From 5e0334f778409f36640d8b2c1a8652fb1f299303 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 16 Jul 2021 00:17:34 +1000
Subject: [PATCH 1/2] Fix propagation of annotations from sandbox to container

Commit 8cf32223a1dc1208b53167763638886fd23bde67 introduces some extra processing of seccomp-related sandbox annotations. But it introduced a regression where most sandbox annotations are no longer propagated to the container annotations.

Simplify the logic and add an `else` clause to ensure we propagate all the sandbox annotations to the container's OCI configuration.

Fixes: https://github.com/cri-o/cri-o/issues/5077

Signed-off-by: Fraser Tweedale
---
 pkg/container/container.go | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/pkg/container/container.go b/pkg/container/container.go
index 1e59371e737..554430e5339 100644
--- a/pkg/container/container.go
+++ b/pkg/container/container.go
@@ -157,7 +157,7 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 	// The sandbox annotations are already filtered for the allowed
 	// annotations, there is no need to check it additionally here.
 	for k, v := range sb.Annotations() {
-		if strings.HasPrefix(k, crioann.OCISeccompBPFHookAnnotation) {
+		if k == crioann.OCISeccompBPFHookAnnotation+"/"+c.config.Metadata.Name {
 			// The OCI seccomp BPF hook
 			// (https://github.com/containers/oci-seccomp-bpf-hook)
 			// uses the annotation io.containers.trace-syscall as indicator
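Review bot: The new exact-match condition on `k` here and the `else` branch added in the next hunk (@@ -171) can both write `crioann.OCISeccompBPFHookAnnotation` into this container's spec: a pod-wide bare `io.containers.trace-syscall` key takes the `else` path and is added verbatim, while `io.containers.trace-syscall/<name>` is rewritten to that same bare key, so if `sb.Annotations()` is a map (as the `range` suggests) the value that survives depends on iteration order. The container-specific key should win deterministically, e.g. compute `hookKey := crioann.OCISeccompBPFHookAnnotation + "/" + c.config.Metadata.Name` before the loop and in the `else` skip the bare key when `sb.Annotations()[hookKey]` is present, or apply the rewrite once after the loop. The `else` also forwards sibling containers' suffixed keys (`io.containers.trace-syscall/<other>`) into this container's OCI config; if that is intended, a comment such as `// every other sandbox annotation, including hook keys addressed to sibling containers, is passed through unchanged` would record it. Neither hunk uses `strings` any more; confirm the import is still referenced elsewhere in the file. SpecAddAnnotations starts before this hunk and ends after the next one.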
@@ -171,17 +171,14 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 			// 'io.containers.trace-syscall' if the metadata name is equal
 			// to 'container'. This allows us to trace containers into
 			// distinguishable files.
-			if strings.TrimPrefix(k, crioann.OCISeccompBPFHookAnnotation+"/") == c.config.Metadata.Name {
-				log.Debugf(ctx,
-					"Annotation key for container %q rewritten to %q (value is: %q)",
-					c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
-				)
-				c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
-				c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
-			} else {
-				// Annotation not suffixed with the container name
-				c.spec.AddAnnotation(k, v)
-			}
+			log.Debugf(ctx,
+				"Annotation key for container %q rewritten to %q (value is: %q)",
+				c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
+			)
+			c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
+			c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
+		} else {
+			c.spec.AddAnnotation(k, v)
 		}
 	}
 
From 34ddc81f47e7c918b36d59a3dd52feabd73f2224 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 20 Jul 2021 11:33:41 +1000
Subject: [PATCH 2/2] Add regression test for sandbox annotation passthrough

Signed-off-by: Fraser Tweedale
---
 test/ctr.bats                     | 15 +++++++++++++++
 test/testdata/sandbox_config.json |  3 ++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/test/ctr.bats b/test/ctr.bats
index 7eb4462e7ad..0f57e0bebf8 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -27,6 +27,17 @@ function wait_until_exit() {
     return 1
 }
 
+function check_oci_annotation() {
+    # check for OCI annotation in container's config.json
+    local ctr_id="$1"
+    local key="$2"
+    local value="$3"
+
+    config=$(runtime state "$ctr_id" | jq -r .bundle)/config.json
+
+    [ "$(jq -r .annotations.\""$key"\" < "$config")" = "$value" ]
+}
+
 @test "ctr not found correct error message" {
     start_crio
     ! crictl inspect "container_not_exist"
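Review bot: `config` in `check_oci_annotation` is assigned without `local`, so the helper leaks a global variable into every test that calls it; declare it alongside the other locals, `local config`, before the assignment. The `runtime state "$ctr_id" | jq -r .bundle` pipeline reports only jq's exit status, so a failed `runtime state` leaves `config=/config.json` and the assertion fails with a misleading jq error rather than the real cause (whether bats runs with pipefail here is not visible); adding `[ -f "$config" ]` before the jq assertion would surface it. wait_until_exit ends inside this hunk; check_oci_annotation is complete within it.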
@@ -886,6 +897,10 @@ function wait_until_exit() {
     pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
     crictl inspectp "$pod_id" | grep '"owner": "hmeng"'
     crictl inspectp "$pod_id" | grep '"security.alpha.kubernetes.io/seccomp/pod": "unconfined"'
+
+    # sandbox annotations passed through to container OCI config
+    ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_config.json "$TESTDATA"/sandbox_config.json)
+    check_oci_annotation "$ctr_id" "com.example.test" "sandbox annotation"
 }
 
 @test "ctr with default_env set in configuration" {
diff --git a/test/testdata/sandbox_config.json b/test/testdata/sandbox_config.json
index d1bd60123de..5507f2352f7 100644
--- a/test/testdata/sandbox_config.json
+++ b/test/testdata/sandbox_config.json
@@ -28,7 +28,8 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
+		"com.example.test": "sandbox annotation"
 	},
 	"linux": {
 		"cgroup_parent": "pod_123-456.slice",
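Review bot: The added assertion only covers a plain pass-through key, so the rewrite path that PATCH 1 also changes (`io.containers.trace-syscall/<container name>` arriving in the OCI config as the bare `io.containers.trace-syscall` key) still has no regression test; a second `check_oci_annotation` call against a sandbox fixture carrying that suffixed key would pin the new exact-match condition. The container created with `crictl create` is not removed in the hunk; if the suite's teardown does not clean it up, a `crictl rm "$ctr_id"` before the closing brace keeps the pod's state tidy for the following checks. The enclosing @test starts before this hunk.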