From 1d64b9e9581fdd9a3bd8a08a1966b89925997de6 Mon Sep 17 00:00:00 2001
From: Vivek Kumar Dutta
Date: Tue, 21 May 2024 14:09:25 +0530
Subject: [PATCH] swmodd: Support to define additional eu capabilities
---
 swmodd/Makefile | 2 +-
 swmodd/files/etc/init.d/crun | 16 +++++----
 swmodd/files/etc/swmodd/run.sh | 65 ++++++++++++++++++++++++++++++----
 3 files changed, 69 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 swmodd/files/etc/init.d/crun
 mode change 100644 => 100755 swmodd/files/etc/swmodd/run.sh
diff --git a/swmodd/Makefile b/swmodd/Makefile
index b57a7b4c0..778493fa7 100755
--- a/swmodd/Makefile
+++ b/swmodd/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=swmodd
-PKG_VERSION:=2.5.5
+PKG_VERSION:=2.5.6
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
diff --git a/swmodd/files/etc/init.d/crun b/swmodd/files/etc/init.d/crun
old mode 100644
new mode 100755
index cf029c8a0..769a84a8f
--- a/swmodd/files/etc/init.d/crun
+++ b/swmodd/files/etc/init.d/crun
@@ -56,8 +56,8 @@ configure_lxc_container() {
 }
 configure_crun_container() {
- local name type autostart du_status requested_state url username password
- local BRIDGE BUNDLE BOOT
+ local name type autostart du_status requested_state url username password capability
+ local BRIDGE BUNDLE BOOT PERM
 local RUNNER="/etc/swmodd/run.sh"
 BUNDLE="${2}"
@@ -73,6 +73,10 @@ configure_crun_container() {
 config_get url "${1}" url ""
 config_get username "${1}" username ""
 config_get password "${1}" password ""
+ config_get capability "${1}" capability ""
+ if [ -n "${capability}" ]; then
+ PERM="-p ${capability// /,}"
+ fi
 if [ -z "${name}" ] || [ -z "${type}" ] || [ -z "${du_status}" ]; then
 return 0;
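Review bot: The value read at `config_get capability "${1}" capability ""` is forwarded to run.sh and from there written into config.json without any check, so a mistyped or unexpected entry is only noticed, if at all, when crun loads the bundle, and each accepted entry widens what the container may do. I would validate every element before building PERM, e.g. `for c in ${capability}; do case "${c}" in CAP_[A-Z_]*) ;; *) return 0;; esac; done` (skipping the container the way the `-z "${name}"` guard below does, ideally with a log line first). `${PERM}` is then deliberately left unquoted at the three call sites in the @@ -148 and @@ -178 hunks so that it splits into `-p` and the list; that only reads as intentional with a comment such as `# PERM is unquoted on purpose: it expands to "-p <cap,cap>" or nothing`. configure_crun_container starts before and ends after this hunk.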
@@ -148,7 +152,7 @@ configure_crun_container() {
 if [ "${BOOT}" -eq "1" ]; then
 if [ "${autostart}" -eq 1 ]; then
- ${RUNNER} -U -b "${BUNDLE}" -n "${name}"
+ ${RUNNER} -U -b "${BUNDLE}" -n "${name}" ${PERM}
 result=$(cat ${BUNDLE}/${name}/config.json |jq ".annotations.org_opencontainers_image_description")
 if [ "${result}" != "null" ]; then
 uci_set ocicontainer "${1}" description "${result}"
@@ -178,10 +182,10 @@ configure_crun_container() {
 fi
 elif [ "${requested_state}" = "Active" ]; then
 if is_container_running "${name}"; then
- ${RUNNER} -u -n "${name}" -i "${BRIDGE}"
+ ${RUNNER} -u -n "${name}" -i "${BRIDGE}" ${PERM}
 crun resume "${name}"
 else
- ${RUNNER} -U -b "${BUNDLE}" -n "${name}"
+ ${RUNNER} -U -b "${BUNDLE}" -n "${name}" ${PERM}
 result=$(cat ${BUNDLE}/${name}/config.json |jq ".annotations.org_opencontainers_image_description")
 if [ "${result}" != "null" ]; then
 uci_set ocicontainer "${1}" description "${result}"
@@ -207,7 +211,7 @@ configure_crun_container() {
 procd_set_param stderr 1
 procd_set_param command "${RUNNER}"
 procd_append_param command -b "${BUNDLE}" -n "${name}" -i "${BRIDGE}"
- procd_set_param respawn
+ #procd_set_param respawn
 procd_close_instance "${name}"
 }
diff --git a/swmodd/files/etc/swmodd/run.sh b/swmodd/files/etc/swmodd/run.sh
old mode 100644
new mode 100755
index a0fa4b4c3..5b231e40d
--- a/swmodd/files/etc/swmodd/run.sh
+++ b/swmodd/files/etc/swmodd/run.sh
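Review bot: `#procd_set_param respawn` in the @@ -207 hunk silently turns off automatic restart of the procd instance, which neither the commit subject (capabilities) nor the hunk explains, and a commented-out parameter reads as a leftover rather than a decision. If it is deliberate, replace the line with a comment that states the reason, e.g. `# respawn intentionally disabled: <reason> -- confirm`, otherwise delete it. Note also that the procd command line built by `procd_append_param command -b "${BUNDLE}" -n "${name}" -i "${BRIDGE}"` does not carry `${PERM}`; from the run.sh hunks that path never reaches update_config_json (it is gated on `-U`), so this looks correct, but a one-line comment saying so would stop the next reader from "fixing" it. configure_crun_container starts before this hunk.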
@@ -123,12 +123,58 @@ update_config_json() {
 fi
 cd "${BUNDLE}/${NAME}"
 if cat config.json |jq '.linux.namespaces[] |select (.type == "network") |.path' |grep -q ${NAME}; then
- exit 0;
+ # If netns already configured and no additional permission bit assigned, exit from here
+ if [ -z "${PERM}" ]; then
+ exit 0;
+ fi
 fi
 mv config.json config_orig.json
 json_init
 json_load_file "config_orig.json"
+
+ # update hostname to container name
+ if [ -n "${NAME}" ]; then
+ json_add_string hostname "${NAME}"
+ fi
+
+ # Update cabalities
+ log "## PERM [$PERM], Name [${NAME}] ##"
+ if [ -n "${PERM}" ]; then
+ log "Updating Permission in the json ..."
+ PERM="${PERM//,/ }"
+ json_select process
+ json_select capabilities
+ json_select bounding
+ for p in ${PERM}; do
+ json_add_string "" ${p}
+ done
+ json_select ..
+ json_select effective
+ for p in ${PERM}; do
+ json_add_string "" ${p}
+ done
+ json_select ..
+ json_select inheritable
+ for p in ${PERM}; do
+ json_add_string "" ${p}
+ done
+ json_select ..
+ json_select permitted
+ for p in ${PERM}; do
+ json_add_string "" ${p}
+ done
+ json_select ..
+ json_select ambient
+ for p in ${PERM}; do
+ json_add_string "" ${p}
+ done
+ json_select ..
+ json_select ..
+ json_select ..
+ fi
+
+ # update additional capabilities
 json_select linux
 json_for_each_item update_network_ns namespaces
 json_dump >config.json
@@ -212,16 +258,21 @@ pull_image_from_registry() {
 clean=0
 net_update=0
 update_json=0
-while getopts b:n:i:r:l:t:cuU options
+PERM=""
+
+log "## Runner [$@] ##"
+
+while getopts b:n:i:r:l:t:p:cuU options
 do
 case "${options}" in
 b) BUNDLE=${OPTARG};;
- n) NAME=${OPTARG};;
+ c) clean=1;;
 i) BRIDGE=${OPTARG};;
+ n) NAME=${OPTARG};;
+ p) PERM="${OPTARG}";;
 r) REGURL=${OPTARG};;
 l) LOGIN=${OPTARG};;
 t) TIMEOUT=${OPTARG};;
- c) clean=1;;
 u) net_update=1;;
 U) update_json=1;;
 *) log "Invalid options";;
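Review bot: The early-exit guard now falls through whenever PERM is set, so every later `-U -p` invocation runs `mv config.json config_orig.json` on the already-rewritten file and then appends the same capabilities (and a second `hostname` key) on top of the previous run's output; as far as I know jshn's `json_add_string` does no duplicate check, so the five arrays grow on each configure. Keeping the pristine file as the input, `[ -f config_orig.json ] || mv config.json config_orig.json`, makes the rewrite repeatable because the netns, hostname and capability edits are then always derived from the original. The five identical select/for/add blocks can collapse into one loop over the set names (below, helper at file scope next to the other functions), which also gives one place to handle a set the image config does not define (`ambient` is optional in an OCI config); as written, a failing `json_select ambient` would leave the subsequent adds on the wrong object, though I have not verified jshn's exact behaviour there. The comment `# update additional capabilities` sits above `json_select linux`, which is the namespace update, not the capability block it describes, and `cabalities` should read `capabilities`. update_config_json starts before this hunk.
```shell
# … unchanged: early-exit guard, json_init, json_load_file, hostname …

# Append every capability given after $1 to the capability set named $1,
# which must be a child of the currently selected object; the cursor is
# restored to that object on return.
add_caps_to_set() {
	local set_name="$1" p
	shift
	json_select "${set_name}" || return 1
	for p in "$@"; do
		json_add_string "" "${p}"
	done
	json_select ..
}

# update capabilities
if [ -n "${PERM}" ]; then
	log "Updating Permission in the json ..."
	PERM="${PERM//,/ }"
	json_select process
	json_select capabilities
	for set_name in bounding effective inheritable permitted ambient; do
		# PERM is unquoted on purpose: one word per capability
		add_caps_to_set "${set_name}" ${PERM} || log "capability set ${set_name} not found in config.json"
	done
	json_select ..
	json_select ..
fi

# update network namespace
# … unchanged: json_select linux, update_network_ns, json_dump …
```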
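Review bot: `log "## Runner [$@] ##"` in the @@ -212 hunk prints the complete argument vector, and if `-l LOGIN` carries the registry username/password that crun reads via `config_get username`/`password` (inferred, the `-l` call site is not in this diff), those credentials land in the log. `$@` inside a double-quoted string also expands to several words (`## Runner [arg1`, `arg2`, …, `argN] ##`), which only looks right because log re-joins them; `$*` is the expansion that was meant. I would drop this line and log the parsed, non-secret values after the option loop instead, e.g. `log "## Runner name=[${NAME}] perm=[${PERM}] bridge=[${BRIDGE}] ##"`, placed after the `esac`/`done` that close outside this hunk. The `-p` value is accepted verbatim here and split on commas later; validating each word against `CAP_[A-Z_]*` before it reaches config.json belongs either here or in the crun init script.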
@@ -233,7 +284,7 @@ if [ -z "${NAME}" ]; then
 return 0;
 fi
-if [ "${update_json}" -eq 1 ]; then
+if [ "${update_json}" -eq "1" ]; then
 update_config_json
 return 0;
 fi
@@ -243,7 +294,7 @@ if [ -n "${REGURL}" ]; then
 return 0;
 fi
-if [ "$clean" -eq 1 ]; then
+if [ "$clean" -eq "1" ]; then
 clean_container_network "${NAME}"
 return 0;
 fi
@@ -253,7 +304,7 @@ if [ -z "${BRIDGE}" ]; then
 return 0;
 fi
-if [ "${net_update}" -eq 1 ]; then
+if [ "${net_update}" -eq "1" ]; then
 get_veth_name "${NAME}"
 brctl addif "${BRIDGE}" "${VETHNAME}"
 return 0;