diff options
| author | Valentin Rothberg <rothberg@redhat.com> | 2021-12-22 13:28:36 +0100 |
|---|---|---|
| committer | Valentin Rothberg <rothberg@redhat.com> | 2021-12-23 13:40:46 +0100 |
| commit | 1aa4e4d4d183aa07ea7453e4be70d31eaa8edb13 (patch) | |
| tree | 5d0d0dd951ba6844cbbdc709669a0aa0275bc9eb | |
| parent | cbcab434254e62083b8b73cb73ba95c3bb150b4c (diff) | |
| download | podman-1aa4e4d4d183aa07ea7453e4be70d31eaa8edb13.tar.gz podman-1aa4e4d4d183aa07ea7453e4be70d31eaa8edb13.tar.bz2 podman-1aa4e4d4d183aa07ea7453e4be70d31eaa8edb13.zip | |
container creation: don't apply reserved annotations from image
Do not apply reserved annotations from the image to the container.
Reserved annotations are applied during container creation to retrieve
certain information (e.g., custom seccomp profile or autoremoval)
once a container has been created.
Context: #12671
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| -rw-r--r-- | libpod/define/annotations.go | 12 | ||||
| -rw-r--r-- | pkg/specgen/generate/container.go | 4 | ||||
| -rw-r--r-- | test/e2e/build_test.go | 12 |
3 files changed, 24 insertions, 4 deletions
diff --git a/libpod/define/annotations.go b/libpod/define/annotations.go index f6b1c06ea..3964a1237 100644 --- a/libpod/define/annotations.go +++ b/libpod/define/annotations.go @@ -66,3 +66,15 @@ const ( // annotation. InspectResponseFalse = "FALSE" ) + +// IsReservedAnnotation returns true if the specified value corresponds to an +// already reserved annotation that Podman sets during container creation. +func IsReservedAnnotation(value string) bool { + switch value { + case InspectAnnotationCIDFile, InspectAnnotationAutoremove, InspectAnnotationVolumesFrom, InspectAnnotationPrivileged, InspectAnnotationPublishAll, InspectAnnotationInit, InspectAnnotationLabel, InspectAnnotationSeccomp, InspectAnnotationApparmor, InspectResponseTrue, InspectResponseFalse: + return true + + default: + return false + } +} diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index 40a18a6ac..57676db10 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -156,7 +156,9 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat // Add annotations from the image for k, v := range inspectData.Annotations { - annotations[k] = v + if !define.IsReservedAnnotation(k) { + annotations[k] = v + } } } diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index 5ed873f78..d4f0a2b04 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -238,19 +238,25 @@ var _ = Describe("Podman build", func() { Expect("sha256:" + data[0].ID).To(Equal(string(id))) }) - It("podman Test PATH in built image", func() { + It("podman Test PATH and reserved annotation in built image", func() { path := "/tmp:/bin:/usr/bin:/usr/sbin" session := podmanTest.Podman([]string{ - "build", "--pull-never", "-f", "build/basicalpine/Containerfile.path", "-t", "test-path", + "build", "--annotation", "io.podman.annotations.seccomp=foobar", "--pull-never", "-f", "build/basicalpine/Containerfile.path", "-t", "test-path", }) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - session = podmanTest.Podman([]string{"run", "test-path", "printenv", "PATH"}) + session = podmanTest.Podman([]string{"run", "--name", "foobar", "test-path", "printenv", "PATH"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) stdoutLines := session.OutputToStringArray() Expect(stdoutLines[0]).Should(Equal(path)) + + // Reserved annotation should not be applied from the image to the container. + session = podmanTest.Podman([]string{"inspect", "foobar"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).NotTo(ContainSubstring("io.podman.annotations.seccomp")) }) It("podman build --http_proxy flag", func() { |