Open tych0 opened 3 days ago
```
+ '[' -z https://api.github.com/repos/containerd/nri/pulls/123/commits ']'
++ curl https://api.github.com/repos/containerd/nri/pulls/123/commits
++ jq -r '.[0].parents[0].sha + "..HEAD"'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   278  100   278    0     0   2986      0 --:--:-- --:--:-- --:--:--  3021
jq: error (at <stdin>:1): Cannot index object with number
```
seems like maybe curl needs a --fail there...
This adds an adjustment for seccomp policies. The intent is that people can wholesale replace policies, or parse them, make some changes, and then send them back. Sending them to NRI via containerd requires some containerd patches as well, those are here: https://github.com/tych0/containerd/commits/nri-seccomp/
Specifically, we are interested in making the listenerPath of the policy dynamic based on a k8s pod spec, so we can't use the Localhost custom policy (well, we can use most of it, except for listenerPath, which we have an NRI plugin to change based on this code).
This patch is a lot of boilerplate, which is unfortunate. There is a much smaller but similar patch: https://github.com/tych0/nri/commit/a70547a543f762542212fde804b9cd3f70cfc272 but it involves directly serializing a runtime-spec string.
Finally, note the comment in generate.go: the runtime-tools generate code does not have complete coverage for seccomp stuff, so I opted to not use any of it, vs. adding more stuff to runtime-tools. The fact that there are human and computer names is also confusing, it seems like we should stick to the computer names for this particular interface.
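The CI failure quoted at the top of this PR is a fail-open pattern worth spelling out: `curl` without `--fail` hands whatever body the GitHub API returns (including an error object) straight to `jq`, and the only signal is a confusing "Cannot index object with number" further down the pipeline. The following is an added example, not code from this PR or from the nri project, that does the same job (derive `<first parent sha>..HEAD` from the pull request's commit list) while checking every assumption the one-line `jq` filter makes. The URL is the one in the quoted log; the sample bodies, the `opener` injection point and the helper names are constructed for illustration.

```python
"""Fail-closed parsing of a GitHub "list commits" response (added example)."""
import json
import urllib.error
import urllib.request

# URL from the quoted CI log; the PR number is whatever the job substitutes.
COMMITS_URL = "https://api.github.com/repos/containerd/nri/pulls/123/commits"

# Constructed sample bodies. The first has the shape of a successful call;
# the second has the shape GitHub uses for an error response. It is an
# object, not an array, which is exactly why `.[0]` makes jq fail with
# "Cannot index object with number".
SAMPLE_OK = json.dumps([
    {"sha": "1111111111111111111111111111111111111111",
     "parents": [{"sha": "0000000000000000000000000000000000000000"}]},
]).encode()
SAMPLE_ERROR = (b'{"message": "Not Found", '
                b'"documentation_url": "https://docs.github.com/rest"}')


def parse_commit_range(body: bytes) -> str:
    """Return '<first parent sha>..HEAD' or raise ValueError.

    Checks what `jq -r '.[0].parents[0].sha + "..HEAD"'` assumes silently:
    the body is JSON, it is a non-empty array, and the first commit has a
    parent with a 40-hex-character sha.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"response is not JSON: {body[:120]!r}") from exc
    if not isinstance(data, list) or not data:
        # An error object such as {"message": ...} is rejected here with a
        # message that names the real problem.
        raise ValueError(f"expected a non-empty commit array, got: {body[:120]!r}")
    first = data[0] if isinstance(data[0], dict) else {}
    parents = first.get("parents") or []
    sha = parents[0].get("sha") if parents and isinstance(parents[0], dict) else None
    if not isinstance(sha, str) or len(sha) != 40:
        raise ValueError("first commit has no usable parent sha")
    return f"{sha}..HEAD"


def fetch_commit_range(url: str = COMMITS_URL, opener=urllib.request.urlopen) -> str:
    """Fetch and parse, treating a non-2xx status as an error.

    urlopen raises HTTPError on non-2xx, which is the `curl --fail`
    analogue; a plain `curl | jq` pipeline swallows that status.
    `opener` is injectable (constructed for this example) so the function
    can be exercised offline.
    """
    try:
        with opener(url) as resp:
            return parse_commit_range(resp.read())
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"GitHub API returned HTTP {exc.code} for {url}") from exc


def rejects(body: bytes) -> bool:
    """True if parse_commit_range refuses the body (helper for checks)."""
    try:
        parse_commit_range(body)
    except ValueError:
        return True
    return False


def fails_closed_on_http(code: int) -> bool:
    """True if fetch_commit_range turns an HTTP error into a hard failure."""
    def failing_opener(url):
        # Constructed opener standing in for a non-2xx API response.
        raise urllib.error.HTTPError(url, code, "constructed error", {}, None)
    try:
        fetch_commit_range(COMMITS_URL, opener=failing_opener)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(parse_commit_range(SAMPLE_OK))
    try:
        parse_commit_range(SAMPLE_ERROR)
    except ValueError as err:
        print("rejected:", err)
```

The shell equivalent of the same posture is `set -o pipefail` plus `curl --fail --silent --show-error` in front of `jq`, so that a non-2xx response stops the job at the fetch rather than at the parse.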