures/seccomp/test",
expectedOpts: []string{`seccomp={"foo":"bar"}`}, expectedOpts: []string{`seccomp={"foo":"bar"}`},
expectErr: false, expectErr: false,
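Review bot: The added comment concedes that `localhost/fixtures/seccomp/test` is a relative path while the API contract in `api.proto` ("<full-path-to-profile> is the full path of the profile") requires an absolute one, and the test expects it to load successfully. If the production loader behind `getSeccompDockerOpts` accepts relative `localhost/` paths the same way, the profile resolves against the kubelet process's working directory rather than a node-installed location, which is the gap this test is papering over. I would either have the loader reject non-absolute paths and build the fixture path with `filepath.Abs("fixtures/seccomp/test")` in this case, or extend the comment to state that relative paths are deliberately tolerated and why. The test table continues outside this hunk.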


@ -577,8 +577,8 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
case kubetypes.DockerContainerRuntime: case kubetypes.DockerContainerRuntime:
// Create and start the CRI shim running as a grpc server. // Create and start the CRI shim running as a grpc server.
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps) streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage, ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage, streamingConfig,
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName,
crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID) crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID)
if err != nil { if err != nil {
return nil, err return nil, err


@ -258,7 +258,7 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string
} }
// getSeccompProfileFromAnnotations gets seccomp profile from annotations. // getSeccompProfileFromAnnotations gets seccomp profile from annotations.
// It gets pod's profile if containerName is null. // It gets pod's profile if containerName is empty.
func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string { func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string {
// try the pod profile. // try the pod profile.
profile, profileOK := annotations[v1.SeccompPodAnnotationKey] profile, profileOK := annotations[v1.SeccompPodAnnotationKey]