Merge pull request k8snetworkplumbingwg#137 from mmirecki/chroot
Fix kernel lockdown checking in chroot
zshi-redhat authored and mmirecki committed May 27, 2021
1 parent db93648 commit 3453196
Showing 2 changed files with 9 additions and 5 deletions.
4 changes: 2 additions & 2 deletions pkg/plugins/mellanox/mellanox_plugin.go
Expand Up @@ -102,7 +102,7 @@ func (p *MellanoxPlugin) OnNodeStateChange(old, new *sriovnetworkv1.SriovNetwork
mellanoxNicsSpec[iface.PciAddress] = iface
}

if utils.IsKernelLockdownMode() {
if utils.IsKernelLockdownMode(false) {
if len(mellanoxNicsSpec) > 0 {
glog.Info("Lockdown mode detected, failing on interface update for mellanox devices")
return false, false, fmt.Errorf("Mellanox device detected when in lockdown mode")
Expand Down Expand Up @@ -180,7 +180,7 @@ func (p *MellanoxPlugin) OnNodeStateChange(old, new *sriovnetworkv1.SriovNetwork

// Apply config change
func (p *MellanoxPlugin) Apply() error {
if utils.IsKernelLockdownMode() {
if utils.IsKernelLockdownMode(false) {
glog.Info("mellanox-plugin Apply() - skipping due to lockdown mode")
return nil
}
Expand Down
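Review bot: The bare `false` in both `utils.IsKernelLockdownMode(false)` calls gives a reader no hint of what is being selected, so a one-line comment at each call site would help, e.g. `// false: not chrooted here, read the host's lockdown file under /host`. That the plugin runs un-chrooted is inferred from the argument value rather than visible in these hunks, so the wording should be confirmed against how the plugin container is launched. Both call sites sit inside functions (OnNodeStateChange and Apply) whose bodies begin or end outside the hunks.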
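--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -138,7 +138,7 @@ func DiscoverSriovDevices() ([]sriovnetworkv1.InterfaceExt, error) {
 // SyncNodeState Attempt to update the node state to match the desired state
 //
 func SyncNodeState(newState *sriovnetworkv1.SriovNetworkNodeState) error {
-if IsKernelLockdownMode() && hasMellanoxInterfacesInSpec(newState) {
+if IsKernelLockdownMode(true) && hasMellanoxInterfacesInSpec(newState) {
 glog.Warningf("cannot use mellanox devices when in kernel lockdown mode")
 return fmt.Errorf("cannot use mellanox devices when in kernel lockdown mode")
 }
@@ -704,8 +704,12 @@ func isSwitchdev(name string) bool {
 }
 
 // IsKernelLockdownMode returns true when kernel lockdown mode is enabled
-func IsKernelLockdownMode() bool {
-out, err := RunCommand("cat", "/host/sys/kernel/security/lockdown")
+func IsKernelLockdownMode(chroot bool) bool {
+path := "/sys/kernel/security/lockdown"
+if !chroot {
+path = "/host" + path
+}
+out, err := RunCommand("cat", path)
 glog.V(2).Infof("IsKernelLockdownMode(): %s, %+v", out, err)
 if err != nil {
 return false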
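Review bot: The doc comment above IsKernelLockdownMode still reads as if the function took no arguments, so the meaning of the new `chroot` flag — and which value a caller should pass — is undocumented; I would extend it to `// IsKernelLockdownMode returns true when kernel lockdown mode is enabled. chroot reports whether the caller already runs chrooted into the host root filesystem; when false the lockdown file is read under the /host mount instead.` Unchanged by this commit but worth noting alongside it: a read error on either path still yields false (the `if err != nil { return false }` tail), so a wrong assumption about being chrooted, or securityfs not being mounted, silently reports lockdown as off and lets the Mellanox guard in SyncNodeState pass; logging that error above V(2) would make such a misconfiguration visible. Whether SyncNodeState really runs chrooted (it now passes true) cannot be confirmed from this hunk. The body of IsKernelLockdownMode continues past the end of the hunk.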
