summaryrefslogtreecommitdiff
path: root/cmd/kpod/spec.go
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2017-11-05 17:06:25 -0500
committerGitHub <noreply@github.com>2017-11-05 17:06:25 -0500
commitdbd524e3d18fbfc422ded06571b95c3513be9771 (patch)
tree584b740d106bbc43e9d614711ea0eddd0a263cd6 /cmd/kpod/spec.go
parentb06190e0da66f45cbe6a44d79065fabcd00ea19c (diff)
parent619637a9197877f3bda54648f9fabc4af90cf9c2 (diff)
downloadpodman-dbd524e3d18fbfc422ded06571b95c3513be9771.tar.gz
podman-dbd524e3d18fbfc422ded06571b95c3513be9771.tar.bz2
podman-dbd524e3d18fbfc422ded06571b95c3513be9771.zip
Merge pull request #17 from rhatdan/caps
Add support for Caps Options.
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r--cmd/kpod/spec.go29
1 files changed, 25 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b990d8463..54a532803 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -6,6 +6,7 @@ import (
"io/ioutil"
"strings"
+ "github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod"
@@ -14,6 +15,25 @@ import (
"golang.org/x/sys/unix"
)
+func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
+ var err error
+ var caplist []string
+ if config.privileged {
+ caplist = caps.GetAllCapabilities()
+ } else {
+ caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
+ if err != nil {
+ return err
+ }
+ }
+
+ configSpec.Process.Capabilities.Bounding = caplist
+ configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
+ configSpec.Process.Capabilities.Effective = caplist
+ return nil
+}
+
// Parses information needed to create a container into an OCI runtime spec
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec := config.GetDefaultLinuxSpec()
@@ -29,9 +49,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Process.Env = config.env
- //TODO
- // Need examples of capacity additions so I can load that properly
-
configSpec.Root.Readonly = config.readOnlyRootfs
configSpec.Hostname = config.hostname
@@ -109,8 +126,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Linux.Seccomp = &seccompConfig
}
+ // HANDLE CAPABILITIES
+ if err := setupCapabilities(config, &configSpec); err != nil {
+ return nil, err
+ }
+
/*
- Capabilities: &configSpec.LinuxCapabilities{
// Rlimits []PosixRlimit // Where does this come from
// Type string
// Hard uint64