diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-03-03 12:28:54 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-03 12:28:54 -0500 |
commit | 87e20560ac885c541784af1341098ce8e1e7a940 (patch) | |
tree | 036fb1fb20fd3cf4503a7ab478b4842acaf9cb5d /pkg/specgen | |
parent | 32b2e367b81ffc808195dbc5ee3097d9936bb57f (diff) | |
parent | 81a3f8a43235077fb93faefe6da34fa6af88a625 (diff) | |
download | podman-87e20560ac885c541784af1341098ce8e1e7a940.tar.gz podman-87e20560ac885c541784af1341098ce8e1e7a940.tar.bz2 podman-87e20560ac885c541784af1341098ce8e1e7a940.zip |
Merge pull request #9536 from jmguzik/enable-cgroupsv2-sec-opts
Enable cgroupsv2 rw mount via security-opt unmask
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/oci.go | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 23a9ce831..eb4dbc944 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -2,12 +2,14 @@ package generate import ( "context" + "path" "strings" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/image" + "github.com/containers/podman/v3/pkg/cgroups" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/specgen" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -157,8 +159,32 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool { return true } +func getCGroupPermissons(unmask []string) string { + ro := "ro" + rw := "rw" + cgroup := "/sys/fs/cgroup" + + cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() + if !cgroupv2 { + return ro + } + + if unmask != nil && unmask[0] == "ALL" { + return rw + } + + for _, p := range unmask { + if path.Clean(p) == cgroup { + return rw + } + } + return ro +} + +// SpecGenToOCI returns the base configuration for the container. func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) { - cgroupPerm := "ro" + cgroupPerm := getCGroupPermissons(s.Unmask) + g, err := generate.New("linux") if err != nil { return nil, err |