Commit d5dd57f

Refactor container mount setup functions and improve SELinux label handling
Signed-off-by: Ayato Tokubi <[email protected]>
1 parent 4e2f7db commit d5dd57f


2 files changed

+31
-31
lines changed


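--- a/server/container_create.go
+++ b/server/container_create.go
@@ -677,7 +677,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr container.Conta
 }
 }()
 
-mountLabel, processLabel, hostNet, maybeRelabel, skipRelabel := s.configureSELinuxLabels(ctr, sb, containerInfo, securityContext)
+mountLabel, processLabel, maybeRelabel, skipRelabel, err := s.configureSELinuxLabels(ctr, sb, containerInfo, securityContext)
+if err != nil {
+return nil, err
+}
 
 cgroup2RWAnnotation, _ := v2.GetAnnotationValue(sb.Annotations(), v2.Cgroup2MountHierarchyRW)
 cgroup2RW := node.CgroupIsV2() && cgroup2RWAnnotation == "true"
@@ -798,6 +801,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr container.Conta
 return nil, err
 }
 
+hostNet := securityContext.GetNamespaceOptions().GetNetwork() == types.NamespaceMode_NODE
 addSysfsMounts(ctr, containerConfig, hostNet, sb, containerMappings)
 
 containerImageConfig := containerInfo.Config
@@ -817,7 +821,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr container.Conta
 
 addShmMount(ctr, sb)
 
-if err := s.setupContainerMounts(ctr, sb, containerConfig, mountLabel, hostNet, specgen); err != nil {
+if err := s.setupBaseContainerMounts(ctr, sb, containerConfig, mountLabel, hostNet, specgen); err != nil {
 return nil, err
 }
 
@@ -855,7 +859,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr container.Conta
 return nil, err
 }
 
-processLabel, err = s.setupContainerMountsAndSystemd(ctr, sb, containerInfo, containerIDMappings, mountPoint, mountLabel, processLabel, ociMounts, volumeMounts, specgen)
+err = s.setupContainerMounts(ctr, sb, containerInfo, containerIDMappings, mountPoint, mountLabel, ociMounts, volumeMounts, specgen)
 if err != nil {
 return nil, err
 }
@@ -966,7 +970,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr container.Conta
 return ociContainer, nil
 }
 
-func (s *Server) setupContainerMountsAndSystemd(ctr container.Container, sb *sandbox.Sandbox, containerInfo *storage.ContainerInfo, containerIDMappings *idtools.IDMappings, mountPoint, mountLabel, processLabel string, ociMounts, volumeMounts []rspec.Mount, specgen *generate.Generator) (string, error) {
+func (s *Server) setupContainerMounts(ctr container.Container, sb *sandbox.Sandbox, containerInfo *storage.ContainerInfo, containerIDMappings *idtools.IDMappings, mountPoint, mountLabel string, ociMounts, volumeMounts []rspec.Mount, specgen *generate.Generator) error {
 rootUID, rootGID := 0, 0
 
 if containerIDMappings != nil {
@@ -989,7 +993,7 @@ func (s *Server) setupContainerMountsAndSystemd(ctr container.Container, sb *san
 disableFIPSAnnotation, _ := v2.GetAnnotationValue(sb.Annotations(), v2.DisableFIPS)
 if ctr.DisableFips() && disableFIPSAnnotation == "true" {
 if err := disableFipsForContainer(ctr, containerInfo.RunDir); err != nil {
-return "", fmt.Errorf("failed to disable FIPS for container %s: %w", ctr.ID(), err)
+return fmt.Errorf("failed to disable FIPS for container %s: %w", ctr.ID(), err)
 }
 }
 
@@ -1012,23 +1016,7 @@ func (s *Server) setupContainerMountsAndSystemd(ctr container.Container, sb *san
 ctr.SpecAddMount(rspecMount)
 }
 
-if ctr.WillRunSystemd() {
-var err error
-
-// Don't override the process label if it was already set.
-// Otherwise, it should be set container_init_t to run the init process
-// in a container.
-if processLabel == "" {
-processLabel, err = InitLabel(processLabel)
-if err != nil {
-return "", err
-}
-}
-
-setupSystemd(specgen.Mounts(), *specgen)
-}
-
-return processLabel, nil
+return nil
 }
 
 func (s *Server) setupContainerEnvironmentAndWorkdir(ctx context.Context, specgen *generate.Generator, containerConfig *types.ContainerConfig, containerImageConfig *v1.Image, containerInfo *storage.ContainerInfo, mountPoint, mountLabel string, linux *types.LinuxContainerConfig, securityContext *types.LinuxContainerSecurityContext) ([]rspec.Mount, error) {
@@ -1130,7 +1118,7 @@ func (s *Server) setupSeccomp(ctx context.Context, ctr container.Container, sb *
 return seccompRef, nil
 }
 
-func (s *Server) setupContainerMounts(ctr container.Container, sb *sandbox.Sandbox, containerConfig *types.ContainerConfig, mountLabel string, hostNet bool, specgen *generate.Generator) error {
+func (s *Server) setupBaseContainerMounts(ctr container.Container, sb *sandbox.Sandbox, containerConfig *types.ContainerConfig, mountLabel string, hostNet bool, specgen *generate.Generator) error {
 options := []string{"rw"}
 if ctr.ReadOnly(s.config.ReadOnly) {
 options = []string{"ro"}
@@ -1189,13 +1177,17 @@ func (s *Server) setupContainerMounts(ctr container.Container, sb *sandbox.Sandb
 setOCIBindMountsPrivileged(specgen)
 }
 
+if ctr.WillRunSystemd() {
+setupSystemdMounts(specgen)
+}
+
 return nil
 }
 
 // configureSELinuxLabels determines the appropriate SELinux labels for a container based on its
 // security context and namespace configuration. It returns the mount and process labels, along with
 // flags indicating network mode and whether volume relabeling should be skipped or made optional.
-func (s *Server) configureSELinuxLabels(ctr container.Container, sb *sandbox.Sandbox, containerInfo *storage.ContainerInfo, securityContext *types.LinuxContainerSecurityContext) (mountLabel, processLabel string, hostNet, maybeRelabel, skipRelabel bool) {
+func (s *Server) configureSELinuxLabels(ctr container.Container, sb *sandbox.Sandbox, containerInfo *storage.ContainerInfo, securityContext *types.LinuxContainerSecurityContext) (mountLabel, processLabel string, maybeRelabel, skipRelabel bool, err error) {
 mountLabel = containerInfo.MountLabel
 
 if !ctr.Privileged() {
@@ -1204,7 +1196,7 @@ func (s *Server) configureSELinuxLabels(ctr container.Container, sb *sandbox.San
 
 hostIPC := securityContext.GetNamespaceOptions().GetIpc() == types.NamespaceMode_NODE
 hostPID := securityContext.GetNamespaceOptions().GetPid() == types.NamespaceMode_NODE
-hostNet = securityContext.GetNamespaceOptions().GetNetwork() == types.NamespaceMode_NODE
+hostNet := securityContext.GetNamespaceOptions().GetNetwork() == types.NamespaceMode_NODE
 
 // Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
 if hostPID || hostIPC {
@@ -1215,22 +1207,29 @@ func (s *Server) configureSELinuxLabels(ctr container.Container, sb *sandbox.San
 processLabel = ""
 }
 
+// Don't override the process label if it was already set.
+// Otherwise, it should be set container_init_t to run the init process
+// in a container.
+if processLabel == "" {
+processLabel, err = InitLabel(processLabel)
+if err != nil {
+return "", "", false, false, err
+}
+}
+
 if val, present := v2.GetAnnotationValue(sb.Annotations(), v2.TrySkipVolumeSELinuxLabel); present && val == "true" {
 maybeRelabel = true
 }
 
 const superPrivilegedType = "spc_t"
 
 if securityContext.GetSelinuxOptions().GetType() == superPrivilegedType || // super privileged container
-(ctr.SandboxConfig().GetLinux() != nil &&
-ctr.SandboxConfig().GetLinux().GetSecurityContext() != nil &&
-ctr.SandboxConfig().GetLinux().GetSecurityContext().GetSelinuxOptions() != nil &&
-ctr.SandboxConfig().GetLinux().GetSecurityContext().GetSelinuxOptions().GetType() == superPrivilegedType && // super privileged pod
+(ctr.SandboxConfig().GetLinux().GetSecurityContext().GetSelinuxOptions().GetType() == superPrivilegedType && // super privileged pod
 securityContext.GetSelinuxOptions().GetType() == "") {
 skipRelabel = true
 }
 
-return mountLabel, processLabel, hostNet, maybeRelabel, skipRelabel
+return mountLabel, processLabel, maybeRelabel, skipRelabel, nil
 }
 
 // createStorageContainer creates the storage layer container with the specified image and ID mappings.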
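Review bot: In the last hunk of configureSELinuxLabels, the InitLabel call that previously ran only under `ctr.WillRunSystemd()` now runs for every container whose processLabel is empty, including the host-PID/host-IPC case a few lines above where the label is deliberately cleared to switch SELinux separation off. Unless InitLabel returns an empty label for an empty input — which the retained comment ("it should be set container_init_t to run the init process") suggests it does not — non-systemd and host-namespace containers now get a different process label than before, and neither the commit message nor a test records that as intended. I would restore the guard, `if processLabel == "" && ctr.WillRunSystemd() {`, or compute the init label in the systemd branch of setupBaseContainerMounts, and add a test asserting that a hostPID container still ends with an empty process label. Separately, the doc comment above the function still says it returns a flag "indicating network mode", but hostNet is no longer returned, so that phrase should be dropped.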

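--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -655,8 +655,9 @@ func mountExists(specMounts []rspec.Mount, dest string) bool {
 
 // systemd expects to have /run, /run/lock and /tmp on tmpfs
 // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal.
-func setupSystemd(mounts []rspec.Mount, g generate.Generator) {
+func setupSystemdMounts(g *generate.Generator) {
 options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"}
+mounts := g.Mounts()
 
 for _, dest := range []string{"/run", "/run/lock"} {
 if mountExists(mounts, dest) {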
