author | baude <bbaude@redhat.com> | 2018-02-15 08:17:35 -0600 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-02-16 18:35:54 +0000 |
commit | 586bb86a2ac58056b0d0d23274fb98ec599b0908 (patch) | |
tree | 831019f054727e219c2bd11a083b0b10a90cd974 /cmd/podman | |
parent | bc1d25bb19c1664b5669c13d6ff2811571284d27 (diff) | |
Run podman inside a podman container
We should be able to run nested podman containers in particular
for our testing environment. i.e. eat our own dog food.
Some privileges had to be corrected in order for this to work
correctly.
Added a third papr target that runs podman tests inside podman. I
marked the test as not required for now, until we gain more confidence
in the results.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #340
Approved by: rhatdan
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/spec.go | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index c5ed2c0d4..e78118b2f 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
 func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
 	var err error
 	var caplist []string
-	if config.Privileged {
-		caplist = caps.GetAllCapabilities()
-	} else {
-		caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
-		if err != nil {
-			return err
-		}
+	caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+	if err != nil {
+		return err
 	}
 
 	configSpec.Process.Capabilities.Bounding = caplist
@@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	cgroupPerm := "ro"
 	g := generate.New()
+	g.HostSpecific = true
 	if config.Privileged {
 		cgroupPerm = "rw"
 		g.RemoveMount("/sys")
@@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 
 	// HANDLE CAPABILITIES
 	// NOTE: Must happen before SECCOMP
-	if err := setupCapabilities(config, configSpec); err != nil {
-		return nil, err
+	if !config.Privileged {
+		if err := setupCapabilities(config, configSpec); err != nil {
+			return nil, err
+		}
+	} else {
+		g.SetupPrivileged(true)
 	}
 
 	// HANDLE SECCOMP
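Review bot: setupCapabilities now has a narrower contract than its name and signature suggest — it still takes config.Privileged in the createConfig but no longer looks at it, so any future caller that passes a privileged config gets the default bounding set plus --cap-add/--cap-drop instead of the full set, with no error and no warning. The guard has moved to createConfigToOCISpec, which is easy to miss from inside this function. Either state it in a doc comment, `// setupCapabilities applies --cap-add/--cap-drop to the default bounding set. It must only be called for unprivileged containers; privileged ones get their full set from g.SetupPrivileged.`, or make it self-defending with `if config.Privileged { return nil }` at the top so the two call sites cannot drift apart. The body of setupCapabilities continues past the end of this hunk.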
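Review bot: `g.HostSpecific = true` is added unconditionally, for every container rather than only privileged ones, with no comment explaining why it is needed, even though the commit message says privileges "had to be corrected" for nested podman. As far as I can tell from runtime-tools' generator, HostSpecific makes the generated spec reflect the running kernel (for example trimming the capability list SetupPrivileged hands out to what this kernel reports) instead of the library's static defaults, which is presumably what makes the nested privileged case work — but that is inferred from the library, not visible in this hunk, so confirm against the vendored version. A why-comment on the line would save the next reader that archaeology: `// Generate the spec for this host's kernel (e.g. only capabilities it actually supports) rather than runtime-tools' static defaults; required for podman-in-podman.` createConfigToOCISpec continues beyond this hunk.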
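Review bot: `g.SetupPrivileged(true)` very likely does more than grant all capabilities — in runtime-tools' generator it also clears the spec's seccomp, SELinux label and AppArmor profile fields — so the existing "Must happen before SECCOMP" note now cuts both ways: whatever the seccomp handling after this hunk does for a privileged container will overwrite that reset unless it also checks config.Privileged, and the reader of this hunk has no hint of that. This is inferred from the library, not from visible lines, so confirm against the vendored version. A second thing worth a line: the unprivileged branch mutates configSpec while the privileged branch mutates g, which is only equivalent if configSpec aliases g.Spec(); that assignment is outside the hunk. Suggested comment above the else branch: `// SetupPrivileged grants the full bounding set and also drops seccomp/SELinux/AppArmor confinement from g's spec; the seccomp block below must honour config.Privileged.` createConfigToOCISpec both begins and ends outside this hunk.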