pkg/cri/server: remove dependency on libcontainer/apparmor, libcontainer/utils by thaJeztah · Pull Request #4715 · containerd/containerd

thaJeztah · 2020-11-10T10:17:53Z

relates to #4678 (comment)
relates to opencontainers/runc#2554
relates to moby/moby#5534

recent versions of libcontainer/apparmor simplified the AppArmor
check to only check if the host supports AppArmor, but no longer
checks if apparmor_parser is installed, or if we're running
docker-in-docker;

opencontainers/runc@bfb4ea1

The apparmor_parser binary is not really required for a system to run
AppArmor from a runc perspective. How to apply the profile is more in
the responsibility of higher level runtimes like Podman and Docker,
which may do the binary check on their own.

This patch copies the logic from libcontainer/apparmor, and
restores the additional checks.

theopenlab-ci · 2020-11-10T10:25:16Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 52s (non-voting)

thaJeztah · 2020-11-10T10:28:52Z

interesting

Requested golangci-lint 'v1.29', using 'v1.29.0', calculation took 7969ms
Installing golangci-lint v1.29.0...
Downloading https://github.com/golangci/golangci-lint/releases/download/v1.29.0/golangci-lint-1.29.0-darwin-amd64.tar.gz ...

calculation took 7969ms 🙀 that's rather long to change v1.29 to v1.29.0, wondering changing to v1.29.0 would save that step.

thaJeztah · 2020-11-10T10:32:30Z

  Running [/Users/runner/golangci-lint-1.29.0-darwin-amd64/golangci-lint run --out-format=github-actions --path-prefix=src/github.com/containerd/containerd --timeout=5m] in [/Users/runner/work/containerd/containerd/src/github.com/containerd/containerd] ...
  Error: `hostSupportsAppArmor` is unused (deadcode)

🤔 false positive?

theopenlab-ci · 2020-11-10T10:41:03Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 37s (non-voting)

theopenlab-ci · 2020-11-10T10:56:21Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 35s (non-voting)

theopenlab-ci · 2020-11-10T11:07:12Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 43s (non-voting)

theopenlab-ci · 2020-11-10T11:41:43Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 36s (non-voting)

thaJeztah · 2020-11-10T11:56:17Z

~~Hmmm... failures look relevant; is it the `sync.Once that's problematic?~~

Details

Summarizing 2 Failures:
[Fail] [k8s.io] AppArmor runtime should support apparmor [It] should enforce a profile blocking writes 
/home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/apparmor_linux.go:121
[Fail] [k8s.io] AppArmor runtime should support apparmor [It] should enforce a permissive profile 
/home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/apparmor_linux.go:121

edit: never mind; silly mistake; flipped a bool

thaJeztah · 2020-11-10T12:01:31Z

pkg/cri/server/helpers_linux.go

FWIW; I was in doubt wether to add the os.Getenv() here, or in hostSupportsAppArmor(); happy to move it there

I think its cleaner to put it in the function and keep the original logic ordering.

@dmcgowan updated; PTAL

theopenlab-ci · 2020-11-10T12:10:36Z

Build succeeded.

containerd-build-arm64 : FAILURE in 7m 05s (non-voting)

theopenlab-ci · 2020-11-10T13:05:09Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 40s (non-voting)

thaJeztah · 2020-11-10T13:54:13Z

Is there a time-limit on tests? Looks like one was cancelled after 15 minutes;

Ran 76 of 83 Specs in 61.066 seconds
SUCCESS! -- 76 Passed | 0 Failed | 0 Pending | 7 Skipped


Ginkgo ran 1 suite in 1m1.131860577s
Test Suite Passed
PASS
Error: The operation was canceled.

edit: rebased to trigger CI again

theopenlab-ci · 2020-11-10T15:26:39Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 20s (non-voting)

theopenlab-ci · 2020-11-10T20:00:08Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 44s (non-voting)

theopenlab-ci · 2020-11-10T22:42:50Z

Build succeeded.

containerd-build-arm64 : FAILURE in 5m 43s (non-voting)

thaJeztah · 2020-11-10T23:30:41Z

yay, green

@AkihiroSuda @crosbymichael ptal

AkihiroSuda · 2020-11-11T09:43:47Z

pkg/cri/server/helpers_linux.go

This is from 2014... Do we really need it?

Apparently we do opencontainers/runc#2554 (comment)

…ner/utils recent versions of libcontainer/apparmor simplified the AppArmor check to only check if the host supports AppArmor, but no longer checks if apparmor_parser is installed, or if we're running docker-in-docker; opencontainers/runc@bfb4ea1 > The `apparmor_parser` binary is not really required for a system to run > AppArmor from a runc perspective. How to apply the profile is more in > the responsibility of higher level runtimes like Podman and Docker, > which may do the binary check on their own. This patch copies the logic from libcontainer/apparmor, and restores the additional checks. Signed-off-by: Sebastiaan van Stijn <[email protected]>

theopenlab-ci · 2020-11-12T14:50:13Z

Build succeeded.

containerd-build-arm64 : FAILURE in 6m 12s (non-voting)

dmcgowan

LGTM

thaJeztah · 2020-11-13T16:08:43Z

@dmcgowan good to go?

thaJeztah force-pushed the remove_libcontainer_apparmor branch from 20c095c to a6ca3fa Compare November 10, 2020 10:34

thaJeztah force-pushed the remove_libcontainer_apparmor branch from a6ca3fa to b05b5d4 Compare November 10, 2020 10:49

thaJeztah force-pushed the remove_libcontainer_apparmor branch from b05b5d4 to eda49e3 Compare November 10, 2020 11:00

thaJeztah mentioned this pull request Nov 10, 2020

further reduce uses of libcontainer and update runc v1.0.0-rc93 #4717

Merged

2 tasks

thaJeztah force-pushed the remove_libcontainer_apparmor branch from eda49e3 to 9eb4918 Compare November 10, 2020 11:34

thaJeztah force-pushed the remove_libcontainer_apparmor branch from 9eb4918 to b38e28e Compare November 10, 2020 12:00

thaJeztah commented Nov 10, 2020

View reviewed changes

thaJeztah force-pushed the remove_libcontainer_apparmor branch from b38e28e to ce831a0 Compare November 10, 2020 12:58

thaJeztah force-pushed the remove_libcontainer_apparmor branch from ce831a0 to 7ff1502 Compare November 10, 2020 15:19

thaJeztah force-pushed the remove_libcontainer_apparmor branch from 7ff1502 to 9d52370 Compare November 10, 2020 19:53

thaJeztah force-pushed the remove_libcontainer_apparmor branch from 9d52370 to 8c77bce Compare November 10, 2020 22:35

AkihiroSuda reviewed Nov 11, 2020

View reviewed changes

thaJeztah force-pushed the remove_libcontainer_apparmor branch from 8c77bce to eba94a1 Compare November 12, 2020 14:42

AkihiroSuda approved these changes Nov 12, 2020

View reviewed changes

dmcgowan approved these changes Nov 12, 2020

View reviewed changes

mxpv approved these changes Nov 18, 2020

View reviewed changes

mxpv merged commit 2837fb3 into containerd:master Nov 18, 2020

thaJeztah deleted the remove_libcontainer_apparmor branch November 18, 2020 22:36

thaJeztah mentioned this pull request Feb 8, 2023

Don't check for apparmor_parser to be present #5519

Merged

Conversation

thaJeztah commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

thaJeztah commented Nov 10, 2020

Uh oh!

thaJeztah commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

thaJeztah commented Nov 10, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thaJeztah Nov 10, 2020

Choose a reason for hiding this comment

Uh oh!

dmcgowan Nov 11, 2020

Choose a reason for hiding this comment

Uh oh!

thaJeztah Nov 12, 2020

Choose a reason for hiding this comment

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

thaJeztah commented Nov 10, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

theopenlab-ci bot commented Nov 10, 2020

Uh oh!

thaJeztah commented Nov 10, 2020

Uh oh!

AkihiroSuda Nov 11, 2020

Choose a reason for hiding this comment

Uh oh!

thaJeztah Nov 11, 2020

Choose a reason for hiding this comment

Uh oh!

theopenlab-ci bot commented Nov 12, 2020

Uh oh!

dmcgowan left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Nov 13, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

thaJeztah commented Nov 10, 2020 •

edited

Loading

thaJeztah commented Nov 10, 2020 •

edited

Loading