authorDaniel J Walsh <dwalsh@redhat.com>2021-05-18 10:37:54 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-05-26 16:39:04 -0400
commitde293c9802a79f83eef83a0ca278ebb22cfb685d (patch)
tree002393067198891b819afff9de236545c3faa811
parent5b4ffc7ba79d0c3ad59cce17500c5a98ea686577 (diff)
Handle image user and exposed ports in podman play kube
Currently, if a user runs an image that specifies a user or exposed ports with podman play kube, those fields are ignored. Fixed: https://github.com/containers/podman/issues/9609 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--pkg/specgen/generate/kube/kube.go14
-rw-r--r--pkg/specgen/generate/ports.go49
-rw-r--r--test/system/700-play.bats41
3 files changed, 84 insertions, 20 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 054388384..fb563f935 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -12,6 +12,7 @@ import (
"github.com/containers/common/pkg/secrets"
ann "github.com/containers/podman/v3/pkg/annotations"
"github.com/containers/podman/v3/pkg/specgen"
+ "github.com/containers/podman/v3/pkg/specgen/generate"
"github.com/containers/podman/v3/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
@@ -182,6 +183,19 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
if imageData.Config.WorkingDir != "" {
s.WorkDir = imageData.Config.WorkingDir
}
+ if s.User == "" {
+ s.User = imageData.Config.User
+ }
+
+ exposed, err := generate.GenExposedPorts(imageData.Config.ExposedPorts)
+ if err != nil {
+ return nil, err
+ }
+
+ for k, v := range s.Expose {
+ exposed[k] = v
+ }
+ s.Expose = exposed
// Pull entrypoint and cmd from image
s.Entrypoint = imageData.Config.Entrypoint
s.Command = imageData.Config.Cmd
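Review bot: The new block from `exposed, err := generate.GenExposedPorts(imageData.Config.ExposedPorts)` through `s.Expose = exposed` carries no comment while the neighbouring `// Pull entrypoint and cmd from image` does, and the precedence it encodes is not obvious; suggest `// Seed exposed ports from the image's EXPOSE list; an entry in the spec for the same port number overrides the image's protocol.` The same image-then-spec merge is also performed inside createPortMappings in ports.go in this commit, so this copy looks redundant — apparently harmless because the second merge yields the same map, but a comment naming which layer owns the merge would stop a future edit from diverging the two. ToSpecGen's body begins and ends outside the hunk.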
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index 6832664a7..8745f0dad 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -268,31 +268,18 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
logrus.Debugf("Adding exposed ports")
- // We need to merge s.Expose into image exposed ports
expose := make(map[uint16]string)
- for k, v := range s.Expose {
- expose[k] = v
- }
if imageData != nil {
- for imgExpose := range imageData.Config.ExposedPorts {
- // Expose format is portNumber[/protocol]
- splitExpose := strings.SplitN(imgExpose, "/", 2)
- num, err := strconv.Atoi(splitExpose[0])
- if err != nil {
- return nil, errors.Wrapf(err, "unable to convert image EXPOSE statement %q to port number", imgExpose)
- }
- if num > 65535 || num < 1 {
- return nil, errors.Errorf("%d from image EXPOSE statement %q is not a valid port number", num, imgExpose)
- }
- // No need to validate protocol, we'll do it below.
- if len(splitExpose) == 1 {
- expose[uint16(num)] = "tcp"
- } else {
- expose[uint16(num)] = splitExpose[1]
- }
+ expose, err = GenExposedPorts(imageData.Config.ExposedPorts)
+ if err != nil {
+ return nil, err
}
}
+ // We need to merge s.Expose into image exposed ports
+ for k, v := range s.Expose {
+ expose[k] = v
+ }
// There's been a request to expose some ports. Let's do that.
// Start by figuring out what needs to be exposed.
// This is a map of container port number to protocols to expose.
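Review bot: `expose := make(map[uint16]string)` just above `if imageData != nil` is allocated and then immediately discarded on the image path, because `expose, err = GenExposedPorts(...)` replaces it; the `make` is only needed for the nil-image case so that the merge loop below can write into the map. A small restructure avoids the throwaway allocation: `var expose map[uint16]string` guarded by `if imageData != nil { expose, err = GenExposedPorts(...) ... } else { expose = make(map[uint16]string) }`. Note also that `expose, err =` uses plain assignment, so it relies on an `err` declared earlier in createPortMappings, outside the hunk — worth confirming that variable is the intended one. The function's body continues outside the hunk.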
@@ -417,3 +404,25 @@ func checkProtocol(protocol string, allowSCTP bool) ([]string, error) {
return finalProto, nil
}
+
+func GenExposedPorts(exposedPorts map[string]struct{}) (map[uint16]string, error) {
+ expose := make(map[uint16]string)
+ for imgExpose := range exposedPorts {
+ // Expose format is portNumber[/protocol]
+ splitExpose := strings.SplitN(imgExpose, "/", 2)
+ num, err := strconv.Atoi(splitExpose[0])
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to convert image EXPOSE statement %q to port number", imgExpose)
+ }
+ if num > 65535 || num < 1 {
+ return nil, errors.Errorf("%d from image EXPOSE statement %q is not a valid port number", num, imgExpose)
+ }
+ // No need to validate protocol, we'll do it below.
+ if len(splitExpose) == 1 {
+ expose[uint16(num)] = "tcp"
+ } else {
+ expose[uint16(num)] = splitExpose[1]
+ }
+ }
+ return expose, nil
+}
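Review bot: `GenExposedPorts` is exported without a doc comment, and the inherited `// No need to validate protocol, we'll do it below.` now refers to nothing inside the function — "below" meant the checkProtocol call in createPortMappings, and the new caller in kube.go does not run that check at this point. Suggest `// GenExposedPorts converts an image's EXPOSE entries ("port[/protocol]") into a port-to-protocol map, defaulting the protocol to tcp. The protocol string is returned unvalidated; callers are expected to run it through checkProtocol.` and replace the inline comment with `// Protocol is not validated here; callers run checkProtocol.` Separately, because the result is `map[uint16]string`, an image that exposes the same port under two protocols (e.g. 53/tcp and 53/udp) keeps only whichever entry the `range` over the input map reaches last, and Go map iteration order is random, so the surviving protocol is nondeterministic; if checkProtocol accepts a comma-separated protocol list (its `[]string` result suggests it might — confirm), joining the protocols for a repeated port would make the result stable and complete.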
diff --git a/test/system/700-play.bats b/test/system/700-play.bats
index bcd8cf939..15f3e240a 100644
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
@@ -88,3 +88,44 @@ RELABEL="system_u:object_r:container_file_t:s0"
fi
run_podman pod rm -f test_pod
}
+
+@test "podman play with user from image" {
+ TESTDIR=$PODMAN_TMPDIR/testdir
+ mkdir -p $TESTDIR
+
+testUserYaml="
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: test
+ name: test_pod
+spec:
+ containers:
+ - command:
+ - id
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ image: userimage
+ name: test
+ resources: {}
+status: {}
+"
+
+cat > $PODMAN_TMPDIR/Containerfile << _EOF
+from $IMAGE
+USER bin
+_EOF
+
+ echo "$testUserYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
+ run_podman build -t userimage $PODMAN_TMPDIR
+ run_podman play kube --start=false $PODMAN_TMPDIR/test.yaml
+ run_podman inspect --format "{{ .Config.User }}" test_pod-test
+ is "$output" bin "expect container within pod to run as the bin user"
+ run_podman pod rm -f test_pod
+}
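Review bot: The new test exercises only the image USER half of the change; nothing asserts that EXPOSE ports from the image reach the created container, which is the other behaviour the commit fixes, so an `EXPOSE` line in the Containerfile plus an inspect check on the container's exposed ports would cover it. The `sed "s|TESTDIR|${TESTDIR}|g"` substitution has no `TESTDIR` token in `testUserYaml` to act on, so that line and `TESTDIR=$PODMAN_TMPDIR/testdir` / `mkdir -p $TESTDIR` are dead setup that can be dropped or given a purpose. The built `userimage` is never removed and leaks into later tests in the file; add `run_podman rmi -f userimage` after `run_podman pod rm -f test_pod`.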