commit
0550b1a65a
@ -85,6 +85,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
|
||||
| **command** | string | no | Command to override command defined in the image. |
|
||||
| **args** | []string | no | Arguments to the command. |
|
||||
| **privileged** | bool | no | Run container in privileged mode. Your container will have all linux capabilities when running in privileged mode. |
|
||||
| **seccomp** | bool | no | Enable default seccomp profile. List of [`allowed syscalls`](https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390). |
|
||||
| **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
|
||||
| **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
|
||||
| **cap_add** | []string | no | Add individual capabilities. |
|
||||
|
@ -24,6 +24,7 @@ import (
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/cio"
|
||||
"github.com/containerd/containerd/contrib/seccomp"
|
||||
"github.com/containerd/containerd/oci"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
@ -65,6 +66,12 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
|
||||
opts = append(opts, oci.WithPrivileged)
|
||||
}
|
||||
|
||||
// Enable default seccomp profile.
|
||||
// Allowed syscalls for the default seccomp profile: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
|
||||
if config.Seccomp {
|
||||
opts = append(opts, seccomp.WithDefaultProfile())
|
||||
}
|
||||
|
||||
// Launch container in read-only mode.
|
||||
if config.ReadOnlyRootfs {
|
||||
opts = append(opts, oci.WithRootFSReadonly())
|
||||
|
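Review bot: `seccomp.WithDefaultProfile()` is appended here before any capability options, and containerd builds its default profile from the capabilities present in the spec at the moment the option runs, so if `cap_add`/`cap_drop` are applied later in createContainer (the function starts at the hunk header and continues past the hunk, so I cannot see where they are handled) the allowed-syscall list will not reflect the task's final capability set. If that is the order, move the `if config.Seccomp { ... }` block after the capability handling, or add a comment stating why the profile is intentionally computed before capabilities are adjusted. The interaction with `oci.WithPrivileged` just above also deserves a comment: as far as I recall that option sets seccomp to unconfined, and appending the default profile afterwards silently reverses that for a privileged task, so either document the precedence (`// seccomp=true re-applies the default profile even when privileged=true`) or reject the combination during config validation.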
@ -92,6 +92,7 @@ var (
|
||||
"cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
|
||||
"devices": hclspec.NewAttr("devices", "list(string)", false),
|
||||
"privileged": hclspec.NewAttr("privileged", "bool", false),
|
||||
"seccomp": hclspec.NewAttr("seccomp", "bool", false),
|
||||
"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
|
||||
"host_network": hclspec.NewAttr("host_network", "bool", false),
|
||||
"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
|
||||
@ -140,6 +141,7 @@ type TaskConfig struct {
|
||||
CapAdd []string `codec:"cap_add"`
|
||||
CapDrop []string `codec:"cap_drop"`
|
||||
Devices []string `codec:"devices"`
|
||||
Seccomp bool `codec:"seccomp"`
|
||||
Privileged bool `codec:"privileged"`
|
||||
ReadOnlyRootfs bool `codec:"readonly_rootfs"`
|
||||
HostNetwork bool `codec:"host_network"`
|
||||
|
@ -6,7 +6,8 @@ job "redis" {
|
||||
driver = "containerd-driver"
|
||||
|
||||
config {
|
||||
image = "docker.io/library/redis:alpine"
|
||||
image = "docker.io/library/redis:alpine"
|
||||
seccomp = true
|
||||
}
|
||||
|
||||
resources {
|
||||
|
@ -32,6 +32,14 @@ test_redis_nomad_job() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "INFO: Check if default seccomp is enabled."
|
||||
output=$(nomad alloc exec -job redis cat /proc/1/status | grep Seccomp)
|
||||
seccomp_code=$(echo $output|cut -d' ' -f2)
|
||||
if [ $seccomp_code != "2" ]; then
|
||||
echo "ERROR: default seccomp is not enabled."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "INFO: Stopping nomad redis job."
|
||||
nomad job stop redis
|
||||
redis_status=$(nomad job status -short redis|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
|
||||
|
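Review bot: `$seccomp_code` is unquoted in the `[ ... != "2" ]` test, so when the `nomad alloc exec` / `grep` pipeline produces no output the condition becomes `[ != "2" ]`, which is a usage error of `[` rather than a failed comparison, and the check is skipped instead of failing the test. The field extraction also only works because the unquoted `echo $output` collapses the tab that separates `Seccomp:` from its value in /proc/1/status before `cut -d' '` sees it. Suggested replacement: `seccomp_code=$(nomad alloc exec -job redis cat /proc/1/status | awk '/^Seccomp:/ {print $2}')` followed by `if [ "$seccomp_code" != "2" ]; then`. test_redis_nomad_job starts before the hunk and continues after it.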