summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2020-05-05 11:35:32 +0200
committerValentin Rothberg <rothberg@redhat.com>2020-05-06 17:08:22 +0200
commitf269be3a314a0903bb74a20de0e93b4f274531e6 (patch)
tree5f64bc2b03abb8639fb7cfe2f13ee7589c6f8cdd /libpod
parent0eb905ff2c2f033ee3009d8d374dcd2347ac04d1 (diff)
downloadpodman-f269be3a314a0903bb74a20de0e93b4f274531e6.tar.gz
podman-f269be3a314a0903bb74a20de0e93b4f274531e6.tar.bz2
podman-f269be3a314a0903bb74a20de0e93b4f274531e6.zip
add {generate,play} kube
Add the `podman generate kube` and `podman play kube` command. The code has largely been copied from Podman v1 but restructured to not leak the K8s core API into the (remote) client. Both commands are added in the same commit to allow for enabling the tests at the same time. Move some exports from `cmd/podman/common` to the appropriate places in the backend to avoid circular dependencies. Move definitions of label annotations to `libpod/define` and set the security-opt labels in the frontend to make kube tests pass. Implement rest endpoints, bindings and the tunnel interface. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container.go2
-rw-r--r--libpod/container_inspect.go83
-rw-r--r--libpod/define/annotations.go68
-rw-r--r--libpod/kube.go2
4 files changed, 78 insertions, 77 deletions
diff --git a/libpod/container.go b/libpod/container.go
index 5cd719ab6..d4a779b13 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -1221,5 +1221,5 @@ func (c *Container) AutoRemove() bool {
if spec.Annotations == nil {
return false
}
- return c.Spec().Annotations[InspectAnnotationAutoremove] == InspectResponseTrue
+ return c.Spec().Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue
}
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 276429b11..ae28dde94 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -16,73 +16,6 @@ import (
"github.com/syndtr/gocapability/capability"
)
-const (
- // InspectAnnotationCIDFile is used by Inspect to determine if a
- // container ID file was created for the container.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationCIDFile = "io.podman.annotations.cid-file"
- // InspectAnnotationAutoremove is used by Inspect to determine if a
- // container will be automatically removed on exit.
- // If an annotation with this key is found in the OCI spec and is one of
- // the two supported boolean values (InspectResponseTrue and
- // InspectResponseFalse) it will be used in the output of Inspect().
- InspectAnnotationAutoremove = "io.podman.annotations.autoremove"
- // InspectAnnotationVolumesFrom is used by Inspect to identify
- // containers whose volumes are are being used by this container.
- // It is expected to be a comma-separated list of container names and/or
- // IDs.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationVolumesFrom = "io.podman.annotations.volumes-from"
- // InspectAnnotationPrivileged is used by Inspect to identify containers
- // which are privileged (IE, running with elevated privileges).
- // It is expected to be a boolean, populated by one of
- // InspectResponseTrue or InspectResponseFalse.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationPrivileged = "io.podman.annotations.privileged"
- // InspectAnnotationPublishAll is used by Inspect to identify containers
- // which have all the ports from their image published.
- // It is expected to be a boolean, populated by one of
- // InspectResponseTrue or InspectResponseFalse.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationPublishAll = "io.podman.annotations.publish-all"
- // InspectAnnotationInit is used by Inspect to identify containers that
- // mount an init binary in.
- // It is expected to be a boolean, populated by one of
- // InspectResponseTrue or InspectResponseFalse.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationInit = "io.podman.annotations.init"
- // InspectAnnotationLabel is used by Inspect to identify containers with
- // special SELinux-related settings. It is used to populate the output
- // of the SecurityOpt setting.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationLabel = "io.podman.annotations.label"
- // InspectAnnotationSeccomp is used by Inspect to identify containers
- // with special Seccomp-related settings. It is used to populate the
- // output of the SecurityOpt setting in Inspect.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
- // InspectAnnotationApparmor is used by Inspect to identify containers
- // with special Apparmor-related settings. It is used to populate the
- // output of the SecurityOpt setting.
- // If an annotation with this key is found in the OCI spec, it will be
- // used in the output of Inspect().
- InspectAnnotationApparmor = "io.podman.annotations.apparmor"
-
- // InspectResponseTrue is a boolean True response for an inspect
- // annotation.
- InspectResponseTrue = "TRUE"
- // InspectResponseFalse is a boolean False response for an inspect
- // annotation.
- InspectResponseFalse = "FALSE"
-)
-
// inspectLocked inspects a container for low-level information.
// The caller must held c.lock.
func (c *Container) inspectLocked(size bool) (*define.InspectContainerData, error) {
@@ -452,26 +385,26 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
// Annotations
if ctrSpec.Annotations != nil {
- hostConfig.ContainerIDFile = ctrSpec.Annotations[InspectAnnotationCIDFile]
- if ctrSpec.Annotations[InspectAnnotationAutoremove] == InspectResponseTrue {
+ hostConfig.ContainerIDFile = ctrSpec.Annotations[define.InspectAnnotationCIDFile]
+ if ctrSpec.Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue {
hostConfig.AutoRemove = true
}
- if ctrs, ok := ctrSpec.Annotations[InspectAnnotationVolumesFrom]; ok {
+ if ctrs, ok := ctrSpec.Annotations[define.InspectAnnotationVolumesFrom]; ok {
hostConfig.VolumesFrom = strings.Split(ctrs, ",")
}
- if ctrSpec.Annotations[InspectAnnotationPrivileged] == InspectResponseTrue {
+ if ctrSpec.Annotations[define.InspectAnnotationPrivileged] == define.InspectResponseTrue {
hostConfig.Privileged = true
}
- if ctrSpec.Annotations[InspectAnnotationInit] == InspectResponseTrue {
+ if ctrSpec.Annotations[define.InspectAnnotationInit] == define.InspectResponseTrue {
hostConfig.Init = true
}
- if label, ok := ctrSpec.Annotations[InspectAnnotationLabel]; ok {
+ if label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]; ok {
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label))
}
- if seccomp, ok := ctrSpec.Annotations[InspectAnnotationSeccomp]; ok {
+ if seccomp, ok := ctrSpec.Annotations[define.InspectAnnotationSeccomp]; ok {
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp))
}
- if apparmor, ok := ctrSpec.Annotations[InspectAnnotationApparmor]; ok {
+ if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
}
}
diff --git a/libpod/define/annotations.go b/libpod/define/annotations.go
new file mode 100644
index 000000000..f6b1c06ea
--- /dev/null
+++ b/libpod/define/annotations.go
@@ -0,0 +1,68 @@
+package define
+
+const (
+ // InspectAnnotationCIDFile is used by Inspect to determine if a
+ // container ID file was created for the container.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationCIDFile = "io.podman.annotations.cid-file"
+ // InspectAnnotationAutoremove is used by Inspect to determine if a
+ // container will be automatically removed on exit.
+ // If an annotation with this key is found in the OCI spec and is one of
+ // the two supported boolean values (InspectResponseTrue and
+ // InspectResponseFalse) it will be used in the output of Inspect().
+ InspectAnnotationAutoremove = "io.podman.annotations.autoremove"
+ // InspectAnnotationVolumesFrom is used by Inspect to identify
+ // containers whose volumes are are being used by this container.
+ // It is expected to be a comma-separated list of container names and/or
+ // IDs.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationVolumesFrom = "io.podman.annotations.volumes-from"
+ // InspectAnnotationPrivileged is used by Inspect to identify containers
+ // which are privileged (IE, running with elevated privileges).
+ // It is expected to be a boolean, populated by one of
+ // InspectResponseTrue or InspectResponseFalse.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationPrivileged = "io.podman.annotations.privileged"
+ // InspectAnnotationPublishAll is used by Inspect to identify containers
+ // which have all the ports from their image published.
+ // It is expected to be a boolean, populated by one of
+ // InspectResponseTrue or InspectResponseFalse.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationPublishAll = "io.podman.annotations.publish-all"
+ // InspectAnnotationInit is used by Inspect to identify containers that
+ // mount an init binary in.
+ // It is expected to be a boolean, populated by one of
+ // InspectResponseTrue or InspectResponseFalse.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationInit = "io.podman.annotations.init"
+ // InspectAnnotationLabel is used by Inspect to identify containers with
+ // special SELinux-related settings. It is used to populate the output
+ // of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationLabel = "io.podman.annotations.label"
+ // InspectAnnotationSeccomp is used by Inspect to identify containers
+ // with special Seccomp-related settings. It is used to populate the
+ // output of the SecurityOpt setting in Inspect.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
+ // InspectAnnotationApparmor is used by Inspect to identify containers
+ // with special Apparmor-related settings. It is used to populate the
+ // output of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationApparmor = "io.podman.annotations.apparmor"
+
+ // InspectResponseTrue is a boolean True response for an inspect
+ // annotation.
+ InspectResponseTrue = "TRUE"
+ // InspectResponseFalse is a boolean False response for an inspect
+ // annotation.
+ InspectResponseFalse = "FALSE"
+)
diff --git a/libpod/kube.go b/libpod/kube.go
index 5511d303d..a3c5e912f 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -469,7 +469,7 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
}
var selinuxOpts v1.SELinuxOptions
- opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+ opts := strings.SplitN(c.config.Spec.Annotations[define.InspectAnnotationLabel], ":", 2)
if len(opts) == 2 {
switch opts[0] {
case "type":