提交
41963eb8
编写于
3月 02, 2020
作者:
openeuler-ci-bot
提交者:
Gitee
3月 02, 2020
!78 iSulad: fix some bugs for syscontainer
Merge pull request !78 from zhangsong234/master
上级
423aeff2
b7e7ec33
变更
4
Showing
4 changed file
with
38 addition
and
4 deletion
+38
-4
src/services/execution/execute/execution.c
src/services/execution/execute/execution.c
+17
-3
src/services/execution/spec/specs.c
src/services/execution/spec/specs.c
+1
-1
src/services/execution/spec/specs.h
src/services/execution/spec/specs.h
+3
-0
src/services/execution/spec/specs_security.c
src/services/execution/spec/specs_security.c
+17
-0
src/services/execution/execute/execution.c
@@ -527,10 +527,24 @@ static int mount_dev_tmpfs_for_system_container(const container_t *cont)
return
-
1
;
}
}
if
(
mount
(
"tmpfs"
,
rootfs_dev_path
,
"tmpfs"
,
0
,
"size=500000,mode=755"
))
{
/* set /dev mount size to half of container memory limit */
if
(
cont
->
hostconfig
->
memory
>
0
)
{
char
mnt_opt
[
MOUNT_PROPERTIES_SIZE
]
=
{
0
};
nret
=
snprintf
(
mnt_opt
,
sizeof
(
mnt_opt
),
"size=%lld,mode=755"
,
(
long
long
int
)(
cont
->
hostconfig
->
memory
/
2
));
if
(
nret
<
0
||
(
size_t
)
nret
>=
sizeof
(
mnt_opt
))
{
ERROR
(
"Out of memory"
);
return
-
1
;
}
if
(
mount
(
"tmpfs"
,
rootfs_dev_path
,
"tmpfs"
,
0
,
mnt_opt
)
!=
0
)
{
ERROR
(
"Failed to mount dev tmpfs on '%s'"
,
rootfs_dev_path
);
return
-
1
;
}
}
else
{
if
(
mount
(
"tmpfs"
,
rootfs_dev_path
,
"tmpfs"
,
0
,
"mode=755"
)
!=
0
)
{
ERROR
(
"Failed to mount dev tmpfs on '%s'"
,
rootfs_dev_path
);
return
-
1
;
}
}
if
(
cont
->
hostconfig
->
user_remap
!=
NULL
)
{
unsigned
int
host_uid
=
0
;
unsigned
int
host_gid
=
0
;
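Review bot: The `else` branch that mounts with only `"mode=755"` drops the fixed `size=500000` cap the replaced line carried, so a container with no memory limit gets a /dev tmpfs at the kernel default size (half of physical RAM) and can pressure host memory simply by writing files under /dev. Keep an explicit upper bound there, e.g. `"size=500000,mode=755"`, unless the unbounded default is intended, in which case the comment should say so. In the limited branch, `cont->hostconfig->memory / 2` yields 0 for a limit below 2 bytes and tmpfs treats `size=0` as unlimited, so unless a minimum memory limit is enforced elsewhere a floor is needed for the "half of container memory limit" intent to hold. The snprintf failure path reports `"Out of memory"` for what is a formatting or truncation error; `ERROR("Failed to format dev tmpfs mount options");` would not mislead whoever reads the log. mount_dev_tmpfs_for_system_container begins and ends outside this hunk.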
src/services/execution/spec/specs.c
@@ -1691,7 +1691,7 @@ out:
return
ret
;
}
static
int
parse_security_opt
(
const
host_config
*
host_spec
,
bool
*
no_new_privileges
,
int
parse_security_opt
(
const
host_config
*
host_spec
,
bool
*
no_new_privileges
,
char
***
label_opts
,
size_t
*
label_opts_len
,
char
**
seccomp_profile
)
{
src/services/execution/spec/specs.h
@@ -37,6 +37,9 @@ oci_runtime_spec *default_spec(bool system_container);
int
merge_conf_cgroup
(
oci_runtime_spec
*
oci_spec
,
const
host_config
*
host_spec
);
int
save_oci_config
(
const
char
*
id
,
const
char
*
rootpath
,
const
oci_runtime_spec
*
oci_spec
);
int
parse_security_opt
(
const
host_config
*
host_spec
,
bool
*
no_new_privileges
,
char
***
label_opts
,
size_t
*
label_opts_len
,
char
**
seccomp_profile
);
#ifdef __cplusplus
}
#endif
src/services/execution/spec/specs_security.c
@@ -45,6 +45,7 @@
#include "libisulad.h"
#include "specs_extend.h"
#include "selinux_label.h"
#include "specs.h"
#define MAX_CAP_LEN 32
@@ -984,6 +985,10 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
};
char
**
adds
=
NULL
;
size_t
adds_len
=
0
;
bool
no_new_privileges
=
false
;
char
**
label_opts
=
NULL
;
size_t
label_opts_len
=
0
;
char
*
seccomp_profile
=
NULL
;
ret
=
get_adds_cap_for_system_container
(
host_spec
,
&
adds
,
&
adds_len
);
if
(
ret
!=
0
)
{
@@ -1009,6 +1014,16 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
goto
out
;
}
ret
=
parse_security_opt
(
host_spec
,
&
no_new_privileges
,
&
label_opts
,
&
label_opts_len
,
&
seccomp_profile
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to parse security opt"
);
goto
out
;
}
/* do not append to seccomp if seccomp profile is NULL or unconfined */
if
(
seccomp_profile
==
NULL
||
strcmp
(
seccomp_profile
,
"unconfined"
)
==
0
)
{
goto
out
;
}
ret
=
append_systemcall_to_seccomp
(
oci_spec
->
linux
->
seccomp
,
make_seccomp_syscalls_element
((
const
char
**
)
unblocked_systemcall_for_system_container
,
@@ -1021,6 +1036,8 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
goto
out
;
}
out:
util_free_array
(
label_opts
);
free
(
seccomp_profile
);
free_adds_cap_for_system_container
(
adds
,
adds_len
);
return
ret
;
}
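Review bot: parse_security_opt is asked for `no_new_privileges`, `label_opts` and `label_opts_len`, but only `seccomp_profile` is read afterwards, so the label array is allocated solely to be released at `out:`; if the function does not accept NULL output pointers, a comment such as `/* only seccomp_profile is needed here; the other outputs are discarded */` keeps the next reader from assuming they matter. The `append_systemcall_to_seccomp` call dereferences `oci_spec->linux->seccomp` once the profile is neither NULL nor "unconfined", and whether a custom profile path guarantees that pointer is populated at this point is not visible in the hunk, so a NULL check or a comment pointing at where it is set would help. The two skip conditions also mean different things (no profile given versus explicitly unconfined); the comment should say whether the NULL case stands for "no seccomp" or "default profile", since that decides whether the unblocked syscalls for system containers are ever applied in the default case. adapt_settings_for_system_container begins before the first of these hunks.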