diff --git a/README.md b/README.md
index 8b31e68..35e2fd1 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **command** | string | no | Command to override command defined in the image. |
 | **args** | []string | no | Arguments to the command. |
 | **privileged** | bool | no | Run container in privileged mode. Your container will have all linux capabilities when running in privileged mode. |
+| **seccomp** | bool | no | Enable default seccomp profile. List of [`allowed syscalls`](https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390). |
 | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
 | **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
 | **cap_add** | []string | no | Add individual capabilities. |
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 3f9fad2..1a54b6b 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -24,6 +24,7 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/cio"
+ "github.com/containerd/containerd/contrib/seccomp"
 "github.com/containerd/containerd/oci"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -65,6 +66,12 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
 opts = append(opts, oci.WithPrivileged)
 }
+ // Enable default seccomp profile.
+ // Allowed syscalls for the default seccomp profile: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
+ if config.Seccomp {
+ opts = append(opts, seccomp.WithDefaultProfile())
+ }
+
 // Launch container in read-only mode.
 if config.ReadOnlyRootfs {
 opts = append(opts, oci.WithRootFSReadonly())
diff --git a/containerd/driver.go b/containerd/driver.go
index 17157d0..f14a95a 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
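Review bot: `seccomp.WithDefaultProfile()` derives its allowlist from the capabilities already present in the spec at the moment the option runs (containerd's `DefaultProfile(sp)` widens the profile per bounding capability, e.g. for CAP_SYS_ADMIN), so its position in `opts` is security-relevant: it must come after `oci.WithPrivileged` — it does here — and after any `cap_add`/`cap_drop` options; if those are appended later in `createContainer`, which starts and continues outside this hunk, the profile is computed against the pre-`cap_add` capability set and may deny syscalls the added capability was meant to permit, or be stale after a drop. I would make that ordering requirement explicit in the comment: `// Must be appended after every capability-changing option: the default profile is derived from the spec's capability set at the time this option runs.`. The link in the comment targets `master` with a hard line range (`#L51-L390`), which will silently drift; pin it to the containerd tag the module vendors. It is also worth stating in the README row that, unlike Docker, `privileged = true` does not switch the profile to unconfined here — arguably the better behaviour, but operators coming from Docker will not expect it.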
@@ -92,6 +92,7 @@ var (
 "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
 "devices": hclspec.NewAttr("devices", "list(string)", false),
 "privileged": hclspec.NewAttr("privileged", "bool", false),
+ "seccomp": hclspec.NewAttr("seccomp", "bool", false),
 "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 "host_network": hclspec.NewAttr("host_network", "bool", false),
 "mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
@@ -140,6 +141,7 @@ type TaskConfig struct {
 CapAdd []string `codec:"cap_add"`
 CapDrop []string `codec:"cap_drop"`
 Devices []string `codec:"devices"`
+ Seccomp bool `codec:"seccomp"`
 Privileged bool `codec:"privileged"`
 ReadOnlyRootfs bool `codec:"readonly_rootfs"`
 HostNetwork bool `codec:"host_network"`
diff --git a/example/redis.nomad b/example/redis.nomad
index 4795e15..0a37653 100644
--- a/example/redis.nomad
+++ b/example/redis.nomad
@@ -6,7 +6,8 @@ job "redis" {
 driver = "containerd-driver"
 config {
- image = "docker.io/library/redis:alpine"
+ image = "docker.io/library/redis:alpine"
+ seccomp = true
 }
 resources {
diff --git a/tests/001-test-redis.sh b/tests/001-test-redis.sh
index b2daa72..f16557f 100755
--- a/tests/001-test-redis.sh
+++ b/tests/001-test-redis.sh
@@ -32,6 +32,14 @@ test_redis_nomad_job() {
 exit 1
 fi
+ echo "INFO: Check if default seccomp is enabled."
+ output=$(nomad alloc exec -job redis cat /proc/1/status | grep Seccomp)
+ seccomp_code=$(echo $output|cut -d' ' -f2)
+ if [ $seccomp_code != "2" ]; then
+ echo "ERROR: default seccomp is not enabled."
+ exit 1
+ fi
+
 echo "INFO: Stopping nomad redis job."
 nomad job stop redis
 redis_status=$(nomad job status -short redis|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
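Review bot: The new `seccomp` attribute is a bare `bool` with no `hclspec.NewDefault` wrapper, so it is false unless a job opts in, and every existing job keeps running with an unfiltered syscall surface after this change; the secure-by-default choice (and what Docker does) is to apply the default profile unless the job explicitly sets `seccomp = false`, e.g. `"seccomp": hclspec.NewDefault(hclspec.NewAttr("seccomp", "bool", false), hclspec.NewLiteral("true")),`. If opt-in is deliberate, the README row should say so (`Enable default seccomp profile (off by default).`) rather than leaving operators to assume Docker-like behaviour. Before this name is published, consider whether a string attribute (`default` / `unconfined` / path to a profile JSON) serves better than a bool, since a later `seccomp_profile` next to `seccomp = true` is a confusing pair. Minor: in the `TaskConfig` hunk the field is inserted before `Privileged` while the hclspec map and README list it after — keep the three orderings consistent.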
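Review bot: The check `if [ $seccomp_code != "2" ]; then` is fail-open: if `nomad alloc exec` fails or `grep` matches nothing, `$seccomp_code` expands to nothing, `[` reports "unary operator expected" and returns 2, the `then` branch is skipped (errexit does not apply inside an `if` condition), and the test passes without having verified seccomp at all. Quote the expansion and anchor the match so that `Seccomp_filters:` (present on 5.9+ kernels) is not picked up as well: `seccomp_code=$(nomad alloc exec -job redis cat /proc/1/status | awk '/^Seccomp:/ {print $2}')` and `if [ "$seccomp_code" != "2" ]; then`. Since the value is read from `/proc/1/status`, the test only proves the task's PID 1 is filtered; that is fine for this job but worth a one-line comment. `test_redis_nomad_job` starts and ends outside the hunk.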