mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-03-18 00:22:29 -04:00
84408378f9
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fixes for HostIPC tests to work when Docker has SELinux support enabled. **What this PR does / why we need it**: Fixes for HostIPC tests to work when Docker has SELinux support enabled. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: N/A **Special notes for your reviewer**: The core of the matter is to use `ipcs` from util-linux rather than the one from busybox. The typical SELinux policy has enough to allow Docker containers (running under svirt_lxc_net_t SELinux type) to access IPC information by reading the contents of the files under /proc/sysvipc/, but not by using the shmctl etc. syscalls. The `ipcs` implementation in busybox will use `shmctl(0, SHM_INFO, ...)` to detect whether it can read IPC info (see source code [here](https://git.busybox.net/busybox/tree/util-linux/ipcs.c?h=1_28_0#n138)), while the one in util-linux will prefer to read from the /proc files directly if they are available (see source code [here](https://github.com/karelzak/util-linux/blob/v2.27.1/sys-utils/ipcutils.c#L108)). It turns out the SELinux policy doesn't allow the shmctl syscalls in an unprivileged container, while access to it through the /proc interface is fine. (One could argue this is a bug in the SELinux policy, but getting it fixed on stable OSs is hard, and it's not that hard for us to test it with an util-linux `ipcs`, so I propose we do so.) This PR also contains a refactor of the code setting IpcMode, since setting it in the "common options" function is misleading, as on containers other than the sandbox, it ends up always getting overwritten, so let's only set it to "host" in the Sandbox. It also has a minor fix for the `ipcmk` call, since support for size suffix was only introduced in recent versions of it. **Release note**: ```release-note NONE ``` |
||
|---|---|---|
| .. | ||
| builder | ||
| conformance | ||
| environment | ||
| jenkins | ||
| perftype | ||
| remote | ||
| runner | ||
| services | ||
| system | ||
| apparmor_test.go | ||
| benchmark_util.go | ||
| BUILD | ||
| container.go | ||
| container_manager_test.go | ||
| cpu_manager_test.go | ||
| critical_pod_test.go | ||
| density_test.go | ||
| device_plugin.go | ||
| doc.go | ||
| docker_test.go | ||
| docker_util.go | ||
| dockershim_checkpoint_test.go | ||
| dynamic_kubelet_config_test.go | ||
| e2e_node_suite_test.go | ||
| eviction_test.go | ||
| framework.go | ||
| garbage_collector_test.go | ||
| gke_environment_test.go | ||
| gpu_device_plugin.go | ||
| gpus.go | ||
| gubernator.sh | ||
| image_id_test.go | ||
| image_list.go | ||
| kubelet_test.go | ||
| lifecycle_hook_test.go | ||
| log_path_test.go | ||
| mirror_pod_test.go | ||
| node_container_manager_test.go | ||
| node_problem_detector_linux.go | ||
| OWNERS | ||
| pods_container_manager_test.go | ||
| README.md | ||
| resource_collector.go | ||
| resource_usage_test.go | ||
| restart_test.go | ||
| runtime_conformance_test.go | ||
| security_context_test.go | ||
| simple_mount.go | ||
| summary_test.go | ||
| util.go | ||
| volume_manager_test.go | ||