authorDaniel J Walsh <dwalsh@redhat.com>2018-09-08 06:58:47 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-09-11 13:31:55 +0000
commitd9580ec62b716d7c8e861dd27c4b452f2419eb65 (patch)
treea1c236f7c728122703757900cf1b78919ad32c84 /cmd/podman
parent123de3087e142f3a6c05ad35fc2095953065415b (diff)
Pass on securityOpts from podInfraContainer to container added to pod.
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based on doesn't recognize a UTS namespace based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/create.go81
1 files changed, 50 insertions, 31 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 7a3b26c85..bc010d047 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -16,7 +16,7 @@ import (
ann "github.com/containers/libpod/pkg/annotations"
"github.com/containers/libpod/pkg/apparmor"
"github.com/containers/libpod/pkg/inspect"
- "github.com/containers/libpod/pkg/namespaces"
+ ns "github.com/containers/libpod/pkg/namespaces"
"github.com/containers/libpod/pkg/rootless"
cc "github.com/containers/libpod/pkg/spec"
"github.com/containers/libpod/pkg/util"
@@ -357,6 +357,33 @@ func configureEntrypoint(c *cli.Context, data *inspect.ImageData) []string {
return entrypoint
}
+func configurePod(c *cli.Context, runtime *libpod.Runtime, namespaces map[string]string) (map[string]string, error) {
+ pod, err := runtime.LookupPod(c.String("pod"))
+ if err != nil {
+ return namespaces, err
+ }
+ podInfraID, err := pod.InfraContainerID()
+ if err != nil {
+ return namespaces, err
+ }
+ if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
+ namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && pod.SharesNet()) {
+ namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
+ namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
+ namespaces["ipc"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["uts"] == cc.Pod) || (!c.IsSet("uts") && pod.SharesUTS()) {
+ namespaces["uts"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ return namespaces, nil
+}
+
// Parses CLI options related to container creation into a config which can be
// parsed into an OCI runtime spec
func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
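Review bot: The user-namespace branch of configurePod keys off the wrong flag: the map entry is filled from `c.String("userns")` in the caller, but the guard here reads `c.IsSet("user")`, so (if `--user` is the separate UID/GID flag, as it appears to be) an explicit `--user` would silently keep the container out of the pod's shared user namespace while an explicit `--userns` would not be recognised as set; the removed code checked `userns`. The `net` branch drifts the same way, since the removed code queried `network`, and whether `IsSet("net")` resolves an alias depends on the cli library, so keeping the original flag names is the safe choice. Proposed: `if (namespaces["user"] == cc.Pod) || (!c.IsSet("userns") && pod.SharesUser()) {` and `if (namespaces["net"] == cc.Pod) || (!c.IsSet("network") && pod.SharesNet()) {`. The function also writes into the caller's map and then returns the same map, which the missing doc comment should state, e.g. `// configurePod rewrites the pid, net, user, ipc and uts entries of namespaces to "container:<infra id>" where the pod shares that namespace or the caller asked for cc.Pod; the map is modified in place and returned.`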
@@ -444,56 +471,48 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
}
// Kernel Namespaces
- var pod *libpod.Pod
+ // TODO Fix handling of namespace from pod
+ // Instead of integrating here, should be done in libpod
+ // However, that also involves setting up security opts
+ // when the pod's namespace is integrated
+ namespaces := map[string]string{
+ "pid": c.String("pid"),
+ "net": c.String("net"),
+ "ipc": c.String("ipc"),
+ "user": c.String("userns"),
+ "uts": c.String("uts"),
+ }
+
if c.IsSet("pod") {
- pod, err = runtime.LookupPod(c.String("pod"))
+ namespaces, err = configurePod(c, runtime, namespaces)
if err != nil {
return nil, err
}
}
- pidModeStr := c.String("pid")
- if !c.IsSet("pid") && pod != nil && pod.SharesPID() {
- pidModeStr = cc.POD
- }
- pidMode := namespaces.PidMode(pidModeStr)
+ pidMode := ns.PidMode(namespaces["pid"])
if !cc.Valid(string(pidMode), pidMode) {
return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
}
- usernsModeStr := c.String("userns")
- if !c.IsSet("userns") && pod != nil && pod.SharesUser() {
- usernsModeStr = cc.POD
- }
- usernsMode := namespaces.UsernsMode(usernsModeStr)
+ usernsMode := ns.UsernsMode(namespaces["user"])
if !cc.Valid(string(usernsMode), usernsMode) {
- return nil, errors.Errorf("--userns %q is not valid", c.String("userns"))
+ return nil, errors.Errorf("--userns %q is not valid", namespaces["user"])
}
- utsModeStr := c.String("uts")
- if !c.IsSet("uts") && pod != nil && pod.SharesUTS() {
- utsModeStr = cc.POD
- }
- utsMode := namespaces.UTSMode(utsModeStr)
+ utsMode := ns.UTSMode(namespaces["uts"])
if !cc.Valid(string(utsMode), utsMode) {
- return nil, errors.Errorf("--uts %q is not valid", c.String("uts"))
+ return nil, errors.Errorf("--uts %q is not valid", namespaces["uts"])
}
- ipcModeStr := c.String("ipc")
- if !c.IsSet("ipc") && pod != nil && pod.SharesIPC() {
- ipcModeStr = cc.POD
- }
- ipcMode := namespaces.IpcMode(ipcModeStr)
+ ipcMode := ns.IpcMode(namespaces["ipc"])
if !cc.Valid(string(ipcMode), ipcMode) {
return nil, errors.Errorf("--ipc %q is not valid", ipcMode)
}
- netModeStr := c.String("network")
- if !c.IsSet("network") && pod != nil && pod.SharesNet() {
- netModeStr = cc.POD
- }
+
// Make sure if network is set to container namespace, port binding is not also being asked for
- netMode := namespaces.NetworkMode(netModeStr)
- if netMode.IsContainer() || cc.IsPod(netModeStr) {
+ netMode := ns.NetworkMode(namespaces["net"])
+ if netMode.IsContainer() {
if len(c.StringSlice("publish")) > 0 || c.Bool("publish-all") {
return nil, errors.Errorf("cannot set port bindings on an existing container network namespace")
}