path: root/pkg/spec/spec.go
authorGiuseppe Scrivano <gscrivan@redhat.com>2018-08-22 17:45:07 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-22 20:32:27 +0000
commit77bcc89d526745b2e0d17d94974990a134908751 (patch)
treef70db4c7dac13ac4a4d94d9703183297daf46b44 /pkg/spec/spec.go
parentb4420e22fc838fd2bd9712d476656ed6e891d4c8 (diff)
downloadpodman-77bcc89d526745b2e0d17d94974990a134908751.tar.gz
podman-77bcc89d526745b2e0d17d94974990a134908751.tar.bz2
podman-77bcc89d526745b2e0d17d94974990a134908751.zip
rootless: fix --net host --privileged
Closes: https://github.com/containers/libpod/issues/1313 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1323 Approved by: umohnani8
Diffstat (limited to 'pkg/spec/spec.go')
-rw-r--r--pkg/spec/spec.go16
1 files changed, 13 insertions, 3 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index dec3a05ef..7323b2d2b 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -25,7 +25,13 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
}
g.HostSpecific = true
addCgroup := true
- if config.Privileged {
+ canMountSys := true
+
+ if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+ canMountSys = false
+ }
+
+ if config.Privileged && canMountSys {
cgroupPerm = "rw"
g.RemoveMount("/sys")
sysMnt := spec.Mount{
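Review bot: The new `canMountSys` flag is computed from `!config.UsernsMode.IsHost() && config.NetMode.IsHost()` with no comment saying why that combination rules out a fresh sysfs mount, and the condition is broader than the commit title suggests: it fires for any non-host `--userns` mode combined with `--net host`, not only rootless. A reader later has to reconstruct the reason from issue #1313; a short why-comment above the check would do, e.g. `// A sysfs mount presumably requires owning the network namespace; inside a user namespace that shares the host's netns this fails, so fall back to bind-mounting the host's /sys (see #1313).`. The enclosing CreateConfigToOCISpec starts before this hunk and continues past it.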
@@ -35,14 +41,18 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"nosuid", "noexec", "nodev", "rw"},
}
g.AddMount(sysMnt)
- } else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+ } else if !canMountSys {
addCgroup = false
g.RemoveMount("/sys")
+ r := "ro"
+ if config.Privileged {
+ r = "rw"
+ }
sysMnt := spec.Mount{
Destination: "/sys",
Type: "bind",
Source: "/sys",
- Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
+ Options: []string{"nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
}
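Review bot: With `r = "rw"` the privileged fallback now rbinds the host's whole /sys read-write, which is a different thing from the namespaced sysfs the other branch creates: it exposes the host's /sys/fs/cgroup (the reason `addCgroup` is cleared) and everything else under /sys as the host sees it. In a non-host user namespace the kernel still evaluates writes against the mapped host uids, so this presumably grants the container nothing the invoking user could not already write, but that argument is the only thing making `rw` acceptable here and it is not recorded anywhere in the code. Suggest a comment next to the `r = "rw"` assignment, e.g. `// Privileged: bind host /sys rw; writes remain limited by the user namespace's uid mapping, and nosuid/noexec/nodev stay in force.`. The enclosing function continues past the hunk.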