
Fix seccomp for localhost profiles #202

Closed
feiskyer opened this issue Nov 17, 2016 · 13 comments

Comments

@feiskyer
Contributor

feiskyer commented Nov 17, 2016

Seccomp profiles are passed as annotations in CRI. We need to process those keys in annotations and set Seccomp in the runc config.json.

runtime/default has been done (#211). Still waiting for kubernetes/kubernetes#36997:

localhost/ is relative to the node's local seccomp profile root, which is defined in the kubelet, but the runtime doesn't know it. We should pass the full profile path in CRI.

@feiskyer
Contributor Author

@runcom
Member

runcom commented Nov 17, 2016

@feiskyer I'd like to work on this if you aren't already. A few questions:

  • k8s has a --seccomp-profile-root string flag; should we have the same in ocid to store/load seccomp profiles for pods/containers?
  • where do we store the default seccomp profile for a given runtime? k8s can pass down to oci just runtime/default, but where do we get its content?
  • https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/api/v1alpha1/runtime/api.proto#L257, this may be related to the first question: where is the node's local seccomp profile root? Some directory set up when starting ocid, I guess, right?

@runcom runcom self-assigned this Nov 17, 2016
@feiskyer
Contributor Author

feiskyer commented Nov 17, 2016

@runcom Cool and good catch. The seccomp profile is indeed a problem; I think CRI should pass the full path to runtimes instead of a relative one. Filed kubernetes/kubernetes#36997 to fix this.

@runcom
Member

runcom commented Nov 17, 2016

> @runcom Cool and good catch. Seccomp profile is indeed a problem, I think CRI should pass full path to runtimes instead of relative one. Filed kubernetes/kubernetes#36997 to fix this.

thanks 👍 I'll follow that issue and, when it's done, I'll implement it here in cri-o.

@feiskyer
Contributor Author

@runcom We didn't reach a consistent conclusion for kubernetes/kubernetes#36997, and the profile path will be a known issue in kubernetes 1.5, see here.

@runcom
Member

runcom commented Nov 22, 2016

> @runcom We didn't get a consistent conclusion for kubernetes/kubernetes#36997, and the profile path will be a known issue in kubernetes 1.5, see here.

@feiskyer thanks. I think we can still support runtime/default and unconfined though, correct me if I'm wrong (we'll follow https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp). Going to tackle this asap if we can at least use default and unconfined.
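The thread so far describes three kinds of annotation value a runtime has to map onto the OCI `linux.seccomp` object: `unconfined`, `runtime/default`, and `localhost/<path>` resolved against a node-local profile root. The block below is an added example of such a resolver in Go; it is not cri-o's code and not code posted by anyone in this thread. The `Seccomp` and `SyscallRule` types, the `ResolveSeccomp` and `containedPath` helpers, the tiny built-in default profile, and the choice to treat an empty annotation the same as `unconfined` are all this example's assumptions; `profileRoot` plays the role of the kubelet's `--seccomp-profile-root` directory mentioned above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SyscallRule and Seccomp mirror the shape of the OCI runtime-spec "linux.seccomp"
// object; only the fields this example needs are declared. They are types assumed
// for this example, not cri-o's own.
type SyscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

type Seccomp struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures,omitempty"`
	Syscalls      []SyscallRule `json:"syscalls,omitempty"`
}

// Resolution is what the caller would write into runc's config.json:
// either no seccomp object at all (unconfined) or a concrete profile.
type Resolution struct {
	Unconfined bool
	Profile    *Seccomp
}

// constructedDefault stands in for the runtime's built-in runtime/default profile.
// It is a deliberately tiny, constructed allowlist for illustration only.
var constructedDefault = Seccomp{
	DefaultAction: "SCMP_ACT_ERRNO",
	Architectures: []string{"SCMP_ARCH_X86_64"},
	Syscalls: []SyscallRule{{
		Names:  []string{"read", "write", "exit_group"},
		Action: "SCMP_ACT_ALLOW",
	}},
}

var ErrUnknownProfile = errors.New("unknown seccomp profile value")
var ErrEscapesRoot = errors.New("localhost profile path escapes profile root")

// ResolveSeccomp maps a CRI seccomp annotation value to a Resolution.
// profileRoot is the node-local directory that localhost/ names are relative to.
// readFile is injected so the resolver can be exercised without touching disk.
func ResolveSeccomp(value, profileRoot string, readFile func(string) ([]byte, error)) (Resolution, error) {
	switch {
	case value == "" || value == "unconfined":
		// Policy chosen for this example: no annotation means no filter.
		return Resolution{Unconfined: true}, nil
	case value == "runtime/default":
		p := constructedDefault
		return Resolution{Profile: &p}, nil
	case strings.HasPrefix(value, "localhost/"):
		rel := strings.TrimPrefix(value, "localhost/")
		full, err := containedPath(profileRoot, rel)
		if err != nil {
			return Resolution{}, err
		}
		data, err := readFile(full)
		if err != nil {
			return Resolution{}, fmt.Errorf("reading %s: %w", full, err)
		}
		var p Seccomp
		if err := json.Unmarshal(data, &p); err != nil {
			return Resolution{}, fmt.Errorf("parsing %s: %w", full, err)
		}
		if p.DefaultAction == "" {
			return Resolution{}, fmt.Errorf("%s: profile has no defaultAction", full)
		}
		return Resolution{Profile: &p}, nil
	default:
		return Resolution{}, fmt.Errorf("%w: %q", ErrUnknownProfile, value)
	}
}

// containedPath joins rel onto root and rejects any result that lexically leaves
// root (for example "../../etc/shadow"). This is a lexical check only: a symlink
// inside root can still point elsewhere, so a production resolver should also
// run filepath.EvalSymlinks on the result before trusting it.
func containedPath(root, rel string) (string, error) {
	if rel == "" {
		return "", fmt.Errorf("%w: empty profile name", ErrUnknownProfile)
	}
	root = filepath.Clean(root)
	full := filepath.Join(root, rel) // Join also Cleans, collapsing ".." segments
	back, err := filepath.Rel(root, full)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, rel)
	}
	return full, nil
}

func main() {
	// Constructed on-disk layout: a temporary profile root holding one profile.
	root, err := os.MkdirTemp("", "seccomp-root")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	b, _ := json.Marshal(constructedDefault)
	_ = os.WriteFile(filepath.Join(root, "web.json"), b, 0o644)

	for _, v := range []string{"unconfined", "runtime/default", "localhost/web.json", "localhost/../../etc/shadow", "docker/default"} {
		r, err := ResolveSeccomp(v, root, os.ReadFile)
		fmt.Printf("%-28s -> unconfined=%v profile=%v err=%v\n", v, r.Unconfined, r.Profile != nil, err)
	}
}
```

The `localhost/` branch is where a runtime has to be careful: the name originates in the pod spec, so the resolver checks that the joined path still lies under the profile root and refuses a value like `localhost/../../etc/shadow` before reading anything. The check is lexical, so a symlink placed inside the root could still lead outside it; resolving symlinks first and rejecting parsed profiles that lack a `defaultAction` (as the code above does) are the two extra checks worth keeping in a real implementation.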

@feiskyer
Contributor Author

> I think we can still support runtime/default and unconfined though

+1.

@runcom
Member

runcom commented Nov 28, 2016

Let's leave this open until the upstream k8s issue about node's profiles is sorted out. @feiskyer could you change the title here?

@feiskyer feiskyer changed the title Add support for Seccomp Fix seccomp for localhost profiles Nov 29, 2016
@feiskyer
Contributor Author

@runcom renamed the title.

@rhatdan
Contributor

rhatdan commented Jul 11, 2017

@runcom what is the state of this issue?

@runcom
Member

runcom commented Jul 12, 2017

@rhatdan still blocked on kubernetes/kubernetes#46332

@runcom
Member

runcom commented Jul 18, 2017

kubernetes/kubernetes#46332 has been merged for node-local seccomp profiles. However, we are still waiting on a seccomp spec, I guess kubernetes/kubernetes#39128.

@runcom
Member

runcom commented Sep 8, 2017

@runcom runcom mentioned this issue Sep 27, 2017
egernst pushed a commit to egernst/cri-o that referenced this issue Nov 26, 2018
create-repo-branch.sh: Fix a typo