summaryrefslogtreecommitdiff
path: root/pkg/spec
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2020-10-01 15:18:11 -0500
committerbaude <bbaude@redhat.com>2020-10-01 15:18:11 -0500
commitf0c71168481e525414a38dc3eaf5a027afe2d4e7 (patch)
tree3be3d290633ff11a5ee4fd80225ace250a298806 /pkg/spec
parent5d22eb02f95f28a87ed263afe28b7ff4bf2f6fee (diff)
downloadpodman-f0c71168481e525414a38dc3eaf5a027afe2d4e7.tar.gz
podman-f0c71168481e525414a38dc3eaf5a027afe2d4e7.tar.bz2
podman-f0c71168481e525414a38dc3eaf5a027afe2d4e7.zip
fix compat api privileged and entrypoint code
when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side. the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls". Signed-off-by: baude <bbaude@redhat.com>
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/config_linux.go3
-rw-r--r--pkg/spec/spec.go19
2 files changed, 17 insertions, 5 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index d03663f12..319cce61f 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -200,6 +200,9 @@ func getDevices(path string) ([]*configs.Device, error) {
}
case f.Name() == "console":
continue
+ case f.Mode()&os.ModeSymlink != 0:
+ // do not add symlink'd devices to privileged devices
+ continue
}
device, err := devices.DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
if err != nil {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 42228540c..81620997f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -182,14 +182,23 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
g.SetProcessCwd(config.WorkDir)
ProcessArgs := make([]string, 0)
- if len(config.Entrypoint) > 0 {
- ProcessArgs = config.Entrypoint
+ // We need to iterate the input for entrypoint because it is a []string
+ // but "" is a legit json input, which translates into a []string with an
+ // empty position. This messes up the eventual command being executed
+ // in the container
+ for _, a := range config.Entrypoint {
+ if len(a) > 0 {
+ ProcessArgs = append(ProcessArgs, a)
+ }
}
- if len(config.Command) > 0 {
- ProcessArgs = append(ProcessArgs, config.Command...)
+ // Same issue as explained above for config.Entrypoint.
+ for _, a := range config.Command {
+ if len(a) > 0 {
+ ProcessArgs = append(ProcessArgs, a)
+ }
}
- g.SetProcessArgs(ProcessArgs)
+ g.SetProcessArgs(ProcessArgs)
g.SetProcessTerminal(config.Tty)
for key, val := range config.Annotations {