diff options
| author | Matthew Heon <matthew.heon@pm.me> | 2020-03-01 17:54:11 -0500 |
|---|---|---|
| committer | Matthew Heon <matthew.heon@pm.me> | 2020-03-02 10:58:11 -0500 |
| commit | e45456223c4caa762be1a9b1f6b94006d5053c1a (patch) | |
| tree | 79514017ed640ce8869818f9d68add27a5a4fbd0 /libpod/runtime_ctr.go | |
| parent | 275e9b855dd0a384a283174912c08f3f097101b5 (diff) | |
| download | podman-e45456223c4caa762be1a9b1f6b94006d5053c1a.tar.gz podman-e45456223c4caa762be1a9b1f6b94006d5053c1a.tar.bz2 podman-e45456223c4caa762be1a9b1f6b94006d5053c1a.zip | |
Add validate() for containers
Until now, we've been validating every part of container
configuration through the With... functions that set the options.
This if fine when we are just validating the options to an
individual function, but things get complicated once we need to
validate conflicts between different options. We don't know the
order in which things were passed, so we need the validation on
both of the potential options that can conflict, resulting in
significant code duplication. To solve this, add a validate()
function for containers, and use this to check whether everything
is in a good state.
We can probably move more into this function (there are other
parts of container creation that also do validation of a sort)
but this is a good start to simplifying our options.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Diffstat (limited to 'libpod/runtime_ctr.go')
| -rw-r--r-- | libpod/runtime_ctr.go | 28 |
1 files changed, 6 insertions, 22 deletions
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 39284026c..de93fdce7 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -133,7 +133,12 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. return r.setupContainer(ctx, ctr) } -func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (c *Container, err error) { +func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Container, err error) { + // Validate the container + if err := ctr.validate(); err != nil { + return nil, err + } + // Allocate a lock for the container lock, err := r.lockManager.AllocateLock() if err != nil { @@ -190,27 +195,6 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (c *Contai ctr.config.Name = name } - // If CGroups are disabled, we MUST create a PID namespace. - // Otherwise, the OCI runtime won't be able to stop our container. - if ctr.config.NoCgroups { - if ctr.config.Spec.Linux == nil { - return nil, errors.Wrapf(define.ErrInvalidArg, "must provide Linux namespace configuration in OCI spec when using NoCgroups") - } - foundPid := false - for _, ns := range ctr.config.Spec.Linux.Namespaces { - if ns.Type == spec.PIDNamespace { - foundPid = true - if ns.Path != "" { - return nil, errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace - cannot use another") - } - break - } - } - if !foundPid { - return nil, errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace") - } - } - // Check CGroup parent sanity, and set it if it was not set. // Only if we're actually configuring CGroups. if !ctr.config.NoCgroups { |