summaryrefslogtreecommitdiff
path: root/cmd/podman
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2018-02-15 08:17:35 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-16 18:35:54 +0000
commit586bb86a2ac58056b0d0d23274fb98ec599b0908 (patch)
tree831019f054727e219c2bd11a083b0b10a90cd974 /cmd/podman
parentbc1d25bb19c1664b5669c13d6ff2811571284d27 (diff)
downloadpodman-586bb86a2ac58056b0d0d23274fb98ec599b0908.tar.gz
podman-586bb86a2ac58056b0d0d23274fb98ec599b0908.tar.bz2
podman-586bb86a2ac58056b0d0d23274fb98ec599b0908.zip
Run podman inside a podman container
We should be able to run nested podman containers in particular for our testing environment. i.e. eat our own dog food. Some privileges had to be corrected in order for this to work correctly. Added a third papr target that runs podman tests inside podman. I marked the test as not required right now as we get more confident in the results Signed-off-by: baude <bbaude@redhat.com> Closes: #340 Approved by: rhatdan
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/spec.go19
1 files changed, 10 insertions, 9 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index c5ed2c0d4..e78118b2f 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
var err error
var caplist []string
- if config.Privileged {
- caplist = caps.GetAllCapabilities()
- } else {
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
- if err != nil {
- return err
- }
+ caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+ if err != nil {
+ return err
}
configSpec.Process.Capabilities.Bounding = caplist
@@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
cgroupPerm := "ro"
g := generate.New()
+ g.HostSpecific = true
if config.Privileged {
cgroupPerm = "rw"
g.RemoveMount("/sys")
@@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
// HANDLE CAPABILITIES
// NOTE: Must happen before SECCOMP
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
+ if !config.Privileged {
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+ } else {
+ g.SetupPrivileged(true)
}
// HANDLE SECCOMP