From c1d445e178cd610f8a6d9156012c6c7922eed9c5 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Sat, 20 Apr 2024 11:24:18 +0800
Subject: [PATCH 1/2] isolate sandboxer code by using macro

Signed-off-by: xuxuepeng <xuxuepeng1@huawei.com>
---
 cmake/options.cmake                                 | 2 +-
 src/daemon/common/cri/v1/v1_cri_helpers.cc          | 7 +++++++
 src/daemon/config/isulad_config.c                   | 2 ++
 src/daemon/sandbox/controller/CMakeLists.txt        | 2 +-
 src/daemon/sandbox/controller/controller_manager.cc | 6 ++++++
 src/daemon/sandbox/controller/controller_manager.h  | 2 ++
 6 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/cmake/options.cmake b/cmake/options.cmake
index c1eac472..a15b8194 100644
--- a/cmake/options.cmake
+++ b/cmake/options.cmake
@@ -51,7 +51,7 @@ if (ENABLE_CDI STREQUAL "ON")
     endif()
 endif()
 
-option(ENABLE_SANDBOXER "Enable sandbox API" ON)
+option(ENABLE_SANDBOXER "Enable sandbox API" OFF)
 if (ENABLE_SANDBOXER STREQUAL "ON")
     add_definitions(-DENABLE_SANDBOXER)
     set(ENABLE_SANDBOXER 1)
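Review bot: Flipping the `ENABLE_SANDBOXER` default from ON to OFF is a behaviour change that the commit message ("isolate sandboxer code by using macro") does not mention. Builds that relied on the default now compile the sandboxer controller out. A comment above the option would record the intent, for example `# Default OFF: sandboxer controllers are compiled out unless explicitly enabled`, and the commit description should state the new default so packagers can opt back in deliberately. The `if` block continues past the end of the hunk.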
diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc
index 520d23d4..1f797ad7 100644
--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc
+++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc
@@ -391,6 +391,7 @@ void GetContainerSandboxID(const std::string &containerID, std::string &realCont
     realContainerID = info->id;
 }
 
+#ifdef ENABLE_SANDBOXER
 std::string CRISandboxerConvert(const std::string &runtime)
 {
     std::string sandboxer;
@@ -429,6 +430,12 @@ out:
     (void)isulad_server_conf_unlock();
     return sandboxer;
 }
+#else
+std::string CRISandboxerConvert(const std::string &runtime)
+{
+    return DEFAULT_SANDBOXER_NAME;
+}
+#endif
 
 void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc,
                                              Errors &error)
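Review bot: The `#else` stub of `CRISandboxerConvert` ignores `runtime` and returns `DEFAULT_SANDBOXER_NAME` for every handler, so a pod that requests a runtime expected to map to a dedicated sandboxer lands on the default controller with no log line or error. If that mapping serves as an isolation boundary, this is a silent downgrade. The stub should document it, for example with `// Sandboxer support compiled out: every runtime handler maps to the default controller`, plus `(void)runtime;` to keep unused-parameter warnings quiet. Whether the enabled variant also falls back to the default on a lookup miss is not visible here, because its body lies between the two hunks.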
diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c
index 695a0d95..617db7a2 100644
--- a/src/daemon/config/isulad_config.c
+++ b/src/daemon/config/isulad_config.c
@@ -1757,8 +1757,10 @@ int merge_json_confs_into_global(struct service_arguments *args)
     args->json_confs->runtimes = tmp_json_confs->runtimes;
     tmp_json_confs->runtimes = NULL;
 #ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
     args->json_confs->cri_sandboxers = tmp_json_confs->cri_sandboxers;
     tmp_json_confs->cri_sandboxers = NULL;
+#endif
     args->json_confs->enable_cri_v1 = tmp_json_confs->enable_cri_v1;
     args->json_confs->enable_pod_events = tmp_json_confs->enable_pod_events;
 #endif
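Review bot: With `ENABLE_SANDBOXER` undefined, a `cri_sandboxers` section parsed into `tmp_json_confs` is now dropped without any message, so an operator who configured sandboxers on a build that lacks them gets no hint why they are ignored. An `#else` branch that logs a warning when `tmp_json_confs->cri_sandboxers != NULL` would make the mismatch visible at start-up. This assumes `tmp_json_confs` is freed later in `merge_json_confs_into_global`, which is outside the hunk; if it is not, the unmoved pointer also needs releasing. Since two conditionals now nest here, the inner one would read better as `#endif /* ENABLE_SANDBOXER */`.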
diff --git a/src/daemon/sandbox/controller/CMakeLists.txt b/src/daemon/sandbox/controller/CMakeLists.txt
index f846657a..8764c05b 100644
--- a/src/daemon/sandbox/controller/CMakeLists.txt
+++ b/src/daemon/sandbox/controller/CMakeLists.txt
@@ -9,7 +9,7 @@ set(local_sandbox_controller_top_incs
     ${CMAKE_CURRENT_SOURCE_DIR}
     )
 
-if (ENABLE_SANDBOXER)
+if (ENABLE_CRI_API_V1 AND ENABLE_SANDBOXER)
     add_subdirectory(sandboxer)
     list (APPEND local_sandbox_controller_top_srcs
         ${CONTROLLER_SANDBOXER_SRCS}
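Review bot: The sandboxer sources are now built only when both `ENABLE_CRI_API_V1` and `ENABLE_SANDBOXER` are set, but cmake/options.cmake still issues `add_definitions(-DENABLE_SANDBOXER)` on `ENABLE_SANDBOXER` alone. With the sandboxer on and CRI v1 off, the `#ifdef ENABLE_SANDBOXER` code in controller_manager.cc would include `sandboxer_controller.h` and reference functions that are never compiled, unless that file is itself excluded in that configuration, which this page does not show. Putting the combined condition where the macro is defined avoids the mismatch, e.g. `if (ENABLE_SANDBOXER STREQUAL "ON" AND ENABLE_CRI_API_V1)` in options.cmake, assuming `ENABLE_CRI_API_V1` is already set at that point. The `if` block here continues outside the hunk.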
diff --git a/src/daemon/sandbox/controller/controller_manager.cc b/src/daemon/sandbox/controller/controller_manager.cc
index 21c6f5fe..91c98d26 100644
--- a/src/daemon/sandbox/controller/controller_manager.cc
+++ b/src/daemon/sandbox/controller/controller_manager.cc
@@ -20,7 +20,9 @@
 #include <isula_libutils/defs.h>
 
 #include "shim_controller.h"
+#ifdef ENABLE_SANDBOXER
 #include "sandboxer_controller.h"
+#endif
 #include "isulad_config.h"
 #include "daemon_arguments.h"
 
@@ -44,10 +46,12 @@ bool ControllerManager::Init(Errors &error)
         return false;
     }
 
+#ifdef ENABLE_SANDBOXER
     // Initialize sandboxer controller
     if (!RegisterAllSandboxerControllers(error)) {
         return false;
     }
+#endif
     return true;
 }
 
@@ -75,6 +79,7 @@ auto ControllerManager::RegisterShimController(Errors &error) -> bool
     return true;
 }
 
+#ifdef ENABLE_SANDBOXER
 auto ControllerManager::RegisterAllSandboxerControllers(Errors &error) -> bool
 {
     std::map<std::string, std::string> config;
@@ -160,6 +165,7 @@ auto ControllerManager::RegisterSandboxerController(const std::string &sandboxer
     INFO("Sandboxer controller initialized successfully, sandboxer: %s", sandboxer.c_str());
     return true;
 }
+#endif
 
 auto ControllerManager::GetController(const std::string &name) -> std::shared_ptr<Controller>
 {
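Review bot: The `#ifdef ENABLE_SANDBOXER` opened before `RegisterAllSandboxerControllers` is closed only after `RegisterSandboxerController`, in a separate hunk, and the bare `#endif` gives no hint which conditional it ends. I would write it as `#endif // ENABLE_SANDBOXER`, here and on the other `#endif` lines this patch adds in this file. The guarded function bodies lie mostly outside the hunks, so the distance between the pair is larger than the diff suggests.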
diff --git a/src/daemon/sandbox/controller/controller_manager.h b/src/daemon/sandbox/controller/controller_manager.h
index 28b52c2f..3fd547cf 100644
--- a/src/daemon/sandbox/controller/controller_manager.h
+++ b/src/daemon/sandbox/controller/controller_manager.h
@@ -31,9 +31,11 @@ public:
     auto GetController(const std::string &name) -> std::shared_ptr<Controller>;
 private:
     auto RegisterShimController(Errors &error) -> bool;
+#ifdef ENABLE_SANDBOXER
     auto RegisterAllSandboxerControllers(Errors &error) -> bool;
     auto LoadSandboxerControllersConfig(std::map<std::string, std::string> &config) -> bool;
     auto RegisterSandboxerController(const std::string &sandboxer, const std::string &address, Errors &error) -> bool;
+#endif
 
 protected:
     std::map<std::string, std::shared_ptr<Controller>> m_controllers;
-- 
2.34.1