cri-o · openshift-merge-robot · Jul 7, 2021 · Jun 25, 2021 · Jun 25, 2021
diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish
@@ -114,7 +114,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l read-only -d 'Setup all un
 complete -c crio -n '__fish_crio_no_subcommand' -f -l registry -r -d 'Registry to be prepended when pulling unqualified images, can be specified multiple times'
 complete -c crio -n '__fish_crio_no_subcommand' -l root -s r -r -d 'The CRI-O root directory'
 complete -c crio -n '__fish_crio_no_subcommand' -l runroot -r -d 'The CRI-O state directory'
-complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path'
 complete -c crio -n '__fish_crio_no_subcommand' -l seccomp-profile -r -d 'Path to the seccomp.json profile to be used as the runtime\'s default. If not specified, then the internal default seccomp profile will be used. (default: "")'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l seccomp-use-default-when-empty -r -d 'Use the default seccomp profile when an empty one is specified (default: false)'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: false)'

diff --git a/docs/crio.8.md b/docs/crio.8.md
@@ -292,7 +292,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--runroot**="": The CRI-O state directory (default: /run/containers/storage)
 
-**--runtimes**="": OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices (default: [])
+**--runtimes**="": OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path (default: [])
 
 **--seccomp-profile**="": Path to the seccomp.json profile to be used as the runtime's default. If not specified, then the internal default seccomp profile will be used. (default: "")
 

diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -268,6 +268,9 @@ The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.  Th
 **runtime_type**="oci"
   Type of the runtime used for this runtime handler. "oci", "vm"
 
+**runtime_config_path**=""
+  Path to the runtime configuration file, should only be used with VM runtime types
+
 **privileged_without_host_devices**=false
   Whether this runtime handler prevents host devices from being passed to privileged containers.
 

diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/containerd/cgroups v1.0.1
 	github.com/containerd/containerd v1.5.2
+	github.com/containerd/cri-containerd v1.19.0
 	github.com/containerd/ttrpc v1.0.2
 	github.com/containerd/typeurl v1.0.2
 	github.com/containernetworking/cni v0.8.1

diff --git a/go.sum b/go.sum
@@ -264,6 +264,8 @@ github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR
 github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
 github.com/containerd/continuity v0.1.0 h1:UFRRY5JemiAhPZrr/uE0n8fMTLcZsUvySPr1+D7pgr8=
 github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
+github.com/containerd/cri-containerd v1.19.0 h1:PcTvvl+SHaekCMQZFQkYjn1RKlYrK6khYbuhOeF68k0=
+github.com/containerd/cri-containerd v1.19.0/go.mod h1:wxbGdReWGCalzGOEpifoHeYCK4xAgnj4o/4bVB+9voU=
 github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=

diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go
@@ -137,8 +137,12 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 
 			runtimeType := libconfig.DefaultRuntimeType
 			privilegedWithoutHostDevices := false
+			runtimeConfigPath := ""
 
 			switch len(fields) {
+			case 6:
+				runtimeConfigPath = fields[5]
+				fallthrough
 			case 5:
 				if fields[4] == "true" {
 					privilegedWithoutHostDevices = true
@@ -153,6 +157,7 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 					RuntimeRoot:                  fields[2],
 					RuntimeType:                  runtimeType,
 					PrivilegedWithoutHostDevices: privilegedWithoutHostDevices,
+					RuntimeConfigPath:            runtimeConfigPath,
 				}
 			default:
 				return fmt.Errorf("wrong format for --runtimes: %q", r)
@@ -538,7 +543,7 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 		},
 		&cli.StringSliceFlag{
 			Name:    "runtimes",
-			Usage:   "OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices",
+			Usage:   "OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path",
 			EnvVars: []string{"CONTAINER_RUNTIMES"},
 		},
 		&cli.StringFlag{

diff --git a/internal/oci/oci.go b/internal/oci/oci.go
@@ -230,7 +230,7 @@ func (r *Runtime) newRuntimeImpl(c *Container) (RuntimeImpl, error) {
 	}
 
 	if rh.RuntimeType == config.RuntimeTypeVM {
-		return newRuntimeVM(rh.RuntimePath, rh.RuntimeRoot), nil
+		return newRuntimeVM(rh.RuntimePath, rh.RuntimeRoot, rh.RuntimeConfigPath), nil
 	}
 
 	// If the runtime type is different from "vm", then let's fallback

diff --git a/internal/oci/oci_test.go b/internal/oci/oci_test.go
@@ -65,6 +65,7 @@ var _ = t.Describe("Oci", func() {
 				RuntimeType:                  "vm",
 				RuntimeRoot:                  "/run/vc",
 				PrivilegedWithoutHostDevices: true,
+				RuntimeConfigPath:            "/opt/kata-containers/config.toml",
 			},
 		}
 

diff --git a/internal/oci/runtime_vm.go b/internal/oci/runtime_vm.go
@@ -16,6 +16,7 @@ import (
 	"github.com/containerd/containerd/namespaces"
 	client "github.com/containerd/containerd/runtime/v2/shim"
 	"github.com/containerd/containerd/runtime/v2/task"
+	runtimeoptions "github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1"
 	"github.com/containerd/ttrpc"
 	"github.com/containerd/typeurl"
 	conmonconfig "github.com/containers/conmon/runner/config"
@@ -27,6 +28,7 @@ import (
 	"github.com/cri-o/cri-o/utils/fifo"
 	cio "github.com/cri-o/cri-o/utils/io"
 	cioutil "github.com/cri-o/cri-o/utils/ioutil"
+	ptypes "github.com/gogo/protobuf/types"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -40,11 +42,12 @@ import (
 // runtimeVM is the Runtime interface implementation that is more appropriate
 // for VM based container runtimes.
 type runtimeVM struct {
-	path    string
-	fifoDir string
-	ctx     context.Context
-	client  *ttrpc.Client
-	task    task.TaskService
+	path       string
+	fifoDir    string
+	configPath string
+	ctx        context.Context
+	client     *ttrpc.Client
+	task       task.TaskService
 
 	sync.Mutex
 	ctrs map[string]containerInfo
@@ -60,7 +63,7 @@ const (
 )
 
 // newRuntimeVM creates a new runtimeVM instance
-func newRuntimeVM(path, root string) RuntimeImpl {
+func newRuntimeVM(path, root, configPath string) RuntimeImpl {
 	logrus.Debug("oci.newRuntimeVM() start")
 	defer logrus.Debug("oci.newRuntimeVM() end")
 
@@ -77,10 +80,11 @@ func newRuntimeVM(path, root string) RuntimeImpl {
 	typeurl.Register(&rspec.WindowsResources{}, prefix, "opencontainers/runtime-spec", major, "WindowsResources")
 
 	return &runtimeVM{
-		path:    path,
-		fifoDir: filepath.Join(root, "crio", "fifo"),
-		ctx:     context.Background(),
-		ctrs:    make(map[string]containerInfo),
+		path:       path,
+		configPath: configPath,
+		fifoDir:    filepath.Join(root, "crio", "fifo"),
+		ctx:        context.Background(),
+		ctrs:       make(map[string]containerInfo),
 	}
 }
 
@@ -93,6 +97,24 @@ func (r *runtimeVM) CreateContainer(ctx context.Context, c *Container, cgroupPar
 	c.opLock.Lock()
 	defer c.opLock.Unlock()
 
+	// Lets ensure we're able to properly get construct the Options
+	// that we'll pass to the ContainerCreateTask, as admins can set
+	// the runtime_config_path to an arbitrary location.  Also, lets
+	// fail early if something goes wrong.
+	var opts *ptypes.Any = nil
+	if r.configPath != "" {
+		runtimeOptions := &runtimeoptions.Options{
+			ConfigPath: r.configPath,
+		}
+
+		marshaledOtps, err := typeurl.MarshalAny(runtimeOptions)
+		if err != nil {
+			return err
+		}
+
+		opts = marshaledOtps
+	}
+
 	// First thing, we need to start the runtime daemon
 	if err := r.startRuntimeDaemon(ctx, c); err != nil {
 		return err
@@ -158,6 +180,7 @@ func (r *runtimeVM) CreateContainer(ctx context.Context, c *Container, cgroupPar
 		Stdout:   containerIO.Config().Stdout,
 		Stderr:   containerIO.Config().Stderr,
 		Terminal: containerIO.Config().Terminal,
+		Options:  opts,
 	}
 
 	createdCh := make(chan error)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -161,9 +161,11 @@ type RootConfig struct {
 // RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML
 // config table.
 type RuntimeHandler struct {
-	RuntimePath string `toml:"runtime_path"`
-	RuntimeType string `toml:"runtime_type"`
-	RuntimeRoot string `toml:"runtime_root"`
+	RuntimeConfigPath string `toml:"runtime_config_path"`
+	RuntimePath       string `toml:"runtime_path"`
+	RuntimeType       string `toml:"runtime_type"`
+	RuntimeRoot       string `toml:"runtime_root"`
+
 	// PrivilegedWithoutHostDevices can be used to restrict passing host devices
 	// to a container running as privileged.
 	PrivilegedWithoutHostDevices bool `toml:"privileged_without_host_devices,omitempty"`
@@ -821,9 +823,10 @@ func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution
 			// first. If it does not exist then we add runc + its path to the runtimes map.
 			if _, ok := c.Runtimes[defaultRuntime]; !ok {
 				c.Runtimes[defaultRuntime] = &RuntimeHandler{
-					RuntimePath: "",
-					RuntimeType: DefaultRuntimeType,
-					RuntimeRoot: DefaultRuntimeRoot,
+					RuntimePath:       "",
+					RuntimeType:       DefaultRuntimeType,
+					RuntimeRoot:       DefaultRuntimeRoot,
+					RuntimeConfigPath: "",
 				}
 			}
 			// Set the DefaultRuntime to runc so we don't fail further along in the code
@@ -1088,6 +1091,9 @@ func (r *RuntimeHandler) Validate(name string) error {
 	if err := r.ValidateRuntimePath(name); err != nil {
 		return err
 	}
+	if err := r.ValidateRuntimeConfigPath(name); err != nil {
+		return err
+	}
 	if err := r.ValidateRuntimeAllowedAnnotations(); err != nil {
 		return err
 	}
@@ -1146,6 +1152,21 @@ func (r *RuntimeHandler) ValidateRuntimeType(name string) error {
 	return nil
 }
 
+// ValidateRuntimeConfigPath checks if the `RuntimeConfigPath` exists.
+func (r *RuntimeHandler) ValidateRuntimeConfigPath(name string) error {
+	if r.RuntimeConfigPath == "" {
+		return nil
+	}
+	if r.RuntimeType != RuntimeTypeVM {
+		return fmt.Errorf("runtime_config_path can only be used with the 'vm' runtime type")
+	}
+	if _, err := os.Stat(r.RuntimeConfigPath); err != nil && os.IsNotExist(err) {
+		return fmt.Errorf("invalid runtime_config_path for runtime '%s': %q",
+			name, err)
+	}
+	return nil
+}
+
 func (r *RuntimeHandler) ValidateRuntimeAllowedAnnotations() error {
 	disallowedAnnotations := make(map[string]struct{})
 	for _, ann := range annotations.AllAllowedAnnotations {

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -1015,4 +1015,45 @@ var _ = t.Describe("Config", func() {
 			Expect(ok).To(BeFalse())
 		})
 	})
+
+	t.Describe("ValidateRuntimeConfigPath", func() {
+		It("should fail with OCI runtime type when runtime_config_path is used", func() {
+			// Given
+			sut.Runtimes["runc"] = &config.RuntimeHandler{
+				RuntimeConfigPath: validFilePath, RuntimeType: config.DefaultRuntimeType,
+			}
+
+			// When
+			err := sut.Runtimes["runc"].ValidateRuntimeConfigPath("runc")
+
+			// Then
+			Expect(err).NotTo(BeNil())
+		})
+
+		It("should fail with VM runtime type and runtime_config_path points to an invalid path", func() {
+			// Given
+			sut.Runtimes["kata"] = &config.RuntimeHandler{
+				RuntimeConfigPath: invalidPath, RuntimeType: config.RuntimeTypeVM,
+			}
+
+			// When
+			err := sut.Runtimes["kata"].ValidateRuntimeConfigPath("kata")
+
+			// Then
+			Expect(err).NotTo(BeNil())
+		})
+
+		It("should succeed with VM runtime type and runtime_config_path points to a valid path", func() {
+			// Given
+			sut.Runtimes["kata"] = &config.RuntimeHandler{
+				RuntimeConfigPath: validFilePath, RuntimeType: config.RuntimeTypeVM,
+			}
+
+			// When
+			err := sut.Runtimes["kata"].ValidateRuntimeConfigPath("kata")
+
+			// Then
+			Expect(err).To(BeNil())
+		})
+	})
 })
diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -951,6 +951,8 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 #   omitted, an "oci" runtime is assumed.
 # - runtime_root (optional, string): root directory for storage of containers
 #   state.
+# - runtime_config_path (optional, string): the path for the runtime configuration
+#   file. This can only be used with when using the VM runtime_type.
 # - privileged_without_host_devices (optional, bool): an option for restricting
 #   host devices from being passed to privileged containers.
 # - allowed_annotations (optional, array of strings): an option for specifying
@@ -967,6 +969,7 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 runtime_path = "{{ $runtime_handler.RuntimePath }}"
 runtime_type = "{{ $runtime_handler.RuntimeType }}"
 runtime_root = "{{ $runtime_handler.RuntimeRoot }}"
+runtime_config_path = "{{ $runtime_handler.RuntimeConfigPath }}"
 {{ if $runtime_handler.PrivilegedWithoutHostDevices }}
 privileged_without_host_devices = {{ $runtime_handler.PrivilegedWithoutHostDevices }}
 {{ end }}

diff --git a/test/helpers.bash b/test/helpers.bash
@@ -39,6 +39,7 @@ CONTAINER_DEFAULT_RUNTIME=${CONTAINER_DEFAULT_RUNTIME:-runc}
 RUNTIME_BINARY_PATH=$(command -v "$CONTAINER_DEFAULT_RUNTIME")
 RUNTIME_TYPE=${RUNTIME_TYPE:-oci}
 PRIVILEGED_WITHOUT_HOST_DEVICES=${PRIVILEGED_WITHOUT_HOST_DEVICES:-}
+RUNTIME_CONFIG_PATH=${RUNTIME_CONFIG_PATH:-""}
 # Path of the apparmor_parser binary.
 APPARMOR_PARSER_BINARY=${APPARMOR_PARSER_BINARY:-/sbin/apparmor_parser}
 # Path of the apparmor profile for test.
@@ -261,7 +262,7 @@ function setup_crio() {
 
     RUNTIME_ROOT=${RUNTIME_ROOT:-"$TESTDIR/crio-runtime-root"}
     # export here so direct calls to crio later inherit the variable
-    export CONTAINER_RUNTIMES=${CONTAINER_RUNTIMES:-$CONTAINER_DEFAULT_RUNTIME:$RUNTIME_BINARY_PATH:$RUNTIME_ROOT:$RUNTIME_TYPE:$PRIVILEGED_WITHOUT_HOST_DEVICES}
+    export CONTAINER_RUNTIMES=${CONTAINER_RUNTIMES:-$CONTAINER_DEFAULT_RUNTIME:$RUNTIME_BINARY_PATH:$RUNTIME_ROOT:$RUNTIME_TYPE:$PRIVILEGED_WITHOUT_HOST_DEVICES:$RUNTIME_CONFIG_PATH}
 
     # generate the default config file
     "$CRIO_BINARY_PATH" config --default >"$CRIO_CONFIG"