feat/cli: allow to extract the default seccomp profile #8800
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,10 +4,14 @@ import ( | |
| "crypto/rand" | ||
| "crypto/rsa" | ||
| "crypto/x509" | ||
| "encoding/json" | ||
| "encoding/pem" | ||
| "fmt" | ||
| "io/ioutil" | ||
| "os" | ||
|
|
||
| bespec "github.com/concourse/concourse/worker/runtime/spec" | ||
|
|
||
| "golang.org/x/crypto/ssh" | ||
| ) | ||
|
|
||
|
|
@@ -74,3 +78,27 @@ func (cmd *GenerateKeyCommand) Execute(args []string) error { | |
|
|
||
| return nil | ||
| } | ||
|
|
||
| type ExtractInternalConfigCommand struct { | ||
| FilePath string `short:"f" long:"filename" required:"true" description:"File path where the key shall be created. When generating ssh keys, the public key will be stored in a file with the same name but with '.pub' appended."` | ||
|
There was a problem hiding this comment. The There was a problem hiding this comment. Maybe change the |
||
|
|
||
| Seccomp bool `long:"seccomp" required:"false" description:"Extract the default builtin seccomp filter"` | ||
| } | ||
|
|
||
| func (cmd *ExtractInternalConfigCommand) Execute(args []string) error { | ||
| var dest = cmd.FilePath | ||
| if cmd.Seccomp { | ||
| seccompfilter := bespec.GetDefaultSeccompProfile() | ||
|
There was a problem hiding this comment. So the whole point of this command is to print the There was a problem hiding this comment. Yes, because that's what then could be modified and re-used as baseline for custom trim down or extension based on use case and re-supplied to the containerd runner |
||
| bytes, err := json.Marshal(seccompfilter) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to serialize key file: %s", err) | ||
| } | ||
| err = ioutil.WriteFile(dest, bytes, 0644) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to write json to file: %s @ %s", err, dest) | ||
| } | ||
| return nil | ||
| } else { | ||
| return fmt.Errorf("Nothing to extract, use one of the optional flags for the subcommand") | ||
| } | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feels weird having this sub-command in this file. Would make more sense to have it in its own file. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree