diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-08 13:11:18 +0200 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-18 10:32:25 +0200 |
| commit | 0b57e77d7c1c54706611c9ca15e352425adb05e5 (patch) | |
| tree | 6ae9a85fd1f16fb410ccfbd4ea88d5c6ef79004c /pkg/spec/createconfig.go | |
| parent | 7488ed6d9a619d86333dc1880d4df034fbb371b9 (diff) | |
| download | podman-0b57e77d7c1c54706611c9ca15e352425adb05e5.tar.gz podman-0b57e77d7c1c54706611c9ca15e352425adb05e5.tar.bz2 podman-0b57e77d7c1c54706611c9ca15e352425adb05e5.zip | |
libpod: support for cgroup namespace
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/spec/createconfig.go')
| -rw-r--r-- | pkg/spec/createconfig.go | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index 0042ed401..1fb1f829b 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -63,6 +63,7 @@ type CreateConfig struct { CapDrop []string // cap-drop CidFile string ConmonPidFile string + Cgroupns string CgroupParent string // cgroup-parent Command []string Detach bool // detach @@ -101,6 +102,7 @@ type CreateConfig struct { NetworkAlias []string //network-alias PidMode namespaces.PidMode //pid Pod string //pod + CgroupMode namespaces.CgroupMode //cgroup PortBindings nat.PortMap Privileged bool //privileged Publish []string //publish @@ -268,6 +270,23 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS, string(c.NetMode), networks)) } + if c.CgroupMode.IsNS() { + ns := c.CgroupMode.NS() + if ns == "" { + return nil, errors.Errorf("invalid empty user-defined network namespace") + } + _, err := os.Stat(ns) + if err != nil { + return nil, err + } + } else if c.CgroupMode.IsContainer() { + connectedCtr, err := runtime.LookupContainer(c.CgroupMode.Container()) + if err != nil { + return nil, errors.Wrapf(err, "container %q not found", c.CgroupMode.Container()) + } + options = append(options, libpod.WithCgroupNSFrom(connectedCtr)) + } + if c.PidMode.IsContainer() { connectedCtr, err := runtime.LookupContainer(c.PidMode.Container()) if err != nil { |