Migrate seccomp profile (#223)

.github/workflows/integration.yml

@@ -70,7 +70,7 @@ jobs:
         with:
           repository: kubernetes-sigs/cri-tools
           path: src/sigs.k8s.io/cri-tools
-          ref: e3c99451faee42de2fcf4568bdd81be8bb29e40f
+          ref: 5fd98895f3bbf8a3ba2d25e93fa95ba1e2ae0923
 
       - name: Build cri-tools
         working-directory: src/sigs.k8s.io/cri-tools

core/container_create.go

@@ -116,7 +116,7 @@ func (ds *dockerService) CreateContainer(
 	hc.Resources.Devices = devices
 
 	securityOpts, err := ds.getSecurityOpts(
-		config.GetLinux().GetSecurityContext().GetSeccompProfilePath(),
+		config.GetLinux().GetSecurityContext().GetSeccomp(),
 		securityOptSeparator,
 	)
 	if err != nil {

core/security_context.go

@@ -21,12 +21,13 @@ import (
 	"crypto/md5"
 	"encoding/json"
 	"fmt"
-	"github.com/Mirantis/cri-dockerd/config"
 	"io/ioutil"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	"github.com/Mirantis/cri-dockerd/config"
+
 	dockercontainer "github.com/docker/docker/api/types/container"
 
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
@@ -248,24 +249,25 @@ func modifyHostOptionsForContainer(
 	}
 }
 
-func getSeccompDockerOpts(seccompProfile string) ([]DockerOpt, error) {
-	if seccompProfile == "" || seccompProfile == config.SeccompProfileNameUnconfined {
+func getSeccompDockerOpts(seccomp *runtimeapi.SecurityProfile) ([]DockerOpt, error) {
+
+	if seccomp == nil || seccomp.GetProfileType() == runtimeapi.SecurityProfile_Unconfined {
 		// return early the default
 		return defaultSeccompOpt, nil
 	}
 
-	if seccompProfile == config.SeccompProfileRuntimeDefault ||
-		seccompProfile == config.DeprecatedSeccompProfileDockerDefault {
+	if seccomp.GetProfileType() == runtimeapi.SecurityProfile_RuntimeDefault ||
+		seccomp.GetProfileType().String() == config.DeprecatedSeccompProfileDockerDefault {
 		// return nil so docker will load the default seccomp profile
 		return nil, nil
 	}
 
-	if !strings.HasPrefix(seccompProfile, config.SeccompLocalhostProfileNamePrefix) {
-		return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
+	if seccomp.GetProfileType() != runtimeapi.SecurityProfile_Localhost {
+		return nil, fmt.Errorf("unknown seccomp profile option: %s", seccomp)
 	}
 
 	// get the full path of seccomp profile when prefixed with 'localhost/'.
-	fname := strings.TrimPrefix(seccompProfile, config.SeccompLocalhostProfileNamePrefix)
+	fname := seccomp.GetLocalhostRef()
 	if !filepath.IsAbs(fname) {
 		return nil, fmt.Errorf(
 			"seccomp profile path must be absolute, but got relative path %q",
@@ -289,7 +291,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]DockerOpt, error) {
 
 // getSeccompSecurityOpts gets container seccomp options from container seccomp profile.
 // It is an experimental feature and may be promoted to official runtime api in the future.
-func getSeccompSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
+func getSeccompSecurityOpts(seccompProfile *runtimeapi.SecurityProfile, separator rune) ([]string, error) {
 	seccompOpts, err := getSeccompDockerOpts(seccompProfile)
 	if err != nil {
 		return nil, err

core/security_context_linux.go

@@ -20,11 +20,13 @@ package core
 
 import (
 	"fmt"
+
+	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 
-func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
+func (ds *dockerService) getSecurityOpts(seccomp *runtimeapi.SecurityProfile, separator rune) ([]string, error) {
 	// Apply seccomp options.
-	seccompSecurityOpts, err := getSeccompSecurityOpts(seccompProfile, separator)
+	seccompSecurityOpts, err := getSeccompSecurityOpts(seccomp, separator)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate seccomp security options for container: %v", err)
 	}