iSulad/0103-Added-restrictions-on-container-health-checks.patch
openeuler-sync-bot bfbf786760 !596 [sync] PR-594: upgrade from upstream
* upgrade from upstream
2023-08-15 12:28:02 +00:00


From 0f080a7f31a388eae006b2135ddeb1d6489d643a Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 9 Aug 2023 11:08:13 +1400
Subject: [PATCH 08/11] Added restrictions on container health checks
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../executor/container_cb/execution_create.c | 2 +-
src/daemon/modules/spec/verify.c | 24 ++++++++++++++++---
src/daemon/modules/spec/verify.h | 2 +-
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
index 29b5fc5e..4d10e9e0 100644
--- a/src/daemon/executor/container_cb/execution_create.c
+++ b/src/daemon/executor/container_cb/execution_create.c
@@ -1457,7 +1457,7 @@ int container_create_cb(const container_create_request *request, container_creat
goto clean_rootfs;
}
- if (verify_container_config(v2_spec->config) != 0) {
+ if (verify_container_config(v2_spec->config, runtime) != 0) {
cc = ISULAD_ERR_EXEC;
goto clean_rootfs;
}
diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c
index fe53bb0f..64cf7f18 100644
--- a/src/daemon/modules/spec/verify.c
+++ b/src/daemon/modules/spec/verify.c
@@ -2160,7 +2160,12 @@ static inline bool is_less_than_one_second(int64_t timeout)
return timeout != 0 && timeout < Time_Second;
}
-static int verify_health_check_parameter(const container_config *container_spec)
+static inline bool is_more_than_ten_minutes(int64_t timeout)
+{
+ return timeout > (10LL * Time_Minute);
+}
+
+static int verify_health_check_parameter(const container_config *container_spec, const char *runtime)
{
int ret = 0;
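Review bot: The ten-minute ceiling is hard-coded in the name and body of `is_more_than_ten_minutes` (`10LL * Time_Minute`) and repeated in the two message strings of the later hunk that calls it, so the check and its messages can drift apart if the limit ever changes. A named constant, for example `#define HEALTHCHECK_TIMEOUT_MAX (10LL * Time_Minute)`, with a one-line comment stating why the cap exists would keep the limit in one place. In the hunks shown, only `timeout` gets an upper bound, while `interval` and `start_period` are checked only against the one-second minimum. If that asymmetry is deliberate, the comment should say so.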
@@ -2168,6 +2173,13 @@ static int verify_health_check_parameter(const container_config *container_spec)
return ret;
}
+ if (strcasecmp(runtime, "kata-runtime") == 0) {
+ ERROR("kata-runtime does not support command line health check");
+ isulad_set_error_message("kata-runtime does not support command line health check");
+ ret = -1;
+ goto out;
+ }
+
if (is_less_than_one_second(container_spec->healthcheck->interval)) {
ERROR("Interval in Healthcheck cannot be less than one second");
isulad_set_error_message("Interval in Healthcheck cannot be less than one second");
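Review bot: `runtime` is passed to `strcasecmp` without a NULL check, and a null pointer there is undefined behaviour. Because the exported `verify_container_config` now forwards this argument, the guard belongs in this function rather than in each caller. Adding `if (runtime == NULL) { ERROR("Invalid NULL runtime"); ret = -1; goto out; }` before the comparison would make the check fail closed. The restriction also matches only the literal name "kata-runtime", so a kata-based runtime registered under a different name would presumably not be rejected; it is worth confirming that this is intended. The body of `verify_health_check_parameter` starts and ends outside this hunk.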
@@ -2180,6 +2192,12 @@ static int verify_health_check_parameter(const container_config *container_spec)
ret = -1;
goto out;
}
+ if (is_more_than_ten_minutes(container_spec->healthcheck->timeout)) {
+ ERROR("Timeout in Healthcheck cannot be more than ten minutes");
+ isulad_set_error_message("Timeout in Healthcheck cannot be more than ten minutes");
+ ret = -1;
+ goto out;
+ }
if (is_less_than_one_second(container_spec->healthcheck->start_period)) {
ERROR("StartPeriod in Healthcheck cannot be less than one second");
isulad_set_error_message("StartPeriod in Healthcheck cannot be less than one second");
@@ -2219,11 +2237,11 @@ out:
return ret;
}
-int verify_container_config(const container_config *container_spec)
+int verify_container_config(const container_config *container_spec, const char *runtime)
{
int ret = 0;
- if (verify_health_check_parameter(container_spec) != 0) {
+ if (verify_health_check_parameter(container_spec, runtime) != 0) {
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/spec/verify.h b/src/daemon/modules/spec/verify.h
index db54c7ae..21e8fba8 100644
--- a/src/daemon/modules/spec/verify.h
+++ b/src/daemon/modules/spec/verify.h
@@ -33,7 +33,7 @@ int verify_container_settings_start(const oci_runtime_spec *oci_spec);
int verify_host_config_settings(host_config *hostconfig, bool update);
-int verify_container_config(const container_config *container_spec);
+int verify_container_config(const container_config *container_spec, const char *runtime);
#ifdef __cplusplus
}
--
2.25.1