author | baude <bbaude@redhat.com> | 2020-10-01 15:18:11 -0500 |
---|---|---|
committer | baude <bbaude@redhat.com> | 2020-10-01 15:18:11 -0500 |
commit | f0c71168481e525414a38dc3eaf5a027afe2d4e7 (patch) | |
tree | 3be3d290633ff11a5ee4fd80225ace250a298806 /pkg/spec | |
parent | 5d22eb02f95f28a87ed263afe28b7ff4bf2f6fee (diff) | |
fix compat api privileged and entrypoint code
when adding /dev to a privileged container using the compatibility API, we need to make sure we don't pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side.
the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls".
Signed-off-by: baude <bbaude@redhat.com>
Diffstat (limited to 'pkg/spec')
-rw-r--r-- | pkg/spec/config_linux.go | 3 | ||||
-rw-r--r-- | pkg/spec/spec.go | 19 |
2 files changed, 17 insertions, 5 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index d03663f12..319cce61f 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -200,6 +200,9 @@ func getDevices(path string) ([]*configs.Device, error) {
 }
 case f.Name() == "console":
 continue
+ case f.Mode()&os.ModeSymlink != 0:
+ // do not add symlink'd devices to privileged devices
+ continue
 }
 device, err := devices.DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
 if err != nil {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 42228540c..81620997f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -182,14 +182,23 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 g.SetProcessCwd(config.WorkDir)
 ProcessArgs := make([]string, 0)
- if len(config.Entrypoint) > 0 {
- ProcessArgs = config.Entrypoint
+ // We need to iterate the input for entrypoint because it is a []string
+ // but "" is a legit json input, which translates into a []string with an
+ // empty position. This messes up the eventual command being executed
+ // in the container
+ for _, a := range config.Entrypoint {
+ if len(a) > 0 {
+ ProcessArgs = append(ProcessArgs, a)
+ }
 }
- if len(config.Command) > 0 {
- ProcessArgs = append(ProcessArgs, config.Command...)
+ // Same issue as explained above for config.Entrypoint.
+ for _, a := range config.Command {
+ if len(a) > 0 {
+ ProcessArgs = append(ProcessArgs, a)
+ }
 }
- g.SetProcessArgs(ProcessArgs)
+ g.SetProcessArgs(ProcessArgs)
 g.SetProcessTerminal(config.Tty)
 for key, val := range config.Annotations {
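Review bot: The new `f.Mode()&os.ModeSymlink != 0` case only fires if `f` carries Lstat-style mode bits; the directory listing that produces `f` is outside this hunk, and a listing that follows links (a Stat-based one) reports the target's mode, so a symlink would pass straight through to `devices.DeviceFromPath` and be granted `rwm` in the privileged container. That dependency on the caller is worth pinning in the comment, e.g. `// relies on f coming from an Lstat-based listing; a Stat'd entry would hide the link and let it through`. If the listing is ever changed, an explicit `os.Lstat(filepath.Join(path, f.Name()))` at this point would make the guard self-contained. getDevices begins and ends outside the hunk.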
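Review bot: Dropping every empty element in the two `range` loops is broader than the defect the commit describes: a `""` that is a genuine positional argument is now silently removed, which shifts every following argument by one and changes what the container runs. Per the commit message the JSON quirk yields exactly a one-element slice whose only element is empty, so the check can target that shape and otherwise pass the slices through unchanged; the rewritten lines are below. The `g.SetProcessArgs(ProcessArgs)` remove/add pair appears to differ only in whitespace. createConfigToOCISpec continues outside the hunk on both sides.
```go
	ProcessArgs := make([]string, 0)
	// A bare "" in the compat JSON decodes to []string{""}; treat only that
	// exact shape as "unset" so that a real empty argument is preserved.
	if !(len(config.Entrypoint) == 1 && config.Entrypoint[0] == "") {
		ProcessArgs = append(ProcessArgs, config.Entrypoint...)
	}
	if !(len(config.Command) == 1 && config.Command[0] == "") {
		ProcessArgs = append(ProcessArgs, config.Command...)
	}
	g.SetProcessArgs(ProcessArgs)
	// … unchanged: SetProcessTerminal, annotations loop …
```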