authorGiuseppe Scrivano <gscrivan@redhat.com>2019-10-06 11:11:29 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-10-09 23:38:45 +0200
commit3ba3e1c7510d1780b6527a4aa52e40ac2c5b576a (patch)
treecf643117c58e4ac9136ad21969e48ba57738c146
parent2bf184aa019387de560bec60636ae5152f8b54ce (diff)
systemd: expect full path /usr/sbin/init
"init" is a fairly common name for the command executed in a container image, so Podman ended up enabling systemd mode even when it was not wanted. Be stricter about enabling systemd mode: do not enable it automatically when the basename of the command is "init"; instead require the full path "/usr/sbin/init". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--cmd/podman/shared/create.go2
-rw-r--r--docs/podman-create.1.md7
-rw-r--r--docs/podman-derivative-api64
-rw-r--r--docs/podman-run.1.md5
-rw-r--r--pkg/spec/createconfig.go3
-rw-r--r--test/e2e/systemd_test.go2
6 files changed, 74 insertions, 9 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 9020613c5..675dfbad6 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -663,7 +663,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
}
var systemd bool
- if command != nil && c.Bool("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
+ if command != nil && c.Bool("systemd") && (command[0] == "/usr/sbin/init" || (filepath.Base(command[0]) == "systemd")) {
systemd = true
if signalString == "" {
stopSignal, err = signal.ParseSignal("RTMIN+3")
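Review bot: The new exact-path test on the `+` line accepts only `/usr/sbin/init`, so images without a merged /usr whose real entrypoint is `/sbin/init` will now start without the tmpfs mounts and the RTMIN+3 stop signal this branch configures; if that is intended it should be documented, otherwise consider `command[0] == "/usr/sbin/init" || command[0] == "/sbin/init"`. The `systemd` arm still matches on `filepath.Base`, so the stricter rule applies to init only — a short comment such as `// only the exact init path is trusted; "init" alone is too common a name` would explain the asymmetry to the next reader. Note also that `command != nil` does not protect the `command[0]` index from an empty non-nil slice; `len(command) > 0` would. ParseCreateOpts continues outside this hunk.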
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 46fa4fcd4..418ad2c4e 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -709,13 +709,14 @@ Network Namespace - current sysctls allowed:
Sysctls beginning with net.*
Note: if you use the --network=host option these sysctls will not be allowed.
-
+x
**--systemd**=*true|false*
Run container in systemd mode. The default is *true*.
-If the command you running inside of the container is systemd or init, podman
-will setup tmpfs mount points in the following directories:
+If the command you are running inside of the container is systemd or
+/usr/sbin/init, Podman will setup tmpfs mount points in the following
+directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
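Review bot: The hunk replaces the blank separator line with a stray `+x`, which will render as a literal "x" paragraph in the podman-create man page just before the `--systemd` option; it looks like an editing leftover and should be restored to an empty line. The rest of the rewording is fine and matches the parallel edit in podman-run.1.md.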
diff --git a/docs/podman-derivative-api b/docs/podman-derivative-api
new file mode 100644
index 000000000..1b6153df5
--- /dev/null
+++ b/docs/podman-derivative-api
@@ -0,0 +1,64 @@
+.TH How to use libpod for custom/derivative projects
+.PP
+libpod today is a Golang library and a CLI. The choice of interface you make has advantages and disadvantages.
+
+.SH Running as a subprocess
+.PP
+Advantages:
+
+.RS
+.IP \(bu 2
+Many commands output JSON
+.IP \(bu 2
+Works with languages other than Golang
+.IP \(bu 2
+Easy to get started
+
+.RE
+
+.PP
+Disadvantages:
+
+.RS
+.IP \(bu 2
+Error handling is harder
+.IP \(bu 2
+May be slower
+.IP \(bu 2
+Can't hook into or control low\-level things like how images are pulled
+
+.RE
+
+.SH Vendoring into a Go project
+.PP
+Advantages:
+
+.RS
+.IP \(bu 2
+Significant power and control
+
+.RE
+
+.PP
+Disadvantages:
+
+.RS
+.IP \(bu 2
+You are now on the hook for container runtime security updates (partially, \fB\fCrunc\fR/\fB\fCcrun\fR are separate)
+.IP \(bu 2
+Binary size
+.IP \(bu 2
+Potential skew between multiple libpod versions operating on the same storage can cause problems
+
+.RE
+
+.SH Varlink
+.PP
+Some code exists for this; splits the difference. Future uncertain.
+
+.SH Making the choice
+.PP
+A good question to ask first is: Do you want users to be able to use \fB\fCpodman\fR to manipulate the containers created by your project?
+If so, that makes it more likely that you want to run \fB\fCpodman\fR as a subprocess. If you want a separate image store and a fundamentally
+different experience; if what you're doing with containers is quite different from those created by the \fB\fCpodman\fR CLI,
+that may drive you towards vendoring.
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index dfc634288..5cbe1a38f 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -751,8 +751,9 @@ Note: if you use the `--network=host` option these sysctls will not be allowed.
Run container in systemd mode. The default is *true*.
-If the command you are running inside of the container is systemd or init, Podman
-will setup tmpfs mount points in the following directories:
+If the command you are running inside of the container is systemd or
+/usr/sbin/init, Podman will setup tmpfs mount points in the following
+directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index a65263b7d..3685450f0 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -195,8 +195,7 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l
if c.Interactive {
options = append(options, libpod.WithStdin())
}
- if c.Systemd && (strings.HasSuffix(c.Command[0], "init") ||
- strings.HasSuffix(c.Command[0], "systemd")) {
+ if c.Systemd {
options = append(options, libpod.WithSystemd())
}
if c.Name != "" {
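Review bot: The new `if c.Systemd` now applies `libpod.WithSystemd()` unconditionally, so this layer no longer verifies that the container command is an init/systemd binary and relies entirely on whoever populated `CreateConfig` having done that gating. The man pages in this commit state that `--systemd` defaults to true, so any other constructor of `CreateConfig` that copies the flag straight into `Systemd` (if such a path exists, which I cannot confirm from the hunk) would turn on the systemd tmpfs mounts for every container. A comment would make the contract explicit: `// Systemd must already have been gated on the container command by the caller (see ParseCreateOpts); it is not re-checked here.` getContainerCreateOptions continues outside this hunk.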
diff --git a/test/e2e/systemd_test.go b/test/e2e/systemd_test.go
index 02778d493..9ec48ba00 100644
--- a/test/e2e/systemd_test.go
+++ b/test/e2e/systemd_test.go
@@ -94,7 +94,7 @@ WantedBy=multi-user.target
Expect(pull.ExitCode()).To(Equal(0))
ctrName := "testSystemd"
- run := podmanTest.Podman([]string{"run", "--name", ctrName, "-t", "-i", "-d", systemdImage, "init"})
+ run := podmanTest.Podman([]string{"run", "--name", ctrName, "-t", "-i", "-d", systemdImage, "/usr/sbin/init"})
run.WaitWithDefaultTimeout()
Expect(run.ExitCode()).To(Equal(0))
ctrID := run.OutputToString()
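Review bot: The updated test still only exercises the accepting path with `/usr/sbin/init`; nothing asserts that a bare `init` command, which this commit deliberately stops recognizing, no longer enables systemd mode, so a regression back to basename matching would pass this suite unnoticed. A second run that starts the same image with `init` as the command and checks that the container was not given the systemd-specific setup (for example by inspecting its mounts or stop signal, whichever the test helpers expose) would pin the new behavior. The enclosing test body continues outside this hunk.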