author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-10-02 00:51:48 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-02 00:51:48 -0700 |
commit | abdaf79dac76efcd27ac8c7b719ec8d4107921bd (patch) | |
tree | 7c4691160cfa3c435c88f311e7f071348c843dc5 /pkg | |
parent | 3bdccd8a461217ac6d0094c2081f50612d60c19a (diff) | |
parent | abde1ef0ef890d716d4e6d2dff89fdffc25b8295 (diff) | |
Merge pull request #1547 from giuseppe/rootless-error-on-invalid-resources
rootless: raise an error when trying to use cgroups
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/spec/config_linux.go | 25 | ||||
-rw-r--r-- | pkg/spec/spec.go | 176 |
2 files changed, 112 insertions, 89 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 6c0a99419..20cdcc458 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -91,18 +91,23 @@ func getSeccompConfig(config *CreateConfig, configSpec *spec.Spec) (*spec.LinuxS
 }
 
 func (c *CreateConfig) createBlockIO() (*spec.LinuxBlockIO, error) {
+	var ret *spec.LinuxBlockIO
 	bio := &spec.LinuxBlockIO{}
-	bio.Weight = &c.Resources.BlkioWeight
+	if c.Resources.BlkioWeight > 0 {
+		ret = bio
+		bio.Weight = &c.Resources.BlkioWeight
+	}
 	if len(c.Resources.BlkioWeightDevice) > 0 {
 		var lwds []spec.LinuxWeightDevice
+		ret = bio
 		for _, i := range c.Resources.BlkioWeightDevice {
 			wd, err := validateweightDevice(i)
 			if err != nil {
-				return bio, errors.Wrapf(err, "invalid values for blkio-weight-device")
+				return ret, errors.Wrapf(err, "invalid values for blkio-weight-device")
 			}
 			wdStat, err := getStatFromPath(wd.path)
 			if err != nil {
-				return bio, errors.Wrapf(err, "error getting stat from path %q", wd.path)
+				return ret, errors.Wrapf(err, "error getting stat from path %q", wd.path)
 			}
 			lwd := spec.LinuxWeightDevice{
 				Weight: &wd.weight,
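Review bot: The error paths in createBlockIO still hand back the half-built `ret` together with a non-nil error (`return ret, errors.Wrapf(err, "invalid values for blkio-weight-device")`), which Go convention treats as meaningless and which invites a caller to use it; returning `nil, errors.Wrapf(...)` on every error path keeps the new nil-means-nothing-requested contract honest. That contract is also undocumented: after this change the function returns `nil, nil` whenever no blkio option was given, and a header comment such as `// createBlockIO builds the OCI BlockIO resource section, or returns nil when no blkio option was requested.` would save the next reader from tracing `ret` through the function. createBlockIO's body continues in the next hunk.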
@@ -114,34 +119,38 @@ func (c *CreateConfig) createBlockIO() (*spec.LinuxBlockIO, error) {
 		bio.WeightDevice = lwds
 	}
 	if len(c.Resources.DeviceReadBps) > 0 {
+		ret = bio
 		readBps, err := makeThrottleArray(c.Resources.DeviceReadBps, bps)
 		if err != nil {
-			return bio, err
+			return ret, err
 		}
 		bio.ThrottleReadBpsDevice = readBps
 	}
 	if len(c.Resources.DeviceWriteBps) > 0 {
+		ret = bio
 		writeBpds, err := makeThrottleArray(c.Resources.DeviceWriteBps, bps)
 		if err != nil {
-			return bio, err
+			return ret, err
 		}
 		bio.ThrottleWriteBpsDevice = writeBpds
 	}
 	if len(c.Resources.DeviceReadIOps) > 0 {
+		ret = bio
 		readIOps, err := makeThrottleArray(c.Resources.DeviceReadIOps, iops)
 		if err != nil {
-			return bio, err
+			return ret, err
 		}
 		bio.ThrottleReadIOPSDevice = readIOps
 	}
 	if len(c.Resources.DeviceWriteIOps) > 0 {
+		ret = bio
 		writeIOps, err := makeThrottleArray(c.Resources.DeviceWriteIOps, iops)
 		if err != nil {
-			return bio, err
+			return ret, err
 		}
 		bio.ThrottleWriteIOPSDevice = writeIOps
 	}
-	return bio, nil
+	return ret, nil
 }
 
 func makeThrottleArray(throttleInput []string, rateType int) ([]spec.LinuxThrottleDevice, error) {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ad14ea65d..1ad55fc8c 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -159,73 +159,86 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint } g.AddProcessEnv("container", "podman") - canAddResources := !rootless.IsRootless() - - if canAddResources { - // RESOURCES - MEMORY - if config.Resources.Memory != 0 { - g.SetLinuxResourcesMemoryLimit(config.Resources.Memory) - // If a swap limit is not explicitly set, also set a swap limit - // Default to double the memory limit - if config.Resources.MemorySwap == 0 { - g.SetLinuxResourcesMemorySwap(2 * config.Resources.Memory) - } - } - if config.Resources.MemoryReservation != 0 { - g.SetLinuxResourcesMemoryReservation(config.Resources.MemoryReservation) - } - if config.Resources.MemorySwap != 0 { - g.SetLinuxResourcesMemorySwap(config.Resources.MemorySwap) - } - if config.Resources.KernelMemory != 0 { - g.SetLinuxResourcesMemoryKernel(config.Resources.KernelMemory) - } - if config.Resources.MemorySwappiness != -1 { - g.SetLinuxResourcesMemorySwappiness(uint64(config.Resources.MemorySwappiness)) - } - g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller) - g.SetProcessOOMScoreAdj(config.Resources.OomScoreAdj) - - // RESOURCES - CPU - if config.Resources.CPUShares != 0 { - g.SetLinuxResourcesCPUShares(config.Resources.CPUShares) - } - if config.Resources.CPUQuota != 0 { - g.SetLinuxResourcesCPUQuota(config.Resources.CPUQuota) - } - if config.Resources.CPUPeriod != 0 { - g.SetLinuxResourcesCPUPeriod(config.Resources.CPUPeriod) - } - if config.Resources.CPUs != 0 { - g.SetLinuxResourcesCPUPeriod(cpuPeriod) - g.SetLinuxResourcesCPUQuota(int64(config.Resources.CPUs * cpuPeriod)) - } - if config.Resources.CPURtRuntime != 0 { - g.SetLinuxResourcesCPURealtimeRuntime(config.Resources.CPURtRuntime) - } - if config.Resources.CPURtPeriod != 0 { - g.SetLinuxResourcesCPURealtimePeriod(config.Resources.CPURtPeriod) - } - if config.Resources.CPUsetCPUs != "" { - g.SetLinuxResourcesCPUCpus(config.Resources.CPUsetCPUs) - } - if config.Resources.CPUsetMems 
!= "" { - g.SetLinuxResourcesCPUMems(config.Resources.CPUsetMems) - } - - // Devices - if config.Privileged { - // If privileged, we need to add all the host devices to the - // spec. We do not add the user provided ones because we are - // already adding them all. + addedResources := false + + // RESOURCES - MEMORY + if config.Resources.Memory != 0 { + g.SetLinuxResourcesMemoryLimit(config.Resources.Memory) + // If a swap limit is not explicitly set, also set a swap limit + // Default to double the memory limit + if config.Resources.MemorySwap == 0 { + g.SetLinuxResourcesMemorySwap(2 * config.Resources.Memory) + } + addedResources = true + } + if config.Resources.MemoryReservation != 0 { + g.SetLinuxResourcesMemoryReservation(config.Resources.MemoryReservation) + addedResources = true + } + if config.Resources.MemorySwap != 0 { + g.SetLinuxResourcesMemorySwap(config.Resources.MemorySwap) + addedResources = true + } + if config.Resources.KernelMemory != 0 { + g.SetLinuxResourcesMemoryKernel(config.Resources.KernelMemory) + addedResources = true + } + if config.Resources.MemorySwappiness != -1 { + g.SetLinuxResourcesMemorySwappiness(uint64(config.Resources.MemorySwappiness)) + addedResources = true + } + g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller) + g.SetProcessOOMScoreAdj(config.Resources.OomScoreAdj) + + // RESOURCES - CPU + if config.Resources.CPUShares != 0 { + g.SetLinuxResourcesCPUShares(config.Resources.CPUShares) + addedResources = true + } + if config.Resources.CPUQuota != 0 { + g.SetLinuxResourcesCPUQuota(config.Resources.CPUQuota) + addedResources = true + } + if config.Resources.CPUPeriod != 0 { + g.SetLinuxResourcesCPUPeriod(config.Resources.CPUPeriod) + addedResources = true + } + if config.Resources.CPUs != 0 { + g.SetLinuxResourcesCPUPeriod(cpuPeriod) + g.SetLinuxResourcesCPUQuota(int64(config.Resources.CPUs * cpuPeriod)) + addedResources = true + } + if config.Resources.CPURtRuntime != 0 { + 
g.SetLinuxResourcesCPURealtimeRuntime(config.Resources.CPURtRuntime) + addedResources = true + } + if config.Resources.CPURtPeriod != 0 { + g.SetLinuxResourcesCPURealtimePeriod(config.Resources.CPURtPeriod) + addedResources = true + } + if config.Resources.CPUsetCPUs != "" { + g.SetLinuxResourcesCPUCpus(config.Resources.CPUsetCPUs) + addedResources = true + } + if config.Resources.CPUsetMems != "" { + g.SetLinuxResourcesCPUMems(config.Resources.CPUsetMems) + addedResources = true + } + + // Devices + if config.Privileged { + // If privileged, we need to add all the host devices to the + // spec. We do not add the user provided ones because we are + // already adding them all. + if !rootless.IsRootless() { if err := config.AddPrivilegedDevices(&g); err != nil { return nil, err } - } else { - for _, device := range config.Devices { - if err := addDevice(&g, device); err != nil { - return nil, err - } + } + } else { + for _, device := range config.Devices { + if err := addDevice(&g, device); err != nil { + return nil, err } } } @@ -240,13 +253,12 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint g.SetProcessNoNewPrivileges(config.NoNewPrivs) g.SetProcessApparmorProfile(config.ApparmorProfile) - if canAddResources { - blockAccessToKernelFilesystems(config, &g) + blockAccessToKernelFilesystems(config, &g) - // RESOURCES - PIDS - if config.Resources.PidsLimit != 0 { - g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit) - } + // RESOURCES - PIDS + if config.Resources.PidsLimit != 0 { + g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit) + addedResources = true } if config.Systemd && (strings.HasSuffix(config.Command[0], "init") || 
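Review bot: `g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller)` is still called unconditionally and never sets `addedResources`, so under rootless an explicit `--oom-kill-disable` is silently discarded when `configSpec.Linux.Resources` is reset at the end of the function, while every other resource flag now fails with an error. Guarding it the same way as its neighbours, `if config.Resources.DisableOomKiller { addedResources = true }`, keeps the rootless rejection consistent across all cgroup-backed options. `SetProcessOOMScoreAdj` appears to be a process attribute rather than a cgroup setting and can presumably stay unconditional, but that is worth confirming. CreateConfigToOCISpec starts before this hunk and continues after it.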
@@ -347,21 +359,23 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint configSpec.Mounts = supercedeUserMounts(volumeMounts, configSpec.Mounts) //--mount configSpec.Mounts = supercedeUserMounts(config.initFSMounts(), configSpec.Mounts) - if canAddResources { - // BLOCK IO - blkio, err := config.CreateBlockIO() - if err != nil { - return nil, errors.Wrapf(err, "error creating block io") - } - if blkio != nil { - configSpec.Linux.Resources.BlockIO = blkio - } + // BLOCK IO + blkio, err := config.CreateBlockIO() + if err != nil { + return nil, errors.Wrapf(err, "error creating block io") + } + if blkio != nil { + configSpec.Linux.Resources.BlockIO = blkio + addedResources = true } - // If we cannot add resources be sure everything is cleared out - if !canAddResources { + if rootless.IsRootless() { + if addedResources { + return nil, errors.New("invalid configuration, cannot set resources with rootless containers") + } configSpec.Linux.Resources = &spec.LinuxResources{} } + return configSpec, nil } |
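Review bot: The new rootless rejection reports only `invalid configuration, cannot set resources with rootless containers`, so a user who passed `--memory` or `--pids-limit` cannot tell which of a dozen flags tripped it. Since `addedResources` is a bare bool, consider recording the first offending option name alongside it and including it in the message, e.g. `errors.Errorf("invalid configuration, cannot set %s with rootless containers", offending)`. Evaluating `rootless.IsRootless()` once near the top would also let the function fail fast instead of building the whole spec first. This return is the end of CreateConfigToOCISpec, which starts before the hunk.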