diff options
author | Matthew Heon <matthew.heon@pm.me> | 2019-03-22 14:39:09 -0400 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2019-03-27 10:12:18 -0400 |
commit | 72f03f0c2587be4ff3ff9c83d28964cc7c1a135c (patch) | |
tree | 25e1824dff64b5069eb4b1fd4e16ebad6185b8b5 | |
parent | b20594ea51ba1fb21cb727a8b224415335e04ac7 (diff) | |
download | podman-72f03f0c2587be4ff3ff9c83d28964cc7c1a135c.tar.gz podman-72f03f0c2587be4ff3ff9c83d28964cc7c1a135c.tar.bz2 podman-72f03f0c2587be4ff3ff9c83d28964cc7c1a135c.zip |
Add support to disable creation of network config files
Specifically, we want to be able to specify whether resolv.conf
and /etc/hosts will be create and bind-mounted into the
container.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
-rw-r--r-- | libpod/container.go | 8 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 85 | ||||
-rw-r--r-- | libpod/options.go | 52 |
3 files changed, 109 insertions, 36 deletions
diff --git a/libpod/container.go b/libpod/container.go index ec4e31026..866cf5c58 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -293,6 +293,10 @@ type ContainerConfig struct { // namespace // These are not used unless CreateNetNS is true PortMappings []ocicni.PortMapping `json:"portMappings,omitempty"` + // NoCreateResolvConf indicates that resolv.conf should not be + // bind-mounted inside the container. + // Conflicts with DNSServer, DNSSearch, DNSOption. + NoCreateResolvConf bool // DNS servers to use in container resolv.conf // Will override servers in host resolv if set DNSServer []net.IP `json:"dnsServer,omitempty"` @@ -302,6 +306,10 @@ type ContainerConfig struct { // DNS options to be set in container resolv.conf // With override options in host resolv if set DNSOption []string `json:"dnsOption,omitempty"` + // NoCreateHosts indicates that /etc/hosts should not be + // bind-mounted inside the container. + // Conflicts with HostAdd. + NoCreateHosts bool // Hosts to add in container // Will be appended to host's host file HostAdd []string `json:"hostsAdd,omitempty"` diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c6c9ceb0c..3bb8b23ec 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -703,10 +703,11 @@ func (c *Container) makeBindMounts() error { } } - if c.config.NetNsCtr != "" { - // We share a net namespace + if c.config.NetNsCtr != "" && (!c.config.NoCreateHosts || !c.config.NoCreateResolvConf) { + // We share a net namespace. // We want /etc/resolv.conf and /etc/hosts from the - // other container + // other container. Unless we're not creating both of + // them. depCtr, err := c.runtime.state.Container(c.config.NetNsCtr) if err != nil { return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID()) @@ -718,53 +719,65 @@ func (c *Container) makeBindMounts() error { return errors.Wrapf(err, "error fetching bind mounts from dependency %s of container %s", depCtr.ID(), c.ID()) } - // The other container may not have a resolv.conf or /etc/hosts - // If it doesn't, don't copy them - resolvPath, exists := bindMounts["/etc/resolv.conf"] - if exists { - c.state.BindMounts["/etc/resolv.conf"] = resolvPath + if !c.config.NoCreateResolvConf { + // The other container may not have a resolv.conf or /etc/hosts + // If it doesn't, don't copy them + resolvPath, exists := bindMounts["/etc/resolv.conf"] + if exists { + c.state.BindMounts["/etc/resolv.conf"] = resolvPath + } } - // check if dependency container has an /etc/hosts file - hostsPath, exists := bindMounts["/etc/hosts"] - if !exists { - return errors.Errorf("error finding hosts file of dependency container %s for container %s", depCtr.ID(), c.ID()) - } + if !c.config.NoCreateHosts { + // check if dependency container has an /etc/hosts file + hostsPath, exists := bindMounts["/etc/hosts"] + if !exists { + return errors.Errorf("error finding hosts file of dependency container %s for container %s", depCtr.ID(), c.ID()) + } - depCtr.lock.Lock() - // generate a hosts file for the dependency container, - // based on either its old hosts file, or the default, - // and add the relevant information from the new container (hosts and IP) - hostsPath, err = depCtr.appendHosts(hostsPath, c) + depCtr.lock.Lock() + // generate a hosts file for the dependency container, + // based on either its old hosts file, or the default, + // and add the relevant information from the new container (hosts and IP) + hostsPath, err = depCtr.appendHosts(hostsPath, c) - if err != nil { + if err != nil { + depCtr.lock.Unlock() + return errors.Wrapf(err, "error creating hosts file for container %s which depends on container %s", c.ID(), depCtr.ID()) + } depCtr.lock.Unlock() - return errors.Wrapf(err, "error creating hosts file for container %s which depends on container %s", c.ID(), depCtr.ID()) - } - depCtr.lock.Unlock() - // finally, save it in the new container - c.state.BindMounts["/etc/hosts"] = hostsPath + // finally, save it in the new container + c.state.BindMounts["/etc/hosts"] = hostsPath + } } else { - newResolv, err := c.generateResolvConf() - if err != nil { - return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID()) + if !c.config.NoCreateResolvConf { + newResolv, err := c.generateResolvConf() + if err != nil { + return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID()) + } + c.state.BindMounts["/etc/resolv.conf"] = newResolv } - c.state.BindMounts["/etc/resolv.conf"] = newResolv - newHosts, err := c.generateHosts("/etc/hosts") - if err != nil { - return errors.Wrapf(err, "error creating hosts file for container %s", c.ID()) + if !c.config.NoCreateHosts { + newHosts, err := c.generateHosts("/etc/hosts") + if err != nil { + return errors.Wrapf(err, "error creating hosts file for container %s", c.ID()) + } + c.state.BindMounts["/etc/hosts"] = newHosts } - c.state.BindMounts["/etc/hosts"] = newHosts } - if err := label.Relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil { - return err + if c.state.BindMounts["/etc/hosts"] != "" { + if err := label.Relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil { + return err + } } - if err := label.Relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil { - return err + if c.state.BindMounts["/etc/resolv.conf"] != "" { + if err := label.Relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil { + return err + } } } diff --git a/libpod/options.go b/libpod/options.go index 1bf3ff9e6..a36309ed7 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -997,6 +997,9 @@ func WithDNSSearch(searchDomains []string) CtrCreateOption { if ctr.valid { return ErrCtrFinalized } + if ctr.config.NoCreateResolvConf { + return errors.Wrapf(ErrInvalidArg, "cannot add DNS search domains if container will not create /etc/resolv.conf") + } ctr.config.DNSSearch = searchDomains return nil } @@ -1008,6 +1011,9 @@ func WithDNS(dnsServers []string) CtrCreateOption { if ctr.valid { return ErrCtrFinalized } + if ctr.config.NoCreateResolvConf { + return errors.Wrapf(ErrInvalidArg, "cannot add DNS servers if container will not create /etc/resolv.conf") + } var dns []net.IP for _, i := range dnsServers { result := net.ParseIP(i) @@ -1027,6 +1033,9 @@ func WithDNSOption(dnsOptions []string) CtrCreateOption { if ctr.valid { return ErrCtrFinalized } + if ctr.config.NoCreateResolvConf { + return errors.Wrapf(ErrInvalidArg, "cannot add DNS options if container will not create /etc/resolv.conf") + } ctr.config.DNSOption = dnsOptions return nil } @@ -1038,6 +1047,11 @@ func WithHosts(hosts []string) CtrCreateOption { if ctr.valid { return ErrCtrFinalized } + + if ctr.config.NoCreateHosts { + return errors.Wrapf(ErrInvalidArg, "cannot add hosts if container will not create /etc/hosts") + } + ctr.config.HostAdd = hosts return nil } @@ -1184,6 +1198,44 @@ func WithCtrNamespace(ns string) CtrCreateOption { } } +// WithNoCreateResolvConf tells the container not to bind-mount resolv.conf in. +// This conflicts with other DNS-related options. +func WithNoCreateResolvConf() CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return ErrCtrFinalized + } + + if len(ctr.config.DNSServer) != 0 || + len(ctr.config.DNSSearch) != 0 || + len(ctr.config.DNSOption) != 0 { + return errors.Wrapf(ErrInvalidArg, "not creating resolv.conf conflicts with DNS options") + } + + ctr.config.NoCreateResolvConf = true + + return nil + } +} + +// WithNoCreateHosts tells the container not to bind-mount /etc/hosts in. +// This conflicts with WithHosts(). +func WithNoCreateHosts() CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return ErrCtrFinalized + } + + if len(ctr.config.HostAdd) != 0 { + return errors.Wrapf(ErrInvalidArg, "not creating /etc/hosts conflicts with adding to the hosts file") + } + + ctr.config.NoCreateHosts = true + + return nil + } +} + // withIsInfra sets the container to be an infra container. This means the container will be sometimes hidden // and expected to be the first container in the pod. func withIsInfra() CtrCreateOption { |