packages: enable seccomp in containerd

Fixes: #2259
See: #2259

Cherry-picked from f1df9b5
See: #2854

buildchain/buildchain/versions.py

@@ -21,6 +21,7 @@
 K8S_VERSION        : str = '1.16.13'
 SALT_VERSION       : str = '3000.3'
 CONTAINERD_VERSION : str = '1.2.13'
+CONTAINERD_RELEASE : str = '2.el7'
 
 def load_version_information() -> None:
     """Load version information from `VERSION`."""
@@ -333,7 +334,7 @@ def deb_full_name(self) -> str:
         PackageVersion(
             name='containerd',
             version=CONTAINERD_VERSION,
-            release='1.el7',
+            release=CONTAINERD_RELEASE,
         ),
         PackageVersion(name='container-selinux'),  # TODO #1710
         PackageVersion(name='httpd-tools'),

packages/redhat/Dockerfile

@@ -23,6 +23,7 @@ RUN yum install -y \
         golang \
         btrfs-progs-devel \
         go-md2man \
+        libseccomp-devel \
         systemd \
         && \
     yum clean all

packages/redhat/containerd.spec

@@ -23,16 +23,16 @@ export GOPATH=$GO_BUILD_PATH:%{gopath}
 %define gobuild(o:) %{expand:
 %global _dwz_low_mem_die_limit 0
 %ifnarch ppc64
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-seccomp}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
 %else
-go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-seccomp}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
 %endif
 }
 %endif
 
 
 Name:           containerd
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -43,6 +43,7 @@ Source2:        containerd.toml
 BuildRequires:  golang >= 1.10
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  go-md2man
+BuildRequires:  libseccomp-devel
 BuildRequires:  systemd
 %{?systemd_requires}
 Requires:       runc
@@ -209,6 +210,9 @@ install -D -p -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/containerd/config.toml
 
 
 %changelog
+* Mon Apr 6 2020 Nicolas Trangez <[email protected]> - 1.2.13-2
+- Enable seccomp support
+
 * Mon Apr 6 2020 Nicolas Trangez <[email protected]> - 1.2.13-1
 - Latest upstream
 

tests/post/features/seccomp.feature

@@ -0,0 +1,6 @@
+@post @ci @local @seccomp
+Feature: seccomp
+    Scenario: Running a Pod with the 'runtime/default' seccomp profile works
+        Given the Kubernetes API is available
+        When we create a utils Pod with labels {'test': 'seccomp1'} and annotations {'seccomp.security.alpha.kubernetes.io/pod': 'runtime/default'}
+        Then pods with label 'test=seccomp1' are 'Ready'

tests/post/steps/conftest.py

@@ -3,7 +3,7 @@
 from kubernetes.client import CustomObjectsApi
 from kubernetes.client import StorageV1Api
 import pytest
-from pytest_bdd import given, parsers
+from pytest_bdd import given, parsers, then
 
 from tests import kube_utils, utils
 
@@ -77,11 +77,17 @@ def _wait_for_status():
     )
 
 # }}}
+
+
+_PARSE_PODS_WITH_LABEL_STATUS = parsers.parse(
+    "pods with label '{label}' are '{expected_status}'")
+
+
 # Given {{{
 
 
-@given(parsers.parse("pods with label '{label}' are '{expected_status}'"))
-def check_pod_status(request, host, k8s_client, label, expected_status):
+@given(_PARSE_PODS_WITH_LABEL_STATUS)
+def given_check_pod_status(request, host, k8s_client, label, expected_status):
     ssh_config = request.config.getoption('--ssh-config')
 
     _check_pods_status(
@@ -116,3 +122,15 @@ def test_volume(volume_client, name):
         volume_client.delete(name, sync=True)
 
 # }}}
+
+# Then {{{
+
+
+@then(_PARSE_PODS_WITH_LABEL_STATUS)
+def then_check_pod_status(request, host, k8s_client, label, expected_status):
+    ssh_config = request.config.getoption('--ssh-config')
+
+    _check_pods_status(
+        k8s_client, expected_status, ssh_config, label=label
+    )
+# }}}

tests/post/steps/test_seccomp.py

@@ -0,0 +1,59 @@
+import os.path
+
+import yaml
+
+from kubernetes import client
+
+import pytest
+from pytest_bdd import scenario, when
+
+from tests import kube_utils
+from tests import utils
+
+
+@scenario("../features/seccomp.feature",
+          "Running a Pod with the 'runtime/default' seccomp profile works")
+def test_seccomp(host):
+    pass
+
+
+@when("we create a utils Pod with labels {'test': 'seccomp1'} "
+      "and annotations "
+      "{'seccomp.security.alpha.kubernetes.io/pod': 'runtime/default'}")
+def create_utils_pod(utils_pod):
+    pass
+
+
+@pytest.fixture
+def utils_pod(k8s_client, utils_image):
+    manifest_file = os.path.join(
+        os.path.realpath(os.path.dirname(__file__)),
+        "files",
+        "utils.yaml"
+    )
+    with open(manifest_file, encoding="utf-8") as fd:
+        manifest = yaml.safe_load(fd)
+
+    pod_name = 'test-seccomp1'
+
+    manifest["spec"]["containers"][0]["image"] = utils_image
+    manifest["metadata"]["name"] = pod_name
+    manifest["metadata"]["annotations"] = {
+        "seccomp.security.alpha.kubernetes.io/pod": "runtime/default",
+    }
+    manifest["metadata"]["labels"] = {
+        "test": "seccomp1",
+    }
+
+    k8s_client.create_namespaced_pod(body=manifest, namespace='default')
+
+    try:
+        yield pod_name
+    finally:
+        k8s_client.delete_namespaced_pod(
+            name=pod_name,
+            namespace="default",
+            body=client.V1DeleteOptions(
+                grace_period_seconds=0,
+            ),
+        )