
OSCHINA-MIRROR/src-openeuler-iSulad

0185-sandbox-sandboxer-code-isolation.patch 9.8 КБ
liuxu Отправлено 17.02.2025 20:07 ea77daa
From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 7 Feb 2025 11:43:21 +0800
Subject: [PATCH 185/198] sandbox:sandboxer code isolation
Signed-off-by: liuxu <liuxu156@huawei.com>
---
.../modules/service/service_container.c | 37 ++++++++-----------
src/daemon/sandbox/sandbox.cc | 10 ++++-
src/daemon/sandbox/sandbox.h | 6 ++-
src/daemon/sandbox/sandbox_ops.cc | 2 +
src/daemon/sandbox/sandbox_ops.h | 2 +
.../sandbox/{ => sandboxer}/sandbox_task.cc | 0
.../sandbox/{ => sandboxer}/sandbox_task.h | 0
7 files changed, 33 insertions(+), 24 deletions(-)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%)
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 250e8299..18104781 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
oci_runtime_spec *oci_spec = NULL;
rt_create_params_t create_params = { 0 };
rt_start_params_t start_params = { 0 };
+#ifdef ENABLE_SANDBOXER
+ int prepare_container_ret = -1;
+#endif
nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id);
if (nret < 0 || (size_t)nret >= sizeof(bundle)) {
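Review bot: `prepare_container_ret`, declared in this hunk, reads like a return code, but the later hunk sets it to 0 right after the `sandbox_info != NULL && sandbox_prepare_container(...) != 0` check, so it is also 0 when `sandbox_info` is NULL and nothing was prepared. That is why the cleanup under `close_exit_fd:` has to repeat the NULL test in a nested `if`. A boolean that records what actually happened, `bool sandbox_prepared = false;` assigned with `sandbox_prepared = (cont->common_config->sandbox_info != NULL);`, lets the cleanup be the single condition `if (sandbox_prepared && sandbox_purge_container(cont->common_config) != 0)`. do_start_container starts and ends outside these hunks.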
@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
}
#endif
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_container(cont->common_config,
oci_spec, console_fifos, tty) != 0) {
@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
ret = -1;
goto close_exit_fd;
}
+ prepare_container_ret = 0;
#endif
create_params.bundle = bundle;
@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (runtime_create(id, runtime, &create_params) != 0) {
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
start_params.rootpath = cont->root_path;
@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) {
ERROR("Failed to do post start on runtime start success");
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
} else {
// wait monitor cleanup cgroup and processes finished
wait_exit_fifo(id, exit_fifo_fd);
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
goto out;
-#ifdef ENABLE_CRI_API_V1
-clean_prepare_container:
- if (cont->common_config->sandbox_info != NULL &&
- sandbox_purge_container(cont->common_config) != 0) {
- ERROR("Failed to remove container %s from sandbox", id);
+close_exit_fd:
+#ifdef ENABLE_SANDBOXER
+ if (prepare_container_ret == 0) {
+ if (cont->common_config->sandbox_info != NULL &&
+ sandbox_purge_container(cont->common_config) != 0) {
+ ERROR("Failed to remove container %s from sandbox", id);
+ }
}
#endif
-close_exit_fd:
close(exit_fifo_fd);
clean_resources_on_failure(cont, engine_log_path, loglevel);
@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
}
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_container(cont->common_config) != 0) {
ERROR("Failed to remove container %s from sandbox", id);
@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char
goto out;
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_exec(cont->common_config, request->suffix,
process_spec, (const char **)console_fifos, request->tty) != 0) {
@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe
const char *exec_id, uint32_t cc,
int exit_code, int sync_fd, pthread_t thread_id)
{
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_exec(cont->common_config, exec_id) != 0) {
ERROR("Failed to purge container for exec %s", exec_id);
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d105d71a..d5681d48 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool
}
LoadNetworkSetting();
+#ifdef ENABLE_SANDBOXER
LoadSandboxTasks();
+#endif
// When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready,
// and the user decides whether to delete the sandbox.
@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs()
ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str());
}
+#ifdef ENABLE_SANDBOXER
if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) {
- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str());
+ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str());
}
+#endif
}
void Sandbox::PrepareSandboxDirs(Errors &error)
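Review bot: With the removal of `m_statedir` now inside `#ifdef ENABLE_SANDBOXER` (and its creation guarded the same way in the PrepareSandboxDirs hunk), a daemon built without the sandboxer never deletes a state directory that an earlier sandboxer-enabled build created for the same sandbox. Whether such directories can exist after a rebuild or downgrade is not visible from this patch; if they can, keeping the `util_recursive_rmdir(m_statedir.c_str(), 0)` call unconditional avoids leaving stale sandbox state on disk, provided util_recursive_rmdir tolerates a missing path. If the guard is intended, a comment such as `// state dir is only created by the sandboxer build` above the `#ifdef` would record why. CleanupSandboxDirs begins outside this hunk.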
@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error)
goto out;
}
+#ifdef ENABLE_SANDBOXER
nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE);
if (nret < 0) {
error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str());
ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str());
goto out;
}
+#endif
umask(mask);
return;
@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str());
}
+#ifdef ENABLE_SANDBOXER
void Sandbox::LoadSandboxTasks()
{
}
@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int
{
return 0;
}
+#endif
}
\ No newline at end of file
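Review bot: The `#endif` added before the closing namespace brace ends a block opened in the previous hunk at `LoadSandboxTasks()`, and it carries no label, while sandbox_ops.cc in this same patch uses `#endif /* ENABLE_SANDBOXER */`. Using the labelled form here, and for the bare `#endif` lines added in sandbox.h and sandbox_ops.h, keeps the guards easy to pair up. Since this line is being touched anyway, the file could also gain the trailing newline that the `\ No newline at end of file` marker shows is still missing.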
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 58d60ecb..3a7b0736 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -23,6 +23,9 @@
#include <isula_libutils/container_network_settings.h>
#include <isula_libutils/sandbox_state.h>
#include <isula_libutils/sandbox_metadata.h>
+#ifdef ENABLE_SANDBOXER
+#include <isula_libutils/oci_runtime_spec.h>
+#endif
#include "api_v1.grpc.pb.h"
#include "errors.h"
@@ -30,7 +33,6 @@
#include "controller_manager.h"
#include "cstruct_wrapper.h"
#include "read_write_lock.h"
-#include "sandbox_task.h"
namespace sandbox {
@@ -140,6 +142,7 @@ public:
auto Remove(Errors &error) -> bool;
void Status(runtime::v1::PodSandboxStatus &status);
+#ifdef ENABLE_SANDBOXER
// for sandbox api update
virtual void LoadSandboxTasks();
virtual auto PrepareContainer(const char *containerId, const char *baseFs,
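Review bot: Wrapping these `virtual` members in `#ifdef ENABLE_SANDBOXER` (the block closes with the `#endif` in the next hunk) makes the class's vtable layout depend on the macro, so every translation unit that includes sandbox.h, subclasses, mocks and unit tests included, has to be compiled with the same setting; otherwise the program violates the one-definition rule and virtual calls may dispatch to the wrong slot. I would add a comment above the `#ifdef`, e.g. `// NOTE: virtual members below change the vtable; ENABLE_SANDBOXER must be defined identically for every TU including this header`, and confirm that the build defines the macro project-wide rather than per target. The class definition begins and ends outside this hunk.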
@@ -149,6 +152,7 @@ public:
defs_process *processSpec, const char *consoleFifos[]) -> int;
virtual auto PurgeContainer(const char *containerId) -> int;
virtual auto PurgeExec(const char *containerId, const char *execId) -> int;
+#endif
private:
auto SaveState(Errors &error) -> bool;
diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc
index ae881933..cf88c1bd 100644
--- a/src/daemon/sandbox/sandbox_ops.cc
+++ b/src/daemon/sandbox/sandbox_ops.cc
@@ -25,6 +25,7 @@
#include "namespace.h"
#include "utils.h"
+#ifdef ENABLE_SANDBOXER
static inline bool validate_sandbox_info(const container_sandbox_info *sandbox)
{
return (sandbox != NULL && sandbox->sandboxer != NULL &&
@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch
return sandbox->PurgeExec(config->id, exec_id);
}
+#endif /* ENABLE_SANDBOXER */
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code)
{
diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h
index 8189efd6..e1309313 100644
--- a/src/daemon/sandbox/sandbox_ops.h
+++ b/src/daemon/sandbox/sandbox_ops.h
@@ -24,6 +24,7 @@
extern "C" {
#endif
+#ifdef ENABLE_SANDBOXER
int sandbox_prepare_container(const container_config_v2_common_config *config,
const oci_runtime_spec *oci_spec,
const char *console_fifos[], bool tty);
@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config,
int sandbox_purge_container(const container_config_v2_common_config *config);
int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id);
+#endif
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code);
diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.cc
rename to src/daemon/sandbox/sandboxer/sandbox_task.cc
diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.h
rename to src/daemon/sandbox/sandboxer/sandbox_task.h
--
2.34.1
