feat/cli: allow to extract the default seccomp profile #8800
base: master
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,10 +4,14 @@ import ( | |
"crypto/rand" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"encoding/json" | ||
"encoding/pem" | ||
"fmt" | ||
"io/ioutil" | ||
"os" | ||
|
||
bespec "github.com/concourse/concourse/worker/runtime/spec" | ||
|
||
"golang.org/x/crypto/ssh" | ||
) | ||
|
||
|
@@ -74,3 +78,27 @@ func (cmd *GenerateKeyCommand) Execute(args []string) error { | |
|
||
return nil | ||
} | ||
|
||
type ExtractInternalConfigCommand struct { | ||
FilePath string `short:"f" long:"filename" required:"true" description:"File path where the key shall be created. When generating ssh keys, the public key will be stored in a file with the same name but with '.pub' appended."` | ||
The
Maybe change the
||
|
||
Seccomp bool `long:"seccomp" required:"false" description:"Extract the default builtin seccomp filter"` | ||
} | ||
|
||
func (cmd *ExtractInternalConfigCommand) Execute(args []string) error { | ||
var dest = cmd.FilePath | ||
if cmd.Seccomp { | ||
seccompfilter := bespec.GetDefaultSeccompProfile() | ||
So the whole point of this command is to print the
Yes, because that's what could then be modified and re-used as a baseline for a custom trim-down or extension based on the use case, and re-supplied to the containerd runner
||
bytes, err := json.Marshal(seccompfilter) | ||
if err != nil { | ||
return fmt.Errorf("failed to serialize key file: %s", err) | ||
} | ||
err = ioutil.WriteFile(dest, bytes, 0644) | ||
if err != nil { | ||
return fmt.Errorf("failed to write json to file: %s @ %s", err, dest) | ||
} | ||
return nil | ||
} else { | ||
return fmt.Errorf("Nothing to extract, use one of the optional flags for the subcommand") | ||
} | ||
} |
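Review bot: The user-facing strings in ExtractInternalConfigCommand are carried over from key generation and do not describe what this command does: the FilePath description talks about "the key" and ssh ".pub" files, and the json.Marshal error reads "failed to serialize key file". Both should name the seccomp profile so that an operator who hits the error or reads the help text knows which artifact is involved. Since the stated purpose is to hand users a baseline they will edit and feed back to the containerd runtime, json.MarshalIndent would give a readable, diff-friendly file where json.Marshal emits a single line. Smaller points in the same function: ioutil.WriteFile is deprecated in favour of os.WriteFile (os is already imported), the destination is overwritten without any check, the else after return can be dropped, the final error string should start lower-case, and wrapping with %w instead of %s keeps the underlying error inspectable.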
Feels weird having this sub-command in this file. Would make more sense to have it in its own file. wdyt?
Agree