Fix RuntimeDefault seccomp behavior if disabled #4789

saschagrunert · 2021-04-22T08:34:56Z

What type of PR is this?

/kind bug

What this PR does / why we need it:

The internal seccomp profile (RuntimeDefault) should be ignored in the
same way as it was before using the new field. This aligns the
implementation with CRI-O releases before v1.21.0.

Which issue(s) this PR fixes:

Fixes #4786

Special notes for your reviewer:

The bug comes up because SecurityProfileTypeRuntimeDefault == 0 (the default value if the field is not set)

Does this PR introduce a user-facing change?

Fixed bug where it was not possible to run containers using the default or no seccomp profile on 
seccomp disabled builds/machines

codecov · 2021-04-22T08:38:33Z

Codecov Report

Merging #4789 (ab1af25) into master (94fde3c) will decrease coverage by 0.00%.
The diff coverage is 0.00%.

❗ Current head ab1af25 differs from pull request most recent head 675dead. Consider uploading reports for the commit 675dead to get more accurate results

@@            Coverage Diff             @@
##           master    #4789      +/-   ##
==========================================
- Coverage   43.02%   43.02%   -0.01%     
==========================================
  Files         107      107              
  Lines        9773     9774       +1     
==========================================
  Hits         4205     4205              
- Misses       5114     5115       +1     
  Partials      454      454

saschagrunert · 2021-04-22T08:49:21Z

/hold
this may actually a kubelet bug

saschagrunert · 2021-04-22T09:14:18Z

/hold cancel

Everything is fine.

The internal seccomp profile (`RuntimeDefault`) should be ignored in the same way as it was before using the new field. This aligns the implementation with CRI-O releases before v1.21.0. Signed-off-by: Sascha Grunert <[email protected]>

haircommander · 2021-04-22T13:20:14Z

/retest
/approve

LGTM
/cherry-pick release-1.21

openshift-cherrypick-robot · 2021-04-22T13:20:15Z

@haircommander: once the present PR merges, I will cherry-pick it on top of release-1.21 in a new PR and assign it to you.

Details

In response to this:

/retest
/approve

LGTM
/cherry-pick release-1.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

saschagrunert · 2021-04-22T13:53:58Z

/override ci/prow/e2e-agnostic

openshift-ci-robot · 2021-04-22T13:54:01Z

@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-agnostic

Details

In response to this:

/override ci/prow/e2e-agnostic

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

TomSweeneyRedHat · 2021-04-22T15:33:28Z

LGTM
assuming happy tests

openshift-ci-robot · 2021-04-23T00:16:51Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, mrunalp, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [haircommander,mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mrunalp · 2021-04-23T00:16:57Z

/lgtm

openshift-bot · 2021-04-23T00:29:41Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T00:41:44Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T00:53:47Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T01:05:42Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T01:17:44Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T01:41:46Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T02:05:41Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T02:41:47Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T02:53:45Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T03:05:45Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T03:17:43Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T03:29:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T04:29:55Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T04:41:56Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T04:53:47Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T05:06:06Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T05:20:05Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T05:54:50Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T06:07:06Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T06:19:27Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T06:30:49Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci · 2021-04-23T06:34:16Z

@saschagrunert: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2	`675dead`	link	`/test e2e_cgroupv2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2021-04-23T06:42:47Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-04-23T06:54:44Z

/retest

Please review the full test history for this PR and help us cut down flakes.

saschagrunert · 2021-04-23T07:22:54Z

/override ci/prow/e2e-gcp

openshift-ci-robot · 2021-04-23T07:29:40Z

@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-gcp

Details

In response to this:

/override ci/prow/e2e-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

haircommander · 2021-04-28T17:25:21Z

/cherry-pick release-1.21

openshift-cherrypick-robot · 2021-04-28T17:27:24Z

@haircommander: new pull request created: #4819

Details

In response to this:

/cherry-pick release-1.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

saschagrunert requested review from mrunalp and runcom as code owners April 22, 2021 08:34

openshift-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Apr 22, 2021

openshift-ci-robot requested review from kolyshkin and rhatdan April 22, 2021 08:35

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 22, 2021

saschagrunert mentioned this pull request Apr 22, 2021

seccomp is not enabled in your kernel, cannot run with a profile #4786

Closed

openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2021

openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2021

saschagrunert force-pushed the seccomp-default branch from 459a472 to 05187cc Compare April 22, 2021 09:15

Fix RuntimeDefault seccomp behavior if disabled

675dead

The internal seccomp profile (`RuntimeDefault`) should be ignored in the same way as it was before using the new field. This aligns the implementation with CRI-O releases before v1.21.0. Signed-off-by: Sascha Grunert <[email protected]>

saschagrunert force-pushed the seccomp-default branch from 05187cc to 675dead Compare April 22, 2021 09:16

mrunalp approved these changes Apr 23, 2021

View reviewed changes

openshift-ci-robot assigned mrunalp Apr 23, 2021

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2021

openshift-merge-robot merged commit b993666 into cri-o:master Apr 23, 2021

saschagrunert deleted the seccomp-default branch April 23, 2021 07:31

openshift-cherrypick-robot mentioned this pull request Apr 28, 2021

[release-1.21] Fix RuntimeDefault seccomp behavior if disabled #4819

Merged

orz-nil mentioned this pull request Jan 9, 2023

Localhost seccomp behavior failed to start container if pod seccomp is disabled #6498

Closed

Fix RuntimeDefault seccomp behavior if disabled #4789

Fix RuntimeDefault seccomp behavior if disabled #4789

Conversation

saschagrunert commented Apr 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

codecov bot commented Apr 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

saschagrunert commented Apr 22, 2021

Uh oh!

saschagrunert commented Apr 22, 2021

Uh oh!

haircommander commented Apr 22, 2021

Uh oh!

openshift-cherrypick-robot commented Apr 22, 2021

Uh oh!

saschagrunert commented Apr 22, 2021

Uh oh!

openshift-ci-robot commented Apr 22, 2021

Uh oh!

TomSweeneyRedHat commented Apr 22, 2021

Uh oh!

openshift-ci-robot commented Apr 23, 2021

Uh oh!

mrunalp commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

openshift-ci bot commented Apr 23, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-bot commented Apr 23, 2021

Uh oh!

saschagrunert commented Apr 22, 2021 •

edited

Loading

codecov bot commented Apr 22, 2021 •

edited

Loading

openshift-ci bot commented Apr 23, 2021 •

edited

Loading