Skip to content

Remove SeccompLevel from Jailer #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 13, 2020
Merged

Remove SeccompLevel from Jailer #176

merged 1 commit into from
Feb 13, 2020

Conversation

xibz
Copy link
Contributor

@xibz xibz commented Jan 21, 2020
edited
Loading

Firecracker has since removed specifying the seccomp level in the jailer
and now is specified in Firecracker instead. This change removes the
seccomp level from the jailer and adds it to machine instead.

Signed-off-by: xibz [email protected]

TODO:

  • Update CI system to build against master as well

#175

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@xibz xibz mentioned this pull request Jan 21, 2020
Closed
@xibz xibz force-pushed the seccomp-clean branch 17 times, most recently from 6e3d82a to 9db8a10 Compare January 28, 2020 22:52
@xibz xibz force-pushed the seccomp-clean branch 6 times, most recently from 10a2f33 to 2d48810 Compare January 28, 2020 23:19
@xibz xibz mentioned this pull request Jan 28, 2020
Closed
@xibz
Copy link
Contributor Author

xibz commented Jan 28, 2020
edited
Loading

managed to fix the seccomp issue and add the updated CI test to verify. However, Firecracker is panicking for some odd reason. Here is the issue, firecracker-microvm/firecracker#1557

Also seems this fix is incompatible with v0.20.0 of Firecracker. So, we'll have to wait for our release of v0.20.0 before merging this.

@xibz xibz force-pushed the seccomp-clean branch 4 times, most recently from 78a31a9 to 70c6433 Compare January 30, 2020 21:39
@xibz
Copy link
Contributor Author

xibz commented Jan 30, 2020

root tests will fail due to Firecracker moving where the api socket location is.

@xibz
Remove SeccompLevel from Jailer
dfff4dc 
Firecracker has since removed specifying the seccomp level in the jailer
and now is specified in Firecracker instead. This change removes the
seccomp level from the jailer and adds it to machine instead.

Signed-off-by: xibz <[email protected]>
@xibz xibz requested review from kzys, IRCody and mxpv February 11, 2020 22:08
@IRCody
Copy link

IRCody commented Feb 12, 2020

root tests will fail due to Firecracker moving where the api socket location is.

Is there a reason we can't look in the new location?

@xibz
Copy link
Contributor Author

xibz commented Feb 12, 2020

@IRCody -We are using the new location. Firecracker has changed the default location, which is a breaking change. Which is why it succeeds against master but fails the root tests, since it is looking for the new location

@IRCody
Copy link

IRCody commented Feb 12, 2020

So those tests will pass if we update the firecracker in CI?

kzys
kzys suggested changes Feb 12, 2020
View reviewed changes
@xibz
Copy link
Contributor Author

xibz commented Feb 12, 2020
edited
Loading

So those tests will pass if we update the firecracker in CI?

Once Firecracker releases v0.21.0, then yes. However, they haven't released v0.21.0 yet, but customers are using HEAD of Firecracker and we shouldn't limit ourselves to the most released version, due to this.

@kzys
Copy link
Contributor

kzys commented Feb 13, 2020
edited
Loading

Here is what we used to have. Probably not really intentional, but due to the fact we didn't have Firecracker master on our build host.

Firecraker v0.X.0 Firecracker master
SDK v0.X.0 Must Work We Don't Know
SDK master Must Work We Don't know

And here is what we are going to have.

Firecraker v0.X.0 Firecracker master
SDK v0.X.0 Must Work We Don't Know
SDK master May Work Must Work

Making master compatible with Firecracker's latest release is nice to have, but may require some efforts and we don't have customers who specifically ask about.

Because of that, I think merging this change is fine. We can always create a branch and cherry-pick if we want to have some fixes for Firecracker 0.20.0 customers.

@xibz xibz merged commit 48ec852 into firecracker-microvm:master Feb 13, 2020
@xibz xibz deleted the seccomp-clean branch February 13, 2020 21:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@IRCody IRCody Awaiting requested review from IRCody

@mxpv mxpv Awaiting requested review from mxpv

1 more reviewer

@kzys kzys kzys approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@xibz @IRCody @kzys