diff --git a/apis/swagger.yml b/apis/swagger.yml index 8139f2d15..637dfb52e 100644 --- a/apis/swagger.yml +++ b/apis/swagger.yml @@ -2263,16 +2263,6 @@ definitions: MaxLength: 64 The characters of given id should be in 0123456789abcdef. By default, given id is unnecessary. - MaskedPaths: - description: "Masks over the provided paths inside the container." - type: "array" - items: - type: "string" - ReadonlyPaths: - description: "Set the provided paths as RO inside the container." - type: "array" - items: - type: "string" Snapshotter: description: | The snapshotter container choose, can be different with @@ -2494,6 +2484,16 @@ definitions: InitScript: type: "string" description: "Initial script executed in container. The script will be executed before entrypoint or command" + MaskedPaths: + description: "Masks over the provided paths inside the container." + type: "array" + items: + type: "string" + ReadonlyPaths: + description: "Set the provided paths as RO inside the container." + type: "array" + items: + type: "string" - $ref: "#/definitions/Resources" UpdateConfig: diff --git a/apis/types/container_config.go b/apis/types/container_config.go index a7b076b39..910d453e0 100644 --- a/apis/types/container_config.go +++ b/apis/types/container_config.go @@ -77,9 +77,6 @@ type ContainerConfig struct { // MAC address of the container. MacAddress string `json:"MacAddress,omitempty"` - // Masks over the provided paths inside the container. - MaskedPaths []string `json:"MaskedPaths"` - // net priority. NetPriority int64 `json:"NetPriority,omitempty"` @@ -98,9 +95,6 @@ type ContainerConfig struct { // QuotaID string `json:"QuotaID,omitempty"` - // Set the provided paths as RO inside the container. - ReadonlyPaths []string `json:"ReadonlyPaths"` - // Whether to start container in rich container mode. (default false) Rich bool `json:"Rich,omitempty"` diff --git a/apis/types/host_config.go b/apis/types/host_config.go index e30fea090..d1f2aeead 100644 
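Review bot: The descriptions moved into HostConfig, `Masks over the provided paths inside the container.` and `Set the provided paths as RO inside the container.`, do not tell API users how the lists interact with the runtime defaults or with Privileged, which the daemon hunks in this same commit decide: a non-empty list replaces the default set rather than extending it, an omitted or empty list keeps the defaults, and both lists are dropped when Privileged is true. Since this is the API contract clients read, each description should say so, e.g. `A non-empty list replaces the default masked paths entirely; omitted or empty keeps the defaults. Ignored when Privileged is set.` and the ReadonlyPaths equivalent. The same wording would then flow into the generated field comments in apis/types/host_config.go.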
--- a/apis/types/host_config.go +++ b/apis/types/host_config.go @@ -91,6 +91,9 @@ type HostConfig struct { // The logging configuration for this container LogConfig *LogConfig `json:"LogConfig,omitempty"` + // Masks over the provided paths inside the container. + MaskedPaths []string `json:"MaskedPaths"` + // Network mode to use for this container. Supported standard values are: `bridge`, `host`, `none`, and `container:`. Any other value is taken as a custom network's name to which this container should connect to. NetworkMode string `json:"NetworkMode,omitempty"` @@ -116,6 +119,9 @@ type HostConfig struct { // Allocates a random host port for all of a container's exposed ports. PublishAllPorts bool `json:"PublishAllPorts,omitempty"` + // Set the provided paths as RO inside the container. + ReadonlyPaths []string `json:"ReadonlyPaths"` + // Mount the container's root filesystem as read only. ReadonlyRootfs bool `json:"ReadonlyRootfs,omitempty"` @@ -206,6 +212,8 @@ func (m *HostConfig) UnmarshalJSON(raw []byte) error { LogConfig *LogConfig `json:"LogConfig,omitempty"` + MaskedPaths []string `json:"MaskedPaths"` + NetworkMode string `json:"NetworkMode,omitempty"` OomScoreAdj int64 `json:"OomScoreAdj,omitempty"` @@ -218,6 +226,8 @@ func (m *HostConfig) UnmarshalJSON(raw []byte) error { PublishAllPorts bool `json:"PublishAllPorts,omitempty"` + ReadonlyPaths []string `json:"ReadonlyPaths"` + ReadonlyRootfs bool `json:"ReadonlyRootfs,omitempty"` RestartPolicy *RestartPolicy `json:"RestartPolicy,omitempty"` @@ -286,6 +296,8 @@ func (m *HostConfig) UnmarshalJSON(raw []byte) error { m.LogConfig = dataAO0.LogConfig + m.MaskedPaths = dataAO0.MaskedPaths + m.NetworkMode = dataAO0.NetworkMode m.OomScoreAdj = dataAO0.OomScoreAdj @@ -298,6 +310,8 @@ func (m *HostConfig) UnmarshalJSON(raw []byte) error { m.PublishAllPorts = dataAO0.PublishAllPorts + m.ReadonlyPaths = dataAO0.ReadonlyPaths + m.ReadonlyRootfs = dataAO0.ReadonlyRootfs m.RestartPolicy = dataAO0.RestartPolicy 
@@ -377,6 +391,8 @@ func (m HostConfig) MarshalJSON() ([]byte, error) { LogConfig *LogConfig `json:"LogConfig,omitempty"` + MaskedPaths []string `json:"MaskedPaths"` + NetworkMode string `json:"NetworkMode,omitempty"` OomScoreAdj int64 `json:"OomScoreAdj,omitempty"` @@ -389,6 +405,8 @@ func (m HostConfig) MarshalJSON() ([]byte, error) { PublishAllPorts bool `json:"PublishAllPorts,omitempty"` + ReadonlyPaths []string `json:"ReadonlyPaths"` + ReadonlyRootfs bool `json:"ReadonlyRootfs,omitempty"` RestartPolicy *RestartPolicy `json:"RestartPolicy,omitempty"` @@ -454,6 +472,8 @@ func (m HostConfig) MarshalJSON() ([]byte, error) { dataAO0.LogConfig = m.LogConfig + dataAO0.MaskedPaths = m.MaskedPaths + dataAO0.NetworkMode = m.NetworkMode dataAO0.OomScoreAdj = m.OomScoreAdj @@ -466,6 +486,8 @@ func (m HostConfig) MarshalJSON() ([]byte, error) { dataAO0.PublishAllPorts = m.PublishAllPorts + dataAO0.ReadonlyPaths = m.ReadonlyPaths + dataAO0.ReadonlyRootfs = m.ReadonlyRootfs dataAO0.RestartPolicy = m.RestartPolicy diff --git a/cri/v1alpha2/cri.go b/cri/v1alpha2/cri.go index 4ca0184c7..082794649 100644 --- a/cri/v1alpha2/cri.go +++ b/cri/v1alpha2/cri.go @@ -712,8 +712,6 @@ func (c *CriManager) CreateContainer(ctx context.Context, r *runtime.CreateConta NetPriority: config.NetPriority, DiskQuota: resources.GetDiskQuota(), QuotaID: config.GetQuotaId(), - MaskedPaths: config.GetLinux().GetSecurityContext().GetMaskedPaths(), - ReadonlyPaths: config.GetLinux().GetSecurityContext().GetReadonlyPaths(), }, HostConfig: &apitypes.HostConfig{ Binds: generateMountBindings(config.GetMounts()), diff --git a/cri/v1alpha2/cri_utils.go b/cri/v1alpha2/cri_utils.go index 5df46356c..3c14fcac2 100644 --- a/cri/v1alpha2/cri_utils.go +++ b/cri/v1alpha2/cri_utils.go 
@@ -759,6 +759,12 @@ func modifyHostConfig(sc *runtime.LinuxContainerSecurityContext, hostConfig *api if sc.NoNewPrivs { hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges") } + + if !hostConfig.Privileged { + hostConfig.MaskedPaths = sc.GetMaskedPaths() + hostConfig.ReadonlyPaths = sc.GetReadonlyPaths() + } + return nil } diff --git a/cri/v1alpha2/cri_utils_test.go b/cri/v1alpha2/cri_utils_test.go index f6a67de61..273006d41 100644 --- a/cri/v1alpha2/cri_utils_test.go +++ b/cri/v1alpha2/cri_utils_test.go @@ -702,6 +702,8 @@ func Test_modifyHostConfig(t *testing.T) { SeccompProfilePath: mgr.ProfileDockerDefault, ApparmorProfile: mgr.ProfileRuntimeDefault, NoNewPrivs: true, + ReadonlyPaths: []string{"/test/readyonly/path"}, + MaskedPaths: []string{"/test/masked/path"}, }, hostConfig: &apitypes.HostConfig{}, }, @@ -714,6 +716,35 @@ func Test_modifyHostConfig(t *testing.T) { }, wantErr: nil, }, + { + name: "ReadonlypathAndMaskedPathTest", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + Privileged: false, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + ReadonlyPaths: []string{"/test/readyonly/path"}, + MaskedPaths: []string{"/test/masked/path"}, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + Privileged: false, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + SecurityOpt: []string{"no-new-privileges"}, + ReadonlyPaths: []string{"/test/readyonly/path"}, + MaskedPaths: []string{"/test/masked/path"}, + }, + wantErr: nil, + }, { name: "Capabilities Nil Test", args: args{ diff --git a/daemon/mgr/container.go b/daemon/mgr/container.go index 5f7bd81cc..8be7fb91d 100644 --- a/daemon/mgr/container.go 
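Review bot: The new block gates on `hostConfig.Privileged`, so it silently depends on that field having been copied from `sc` earlier in modifyHostConfig, which is outside the hunk; if that assignment is ever moved below this block the guard stops working with no test noticing, so gating on the request itself, `if !sc.Privileged {`, is more robust (the test fixture shows `Privileged` is a plain field on the security context). Because daemon/mgr/container.go in this same commit also clears both lists for privileged containers, the guard here is a courtesy rather than the enforcement point, and a one-line comment saying so would keep a later reader from removing the daemon-side reset: `// the daemon also drops these for privileged containers; this only keeps the request clean`. Note also that `sc.GetMaskedPaths()` and `sc.GetReadonlyPaths()` hand over the protobuf message's backing slices rather than copies, so hostConfig now aliases the CRI request for as long as both live.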
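Review bot: The first test hunk adds ReadonlyPaths/MaskedPaths to an existing security context whose `wantHostConfig` lies outside the hunk, so it is not visible whether that case is the privileged one; if it is, it doubles as the negative test and its name should say so, and if it is not, its expectation must also have changed in a part of the file this diff does not show. The new "ReadonlypathAndMaskedPathTest" case in the second hunk only covers `Privileged: false`; a sibling case with `Privileged: true` and the two lists absent from the expected HostConfig is what actually pins the guard added in modifyHostConfig. The fixture value `/test/readyonly/path` looks like a typo for `readonly`; harmless, but worth fixing while here.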
+++ b/daemon/mgr/container.go @@ -416,21 +416,25 @@ func (mgr *ContainerManager) Create(ctx context.Context, name string, config *ty // set default log driver and validate for logger driver config.HostConfig.LogConfig = mgr.getDefaultLogConfigIfMissing(config.HostConfig.LogConfig) + // set ReadonlyPaths and MaskedPaths to nil if privileged was set. + if config.HostConfig.Privileged { + config.HostConfig.ReadonlyPaths = nil + config.HostConfig.MaskedPaths = nil + } + container := &Container{ State: &types.ContainerState{ Status: types.StatusCreated, StartedAt: time.Time{}.UTC().Format(utils.TimeLayout), FinishedAt: time.Time{}.UTC().Format(utils.TimeLayout), }, - ID: id, - Image: imgID.String(), - Name: name, - Config: &config.ContainerConfig, - Created: time.Now().UTC().Format(utils.TimeLayout), - HostConfig: config.HostConfig, - SnapshotID: snapID, - ReadonlyPaths: config.ReadonlyPaths, - MaskedPaths: config.MaskedPaths, + ID: id, + Image: imgID.String(), + Name: name, + Config: &config.ContainerConfig, + Created: time.Now().UTC().Format(utils.TimeLayout), + HostConfig: config.HostConfig, + SnapshotID: snapID, } if _, err := mgr.initContainerIO(container); err != nil { diff --git a/daemon/mgr/container_types.go b/daemon/mgr/container_types.go index fda840516..f83ea9184 100644 --- a/daemon/mgr/container_types.go +++ b/daemon/mgr/container_types.go @@ -269,12 +269,6 @@ type Container struct { // SnapshotID specify id of the snapshot that container using. SnapshotID string - - // Masks over the provided paths inside the container. - MaskedPaths []string `json:"MaskedPaths,omitempty"` - - // Set the provided paths as RO inside the container. - ReadonlyPaths []string `json:"ReadonlyPaths,omitempty"` } // Key returns container's id. diff --git a/daemon/mgr/spec_linux.go b/daemon/mgr/spec_linux.go index 59d8bd5b7..ab9760ce4 100644 --- a/daemon/mgr/spec_linux.go +++ b/daemon/mgr/spec_linux.go 
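Review bot: The new privileged reset in Create drops the two lists, but nothing in the hunk checks the entries themselves, and the OCI runtime spec requires maskedPaths/readonlyPaths to be absolute paths inside the container; unless the API layer validates them somewhere not shown here, an empty-string or relative entry is handed straight through to the runtime. A short loop over both slices next to the reset, rejecting any `p` for which `!filepath.IsAbs(p)` with the function's existing error return, would stop that at the API boundary. The comment on the reset could also give the reason, since daemon/mgr/spec_linux.go in this commit separately nils the spec's MaskedPaths/ReadonlyPaths when privileged: `// privileged containers are not masked, so do not persist a list that will never apply.` Create begins and ends outside the hunk.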
@@ -69,21 +69,18 @@ func populatePlatform(ctx context.Context, c *Container, specWrapper *SpecWrappe // setup something depend on privileged authority if !c.HostConfig.Privileged { s.Linux.MountLabel = c.MountLabel + + // if MaskedPaths or ReadonlyPaths are set, we will use them, otherwise using the default values. + if len(c.HostConfig.MaskedPaths) > 0 { + s.Linux.MaskedPaths = c.HostConfig.MaskedPaths + } + if len(c.HostConfig.ReadonlyPaths) > 0 { + s.Linux.ReadonlyPaths = c.HostConfig.ReadonlyPaths + } } else { - s.Linux.ReadonlyPaths = nil + // MaskedPaths and ReadonlyPaths have default values, we should reset them when privileged be set s.Linux.MaskedPaths = nil - } - - // Apply masked paths if specified. - if c.MaskedPaths != nil { - s.Linux.MaskedPaths = make([]string, len(c.MaskedPaths)) - copy(s.Linux.MaskedPaths, c.MaskedPaths) - } - - // Apply readonly paths if specified. - if c.ReadonlyPaths != nil { - s.Linux.ReadonlyPaths = make([]string, len(c.ReadonlyPaths)) - copy(s.Linux.ReadonlyPaths, c.ReadonlyPaths) + s.Linux.ReadonlyPaths = nil } // start to setup linux seccomp
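Review bot: The two assignments inside the `!c.HostConfig.Privileged` branch alias the container's HostConfig slices directly into the OCI spec, whereas the removed code copied them with `make`+`copy`; any later mutation of `s.Linux.MaskedPaths` by a subsequent spec step would also change the persisted HostConfig, and vice versa. Since the lengths are already checked, `s.Linux.MaskedPaths = append([]string(nil), c.HostConfig.MaskedPaths...)` (and the same for ReadonlyPaths) keeps the isolation at negligible cost. The `len(...) > 0` gate also means a non-empty client list replaces whatever default set was presumably populated into the spec before this point rather than extending it, so a single-entry list removes the protection of every default entry; if that is the intended, Docker-compatible contract, the comment should state it: `// a non-empty list replaces the default set entirely; an empty list keeps the defaults`. populatePlatform begins and ends outside the hunk.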