diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2020-04-15 14:48:53 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-04-15 16:52:16 -0400 |
| commit | c4ca3c71ffe3c08bc74158340b3427d00efdfe32 (patch) | |
| tree | 46a81877ca430ebf3f2161f6b582773fd3dd869d /libpod/oci_conmon_linux.go | |
| parent | 195cb11276d61311bbd2b5274ac7a98b62abaaba (diff) | |
| download | podman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.tar.gz podman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.tar.bz2 podman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.zip | |
Add support for selecting kvm and systemd labels
In order to better support kata containers and systemd containers
container-selinux has added new types. Podman should execute the
container with an SELinux process label to match the container type.
Traditional Container process : container_t
KVM Container Process: containre_kvm_t
PID 1 Init process: container_init_t
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'libpod/oci_conmon_linux.go')
| -rw-r--r-- | libpod/oci_conmon_linux.go | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 18b438792..0113f7d8e 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -60,6 +60,7 @@ type ConmonOCIRuntime struct { noPivot bool reservePorts bool supportsJSON bool + supportsKVM bool supportsNoCgroups bool sdNotify bool } @@ -70,11 +71,25 @@ type ConmonOCIRuntime struct { // The first path that points to a valid executable will be used. // Deliberately private. Someone should not be able to construct this outside of // libpod. -func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config, supportsJSON, supportsNoCgroups bool) (OCIRuntime, error) { +func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config) (OCIRuntime, error) { if name == "" { return nil, errors.Wrapf(define.ErrInvalidArg, "the OCI runtime must be provided a non-empty name") } + // Make lookup tables for runtime support + supportsJSON := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsJSON)) + supportsNoCgroups := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsNoCgroups)) + supportsKVM := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsKVM)) + for _, r := range runtimeCfg.Engine.RuntimeSupportsJSON { + supportsJSON[r] = true + } + for _, r := range runtimeCfg.Engine.RuntimeSupportsNoCgroups { + supportsNoCgroups[r] = true + } + for _, r := range runtimeCfg.Engine.RuntimeSupportsKVM { + supportsKVM[r] = true + } + runtime := new(ConmonOCIRuntime) runtime.name = name runtime.conmonPath = conmonPath @@ -89,8 +104,9 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime // TODO: probe OCI runtime for feature and enable automatically if // available. - runtime.supportsJSON = supportsJSON - runtime.supportsNoCgroups = supportsNoCgroups + runtime.supportsJSON = supportsJSON[name] + runtime.supportsNoCgroups = supportsNoCgroups[name] + runtime.supportsKVM = supportsKVM[name] foundPath := false for _, path := range paths { @@ -971,6 +987,12 @@ func (r *ConmonOCIRuntime) SupportsNoCgroups() bool { return r.supportsNoCgroups } +// SupportsKVM checks if the OCI runtime supports running containers +// without KVM separation +func (r *ConmonOCIRuntime) SupportsKVM() bool { + return r.supportsKVM +} + // AttachSocketPath is the path to a single container's attach socket. func (r *ConmonOCIRuntime) AttachSocketPath(ctr *Container) (string, error) { if ctr == nil { |