cri-o · openshift-merge-bot · Feb 21, 2025 · Feb 3, 2024 · Feb 3, 2024 · Feb 4, 2024
@@ -68,6 +68,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.34.0
 	go.opentelemetry.io/otel/trace v1.34.0
 	go.uber.org/mock v0.5.0
+	golang.org/x/net v0.34.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
 	google.golang.org/grpc v1.70.0
@@ -221,7 +222,6 @@ require (
 	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
 	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect

@@ -23,3 +23,7 @@ func (d *Config) LoadDevices(devsFromConfig []string) error {
 func (d *Config) Devices() []Device {
 	return nil
 }
+
+func DevicesFromAnnotation(annotation string, allowedDevices []string) ([]Device, error) {
+	return []Device{}, nil
+}
@@ -17,7 +17,6 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	validate "github.com/opencontainers/runtime-tools/validate/capabilities"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
 	types "k8s.io/cri-api/pkg/apis/runtime/v1"
@@ -523,38 +522,6 @@ func (c *container) ReadOnly(serverIsReadOnly bool) bool {
 	return serverIsReadOnly
 }
 
-// SelinuxLabel returns the container's SelinuxLabel
-// it takes the sandbox's label, which it falls back upon.
-func (c *container) SelinuxLabel(sboxLabel string) ([]string, error) {
-	selinuxConfig := c.config.Linux.SecurityContext.SelinuxOptions
-
-	labels := map[string]string{}
-
-	labelOptions, err := label.DupSecOpt(sboxLabel)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, r := range labelOptions {
-		k := strings.Split(r, ":")[0]
-		labels[k] = r
-	}
-
-	if selinuxConfig != nil {
-		for _, r := range utils.GetLabelOptions(selinuxConfig) {
-			k := strings.Split(r, ":")[0]
-			labels[k] = r
-		}
-	}
-
-	ret := []string{}
-	for _, v := range labels {
-		ret = append(ret, v)
-	}
-
-	return ret, nil
-}
-
 // AddUnifiedResourcesFromAnnotations adds the cgroup-v2 resources specified in the io.kubernetes.cri-o.UnifiedCgroup annotation.
 func (c *container) AddUnifiedResourcesFromAnnotations(annotationsMap map[string]string) error {
 	if c.config == nil || c.config.Labels == nil {

@@ -0,0 +1,5 @@
+package container
+
+func (c *container) SelinuxLabel(sboxLabel string) ([]string, error) {
+	return []string{}, nil
+}
@@ -0,0 +1,41 @@
+package container
+
+import (
+	"strings"
+
+	"github.com/opencontainers/selinux/go-selinux/label"
+
+	"github.com/cri-o/cri-o/utils"
+)
+
+// SelinuxLabel returns the container's SelinuxLabel
+// it takes the sandbox's label, which it falls back upon.
+func (c *container) SelinuxLabel(sboxLabel string) ([]string, error) {
+	selinuxConfig := c.config.Linux.SecurityContext.SelinuxOptions
+
+	labels := map[string]string{}
+
+	labelOptions, err := label.DupSecOpt(sboxLabel)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, r := range labelOptions {
+		k := strings.Split(r, ":")[0]
+		labels[k] = r
+	}
+
+	if selinuxConfig != nil {
+		for _, r := range utils.GetLabelOptions(selinuxConfig) {
+			k := strings.Split(r, ":")[0]
+			labels[k] = r
+		}
+	}
+
+	ret := []string{}
+	for _, v := range labels {
+		ret = append(ret, v)
+	}
+
+	return ret, nil
+}
@@ -0,0 +1,9 @@
+package container
+
+import (
+	devicecfg "github.com/cri-o/cri-o/internal/config/device"
+)
+
+func (c *container) SpecAddDevices(configuredDevices, annotationDevices []devicecfg.Device, privilegedWithoutHostDevices, enableDeviceOwnershipFromSecurityContext bool) error {
+	return nil
+}
@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !linux && !freebsd
 
 package container
 

@@ -1,106 +1,9 @@
 package container
 
 import (
-	"errors"
-	"fmt"
-
-	rspec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/runtime-tools/generate"
-	types "k8s.io/cri-api/pkg/apis/runtime/v1"
-
 	"github.com/cri-o/cri-o/internal/config/nsmgr"
-	"github.com/cri-o/cri-o/internal/lib/namespace"
-	oci "github.com/cri-o/cri-o/internal/oci"
-	"github.com/cri-o/cri-o/pkg/config"
 )
 
-func (c *container) SpecAddNamespaces(sb SandboxIFace, targetCtr *oci.Container, serverConfig *config.Config) error {
-	// Join the namespace paths for the pod sandbox container.
-	if err := ConfigureGeneratorGivenNamespacePaths(sb.NamespacePaths(), &c.spec); err != nil {
-		return fmt.Errorf("failed to configure namespaces in container create: %w", err)
-	}
-
-	sc := c.config.Linux.SecurityContext
-
-	if sc.NamespaceOptions.Network == types.NamespaceMode_NODE {
-		if err := c.spec.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
-			return err
-		}
-	}
-
-	switch sc.NamespaceOptions.Pid {
-	case types.NamespaceMode_NODE:
-		// kubernetes PodSpec specify to use Host PID namespace
-		if err := c.spec.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil {
-			return err
-		}
-	case types.NamespaceMode_POD:
-		pidNsPath := sb.PidNsPath()
-		if pidNsPath == "" {
-			if sb.NamespaceOptions().Pid != types.NamespaceMode_POD {
-				return errors.New("pod level PID namespace requested for the container, but pod sandbox was not similarly configured, and does not have an infra container")
-			}
-
-			return errors.New("PID namespace requested, but sandbox infra container unexpectedly invalid")
-		}
-
-		if err := c.spec.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {
-			return fmt.Errorf("updating container PID namespace to pod: %w", err)
-		}
-	case types.NamespaceMode_TARGET:
-		if targetCtr == nil {
-			return errors.New("target PID namespace specified with invalid target ID")
-		}
-
-		targetPID, err := targetCtr.Pid()
-		if err != nil {
-			return fmt.Errorf("target PID namespace find PID: %w", err)
-		}
-
-		ns, err := serverConfig.NamespaceManager().NamespaceFromProcEntry(targetPID, nsmgr.PIDNS)
-		if err != nil {
-			return fmt.Errorf("target PID namespace from proc: %w", err)
-		}
-
-		if err := c.spec.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), ns.Path()); err != nil {
-			return fmt.Errorf("updating container PID namespace to target %s: %w", targetCtr.ID(), err)
-		}
-
-		c.pidns = ns
-	}
-
-	return nil
-}
-
-// ConfigureGeneratorGivenNamespacePaths takes a map of nsType -> nsPath. It configures the generator
-// to add or replace the defaults to these paths.
-func ConfigureGeneratorGivenNamespacePaths(managedNamespaces []*namespace.ManagedNamespace, g *generate.Generator) error {
-	typeToSpec := map[nsmgr.NSType]rspec.LinuxNamespaceType{
-		nsmgr.IPCNS:  rspec.IPCNamespace,
-		nsmgr.NETNS:  rspec.NetworkNamespace,
-		nsmgr.UTSNS:  rspec.UTSNamespace,
-		nsmgr.USERNS: rspec.UserNamespace,
-	}
-
-	for _, ns := range managedNamespaces {
-		// allow for empty paths, as this namespace just shouldn't be configured
-		if ns.Path() == "" {
-			continue
-		}
-
-		nsForSpec := typeToSpec[ns.Type()]
-		if nsForSpec == "" {
-			return fmt.Errorf("invalid namespace type %s", ns.Type())
-		}
-
-		if err := g.AddOrReplaceLinuxNamespace(string(nsForSpec), ns.Path()); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (c *container) PidNamespace() nsmgr.Namespace {
 	return c.pidns
 }
@@ -0,0 +1,20 @@
+package container
+
+import (
+	"github.com/cri-o/cri-o/internal/config/nsmgr"
+	oci "github.com/cri-o/cri-o/internal/oci"
+	"github.com/cri-o/cri-o/pkg/config"
+)
+
+func (c *container) SpecAddNamespaces(sb SandboxIFace, targetCtr *oci.Container, serverConfig *config.Config) error {
+	// Join the namespace paths for the pod sandbox container.
+	managedNamespaces := sb.NamespacePaths()
+
+	for _, ns := range managedNamespaces {
+		if ns.Type() == nsmgr.NETNS {
+			c.Spec().AddAnnotation("org.freebsd.parentJail", ns.Path())
+		}
+	}
+
+	return nil
+}
@@ -0,0 +1,102 @@
+package container
+
+import (
+	"errors"
+	"fmt"
+
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
+	types "k8s.io/cri-api/pkg/apis/runtime/v1"
+
+	"github.com/cri-o/cri-o/internal/config/nsmgr"
+	"github.com/cri-o/cri-o/internal/lib/namespace"
+	oci "github.com/cri-o/cri-o/internal/oci"
+	"github.com/cri-o/cri-o/pkg/config"
+)
+
+func (c *container) SpecAddNamespaces(sb SandboxIFace, targetCtr *oci.Container, serverConfig *config.Config) error {
+	// Join the namespace paths for the pod sandbox container.
+	if err := ConfigureGeneratorGivenNamespacePaths(sb.NamespacePaths(), &c.spec); err != nil {
+		return fmt.Errorf("failed to configure namespaces in container create: %w", err)
+	}
+
+	sc := c.config.Linux.SecurityContext
+
+	if sc.NamespaceOptions.Network == types.NamespaceMode_NODE {
+		if err := c.spec.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
+			return err
+		}
+	}
+
+	switch sc.NamespaceOptions.Pid {
+	case types.NamespaceMode_NODE:
+		// kubernetes PodSpec specify to use Host PID namespace
+		if err := c.spec.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil {
+			return err
+		}
+	case types.NamespaceMode_POD:
+		pidNsPath := sb.PidNsPath()
+		if pidNsPath == "" {
+			if sb.NamespaceOptions().Pid != types.NamespaceMode_POD {
+				return errors.New("pod level PID namespace requested for the container, but pod sandbox was not similarly configured, and does not have an infra container")
+			}
+
+			return errors.New("PID namespace requested, but sandbox infra container unexpectedly invalid")
+		}
+
+		if err := c.spec.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {
+			return fmt.Errorf("updating container PID namespace to pod: %w", err)
+		}
+	case types.NamespaceMode_TARGET:
+		if targetCtr == nil {
+			return errors.New("target PID namespace specified with invalid target ID")
+		}
+
+		targetPID, err := targetCtr.Pid()
+		if err != nil {
+			return fmt.Errorf("target PID namespace find PID: %w", err)
+		}
+
+		ns, err := serverConfig.NamespaceManager().NamespaceFromProcEntry(targetPID, nsmgr.PIDNS)
+		if err != nil {
+			return fmt.Errorf("target PID namespace from proc: %w", err)
+		}
+
+		if err := c.spec.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), ns.Path()); err != nil {
+			return fmt.Errorf("updating container PID namespace to target %s: %w", targetCtr.ID(), err)
+		}
+
+		c.pidns = ns
+	}
+
+	return nil
+}
+
+// ConfigureGeneratorGivenNamespacePaths takes a map of nsType -> nsPath. It configures the generator
+// to add or replace the defaults to these paths.
+func ConfigureGeneratorGivenNamespacePaths(managedNamespaces []*namespace.ManagedNamespace, g *generate.Generator) error {
+	typeToSpec := map[nsmgr.NSType]rspec.LinuxNamespaceType{
+		nsmgr.IPCNS:  rspec.IPCNamespace,
+		nsmgr.NETNS:  rspec.NetworkNamespace,
+		nsmgr.UTSNS:  rspec.UTSNamespace,
+		nsmgr.USERNS: rspec.UserNamespace,
+	}
+
+	for _, ns := range managedNamespaces {
+		// allow for empty paths, as this namespace just shouldn't be configured
+		if ns.Path() == "" {
+			continue
+		}
+
+		nsForSpec := typeToSpec[ns.Type()]
+		if nsForSpec == "" {
+			return fmt.Errorf("invalid namespace type %s", ns.Type())
+		}
+
+		if err := g.AddOrReplaceLinuxNamespace(string(nsForSpec), ns.Path()); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
@@ -9,7 +9,6 @@ import (
 
 	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/selinux/go-selinux/label"
-	"golang.org/x/sys/unix"
 	"k8s.io/apimachinery/pkg/util/validation"
 	types "k8s.io/cri-api/pkg/apis/runtime/v1"
 
@@ -49,7 +48,7 @@ func MountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName, namespace, k
 
 	log.Infof(ctx, "Mounting from %s to %s for linked logs", podLogsPath, emptyDirLoggingVolumePath)
 
-	if err := unix.Mount(podLogsPath, emptyDirLoggingVolumePath, "bind", unix.MS_BIND|unix.MS_RDONLY, ""); err != nil {
+	if err := mountLogPath(podLogsPath, emptyDirLoggingVolumePath); err != nil {
 		return fmt.Errorf("failed to mount %v to %v: %w", podLogsPath, emptyDirLoggingVolumePath, err)
 	}
 
@@ -70,7 +69,7 @@ func UnmountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName string) err
 	log.Infof(ctx, "Unmounting %s for linked logs", emptyDirLoggingVolumePath)
 
 	if _, err := os.Stat(emptyDirLoggingVolumePath); !os.IsNotExist(err) {
-		if err := unix.Unmount(emptyDirLoggingVolumePath, unix.MNT_DETACH); err != nil {
+		if err := unmountLogPath(emptyDirLoggingVolumePath); err != nil {
 			return fmt.Errorf("failed to unmounts logs: %w", err)
 		}
 	}