summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/create.go856
-rw-r--r--cmd/podman/exec.go7
-rw-r--r--cmd/podman/export.go3
-rw-r--r--cmd/podman/import.go3
-rw-r--r--cmd/podman/load.go3
-rw-r--r--cmd/podman/play_kube.go8
-rw-r--r--cmd/podman/pod_create.go9
-rw-r--r--cmd/podman/run.go3
-rw-r--r--cmd/podman/run_test.go3
-rw-r--r--cmd/podman/save.go3
-rw-r--r--cmd/podman/shared/create.go837
-rw-r--r--cmd/podman/shared/create_cli.go (renamed from cmd/podman/create_cli.go)22
-rw-r--r--cmd/podman/shared/create_cli_test.go (renamed from cmd/podman/create_cli_test.go)10
-rw-r--r--cmd/podman/shared/parse/parse.go (renamed from cmd/podman/parse.go)14
-rw-r--r--cmd/podman/shared/pod.go2
-rw-r--r--cmd/podman/volume_create.go5
-rw-r--r--libpod/container_internal_linux.go13
-rw-r--r--libpod/runtime_img.go29
-rw-r--r--pkg/spec/spec.go9
19 files changed, 941 insertions, 898 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 8a5d0cf73..bceb606f6 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -1,37 +1,15 @@
package main
import (
- "context"
- "encoding/json"
"fmt"
- "io"
- "io/ioutil"
"os"
- "path/filepath"
- "strconv"
- "strings"
- "syscall"
- "github.com/containers/image/manifest"
"github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/cmd/podman/shared"
- "github.com/containers/libpod/libpod"
- "github.com/containers/libpod/libpod/image"
- ann "github.com/containers/libpod/pkg/annotations"
- "github.com/containers/libpod/pkg/inspect"
- ns "github.com/containers/libpod/pkg/namespaces"
"github.com/containers/libpod/pkg/rootless"
- cc "github.com/containers/libpod/pkg/spec"
- "github.com/containers/libpod/pkg/util"
- "github.com/docker/docker/pkg/signal"
- "github.com/docker/go-connections/nat"
- "github.com/docker/go-units"
- spec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux/label"
- opentracing "github.com/opentracing/opentracing-go"
+ "github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
- "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
@@ -53,11 +31,6 @@ var (
podman create --annotation HELLO=WORLD alpine ls
podman create -t -i --name myctr alpine ls`,
}
-
- defaultEnvVariables = map[string]string{
- "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM": "xterm",
- }
)
func init() {
@@ -91,7 +64,7 @@ func createCmd(c *cliconfig.CreateValues) error {
}
defer runtime.Shutdown(false)
- ctr, _, err := createContainer(&c.PodmanCommand, runtime)
+ ctr, _, err := shared.CreateContainer(getContext(), &c.PodmanCommand, runtime)
if err != nil {
return err
}
@@ -115,828 +88,3 @@ func createInit(c *cliconfig.PodmanCommand) error {
return nil
}
-
-func createContainer(c *cliconfig.PodmanCommand, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
- var (
- hasHealthCheck bool
- healthCheck *manifest.Schema2HealthConfig
- )
- if c.Bool("trace") {
- span, _ := opentracing.StartSpanFromContext(Ctx, "createContainer")
- defer span.Finish()
- }
-
- rtc := runtime.GetConfig()
- ctx := getContext()
- rootfs := ""
- if c.Bool("rootfs") {
- rootfs = c.InputArgs[0]
- }
-
- var err error
- var cidFile *os.File
- if c.IsSet("cidfile") && os.Geteuid() == 0 {
- cidFile, err = libpod.OpenExclusiveFile(c.String("cidfile"))
- if err != nil && os.IsExist(err) {
- return nil, nil, errors.Errorf("container id file exists. Ensure another container is not using it or delete %s", c.String("cidfile"))
- }
- if err != nil {
- return nil, nil, errors.Errorf("error opening cidfile %s", c.String("cidfile"))
- }
- defer cidFile.Close()
- defer cidFile.Sync()
- }
-
- imageName := ""
- var data *inspect.ImageData = nil
-
- if rootfs == "" && !rootless.SkipStorageSetup() {
- var writer io.Writer
- if !c.Bool("quiet") {
- writer = os.Stderr
- }
-
- newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil)
- if err != nil {
- return nil, nil, err
- }
- data, err = newImage.Inspect(ctx)
- names := newImage.Names()
- if len(names) > 0 {
- imageName = names[0]
- } else {
- imageName = newImage.ID()
- }
-
- // add healthcheck if it exists AND is correct mediatype
- _, mediaType, err := newImage.Manifest(ctx)
- if err != nil {
- return nil, nil, errors.Wrapf(err, "unable to determine mediatype of image %s", newImage.ID())
- }
- if mediaType == manifest.DockerV2Schema2MediaType {
- healthCheck, err = newImage.GetHealthCheck(ctx)
- if err != nil {
- return nil, nil, errors.Wrapf(err, "unable to get healthcheck for %s", c.InputArgs[0])
- }
- if healthCheck != nil {
- hasHealthCheck = true
- }
- }
- }
- createConfig, err := parseCreateOpts(ctx, c, runtime, imageName, data)
- if err != nil {
- return nil, nil, err
- }
-
- // Because parseCreateOpts does derive anything from the image, we add health check
- // at this point. The rest is done by WithOptions.
- createConfig.HasHealthCheck = hasHealthCheck
- createConfig.HealthCheck = healthCheck
-
- ctr, err := createContainerFromCreateConfig(runtime, createConfig, ctx, nil)
- if err != nil {
- return nil, nil, err
- }
- if cidFile != nil {
- _, err = cidFile.WriteString(ctr.ID())
- if err != nil {
- logrus.Error(err)
- }
-
- }
-
- logrus.Debugf("New container created %q", ctr.ID())
- return ctr, createConfig, nil
-}
-
-func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
- var (
- labelOpts []string
- )
-
- if config.PidMode.IsHost() {
- labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if config.PidMode.IsContainer() {
- ctr, err := config.Runtime.LookupContainer(config.PidMode.Container())
- if err != nil {
- return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
- }
- secopts, err := label.DupSecOpt(ctr.ProcessLabel())
- if err != nil {
- return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
- }
- labelOpts = append(labelOpts, secopts...)
- }
-
- if config.IpcMode.IsHost() {
- labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if config.IpcMode.IsContainer() {
- ctr, err := config.Runtime.LookupContainer(config.IpcMode.Container())
- if err != nil {
- return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
- }
- secopts, err := label.DupSecOpt(ctr.ProcessLabel())
- if err != nil {
- return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
- }
- labelOpts = append(labelOpts, secopts...)
- }
-
- for _, opt := range securityOpts {
- if opt == "no-new-privileges" {
- config.NoNewPrivs = true
- } else {
- con := strings.SplitN(opt, "=", 2)
- if len(con) != 2 {
- return fmt.Errorf("Invalid --security-opt 1: %q", opt)
- }
-
- switch con[0] {
- case "label":
- labelOpts = append(labelOpts, con[1])
- case "apparmor":
- config.ApparmorProfile = con[1]
- case "seccomp":
- config.SeccompProfilePath = con[1]
- default:
- return fmt.Errorf("Invalid --security-opt 2: %q", opt)
- }
- }
- }
-
- if config.SeccompProfilePath == "" {
- if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
- config.SeccompProfilePath = libpod.SeccompOverridePath
- } else {
- if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
- }
- if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
- if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
- }
- } else {
- config.SeccompProfilePath = libpod.SeccompDefaultPath
- }
- }
- }
- config.LabelOpts = labelOpts
- return nil
-}
-
-// isPortInPortBindings determines if an exposed host port is in user
-// provided ports
-func isPortInPortBindings(pb map[nat.Port][]nat.PortBinding, port nat.Port) bool {
- var hostPorts []string
- for _, i := range pb {
- hostPorts = append(hostPorts, i[0].HostPort)
- }
- return util.StringInSlice(port.Port(), hostPorts)
-}
-
-// isPortInImagePorts determines if an exposed host port was given to us by metadata
-// in the image itself
-func isPortInImagePorts(exposedPorts map[string]struct{}, port string) bool {
- for i := range exposedPorts {
- fields := strings.Split(i, "/")
- if port == fields[0] {
- return true
- }
- }
- return false
-}
-
-func configureEntrypoint(c *cliconfig.PodmanCommand, data *inspect.ImageData) []string {
- entrypoint := []string{}
- if c.IsSet("entrypoint") {
- // Force entrypoint to ""
- if c.String("entrypoint") == "" {
- return entrypoint
- }
- // Check if entrypoint specified is json
- if err := json.Unmarshal([]byte(c.String("entrypoint")), &entrypoint); err == nil {
- return entrypoint
- }
- // Return entrypoint as a single command
- return []string{c.String("entrypoint")}
- }
- if data != nil {
- return data.Config.Entrypoint
- }
- return entrypoint
-}
-
-func configurePod(c *cliconfig.PodmanCommand, runtime *libpod.Runtime, namespaces map[string]string, podName string) (map[string]string, error) {
- pod, err := runtime.LookupPod(podName)
- if err != nil {
- return namespaces, err
- }
- podInfraID, err := pod.InfraContainerID()
- if err != nil {
- return namespaces, err
- }
- if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
- namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
- }
- if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
- namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
- }
- if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
- namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
- }
- if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
- namespaces["ipc"] = fmt.Sprintf("container:%s", podInfraID)
- }
- if (namespaces["uts"] == cc.Pod) || (!c.IsSet("uts") && pod.SharesUTS()) {
- namespaces["uts"] = fmt.Sprintf("container:%s", podInfraID)
- }
- return namespaces, nil
-}
-
-// Parses CLI options related to container creation into a config which can be
-// parsed into an OCI runtime spec
-func parseCreateOpts(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
- var (
- inputCommand, command []string
- memoryLimit, memoryReservation, memorySwap, memoryKernel int64
- blkioWeight uint16
- namespaces map[string]string
- )
- if c.IsSet("restart") {
- return nil, errors.Errorf("--restart option is not supported.\nUse systemd unit files for restarting containers")
- }
-
- idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
- if err != nil {
- return nil, err
- }
-
- if c.String("mac-address") != "" {
- return nil, errors.Errorf("--mac-address option not currently supported")
- }
-
- imageID := ""
-
- inputCommand = c.InputArgs[1:]
- if data != nil {
- imageID = data.ID
- }
-
- rootfs := ""
- if c.Bool("rootfs") {
- rootfs = c.InputArgs[0]
- }
-
- sysctl, err := validateSysctl(c.StringSlice("sysctl"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for sysctl")
- }
-
- if c.String("memory") != "" {
- memoryLimit, err = units.RAMInBytes(c.String("memory"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for memory")
- }
- }
- if c.String("memory-reservation") != "" {
- memoryReservation, err = units.RAMInBytes(c.String("memory-reservation"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for memory-reservation")
- }
- }
- if c.String("memory-swap") != "" {
- memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for memory-swap")
- }
- }
- if c.String("kernel-memory") != "" {
- memoryKernel, err = units.RAMInBytes(c.String("kernel-memory"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for kernel-memory")
- }
- }
- if c.String("blkio-weight") != "" {
- u, err := strconv.ParseUint(c.String("blkio-weight"), 10, 16)
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for blkio-weight")
- }
- blkioWeight = uint16(u)
- }
- var mountList []spec.Mount
- if mountList, err = parseMounts(c.StringArray("mount")); err != nil {
- return nil, err
- }
-
- if err = parseVolumes(c.StringArray("volume")); err != nil {
- return nil, err
- }
-
- if err = parseVolumesFrom(c.StringSlice("volumes-from")); err != nil {
- return nil, err
- }
-
- tty := c.Bool("tty")
-
- if c.Flag("cpu-period").Changed && c.Flag("cpus").Changed {
- return nil, errors.Errorf("--cpu-period and --cpus cannot be set together")
- }
- if c.Flag("cpu-quota").Changed && c.Flag("cpus").Changed {
- return nil, errors.Errorf("--cpu-quota and --cpus cannot be set together")
- }
-
- // EXPOSED PORTS
- var portBindings map[nat.Port][]nat.PortBinding
- if data != nil {
- portBindings, err = cc.ExposedPorts(c.StringSlice("expose"), c.StringSlice("publish"), c.Bool("publish-all"), data.Config.ExposedPorts)
- if err != nil {
- return nil, err
- }
- }
-
- // Kernel Namespaces
- // TODO Fix handling of namespace from pod
- // Instead of integrating here, should be done in libpod
- // However, that also involves setting up security opts
- // when the pod's namespace is integrated
- namespaceNet := c.String("network")
- if c.Flag("net").Changed {
- namespaceNet = c.String("net")
- }
- namespaces = map[string]string{
- "pid": c.String("pid"),
- "net": namespaceNet,
- "ipc": c.String("ipc"),
- "user": c.String("userns"),
- "uts": c.String("uts"),
- }
-
- originalPodName := c.String("pod")
- podName := strings.Replace(originalPodName, "new:", "", 1)
- // after we strip out :new, make sure there is something left for a pod name
- if len(podName) < 1 && c.IsSet("pod") {
- return nil, errors.Errorf("new pod name must be at least one character")
- }
- if c.IsSet("pod") {
- if strings.HasPrefix(originalPodName, "new:") {
- if rootless.IsRootless() {
- // To create a new pod, we must immediately create the userns.
- became, ret, err := rootless.BecomeRootInUserNS()
- if err != nil {
- return nil, err
- }
- if became {
- os.Exit(ret)
- }
- }
- // pod does not exist; lets make it
- var podOptions []libpod.PodCreateOption
- podOptions = append(podOptions, libpod.WithPodName(podName), libpod.WithInfraContainer(), libpod.WithPodCgroups())
- if len(portBindings) > 0 {
- ociPortBindings, err := cc.NatToOCIPortBindings(portBindings)
- if err != nil {
- return nil, err
- }
- podOptions = append(podOptions, libpod.WithInfraContainerPorts(ociPortBindings))
- }
-
- podNsOptions, err := shared.GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
- if err != nil {
- return nil, err
- }
- podOptions = append(podOptions, podNsOptions...)
- // make pod
- pod, err := runtime.NewPod(ctx, podOptions...)
- if err != nil {
- return nil, err
- }
- logrus.Debugf("pod %s created by new container request", pod.ID())
-
- // The container now cannot have port bindings; so we reset the map
- portBindings = make(map[nat.Port][]nat.PortBinding)
- }
- namespaces, err = configurePod(c, runtime, namespaces, podName)
- if err != nil {
- return nil, err
- }
- }
-
- pidMode := ns.PidMode(namespaces["pid"])
- if !cc.Valid(string(pidMode), pidMode) {
- return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
- }
-
- usernsMode := ns.UsernsMode(namespaces["user"])
- if !cc.Valid(string(usernsMode), usernsMode) {
- return nil, errors.Errorf("--userns %q is not valid", namespaces["user"])
- }
-
- utsMode := ns.UTSMode(namespaces["uts"])
- if !cc.Valid(string(utsMode), utsMode) {
- return nil, errors.Errorf("--uts %q is not valid", namespaces["uts"])
- }
-
- ipcMode := ns.IpcMode(namespaces["ipc"])
- if !cc.Valid(string(ipcMode), ipcMode) {
- return nil, errors.Errorf("--ipc %q is not valid", ipcMode)
- }
-
- // Make sure if network is set to container namespace, port binding is not also being asked for
- netMode := ns.NetworkMode(namespaces["net"])
- if netMode.IsContainer() {
- if len(portBindings) > 0 {
- return nil, errors.Errorf("cannot set port bindings on an existing container network namespace")
- }
- }
-
- // USER
- user := c.String("user")
- if user == "" {
- if data == nil {
- user = "0"
- } else {
- user = data.Config.User
- }
- }
-
- // STOP SIGNAL
- stopSignal := syscall.SIGTERM
- signalString := ""
- if data != nil {
- signalString = data.Config.StopSignal
- }
- if c.IsSet("stop-signal") {
- signalString = c.String("stop-signal")
- }
- if signalString != "" {
- stopSignal, err = signal.ParseSignal(signalString)
- if err != nil {
- return nil, err
- }
- }
-
- // ENVIRONMENT VARIABLES
- env := defaultEnvVariables
- if data != nil {
- for _, e := range data.Config.Env {
- split := strings.SplitN(e, "=", 2)
- if len(split) > 1 {
- env[split[0]] = split[1]
- } else {
- env[split[0]] = ""
- }
- }
- }
- if err := readKVStrings(env, c.StringSlice("env-file"), c.StringSlice("env")); err != nil {
- return nil, errors.Wrapf(err, "unable to process environment variables")
- }
-
- // LABEL VARIABLES
- labels, err := getAllLabels(c.StringSlice("label-file"), c.StringArray("label"))
- if err != nil {
- return nil, errors.Wrapf(err, "unable to process labels")
- }
- if data != nil {
- for key, val := range data.Config.Labels {
- if _, ok := labels[key]; !ok {
- labels[key] = val
- }
- }
- }
-
- // ANNOTATIONS
- annotations := make(map[string]string)
- // First, add our default annotations
- annotations[ann.ContainerType] = "sandbox"
- annotations[ann.TTY] = "false"
- if tty {
- annotations[ann.TTY] = "true"
- }
- if data != nil {
- // Next, add annotations from the image
- for key, value := range data.Annotations {
- annotations[key] = value
- }
- }
- // Last, add user annotations
- for _, annotation := range c.StringSlice("annotation") {
- splitAnnotation := strings.SplitN(annotation, "=", 2)
- if len(splitAnnotation) < 2 {
- return nil, errors.Errorf("Annotations must be formatted KEY=VALUE")
- }
- annotations[splitAnnotation[0]] = splitAnnotation[1]
- }
-
- // WORKING DIRECTORY
- workDir := "/"
- if c.IsSet("workdir") || c.IsSet("w") {
- workDir = c.String("workdir")
- } else if data != nil && data.Config.WorkingDir != "" {
- workDir = data.Config.WorkingDir
- }
-
- entrypoint := configureEntrypoint(c, data)
- // Build the command
- // If we have an entry point, it goes first
- if len(entrypoint) > 0 {
- command = entrypoint
- }
- if len(inputCommand) > 0 {
- // User command overrides data CMD
- command = append(command, inputCommand...)
- } else if data != nil && len(data.Config.Cmd) > 0 && !c.IsSet("entrypoint") {
- // If not user command, add CMD
- command = append(command, data.Config.Cmd...)
- }
-
- if data != nil && len(command) == 0 {
- return nil, errors.Errorf("No command specified on command line or as CMD or ENTRYPOINT in this image")
- }
-
- // SHM Size
- shmSize, err := units.FromHumanSize(c.String("shm-size"))
- if err != nil {
- return nil, errors.Wrapf(err, "unable to translate --shm-size")
- }
-
- // Verify the additional hosts are in correct format
- for _, host := range c.StringSlice("add-host") {
- if _, err := validateExtraHost(host); err != nil {
- return nil, err
- }
- }
-
- // Check for . and dns-search domains
- if util.StringInSlice(".", c.StringSlice("dns-search")) && len(c.StringSlice("dns-search")) > 1 {
- return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
- }
-
- // Validate domains are good
- for _, dom := range c.StringSlice("dns-search") {
- if _, err := validateDomain(dom); err != nil {
- return nil, err
- }
- }
-
- var ImageVolumes map[string]struct{}
- if data != nil && c.String("image-volume") != "ignore" {
- ImageVolumes = data.Config.Volumes
- }
-
- var imageVolType = map[string]string{
- "bind": "",
- "tmpfs": "",
- "ignore": "",
- }
- if _, ok := imageVolType[c.String("image-volume")]; !ok {
- return nil, errors.Errorf("invalid image-volume type %q. Pick one of bind, tmpfs, or ignore", c.String("image-volume"))
- }
-
- var systemd bool
- if command != nil && c.Bool("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
- systemd = true
- if signalString == "" {
- stopSignal, err = signal.ParseSignal("RTMIN+3")
- if err != nil {
- return nil, errors.Wrapf(err, "error parsing systemd signal")
- }
- }
- }
- // This is done because cobra cannot have two aliased flags. So we have to check
- // both
- network := c.String("network")
- if c.Flag("net").Changed {
- network = c.String("net")
- }
-
- var memorySwappiness int64
- if c.Flags().Lookup("memory-swappiness") != nil {
- memorySwappiness, _ = c.Flags().GetInt64("memory-swappiness")
- }
- config := &cc.CreateConfig{
- Runtime: runtime,
- Annotations: annotations,
- BuiltinImgVolumes: ImageVolumes,
- ConmonPidFile: c.String("conmon-pidfile"),
- ImageVolumeType: c.String("image-volume"),
- CapAdd: c.StringSlice("cap-add"),
- CapDrop: c.StringSlice("cap-drop"),
- CgroupParent: c.String("cgroup-parent"),
- Command: command,
- Detach: c.Bool("detach"),
- Devices: c.StringSlice("device"),
- DNSOpt: c.StringSlice("dns-opt"),
- DNSSearch: c.StringSlice("dns-search"),
- DNSServers: c.StringSlice("dns"),
- Entrypoint: entrypoint,
- Env: env,
- //ExposedPorts: ports,
- GroupAdd: c.StringSlice("group-add"),
- Hostname: c.String("hostname"),
- HostAdd: c.StringSlice("add-host"),
- IDMappings: idmappings,
- Image: imageName,
- ImageID: imageID,
- Interactive: c.Bool("interactive"),
- //IP6Address: c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
- IPAddress: c.String("ip"),
- Labels: labels,
- //LinkLocalIP: c.StringSlice("link-local-ip"), // Not implemented yet
- LogDriver: c.String("log-driver"),
- LogDriverOpt: c.StringSlice("log-opt"),
- MacAddress: c.String("mac-address"),
- Name: c.String("name"),
- Network: network,
- //NetworkAlias: c.StringSlice("network-alias"), // Not implemented - does this make sense in Podman?
- IpcMode: ipcMode,
- NetMode: netMode,
- UtsMode: utsMode,
- PidMode: pidMode,
- Pod: podName,
- Privileged: c.Bool("privileged"),
- Publish: c.StringSlice("publish"),
- PublishAll: c.Bool("publish-all"),
- PortBindings: portBindings,
- Quiet: c.Bool("quiet"),
- ReadOnlyRootfs: c.Bool("read-only"),
- Resources: cc.CreateResourceConfig{
- BlkioWeight: blkioWeight,
- BlkioWeightDevice: c.StringSlice("blkio-weight-device"),
- CPUShares: c.Uint64("cpu-shares"),
- CPUPeriod: c.Uint64("cpu-period"),
- CPUsetCPUs: c.String("cpuset-cpus"),
- CPUsetMems: c.String("cpuset-mems"),
- CPUQuota: c.Int64("cpu-quota"),
- CPURtPeriod: c.Uint64("cpu-rt-period"),
- CPURtRuntime: c.Int64("cpu-rt-runtime"),
- CPUs: c.Float64("cpus"),
- DeviceReadBps: c.StringSlice("device-read-bps"),
- DeviceReadIOps: c.StringSlice("device-read-iops"),
- DeviceWriteBps: c.StringSlice("device-write-bps"),
- DeviceWriteIOps: c.StringSlice("device-write-iops"),
- DisableOomKiller: c.Bool("oom-kill-disable"),
- ShmSize: shmSize,
- Memory: memoryLimit,
- MemoryReservation: memoryReservation,
- MemorySwap: memorySwap,
- MemorySwappiness: int(memorySwappiness),
- KernelMemory: memoryKernel,
- OomScoreAdj: c.Int("oom-score-adj"),
- PidsLimit: c.Int64("pids-limit"),
- Ulimit: c.StringSlice("ulimit"),
- },
- Rm: c.Bool("rm"),
- StopSignal: stopSignal,
- StopTimeout: c.Uint("stop-timeout"),
- Sysctl: sysctl,
- Systemd: systemd,
- Tmpfs: c.StringSlice("tmpfs"),
- Tty: tty,
- User: user,
- UsernsMode: usernsMode,
- Mounts: mountList,
- Volumes: c.StringArray("volume"),
- WorkDir: workDir,
- Rootfs: rootfs,
- VolumesFrom: c.StringSlice("volumes-from"),
- Syslog: c.GlobalFlags.Syslog,
- }
- if c.Bool("init") {
- initPath := c.String("init-path")
- if initPath == "" {
- initPath = runtime.GetConfig().InitPath
- }
- if err := config.AddContainerInitBinary(initPath); err != nil {
- return nil, err
- }
- }
-
- if config.Privileged {
- config.LabelOpts = label.DisableSecOpt()
- } else {
- if err := parseSecurityOpt(config, c.StringArray("security-opt")); err != nil {
- return nil, err
- }
- }
- config.SecurityOpts = c.StringArray("security-opt")
- warnings, err := verifyContainerResources(config, false)
- if err != nil {
- return nil, err
- }
- for _, warning := range warnings {
- fmt.Fprintln(os.Stderr, warning)
- }
- return config, nil
-}
-
-type namespace interface {
- IsContainer() bool
- Container() string
-}
-
-func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
- if os.Geteuid() == 0 {
- return false, 0, nil
- }
-
- if createConfig.Pod != "" {
- pod, err := runtime.LookupPod(createConfig.Pod)
- if err != nil {
- return false, -1, err
- }
- inspect, err := pod.Inspect()
- for _, ctr := range inspect.Containers {
- prevCtr, err := runtime.LookupContainer(ctr.ID)
- if err != nil {
- return false, -1, err
- }
- s, err := prevCtr.State()
- if err != nil {
- return false, -1, err
- }
- if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
- continue
- }
- data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
- }
- conmonPid, err := strconv.Atoi(string(data))
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
- }
- return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
- }
- }
-
- namespacesStr := []string{string(createConfig.IpcMode), string(createConfig.NetMode), string(createConfig.UsernsMode), string(createConfig.PidMode), string(createConfig.UtsMode)}
- for _, i := range namespacesStr {
- if cc.IsNS(i) {
- return rootless.JoinNSPath(cc.NS(i))
- }
- }
-
- namespaces := []namespace{createConfig.IpcMode, createConfig.NetMode, createConfig.UsernsMode, createConfig.PidMode, createConfig.UtsMode}
- for _, i := range namespaces {
- if i.IsContainer() {
- ctr, err := runtime.LookupContainer(i.Container())
- if err != nil {
- return false, -1, err
- }
- pid, err := ctr.PID()
- if err != nil {
- return false, -1, err
- }
- if pid == 0 {
- if createConfig.Pod != "" {
- continue
- }
- return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID())
- }
-
- data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
- }
- conmonPid, err := strconv.Atoi(string(data))
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
- }
- return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
- }
- }
- return rootless.BecomeRootInUserNS()
-}
-
-func createContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateConfig, ctx context.Context, pod *libpod.Pod) (*libpod.Container, error) {
- runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
- if err != nil {
- return nil, err
- }
-
- options, err := createConfig.GetContainerCreateOptions(r, pod)
- if err != nil {
- return nil, err
- }
- became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, r)
- if err != nil {
- return nil, err
- }
- if became {
- os.Exit(ret)
- }
-
- ctr, err := r.NewContainer(ctx, runtimeSpec, options...)
- if err != nil {
- return nil, err
- }
-
- createConfigJSON, err := json.Marshal(createConfig)
- if err != nil {
- return nil, err
- }
- if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
- return nil, err
- }
- return ctr, nil
-}
diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
index e4cea1f5e..aa81edf56 100644
--- a/cmd/podman/exec.go
+++ b/cmd/podman/exec.go
@@ -2,16 +2,17 @@ package main
import (
"fmt"
- "github.com/containers/libpod/cmd/podman/cliconfig"
- "github.com/spf13/cobra"
"io/ioutil"
"os"
"strconv"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/rootless"
"github.com/pkg/errors"
+ "github.com/spf13/cobra"
)
var (
@@ -130,7 +131,7 @@ func execCmd(c *cliconfig.ExecValues) error {
// ENVIRONMENT VARIABLES
env := map[string]string{}
- if err := readKVStrings(env, []string{}, c.Env); err != nil {
+ if err := parse.ReadKVStrings(env, []string{}, c.Env); err != nil {
return errors.Wrapf(err, "unable to process environment variables")
}
envs := []string{}
diff --git a/cmd/podman/export.go b/cmd/podman/export.go
index 4be2a3c86..e5dc410a7 100644
--- a/cmd/podman/export.go
+++ b/cmd/podman/export.go
@@ -4,6 +4,7 @@ import (
"os"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
"github.com/containers/libpod/pkg/adapter"
"github.com/containers/libpod/pkg/rootless"
"github.com/pkg/errors"
@@ -70,7 +71,7 @@ func exportCmd(c *cliconfig.ExportValues) error {
}
}
- if err := validateFileName(output); err != nil {
+ if err := parse.ValidateFileName(output); err != nil {
return err
}
return runtime.Export(args[0], output)
diff --git a/cmd/podman/import.go b/cmd/podman/import.go
index c3351ab1b..f3fb7c988 100644
--- a/cmd/podman/import.go
+++ b/cmd/podman/import.go
@@ -4,6 +4,7 @@ import (
"fmt"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
"github.com/containers/libpod/pkg/adapter"
"github.com/pkg/errors"
"github.com/spf13/cobra"
@@ -67,7 +68,7 @@ func importCmd(c *cliconfig.ImportValues) error {
return errors.Errorf("too many arguments. Usage TARBALL [REFERENCE]")
}
- if err := validateFileName(source); err != nil {
+ if err := parse.ValidateFileName(source); err != nil {
return err
}
diff --git a/cmd/podman/load.go b/cmd/podman/load.go
index 3c71e2f61..303c23bc7 100644
--- a/cmd/podman/load.go
+++ b/cmd/podman/load.go
@@ -7,6 +7,7 @@ import (
"os"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
"github.com/containers/libpod/pkg/adapter"
"github.com/pkg/errors"
"github.com/spf13/cobra"
@@ -91,7 +92,7 @@ func loadCmd(c *cliconfig.LoadValues) error {
input = outFile.Name()
}
}
- if err := validateFileName(input); err != nil {
+ if err := parse.ValidateFileName(input); err != nil {
return err
}
diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go
index a9dfee33c..44aa4776b 100644
--- a/cmd/podman/play_kube.go
+++ b/cmd/podman/play_kube.go
@@ -111,7 +111,7 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
podOptions = append(podOptions, libpod.WithPodName(podName))
// TODO for now we just used the default kernel namespaces; we need to add/subtract this from yaml
- nsOptions, err := shared.GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
+ nsOptions, err := shared.GetNamespaceOptions(strings.Split(shared.DefaultKernelNamespaces, ","))
if err != nil {
return err
}
@@ -174,7 +174,7 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
return errors.Errorf("Directories are the only supported HostPath type")
}
}
- if err := validateVolumeHostDir(hostPath.Path); err != nil {
+ if err := shared.ValidateVolumeHostDir(hostPath.Path); err != nil {
return errors.Wrapf(err, "Error in parsing HostPath in YAML")
}
fmt.Println(volume.Name)
@@ -190,7 +190,7 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
if err != nil {
return err
}
- ctr, err := createContainerFromCreateConfig(runtime, createConfig, ctx, pod)
+ ctr, err := shared.CreateContainerFromCreateConfig(runtime, createConfig, ctx, pod)
if err != nil {
return err
}
@@ -286,7 +286,7 @@ func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Run
if !exists {
return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
}
- if err := validateVolumeCtrDir(volume.MountPath); err != nil {
+ if err := shared.ValidateVolumeCtrDir(volume.MountPath); err != nil {
return nil, errors.Wrapf(err, "error in parsing MountPath")
}
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", host_path, volume.MountPath))
diff --git a/cmd/podman/pod_create.go b/cmd/podman/pod_create.go
index d2b7da597..2f7a6b415 100644
--- a/cmd/podman/pod_create.go
+++ b/cmd/podman/pod_create.go
@@ -5,6 +5,7 @@ import (
"os"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/adapter"
"github.com/pkg/errors"
@@ -14,8 +15,8 @@ import (
var (
// Kernel namespaces shared by default within a pod
- DefaultKernelNamespaces = "cgroup,ipc,net,uts"
- podCreateCommand cliconfig.PodCreateValues
+
+ podCreateCommand cliconfig.PodCreateValues
podCreateDescription = `After creating the pod, the pod ID is printed to stdout.
@@ -50,7 +51,7 @@ func init() {
flags.StringVarP(&podCreateCommand.Name, "name", "n", "", "Assign a name to the pod")
flags.StringVar(&podCreateCommand.PodIDFile, "pod-id-file", "", "Write the pod ID to the file")
flags.StringSliceVarP(&podCreateCommand.Publish, "publish", "p", []string{}, "Publish a container's port, or a range of ports, to the host (default [])")
- flags.StringVar(&podCreateCommand.Share, "share", DefaultKernelNamespaces, "A comma delimited list of kernel namespaces the pod will share")
+ flags.StringVar(&podCreateCommand.Share, "share", shared.DefaultKernelNamespaces, "A comma delimited list of kernel namespaces the pod will share")
}
@@ -87,7 +88,7 @@ func podCreateCmd(c *cliconfig.PodCreateValues) error {
defer podIdFile.Sync()
}
- labels, err := getAllLabels(c.LabelFile, c.Labels)
+ labels, err := shared.GetAllLabels(c.LabelFile, c.Labels)
if err != nil {
return errors.Wrapf(err, "unable to process labels")
}
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index ff09e670d..130c5a32c 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/cmd/podman/shared"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/rootless"
opentracing "github.com/opentracing/opentracing-go"
@@ -66,7 +67,7 @@ func runCmd(c *cliconfig.RunValues) error {
}
defer runtime.Shutdown(false)
- ctr, createConfig, err := createContainer(&c.PodmanCommand, runtime)
+ ctr, createConfig, err := shared.CreateContainer(getContext(), &c.PodmanCommand, runtime)
if err != nil {
return err
}
diff --git a/cmd/podman/run_test.go b/cmd/podman/run_test.go
index 5ea39e457..a896f1dc7 100644
--- a/cmd/podman/run_test.go
+++ b/cmd/podman/run_test.go
@@ -5,6 +5,7 @@ import (
"testing"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared"
"github.com/containers/libpod/pkg/inspect"
cc "github.com/containers/libpod/pkg/spec"
"github.com/docker/go-units"
@@ -80,7 +81,7 @@ func getRuntimeSpec(c *cliconfig.PodmanCommand) (*spec.Spec, error) {
createConfig, err := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
*/
ctx := getContext()
- createConfig, err := parseCreateOpts(ctx, c, nil, "alpine", generateAlpineImageData())
+ createConfig, err := shared.ParseCreateOpts(ctx, c, nil, "alpine", generateAlpineImageData())
if err != nil {
return nil, err
}
diff --git a/cmd/podman/save.go b/cmd/podman/save.go
index 494496a3d..df016b069 100644
--- a/cmd/podman/save.go
+++ b/cmd/podman/save.go
@@ -5,6 +5,7 @@ import (
"strings"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
"github.com/containers/libpod/pkg/adapter"
"github.com/containers/libpod/pkg/util"
"github.com/pkg/errors"
@@ -85,7 +86,7 @@ func saveCmd(c *cliconfig.SaveValues) error {
return errors.Errorf("refusing to save to terminal. Use -o flag or redirect")
}
}
- if err := validateFileName(output); err != nil {
+ if err := parse.ValidateFileName(output); err != nil {
return err
}
return runtime.SaveImage(getContext(), c)
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
new file mode 100644
index 000000000..bfd05d53e
--- /dev/null
+++ b/cmd/podman/shared/create.go
@@ -0,0 +1,837 @@
+package shared
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "syscall"
+
+ "github.com/containers/image/manifest"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
+ "github.com/containers/libpod/libpod"
+ "github.com/containers/libpod/libpod/image"
+ ann "github.com/containers/libpod/pkg/annotations"
+ "github.com/containers/libpod/pkg/inspect"
+ ns "github.com/containers/libpod/pkg/namespaces"
+ "github.com/containers/libpod/pkg/rootless"
+ cc "github.com/containers/libpod/pkg/spec"
+ "github.com/containers/libpod/pkg/util"
+ "github.com/docker/docker/pkg/signal"
+ "github.com/docker/go-connections/nat"
+ "github.com/docker/go-units"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/opentracing/opentracing-go"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+// getContext returns a non-nil, empty context
+func getContext() context.Context {
+ return context.TODO()
+}
+
+func CreateContainer(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
+ var (
+ hasHealthCheck bool
+ healthCheck *manifest.Schema2HealthConfig
+ )
+ if c.Bool("trace") {
+ span, _ := opentracing.StartSpanFromContext(ctx, "createContainer")
+ defer span.Finish()
+ }
+
+ rtc := runtime.GetConfig()
+ rootfs := ""
+ if c.Bool("rootfs") {
+ rootfs = c.InputArgs[0]
+ }
+
+ var err error
+ var cidFile *os.File
+ if c.IsSet("cidfile") && os.Geteuid() == 0 {
+ cidFile, err = libpod.OpenExclusiveFile(c.String("cidfile"))
+ if err != nil && os.IsExist(err) {
+ return nil, nil, errors.Errorf("container id file exists. Ensure another container is not using it or delete %s", c.String("cidfile"))
+ }
+ if err != nil {
+ return nil, nil, errors.Errorf("error opening cidfile %s", c.String("cidfile"))
+ }
+ defer cidFile.Close()
+ defer cidFile.Sync()
+ }
+
+ imageName := ""
+ var data *inspect.ImageData = nil
+
+ if rootfs == "" && !rootless.SkipStorageSetup() {
+ var writer io.Writer
+ if !c.Bool("quiet") {
+ writer = os.Stderr
+ }
+
+ newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ data, err = newImage.Inspect(ctx)
+ names := newImage.Names()
+ if len(names) > 0 {
+ imageName = names[0]
+ } else {
+ imageName = newImage.ID()
+ }
+
+ // add healthcheck if it exists AND is correct mediatype
+ _, mediaType, err := newImage.Manifest(ctx)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "unable to determine mediatype of image %s", newImage.ID())
+ }
+ if mediaType == manifest.DockerV2Schema2MediaType {
+ healthCheck, err = newImage.GetHealthCheck(ctx)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "unable to get healthcheck for %s", c.InputArgs[0])
+ }
+ if healthCheck != nil {
+ hasHealthCheck = true
+ }
+ }
+ }
+ createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, data)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ // Because parseCreateOpts does derive anything from the image, we add health check
+ // at this point. The rest is done by WithOptions.
+ createConfig.HasHealthCheck = hasHealthCheck
+ createConfig.HealthCheck = healthCheck
+
+ ctr, err := CreateContainerFromCreateConfig(runtime, createConfig, ctx, nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ if cidFile != nil {
+ _, err = cidFile.WriteString(ctr.ID())
+ if err != nil {
+ logrus.Error(err)
+ }
+
+ }
+
+ logrus.Debugf("New container created %q", ctr.ID())
+ return ctr, createConfig, nil
+}
+
+func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
+ var (
+ labelOpts []string
+ )
+
+ if config.PidMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+ } else if config.PidMode.IsContainer() {
+ ctr, err := config.Runtime.LookupContainer(config.PidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
+ }
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+ if config.IpcMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+ } else if config.IpcMode.IsContainer() {
+ ctr, err := config.Runtime.LookupContainer(config.IpcMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
+ }
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+ for _, opt := range securityOpts {
+ if opt == "no-new-privileges" {
+ config.NoNewPrivs = true
+ } else {
+ con := strings.SplitN(opt, "=", 2)
+ if len(con) != 2 {
+ return fmt.Errorf("Invalid --security-opt 1: %q", opt)
+ }
+
+ switch con[0] {
+ case "label":
+ labelOpts = append(labelOpts, con[1])
+ case "apparmor":
+ config.ApparmorProfile = con[1]
+ case "seccomp":
+ config.SeccompProfilePath = con[1]
+ default:
+ return fmt.Errorf("Invalid --security-opt 2: %q", opt)
+ }
+ }
+ }
+
+ if config.SeccompProfilePath == "" {
+ if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
+ config.SeccompProfilePath = libpod.SeccompOverridePath
+ } else {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
+ }
+ if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
+ }
+ } else {
+ config.SeccompProfilePath = libpod.SeccompDefaultPath
+ }
+ }
+ }
+ config.LabelOpts = labelOpts
+ return nil
+}
+
+func configureEntrypoint(c *cliconfig.PodmanCommand, data *inspect.ImageData) []string {
+ entrypoint := []string{}
+ if c.IsSet("entrypoint") {
+ // Force entrypoint to ""
+ if c.String("entrypoint") == "" {
+ return entrypoint
+ }
+ // Check if entrypoint specified is json
+ if err := json.Unmarshal([]byte(c.String("entrypoint")), &entrypoint); err == nil {
+ return entrypoint
+ }
+ // Return entrypoint as a single command
+ return []string{c.String("entrypoint")}
+ }
+ if data != nil {
+ return data.Config.Entrypoint
+ }
+ return entrypoint
+}
+
+func configurePod(c *cliconfig.PodmanCommand, runtime *libpod.Runtime, namespaces map[string]string, podName string) (map[string]string, error) {
+ pod, err := runtime.LookupPod(podName)
+ if err != nil {
+ return namespaces, err
+ }
+ podInfraID, err := pod.InfraContainerID()
+ if err != nil {
+ return namespaces, err
+ }
+ if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
+ namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
+ namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
+ namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
+ namespaces["ipc"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["uts"] == cc.Pod) || (!c.IsSet("uts") && pod.SharesUTS()) {
+ namespaces["uts"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ return namespaces, nil
+}
+
+// Parses CLI options related to container creation into a config which can be
+// parsed into an OCI runtime spec
+func ParseCreateOpts(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
+ var (
+ inputCommand, command []string
+ memoryLimit, memoryReservation, memorySwap, memoryKernel int64
+ blkioWeight uint16
+ namespaces map[string]string
+ )
+ if c.IsSet("restart") {
+ return nil, errors.Errorf("--restart option is not supported.\nUse systemd unit files for restarting containers")
+ }
+
+ idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
+ if err != nil {
+ return nil, err
+ }
+
+ if c.String("mac-address") != "" {
+ return nil, errors.Errorf("--mac-address option not currently supported")
+ }
+
+ imageID := ""
+
+ inputCommand = c.InputArgs[1:]
+ if data != nil {
+ imageID = data.ID
+ }
+
+ rootfs := ""
+ if c.Bool("rootfs") {
+ rootfs = c.InputArgs[0]
+ }
+
+ sysctl, err := validateSysctl(c.StringSlice("sysctl"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for sysctl")
+ }
+
+ if c.String("memory") != "" {
+ memoryLimit, err = units.RAMInBytes(c.String("memory"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory")
+ }
+ }
+ if c.String("memory-reservation") != "" {
+ memoryReservation, err = units.RAMInBytes(c.String("memory-reservation"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory-reservation")
+ }
+ }
+ if c.String("memory-swap") != "" {
+ memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory-swap")
+ }
+ }
+ if c.String("kernel-memory") != "" {
+ memoryKernel, err = units.RAMInBytes(c.String("kernel-memory"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for kernel-memory")
+ }
+ }
+ if c.String("blkio-weight") != "" {
+ u, err := strconv.ParseUint(c.String("blkio-weight"), 10, 16)
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for blkio-weight")
+ }
+ blkioWeight = uint16(u)
+ }
+ var mountList []spec.Mount
+ if mountList, err = parseMounts(c.StringArray("mount")); err != nil {
+ return nil, err
+ }
+
+ if err = parseVolumes(c.StringArray("volume")); err != nil {
+ return nil, err
+ }
+
+ if err = parseVolumesFrom(c.StringSlice("volumes-from")); err != nil {
+ return nil, err
+ }
+
+ tty := c.Bool("tty")
+
+ if c.Flag("cpu-period").Changed && c.Flag("cpus").Changed {
+ return nil, errors.Errorf("--cpu-period and --cpus cannot be set together")
+ }
+ if c.Flag("cpu-quota").Changed && c.Flag("cpus").Changed {
+ return nil, errors.Errorf("--cpu-quota and --cpus cannot be set together")
+ }
+
+ // EXPOSED PORTS
+ var portBindings map[nat.Port][]nat.PortBinding
+ if data != nil {
+ portBindings, err = cc.ExposedPorts(c.StringSlice("expose"), c.StringSlice("publish"), c.Bool("publish-all"), data.Config.ExposedPorts)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ // Kernel Namespaces
+ // TODO Fix handling of namespace from pod
+ // Instead of integrating here, should be done in libpod
+ // However, that also involves setting up security opts
+ // when the pod's namespace is integrated
+ namespaceNet := c.String("network")
+ if c.Flag("net").Changed {
+ namespaceNet = c.String("net")
+ }
+ namespaces = map[string]string{
+ "pid": c.String("pid"),
+ "net": namespaceNet,
+ "ipc": c.String("ipc"),
+ "user": c.String("userns"),
+ "uts": c.String("uts"),
+ }
+
+ originalPodName := c.String("pod")
+ podName := strings.Replace(originalPodName, "new:", "", 1)
+ // after we strip out :new, make sure there is something left for a pod name
+ if len(podName) < 1 && c.IsSet("pod") {
+ return nil, errors.Errorf("new pod name must be at least one character")
+ }
+ if c.IsSet("pod") {
+ if strings.HasPrefix(originalPodName, "new:") {
+ if rootless.IsRootless() {
+ // To create a new pod, we must immediately create the userns.
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ return nil, err
+ }
+ if became {
+ os.Exit(ret)
+ }
+ }
+ // pod does not exist; lets make it
+ var podOptions []libpod.PodCreateOption
+ podOptions = append(podOptions, libpod.WithPodName(podName), libpod.WithInfraContainer(), libpod.WithPodCgroups())
+ if len(portBindings) > 0 {
+ ociPortBindings, err := cc.NatToOCIPortBindings(portBindings)
+ if err != nil {
+ return nil, err
+ }
+ podOptions = append(podOptions, libpod.WithInfraContainerPorts(ociPortBindings))
+ }
+
+ podNsOptions, err := GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
+ if err != nil {
+ return nil, err
+ }
+ podOptions = append(podOptions, podNsOptions...)
+ // make pod
+ pod, err := runtime.NewPod(ctx, podOptions...)
+ if err != nil {
+ return nil, err
+ }
+ logrus.Debugf("pod %s created by new container request", pod.ID())
+
+ // The container now cannot have port bindings; so we reset the map
+ portBindings = make(map[nat.Port][]nat.PortBinding)
+ }
+ namespaces, err = configurePod(c, runtime, namespaces, podName)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ pidMode := ns.PidMode(namespaces["pid"])
+ if !cc.Valid(string(pidMode), pidMode) {
+ return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
+ }
+
+ usernsMode := ns.UsernsMode(namespaces["user"])
+ if !cc.Valid(string(usernsMode), usernsMode) {
+ return nil, errors.Errorf("--userns %q is not valid", namespaces["user"])
+ }
+
+ utsMode := ns.UTSMode(namespaces["uts"])
+ if !cc.Valid(string(utsMode), utsMode) {
+ return nil, errors.Errorf("--uts %q is not valid", namespaces["uts"])
+ }
+
+ ipcMode := ns.IpcMode(namespaces["ipc"])
+ if !cc.Valid(string(ipcMode), ipcMode) {
+ return nil, errors.Errorf("--ipc %q is not valid", ipcMode)
+ }
+
+ // Make sure if network is set to container namespace, port binding is not also being asked for
+ netMode := ns.NetworkMode(namespaces["net"])
+ if netMode.IsContainer() {
+ if len(portBindings) > 0 {
+ return nil, errors.Errorf("cannot set port bindings on an existing container network namespace")
+ }
+ }
+
+ // USER
+ user := c.String("user")
+ if user == "" {
+ if data == nil {
+ user = "0"
+ } else {
+ user = data.Config.User
+ }
+ }
+
+ // STOP SIGNAL
+ stopSignal := syscall.SIGTERM
+ signalString := ""
+ if data != nil {
+ signalString = data.Config.StopSignal
+ }
+ if c.IsSet("stop-signal") {
+ signalString = c.String("stop-signal")
+ }
+ if signalString != "" {
+ stopSignal, err = signal.ParseSignal(signalString)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ // ENVIRONMENT VARIABLES
+ env := defaultEnvVariables
+ if data != nil {
+ for _, e := range data.Config.Env {
+ split := strings.SplitN(e, "=", 2)
+ if len(split) > 1 {
+ env[split[0]] = split[1]
+ } else {
+ env[split[0]] = ""
+ }
+ }
+ }
+ if err := parse.ReadKVStrings(env, c.StringSlice("env-file"), c.StringSlice("env")); err != nil {
+ return nil, errors.Wrapf(err, "unable to process environment variables")
+ }
+
+ // LABEL VARIABLES
+ labels, err := GetAllLabels(c.StringSlice("label-file"), c.StringArray("label"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to process labels")
+ }
+ if data != nil {
+ for key, val := range data.Config.Labels {
+ if _, ok := labels[key]; !ok {
+ labels[key] = val
+ }
+ }
+ }
+
+ // ANNOTATIONS
+ annotations := make(map[string]string)
+ // First, add our default annotations
+ annotations[ann.ContainerType] = "sandbox"
+ annotations[ann.TTY] = "false"
+ if tty {
+ annotations[ann.TTY] = "true"
+ }
+ if data != nil {
+ // Next, add annotations from the image
+ for key, value := range data.Annotations {
+ annotations[key] = value
+ }
+ }
+ // Last, add user annotations
+ for _, annotation := range c.StringSlice("annotation") {
+ splitAnnotation := strings.SplitN(annotation, "=", 2)
+ if len(splitAnnotation) < 2 {
+ return nil, errors.Errorf("Annotations must be formatted KEY=VALUE")
+ }
+ annotations[splitAnnotation[0]] = splitAnnotation[1]
+ }
+
+ // WORKING DIRECTORY
+ workDir := "/"
+ if c.IsSet("workdir") || c.IsSet("w") {
+ workDir = c.String("workdir")
+ } else if data != nil && data.Config.WorkingDir != "" {
+ workDir = data.Config.WorkingDir
+ }
+
+ entrypoint := configureEntrypoint(c, data)
+ // Build the command
+ // If we have an entry point, it goes first
+ if len(entrypoint) > 0 {
+ command = entrypoint
+ }
+ if len(inputCommand) > 0 {
+ // User command overrides data CMD
+ command = append(command, inputCommand...)
+ } else if data != nil && len(data.Config.Cmd) > 0 && !c.IsSet("entrypoint") {
+ // If not user command, add CMD
+ command = append(command, data.Config.Cmd...)
+ }
+
+ if data != nil && len(command) == 0 {
+ return nil, errors.Errorf("No command specified on command line or as CMD or ENTRYPOINT in this image")
+ }
+
+ // SHM Size
+ shmSize, err := units.FromHumanSize(c.String("shm-size"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to translate --shm-size")
+ }
+
+ // Verify the additional hosts are in correct format
+ for _, host := range c.StringSlice("add-host") {
+ if _, err := parse.ValidateExtraHost(host); err != nil {
+ return nil, err
+ }
+ }
+
+ // Check for . and dns-search domains
+ if util.StringInSlice(".", c.StringSlice("dns-search")) && len(c.StringSlice("dns-search")) > 1 {
+ return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
+ }
+
+ // Validate domains are good
+ for _, dom := range c.StringSlice("dns-search") {
+ if _, err := parse.ValidateDomain(dom); err != nil {
+ return nil, err
+ }
+ }
+
+ var ImageVolumes map[string]struct{}
+ if data != nil && c.String("image-volume") != "ignore" {
+ ImageVolumes = data.Config.Volumes
+ }
+
+ var imageVolType = map[string]string{
+ "bind": "",
+ "tmpfs": "",
+ "ignore": "",
+ }
+ if _, ok := imageVolType[c.String("image-volume")]; !ok {
+ return nil, errors.Errorf("invalid image-volume type %q. Pick one of bind, tmpfs, or ignore", c.String("image-volume"))
+ }
+
+ var systemd bool
+ if command != nil && c.Bool("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
+ systemd = true
+ if signalString == "" {
+ stopSignal, err = signal.ParseSignal("RTMIN+3")
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing systemd signal")
+ }
+ }
+ }
+ // This is done because cobra cannot have two aliased flags. So we have to check
+ // both
+ network := c.String("network")
+ if c.Flag("net").Changed {
+ network = c.String("net")
+ }
+
+ var memorySwappiness int64
+ if c.Flags().Lookup("memory-swappiness") != nil {
+ memorySwappiness, _ = c.Flags().GetInt64("memory-swappiness")
+ }
+ config := &cc.CreateConfig{
+ Runtime: runtime,
+ Annotations: annotations,
+ BuiltinImgVolumes: ImageVolumes,
+ ConmonPidFile: c.String("conmon-pidfile"),
+ ImageVolumeType: c.String("image-volume"),
+ CapAdd: c.StringSlice("cap-add"),
+ CapDrop: c.StringSlice("cap-drop"),
+ CgroupParent: c.String("cgroup-parent"),
+ Command: command,
+ Detach: c.Bool("detach"),
+ Devices: c.StringSlice("device"),
+ DNSOpt: c.StringSlice("dns-opt"),
+ DNSSearch: c.StringSlice("dns-search"),
+ DNSServers: c.StringSlice("dns"),
+ Entrypoint: entrypoint,
+ Env: env,
+ //ExposedPorts: ports,
+ GroupAdd: c.StringSlice("group-add"),
+ Hostname: c.String("hostname"),
+ HostAdd: c.StringSlice("add-host"),
+ IDMappings: idmappings,
+ Image: imageName,
+ ImageID: imageID,
+ Interactive: c.Bool("interactive"),
+ //IP6Address: c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
+ IPAddress: c.String("ip"),
+ Labels: labels,
+ //LinkLocalIP: c.StringSlice("link-local-ip"), // Not implemented yet
+ LogDriver: c.String("log-driver"),
+ LogDriverOpt: c.StringSlice("log-opt"),
+ MacAddress: c.String("mac-address"),
+ Name: c.String("name"),
+ Network: network,
+ //NetworkAlias: c.StringSlice("network-alias"), // Not implemented - does this make sense in Podman?
+ IpcMode: ipcMode,
+ NetMode: netMode,
+ UtsMode: utsMode,
+ PidMode: pidMode,
+ Pod: podName,
+ Privileged: c.Bool("privileged"),
+ Publish: c.StringSlice("publish"),
+ PublishAll: c.Bool("publish-all"),
+ PortBindings: portBindings,
+ Quiet: c.Bool("quiet"),
+ ReadOnlyRootfs: c.Bool("read-only"),
+ Resources: cc.CreateResourceConfig{
+ BlkioWeight: blkioWeight,
+ BlkioWeightDevice: c.StringSlice("blkio-weight-device"),
+ CPUShares: c.Uint64("cpu-shares"),
+ CPUPeriod: c.Uint64("cpu-period"),
+ CPUsetCPUs: c.String("cpuset-cpus"),
+ CPUsetMems: c.String("cpuset-mems"),
+ CPUQuota: c.Int64("cpu-quota"),
+ CPURtPeriod: c.Uint64("cpu-rt-period"),
+ CPURtRuntime: c.Int64("cpu-rt-runtime"),
+ CPUs: c.Float64("cpus"),
+ DeviceReadBps: c.StringSlice("device-read-bps"),
+ DeviceReadIOps: c.StringSlice("device-read-iops"),
+ DeviceWriteBps: c.StringSlice("device-write-bps"),
+ DeviceWriteIOps: c.StringSlice("device-write-iops"),
+ DisableOomKiller: c.Bool("oom-kill-disable"),
+ ShmSize: shmSize,
+ Memory: memoryLimit,
+ MemoryReservation: memoryReservation,
+ MemorySwap: memorySwap,
+ MemorySwappiness: int(memorySwappiness),
+ KernelMemory: memoryKernel,
+ OomScoreAdj: c.Int("oom-score-adj"),
+ PidsLimit: c.Int64("pids-limit"),
+ Ulimit: c.StringSlice("ulimit"),
+ },
+ Rm: c.Bool("rm"),
+ StopSignal: stopSignal,
+ StopTimeout: c.Uint("stop-timeout"),
+ Sysctl: sysctl,
+ Systemd: systemd,
+ Tmpfs: c.StringSlice("tmpfs"),
+ Tty: tty,
+ User: user,
+ UsernsMode: usernsMode,
+ Mounts: mountList,
+ Volumes: c.StringArray("volume"),
+ WorkDir: workDir,
+ Rootfs: rootfs,
+ VolumesFrom: c.StringSlice("volumes-from"),
+ Syslog: c.GlobalFlags.Syslog,
+ }
+ if c.Bool("init") {
+ initPath := c.String("init-path")
+ if initPath == "" {
+ initPath = runtime.GetConfig().InitPath
+ }
+ if err := config.AddContainerInitBinary(initPath); err != nil {
+ return nil, err
+ }
+ }
+
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+ } else {
+ if err := parseSecurityOpt(config, c.StringArray("security-opt")); err != nil {
+ return nil, err
+ }
+ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
+ return nil, err
+ }
+ for _, warning := range warnings {
+ fmt.Fprintln(os.Stderr, warning)
+ }
+ return config, nil
+}
+
+type namespace interface {
+ IsContainer() bool
+ Container() string
+}
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+ if os.Geteuid() == 0 {
+ return false, 0, nil
+ }
+
+ if createConfig.Pod != "" {
+ pod, err := runtime.LookupPod(createConfig.Pod)
+ if err != nil {
+ return false, -1, err
+ }
+ inspect, err := pod.Inspect()
+ for _, ctr := range inspect.Containers {
+ prevCtr, err := runtime.LookupContainer(ctr.ID)
+ if err != nil {
+ return false, -1, err
+ }
+ s, err := prevCtr.State()
+ if err != nil {
+ return false, -1, err
+ }
+ if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+ continue
+ }
+ data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+ }
+ }
+
+ namespacesStr := []string{string(createConfig.IpcMode), string(createConfig.NetMode), string(createConfig.UsernsMode), string(createConfig.PidMode), string(createConfig.UtsMode)}
+ for _, i := range namespacesStr {
+ if cc.IsNS(i) {
+ return rootless.JoinNSPath(cc.NS(i))
+ }
+ }
+
+ namespaces := []namespace{createConfig.IpcMode, createConfig.NetMode, createConfig.UsernsMode, createConfig.PidMode, createConfig.UtsMode}
+ for _, i := range namespaces {
+ if i.IsContainer() {
+ ctr, err := runtime.LookupContainer(i.Container())
+ if err != nil {
+ return false, -1, err
+ }
+ pid, err := ctr.PID()
+ if err != nil {
+ return false, -1, err
+ }
+ if pid == 0 {
+ if createConfig.Pod != "" {
+ continue
+ }
+ return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID())
+ }
+ return rootless.JoinNS(uint(pid), 0)
+ }
+ }
+ return rootless.BecomeRootInUserNS()
+}
+
+func CreateContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateConfig, ctx context.Context, pod *libpod.Pod) (*libpod.Container, error) {
+ runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
+ if err != nil {
+ return nil, err
+ }
+
+ options, err := createConfig.GetContainerCreateOptions(r, pod)
+ if err != nil {
+ return nil, err
+ }
+ became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, r)
+ if err != nil {
+ return nil, err
+ }
+ if became {
+ os.Exit(ret)
+ }
+
+ ctr, err := r.NewContainer(ctx, runtimeSpec, options...)
+ if err != nil {
+ return nil, err
+ }
+
+ createConfigJSON, err := json.Marshal(createConfig)
+ if err != nil {
+ return nil, err
+ }
+ if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
+ return nil, err
+ }
+ return ctr, nil
+}
+
+var defaultEnvVariables = map[string]string{
+ "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM": "xterm",
+}
diff --git a/cmd/podman/create_cli.go b/cmd/podman/shared/create_cli.go
index ae0549687..4f9cb1699 100644
--- a/cmd/podman/create_cli.go
+++ b/cmd/podman/shared/create_cli.go
@@ -1,4 +1,4 @@
-package main
+package shared
import (
"fmt"
@@ -6,6 +6,7 @@ import (
"path/filepath"
"strings"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
cc "github.com/containers/libpod/pkg/spec"
"github.com/containers/libpod/pkg/sysinfo"
"github.com/docker/go-units"
@@ -19,9 +20,10 @@ const (
linuxMinMemory = 4194304
)
-func getAllLabels(labelFile, inputLabels []string) (map[string]string, error) {
+// GetAllLabels ...
+func GetAllLabels(labelFile, inputLabels []string) (map[string]string, error) {
labels := make(map[string]string)
- labelErr := readKVStrings(labels, labelFile, inputLabels)
+ labelErr := parse.ReadKVStrings(labels, labelFile, inputLabels)
if labelErr != nil {
return labels, errors.Wrapf(labelErr, "unable to process labels from --label and label-file")
}
@@ -149,12 +151,12 @@ func parseMounts(mounts []string) ([]spec.Mount, error) {
if mountInfo.Type == "tmpfs" {
return nil, errors.Errorf("cannot use src= on a tmpfs file system")
}
- if err := validateVolumeHostDir(kv[1]); err != nil {
+ if err := ValidateVolumeHostDir(kv[1]); err != nil {
return nil, err
}
mountInfo.Source = kv[1]
case "target", "dst", "destination":
- if err := validateVolumeCtrDir(kv[1]); err != nil {
+ if err := ValidateVolumeCtrDir(kv[1]); err != nil {
return nil, err
}
mountInfo.Destination = kv[1]
@@ -173,10 +175,10 @@ func parseVolumes(volumes []string) error {
if len(arr) < 2 {
return errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume)
}
- if err := validateVolumeHostDir(arr[0]); err != nil {
+ if err := ValidateVolumeHostDir(arr[0]); err != nil {
return err
}
- if err := validateVolumeCtrDir(arr[1]); err != nil {
+ if err := ValidateVolumeCtrDir(arr[1]); err != nil {
return err
}
if len(arr) > 2 {
@@ -203,7 +205,8 @@ func parseVolumesFrom(volumesFrom []string) error {
return nil
}
-func validateVolumeHostDir(hostDir string) error {
+// ValidateVolumeHostDir ...
+func ValidateVolumeHostDir(hostDir string) error {
if len(hostDir) == 0 {
return errors.Errorf("host directory cannot be empty")
}
@@ -217,7 +220,8 @@ func validateVolumeHostDir(hostDir string) error {
return nil
}
-func validateVolumeCtrDir(ctrDir string) error {
+// ValidateVolumeCtrDir ...
+func ValidateVolumeCtrDir(ctrDir string) error {
if len(ctrDir) == 0 {
return errors.Errorf("container directory cannot be empty")
}
diff --git a/cmd/podman/create_cli_test.go b/cmd/podman/shared/create_cli_test.go
index 9db007ff3..fea1a2390 100644
--- a/cmd/podman/create_cli_test.go
+++ b/cmd/podman/shared/create_cli_test.go
@@ -1,4 +1,4 @@
-package main
+package shared
import (
"io/ioutil"
@@ -42,20 +42,20 @@ func TestValidateSysctlBadSysctl(t *testing.T) {
func TestGetAllLabels(t *testing.T) {
fileLabels := []string{}
- labels, _ := getAllLabels(fileLabels, Var1)
+ labels, _ := GetAllLabels(fileLabels, Var1)
assert.Equal(t, len(labels), 2)
}
func TestGetAllLabelsBadKeyValue(t *testing.T) {
inLabels := []string{"=badValue", "="}
fileLabels := []string{}
- _, err := getAllLabels(fileLabels, inLabels)
+ _, err := GetAllLabels(fileLabels, inLabels)
assert.Error(t, err, assert.AnError)
}
func TestGetAllLabelsBadLabelFile(t *testing.T) {
fileLabels := []string{"/foobar5001/be"}
- _, err := getAllLabels(fileLabels, Var1)
+ _, err := GetAllLabels(fileLabels, Var1)
assert.Error(t, err, assert.AnError)
}
@@ -65,6 +65,6 @@ func TestGetAllLabelsFile(t *testing.T) {
defer os.Remove(tFile)
assert.NoError(t, err)
fileLabels := []string{tFile}
- result, _ := getAllLabels(fileLabels, Var1)
+ result, _ := GetAllLabels(fileLabels, Var1)
assert.Equal(t, len(result), 3)
}
diff --git a/cmd/podman/parse.go b/cmd/podman/shared/parse/parse.go
index 2e4959656..a3751835b 100644
--- a/cmd/podman/parse.go
+++ b/cmd/podman/shared/parse/parse.go
@@ -1,7 +1,7 @@
//nolint
// most of these validate and parse functions have been taken from projectatomic/docker
// and modified for cri-o
-package main
+package parse
import (
"bufio"
@@ -50,7 +50,7 @@ var (
// validateExtraHost validates that the specified string is a valid extrahost and returns it.
// ExtraHost is in the form of name:ip where the ip has to be a valid ip (ipv4 or ipv6).
// for add-host flag
-func validateExtraHost(val string) (string, error) { //nolint
+func ValidateExtraHost(val string) (string, error) { //nolint
// allow for IPv6 addresses in extra hosts by only splitting on first ":"
arr := strings.SplitN(val, ":", 2)
if len(arr) != 2 || len(arr[0]) == 0 {
@@ -140,10 +140,10 @@ func validateDNSSearch(val string) (string, error) { //nolint
if val = strings.Trim(val, " "); val == "." {
return val, nil
}
- return validateDomain(val)
+ return ValidateDomain(val)
}
-func validateDomain(val string) (string, error) {
+func ValidateDomain(val string) (string, error) {
if alphaRegexp.FindString(val) == "" {
return "", fmt.Errorf("%s is not a valid domain", val)
}
@@ -181,7 +181,7 @@ func doesEnvExist(name string) bool {
// reads a file of line terminated key=value pairs, and overrides any keys
// present in the file with additional pairs specified in the override parameter
// for env-file and labels-file flags
-func readKVStrings(env map[string]string, files []string, override []string) error {
+func ReadKVStrings(env map[string]string, files []string, override []string) error {
for _, ef := range files {
if err := parseEnvFile(env, ef); err != nil {
return err
@@ -494,9 +494,9 @@ func stringSlicetoUint32Slice(inputSlice []string) ([]uint32, error) {
return outputSlice, nil
}
-// validateFileName returns an error if filename contains ":"
+// ValidateFileName returns an error if filename contains ":"
// as it is currently not supported
-func validateFileName(filename string) error {
+func ValidateFileName(filename string) error {
if strings.Contains(filename, ":") {
return errors.Errorf("invalid filename (should not contain ':') %q", filename)
}
diff --git a/cmd/podman/shared/pod.go b/cmd/podman/shared/pod.go
index 5f65c40ac..4d936d61c 100644
--- a/cmd/podman/shared/pod.go
+++ b/cmd/podman/shared/pod.go
@@ -136,3 +136,5 @@ func CreatePortBindings(ports []string) ([]ocicni.PortMapping, error) {
}
return portBindings, nil
}
+
+var DefaultKernelNamespaces = "cgroup,ipc,net,uts"
diff --git a/cmd/podman/volume_create.go b/cmd/podman/volume_create.go
index d873f9806..8f6237272 100644
--- a/cmd/podman/volume_create.go
+++ b/cmd/podman/volume_create.go
@@ -4,6 +4,7 @@ import (
"fmt"
"github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared"
"github.com/containers/libpod/pkg/adapter"
"github.com/pkg/errors"
"github.com/spf13/cobra"
@@ -50,12 +51,12 @@ func volumeCreateCmd(c *cliconfig.VolumeCreateValues) error {
return errors.Errorf("too many arguments, create takes at most 1 argument")
}
- labels, err := getAllLabels([]string{}, c.Label)
+ labels, err := shared.GetAllLabels([]string{}, c.Label)
if err != nil {
return errors.Wrapf(err, "unable to process labels")
}
- opts, err := getAllLabels([]string{}, c.Opt)
+ opts, err := shared.GetAllLabels([]string{}, c.Opt)
if err != nil {
return errors.Wrapf(err, "unable to process options")
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c9f35dd75..3f3b22b6b 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -26,6 +26,7 @@ import (
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/idtools"
+ "github.com/cyphar/filepath-securejoin"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -366,6 +367,18 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// For private volumes any root propagation value should work.
rootPropagation := ""
for _, m := range mounts {
+ // We need to remove all symlinks from tmpfs mounts.
+ // Runc and other runtimes may choke on them.
+ // Easy solution: use securejoin to do a scoped evaluation of
+ // the links, then trim off the mount prefix.
+ if m.Type == "tmpfs" {
+ finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
+ }
+ trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
+ m.Destination = trimmedPath
+ }
g.AddMount(m)
for _, opt := range m.Options {
switch opt {
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index 451c2ebe7..02f925fc6 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/libpod/pkg/util"
"github.com/containers/storage"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
"github.com/containers/image/directory"
dockerarchive "github.com/containers/image/docker/archive"
@@ -183,6 +184,15 @@ func (r *Runtime) Import(ctx context.Context, source string, reference string, c
defer os.Remove(file)
source = file
}
+ // if it's stdin, buffer it, too
+ if source == "-" {
+ file, err := downloadFromFile(os.Stdin)
+ if err != nil {
+ return "", err
+ }
+ defer os.Remove(file)
+ source = file
+ }
newImage, err := r.imageRuntime.Import(ctx, source, reference, writer, image.SigningOptions{}, config)
if err != nil {
@@ -216,6 +226,25 @@ func downloadFromURL(source string) (string, error) {
return outFile.Name(), nil
}
+// donwloadFromFile reads all of the content from the reader and temporarily
+// saves in it /var/tmp/importxyz, which is deleted after the image is imported
+func downloadFromFile(reader *os.File) (string, error) {
+ outFile, err := ioutil.TempFile("/var/tmp", "import")
+ if err != nil {
+ return "", errors.Wrap(err, "error creating file")
+ }
+ defer outFile.Close()
+
+ logrus.Debugf("saving %s to %s", reader.Name(), outFile.Name())
+
+ _, err = io.Copy(outFile, reader)
+ if err != nil {
+ return "", errors.Wrapf(err, "error saving %s to %s", reader.Name(), outFile.Name())
+ }
+
+ return outFile.Name(), nil
+}
+
// LoadImage loads a container image into local storage
func (r *Runtime) LoadImage(ctx context.Context, name, inputFile string, writer io.Writer, signaturePolicy string) (string, error) {
var newImages []*image.Image
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 28a636fa6..32d47732b 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -454,10 +454,6 @@ func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
}
func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
- if config.PidMode.IsHost() && rootless.IsRootless() {
- return
- }
-
if !config.Privileged {
for _, mp := range []string{
"/proc/acpi",
@@ -469,10 +465,15 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
+ "/sys/fs/selinux",
} {
g.AddLinuxMaskedPaths(mp)
}
+ if config.PidMode.IsHost() && rootless.IsRootless() {
+ return
+ }
+
for _, rp := range []string{
"/proc/asound",
"/proc/bus",