summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xAPI.md2
-rw-r--r--cmd/podman/cliconfig/config.go1
-rw-r--r--cmd/podman/libpodruntime/runtime.go19
-rw-r--r--cmd/podman/pod_create.go1
-rw-r--r--cmd/podman/varlink.go2
-rw-r--r--cmd/podman/varlink/io.podman.varlink3
-rw-r--r--cmd/podman/volume_create.go1
-rw-r--r--cmd/podman/volume_inspect.go24
-rw-r--r--docs/podman-build.1.md24
-rw-r--r--docs/podman-create.1.md21
-rw-r--r--docs/podman-run.1.md11
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--libpod/oci.go2
-rw-r--r--libpod/oci_internal_linux.go12
-rw-r--r--libpod/options.go71
-rw-r--r--libpod/pod.go2
-rw-r--r--libpod/runtime.go4
-rw-r--r--libpod/runtime_pod_infra_linux.go4
-rw-r--r--libpod/runtime_pod_linux.go4
-rw-r--r--libpod/runtime_volume_linux.go7
-rw-r--r--libpod/volume.go46
-rw-r--r--libpod/volume_inspect.go70
-rw-r--r--pkg/adapter/pods.go10
-rw-r--r--pkg/adapter/runtime.go14
-rw-r--r--pkg/adapter/runtime_remote.go1
-rw-r--r--pkg/adapter/volumes_remote.go2
-rw-r--r--pkg/varlinkapi/volumes.go1
-rw-r--r--test/e2e/play_kube_test.go54
-rw-r--r--test/e2e/run_selinux_test.go12
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go18
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go14
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go13
-rw-r--r--vendor/modules.txt2
34 files changed, 374 insertions, 104 deletions
diff --git a/API.md b/API.md
index 4afa18b45..8d53a77d3 100755
--- a/API.md
+++ b/API.md
@@ -1981,8 +1981,6 @@ mountPoint [string](https://godoc.org/builtin#string)
driver [string](https://godoc.org/builtin#string)
options [map[string]](#map[string])
-
-scope [string](https://godoc.org/builtin#string)
### <a name="VolumeCreateOpts"></a>type VolumeCreateOpts
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
index f7c78908f..e7ad921da 100644
--- a/cmd/podman/cliconfig/config.go
+++ b/cmd/podman/cliconfig/config.go
@@ -300,6 +300,7 @@ type PodCreateValues struct {
LabelFile []string
Labels []string
Name string
+ Hostname string
PodIDFile string
Publish []string
Share string
diff --git a/cmd/podman/libpodruntime/runtime.go b/cmd/podman/libpodruntime/runtime.go
index ee9e57966..a133549ea 100644
--- a/cmd/podman/libpodruntime/runtime.go
+++ b/cmd/podman/libpodruntime/runtime.go
@@ -15,25 +15,30 @@ import (
// GetRuntimeMigrate gets a libpod runtime that will perform a migration of existing containers
func GetRuntimeMigrate(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, true, false)
+ return getRuntime(ctx, c, false, true, false, true)
+}
+
+// GetRuntimeDisableFDs gets a libpod runtime that will disable sd notify
+func GetRuntimeDisableFDs(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
+ return getRuntime(ctx, c, false, false, false, false)
}
// GetRuntimeRenumber gets a libpod runtime that will perform a lock renumber
func GetRuntimeRenumber(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, true, false, false)
+ return getRuntime(ctx, c, true, false, false, true)
}
// GetRuntime generates a new libpod runtime configured by command line options
func GetRuntime(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, false, false)
+ return getRuntime(ctx, c, false, false, false, true)
}
// GetRuntimeNoStore generates a new libpod runtime configured by command line options
func GetRuntimeNoStore(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, false, true)
+ return getRuntime(ctx, c, false, false, true, true)
}
-func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migrate, noStore bool) (*libpod.Runtime, error) {
+func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migrate, noStore, withFDS bool) (*libpod.Runtime, error) {
options := []libpod.RuntimeOption{}
storageOpts := storage.StoreOptions{}
storageSet := false
@@ -165,6 +170,10 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migra
infraCommand, _ := c.Flags().GetString("infra-command")
options = append(options, libpod.WithDefaultInfraCommand(infraCommand))
}
+
+ if withFDS {
+ options = append(options, libpod.WithEnableSDNotify())
+ }
if c.Flags().Changed("config") {
return libpod.NewRuntimeFromConfig(ctx, c.GlobalFlags.Config, options...)
}
diff --git a/cmd/podman/pod_create.go b/cmd/podman/pod_create.go
index d04c85dba..ad3c00aa8 100644
--- a/cmd/podman/pod_create.go
+++ b/cmd/podman/pod_create.go
@@ -52,6 +52,7 @@ func init() {
flags.StringSliceVar(&podCreateCommand.LabelFile, "label-file", []string{}, "Read in a line delimited file of labels")
flags.StringSliceVarP(&podCreateCommand.Labels, "label", "l", []string{}, "Set metadata on pod (default [])")
flags.StringVarP(&podCreateCommand.Name, "name", "n", "", "Assign a name to the pod")
+ flags.StringVarP(&podCreateCommand.Hostname, "hostname", "", "", "Set a hostname to the pod")
flags.StringVar(&podCreateCommand.PodIDFile, "pod-id-file", "", "Write the pod ID to the file")
flags.StringSliceVarP(&podCreateCommand.Publish, "publish", "p", []string{}, "Publish a container's port, or a range of ports, to the host (default [])")
flags.StringVar(&podCreateCommand.Share, "share", shared.DefaultKernelNamespaces, "A comma delimited list of kernel namespaces the pod will share")
diff --git a/cmd/podman/varlink.go b/cmd/podman/varlink.go
index 92315cd6b..5f89534be 100644
--- a/cmd/podman/varlink.go
+++ b/cmd/podman/varlink.go
@@ -79,7 +79,7 @@ func varlinkCmd(c *cliconfig.VarlinkValues) error {
timeout := time.Duration(c.Timeout) * time.Millisecond
// Create a single runtime for varlink
- runtime, err := libpodruntime.GetRuntime(getContext(), &c.PodmanCommand)
+ runtime, err := libpodruntime.GetRuntimeDisableFDs(getContext(), &c.PodmanCommand)
if err != nil {
return errors.Wrapf(err, "error creating libpod runtime")
}
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index 2e7dee94d..08a69275e 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -7,8 +7,7 @@ type Volume (
labels: [string]string,
mountPoint: string,
driver: string,
- options: [string]string,
- scope: string
+ options: [string]string
)
type NotImplemented (
diff --git a/cmd/podman/volume_create.go b/cmd/podman/volume_create.go
index 0897ab705..617f701a4 100644
--- a/cmd/podman/volume_create.go
+++ b/cmd/podman/volume_create.go
@@ -38,7 +38,6 @@ func init() {
flags.StringVar(&volumeCreateCommand.Driver, "driver", "", "Specify volume driver name (default local)")
flags.StringSliceVarP(&volumeCreateCommand.Label, "label", "l", []string{}, "Set metadata for a volume (default [])")
flags.StringSliceVarP(&volumeCreateCommand.Opt, "opt", "o", []string{}, "Set driver specific options (default [])")
-
}
func volumeCreateCmd(c *cliconfig.VolumeCreateValues) error {
diff --git a/cmd/podman/volume_inspect.go b/cmd/podman/volume_inspect.go
index 1ebc5ce60..94c99a58c 100644
--- a/cmd/podman/volume_inspect.go
+++ b/cmd/podman/volume_inspect.go
@@ -1,6 +1,9 @@
package main
import (
+ "fmt"
+
+ "github.com/containers/buildah/pkg/formats"
"github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/pkg/adapter"
"github.com/pkg/errors"
@@ -53,5 +56,24 @@ func volumeInspectCmd(c *cliconfig.VolumeInspectValues) error {
if err != nil {
return err
}
- return generateVolLsOutput(vols, volumeLsOptions{Format: c.Format})
+
+ switch c.Format {
+ case "", formats.JSONString:
+ // Normal format - JSON string
+ jsonOut, err := json.MarshalIndent(vols, "", " ")
+ if err != nil {
+ return errors.Wrapf(err, "error marshalling inspect JSON")
+ }
+ fmt.Println(string(jsonOut))
+ default:
+ // It's a Go template.
+ interfaces := make([]interface{}, len(vols))
+ for i, vol := range vols {
+ interfaces[i] = vol
+ }
+ out := formats.StdoutTemplateArray{Output: interfaces, Template: c.Format}
+ return out.Out()
+ }
+
+ return nil
}
diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md
index 878b31080..8deb8811e 100644
--- a/docs/podman-build.1.md
+++ b/docs/podman-build.1.md
@@ -375,18 +375,18 @@ to podman build, the option given would be `--runtime-flag log-format=json`.
Security Options
- "label=user:USER" : Set the label user for the container
- "label=role:ROLE" : Set the label role for the container
- "label=type:TYPE" : Set the label type for the container
- "label=level:LEVEL" : Set the label level for the container
- "label=disable" : Turn off label confinement for the container
- "no-new-privileges" : Not supported
-
- "seccomp=unconfined" : Turn off seccomp confinement for the container
- "seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter
-
- "apparmor=unconfined" : Turn off apparmor confinement for the container
- "apparmor=your-profile" : Set the apparmor confinement profile for the container
+- `apparmor=unconfined` : Turn off apparmor confinement for the container
+- `apparmor=your-profile` : Set the apparmor confinement profile for the container
+
+- `label=user:USER` : Set the label user for the container processes
+- `label=role:ROLE` : Set the label role for the container processes
+- `label=type:TYPE` : Set the label process type for the container processes
+- `label=level:LEVEL` : Set the label level for the container processes
+- `label=filetype:TYPE` : Set the label file type for the container files
+- `label=disable` : Turn off label separation for the container
+
+- `seccomp=unconfined` : Turn off seccomp confinement for the container
+- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter
**--shm-size**=*size*
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 1377f2a03..7634408f5 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -640,19 +640,20 @@ of the container is assumed to be managed externally.
Security Options
-"apparmor=unconfined" : Turn off apparmor confinement for the container
-"apparmor=your-profile" : Set the apparmor confinement profile for the container
+- `apparmor=unconfined` : Turn off apparmor confinement for the container
+- `apparmor=your-profile` : Set the apparmor confinement profile for the container
-"label=user:USER" : Set the label user for the container
-"label=role:ROLE" : Set the label role for the container
-"label=type:TYPE" : Set the label type for the container
-"label=level:LEVEL" : Set the label level for the container
-"label=disable" : Turn off label confinement for the container
+- `label=user:USER` : Set the label user for the container processes
+- `label=role:ROLE` : Set the label role for the container processes
+- `label=type:TYPE` : Set the label process type for the container processes
+- `label=level:LEVEL` : Set the label level for the container processes
+- `label=filetype:TYPE` : Set the label file type for the container files
+- `label=disable` : Turn off label separation for the container
-"no-new-privileges" : Disable container processes from gaining additional privileges
+- `no-new-privileges` : Disable container processes from gaining additional privileges
-"seccomp=unconfined" : Turn off seccomp confinement for the container
-"seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter
+- `seccomp=unconfined` : Turn off seccomp confinement for the container
+- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter
Note: Labeling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file.
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 2445df566..33b5cbf9e 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -665,11 +665,12 @@ Security Options
- `apparmor=unconfined` : Turn off apparmor confinement for the container
- `apparmor=your-profile` : Set the apparmor confinement profile for the container
-- `label=user:USER` : Set the label user for the container
-- `label=role:ROLE` : Set the label role for the container
-- `label=type:TYPE` : Set the label type for the container
-- `label=level:LEVEL` : Set the label level for the container
-- `label=disable` : Turn off label confinement for the container
+- `label=user:USER` : Set the label user for the container processes
+- `label=role:ROLE` : Set the label role for the container processes
+- `label=type:TYPE` : Set the label process type for the container processes
+- `label=level:LEVEL` : Set the label level for the container processes
+- `label=filetype:TYPE` : Set the label file type for the container files
+- `label=disable` : Turn off label separation for the container
- `no-new-privileges` : Disable container processes from gaining additional privileges
diff --git a/go.mod b/go.mod
index 00e1c1cf4..5f3b3ea66 100644
--- a/go.mod
+++ b/go.mod
@@ -69,7 +69,7 @@ require (
github.com/opencontainers/runc v1.0.0-rc8
github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7
github.com/opencontainers/runtime-tools v0.9.0
- github.com/opencontainers/selinux v1.2.2
+ github.com/opencontainers/selinux v1.3.0
github.com/opentracing/opentracing-go v1.1.0
github.com/pelletier/go-toml v1.4.0 // indirect
github.com/pkg/errors v0.8.1
diff --git a/go.sum b/go.sum
index f09083eb7..e837f0efc 100644
--- a/go.sum
+++ b/go.sum
@@ -394,6 +394,8 @@ github.com/opencontainers/selinux v0.0.0-20190118194635-b707dfcb00a1 h1:V8Icxoi2
github.com/opencontainers/selinux v0.0.0-20190118194635-b707dfcb00a1/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4FtGEe8bFg=
github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g=
+github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
github.com/openshift/imagebuilder v1.1.0 h1:oT704SkwMEzmIMU/+Uv1Wmvt+p10q3v2WuYMeFI18c4=
github.com/openshift/imagebuilder v1.1.0/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
github.com/opentracing/opentracing-go v0.0.0-20190218023034-25a84ff92183 h1:kwFCLTA0DYhH0JpGMBOZtVVhyRL5ec+unn4mnoJhQI0=
@@ -440,6 +442,8 @@ github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNG
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/prometheus/tsdb v0.8.0/go.mod h1:fSI0j+IUQrDd7+ZtR9WKIGtoYAYAJUKcKhYLG25tN4g=
+github.com/rhatdan/oci-selinux v0.0.0-20190809194358-225b95ae1d0b h1:9CE1lDQ/YC1deOJE/elAI+nbE1OzOxSvrs6JXwyn+1s=
+github.com/rhatdan/oci-selinux v0.0.0-20190809194358-225b95ae1d0b/go.mod h1:T/CPBeRZLtTvck9OtpX3PGw/uDABnTuRPhyTacu5aSo=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
diff --git a/libpod/oci.go b/libpod/oci.go
index 2eb004b84..4ba3114e3 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -60,6 +60,7 @@ type OCIRuntime struct {
noPivot bool
reservePorts bool
supportsJSON bool
+ sdNotify bool
}
// ociError is used to parse the OCI runtime JSON log. It is not part of the
@@ -87,6 +88,7 @@ func newOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *R
runtime.logSizeMax = runtimeCfg.MaxLogSize
runtime.noPivot = runtimeCfg.NoPivotRoot
runtime.reservePorts = runtimeCfg.EnablePortReservation
+ runtime.sdNotify = runtimeCfg.SDNotify
// TODO: probe OCI runtime for feature and enable automatically if
// available.
diff --git a/libpod/oci_internal_linux.go b/libpod/oci_internal_linux.go
index e2c73f5ed..6e4ee2cf2 100644
--- a/libpod/oci_internal_linux.go
+++ b/libpod/oci_internal_linux.go
@@ -247,10 +247,14 @@ func (r *OCIRuntime) configureConmonEnv(runtimeDir string) ([]string, []*os.File
if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok {
env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify))
}
- if listenfds, ok := os.LookupEnv("LISTEN_FDS"); ok {
- env = append(env, fmt.Sprintf("LISTEN_FDS=%s", listenfds), "LISTEN_PID=1")
- fds := activation.Files(false)
- extraFiles = append(extraFiles, fds...)
+ if !r.sdNotify {
+ if listenfds, ok := os.LookupEnv("LISTEN_FDS"); ok {
+ env = append(env, fmt.Sprintf("LISTEN_FDS=%s", listenfds), "LISTEN_PID=1")
+ fds := activation.Files(false)
+ extraFiles = append(extraFiles, fds...)
+ }
+ } else {
+ logrus.Debug("disabling SD notify")
}
return env, extraFiles, nil
}
diff --git a/libpod/options.go b/libpod/options.go
index 7fbd0016a..a7ddbec34 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -482,6 +482,15 @@ func WithEventsLogger(logger string) RuntimeOption {
}
}
+// WithEnableSDNotify sets a runtime option so we know whether to disable socket/FD
+// listening
+func WithEnableSDNotify() RuntimeOption {
+ return func(rt *Runtime) error {
+ rt.config.SDNotify = true
+ return nil
+ }
+}
+
// Container Creation Options
// WithShmDir sets the directory that should be mounted on /dev/shm.
@@ -1362,6 +1371,17 @@ func WithNamedVolumes(volumes []*ContainerNamedVolume) CtrCreateOption {
}
}
+// WithHealthCheck adds the healthcheck to the container config
+func WithHealthCheck(healthCheck *manifest.Schema2HealthConfig) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.HealthCheckConfig = healthCheck
+ return nil
+ }
+}
+
// Volume Creation Options
// WithVolumeName sets the name of the volume.
@@ -1381,30 +1401,30 @@ func WithVolumeName(name string) VolumeCreateOption {
}
}
-// WithVolumeLabels sets the labels of the volume.
-func WithVolumeLabels(labels map[string]string) VolumeCreateOption {
+// WithVolumeDriver sets the volume's driver.
+// It is presently not implemented, but will be supported in a future Podman
+// release.
+func WithVolumeDriver(driver string) VolumeCreateOption {
return func(volume *Volume) error {
if volume.valid {
return define.ErrVolumeFinalized
}
- volume.config.Labels = make(map[string]string)
- for key, value := range labels {
- volume.config.Labels[key] = value
- }
-
- return nil
+ return define.ErrNotImplemented
}
}
-// WithVolumeDriver sets the driver of the volume.
-func WithVolumeDriver(driver string) VolumeCreateOption {
+// WithVolumeLabels sets the labels of the volume.
+func WithVolumeLabels(labels map[string]string) VolumeCreateOption {
return func(volume *Volume) error {
if volume.valid {
return define.ErrVolumeFinalized
}
- volume.config.Driver = driver
+ volume.config.Labels = make(map[string]string)
+ for key, value := range labels {
+ volume.config.Labels[key] = value
+ }
return nil
}
@@ -1488,6 +1508,24 @@ func WithPodName(name string) PodCreateOption {
}
}
+// WithPodHostname sets the hostname of the pod.
+func WithPodHostname(hostname string) PodCreateOption {
+ return func(pod *Pod) error {
+ if pod.valid {
+ return define.ErrPodFinalized
+ }
+
+ // Check the hostname against a regex
+ if !nameRegex.MatchString(hostname) {
+ return regexError
+ }
+
+ pod.config.Hostname = hostname
+
+ return nil
+ }
+}
+
// WithPodLabels sets the labels of a pod.
func WithPodLabels(labels map[string]string) PodCreateOption {
return func(pod *Pod) error {
@@ -1673,14 +1711,3 @@ func WithInfraContainerPorts(bindings []ocicni.PortMapping) PodCreateOption {
return nil
}
}
-
-// WithHealthCheck adds the healthcheck to the container config
-func WithHealthCheck(healthCheck *manifest.Schema2HealthConfig) CtrCreateOption {
- return func(ctr *Container) error {
- if ctr.valid {
- return define.ErrCtrFinalized
- }
- ctr.config.HealthCheckConfig = healthCheck
- return nil
- }
-}
diff --git a/libpod/pod.go b/libpod/pod.go
index 60626bfd7..3b9bb9c60 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -36,6 +36,8 @@ type PodConfig struct {
// Namespace the pod is in
Namespace string `json:"namespace,omitempty"`
+ Hostname string `json:"hostname,omitempty"`
+
// Labels contains labels applied to the pod
Labels map[string]string `json:"labels"`
// CgroupParent contains the pod's CGroup parent
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 8a4eee081..2fa8dd424 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -252,6 +252,10 @@ type RuntimeConfig struct {
EventsLogFilePath string `toml:"-events_logfile_path"`
//DetachKeys is the sequence of keys used to detach a container
DetachKeys string `toml:"detach_keys"`
+
+ // SDNotify tells Libpod to allow containers to notify the host
+ // systemd of readiness using the SD_NOTIFY mechanism
+ SDNotify bool
}
// runtimeConfiguredFrom is a struct used during early runtime init to help
diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go
index 5387eb587..ad6662f03 100644
--- a/libpod/runtime_pod_infra_linux.go
+++ b/libpod/runtime_pod_infra_linux.go
@@ -31,8 +31,8 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, imgID
return nil, err
}
- // Set Pod hostname as Pod name
- g.Config.Hostname = p.config.Name
+ // Set Pod hostname
+ g.Config.Hostname = p.config.Hostname
isRootless := rootless.IsRootless()
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index f38e6e7c1..073c5054d 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -52,6 +52,10 @@ func (r *Runtime) NewPod(ctx context.Context, options ...PodCreateOption) (_ *Po
pod.config.Name = name
}
+ if pod.config.Hostname == "" {
+ pod.config.Hostname = pod.config.Name
+ }
+
// Allocate a lock for the pod
lock, err := r.lockManager.AllocateLock()
if err != nil {
diff --git a/libpod/runtime_volume_linux.go b/libpod/runtime_volume_linux.go
index ac6fd02c3..84703787d 100644
--- a/libpod/runtime_volume_linux.go
+++ b/libpod/runtime_volume_linux.go
@@ -7,6 +7,7 @@ import (
"os"
"path/filepath"
"strings"
+ "time"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/libpod/events"
@@ -42,14 +43,10 @@ func (r *Runtime) newVolume(ctx context.Context, options ...VolumeCreateOption)
if volume.config.Name == "" {
volume.config.Name = stringid.GenerateNonCryptoID()
}
- // TODO: support for other volume drivers
if volume.config.Driver == "" {
volume.config.Driver = "local"
}
- // TODO: determine when the scope is global and set it to that
- if volume.config.Scope == "" {
- volume.config.Scope = "local"
- }
+ volume.config.CreatedTime = time.Now()
// Create the mountpoint of this volume
volPathRoot := filepath.Join(r.config.VolumePath, volume.config.Name)
diff --git a/libpod/volume.go b/libpod/volume.go
index 9ed2ff087..74126b49b 100644
--- a/libpod/volume.go
+++ b/libpod/volume.go
@@ -1,5 +1,9 @@
package libpod
+import (
+ "time"
+)
+
// Volume is the type used to create named volumes
// TODO: all volumes should be created using this and the Volume API
type Volume struct {
@@ -15,10 +19,10 @@ type VolumeConfig struct {
Name string `json:"name"`
Labels map[string]string `json:"labels"`
- MountPoint string `json:"mountPoint"`
Driver string `json:"driver"`
+ MountPoint string `json:"mountPoint"`
+ CreatedTime time.Time `json:"createdAt,omitempty"`
Options map[string]string `json:"options"`
- Scope string `json:"scope"`
IsCtrSpecific bool `json:"ctrSpecific"`
UID int `json:"uid"`
GID int `json:"gid"`
@@ -29,6 +33,18 @@ func (v *Volume) Name() string {
return v.config.Name
}
+// Driver retrieves the volume's driver.
+func (v *Volume) Driver() string {
+ return v.config.Driver
+}
+
+// Scope retrieves the volume's scope.
+// Libpod does not implement volume scoping, and this is provided solely for
+// Docker compatibility. It returns only "local".
+func (v *Volume) Scope() string {
+ return "local"
+}
+
// Labels returns the volume's labels
func (v *Volume) Labels() map[string]string {
labels := make(map[string]string)
@@ -43,11 +59,6 @@ func (v *Volume) MountPoint() string {
return v.config.MountPoint
}
-// Driver returns the volume's driver
-func (v *Volume) Driver() string {
- return v.config.Driver
-}
-
// Options return the volume's options
func (v *Volume) Options() map[string]string {
options := make(map[string]string)
@@ -58,14 +69,25 @@ func (v *Volume) Options() map[string]string {
return options
}
-// Scope returns the scope of the volume
-func (v *Volume) Scope() string {
- return v.config.Scope
-}
-
// IsCtrSpecific returns whether this volume was created specifically for a
// given container. Images with this set to true will be removed when the
// container is removed with the Volumes parameter set to true.
func (v *Volume) IsCtrSpecific() bool {
return v.config.IsCtrSpecific
}
+
+// UID returns the UID the volume will be created as.
+func (v *Volume) UID() int {
+ return v.config.UID
+}
+
+// GID returns the GID the volume will be created as.
+func (v *Volume) GID() int {
+ return v.config.GID
+}
+
+// CreatedTime returns the time the volume was created at. It was not tracked
+// for some time, so older volumes may not contain one.
+func (v *Volume) CreatedTime() time.Time {
+ return v.config.CreatedTime
+}
diff --git a/libpod/volume_inspect.go b/libpod/volume_inspect.go
new file mode 100644
index 000000000..87ed9d340
--- /dev/null
+++ b/libpod/volume_inspect.go
@@ -0,0 +1,70 @@
+package libpod
+
+import (
+ "time"
+
+ "github.com/containers/libpod/libpod/define"
+)
+
+// InspectVolumeData is the output of Inspect() on a volume. It is matched to
+// the format of 'docker volume inspect'.
+type InspectVolumeData struct {
+ // Name is the name of the volume.
+ Name string `json:"Name"`
+ // Driver is the driver used to create the volume.
+ // This will be properly implemented in a future version.
+ Driver string `json:"Driver"`
+ // Mountpoint is the path on the host where the volume is mounted.
+ Mountpoint string `json:"Mountpoint"`
+ // CreatedAt is the date and time the volume was created at. This is not
+ // stored for older Libpod volumes; if so, it will be omitted.
+ CreatedAt time.Time `json:"CreatedAt,omitempty"`
+ // Status is presently unused and provided only for Docker compatibility.
+ // In the future it will be used to return information on the volume's
+ // current state.
+ Status map[string]string `json:"Status,omitempty"`
+ // Labels includes the volume's configured labels, key:value pairs that
+ // can be passed during volume creation to provide information for third
+ // party tools.
+ Labels map[string]string `json:"Labels"`
+ // Scope is unused and provided solely for Docker compatibility. It is
+ // unconditionally set to "local".
+ Scope string `json:"Scope"`
+ // Options is a set of options that were used when creating the volume.
+ // It is presently not used.
+ Options map[string]string `json:"Options"`
+ // UID is the UID that the volume was created with.
+ UID int `json:"UID,omitempty"`
+ // GID is the GID that the volume was created with.
+ GID int `json:"GID,omitempty"`
+ // ContainerSpecific indicates that the volume was created as part of a
+ // specific container, and will be removed when that container is
+ // removed.
+ ContainerSpecific bool `json:"ContainerSpecific,omitempty"`
+}
+
+// Inspect provides detailed information about the configuration of the given
+// volume.
+func (v *Volume) Inspect() (*InspectVolumeData, error) {
+ if !v.valid {
+ return nil, define.ErrVolumeRemoved
+ }
+
+ data := new(InspectVolumeData)
+
+ data.Name = v.config.Name
+ data.Driver = v.config.Driver
+ data.Mountpoint = v.config.MountPoint
+ data.CreatedAt = v.config.CreatedTime
+ data.Labels = make(map[string]string)
+ for k, v := range v.config.Labels {
+ data.Labels[k] = v
+ }
+ data.Scope = v.Scope()
+ data.Options = make(map[string]string)
+ data.UID = v.config.UID
+ data.GID = v.config.GID
+ data.ContainerSpecific = v.config.IsCtrSpecific
+
+ return data, nil
+}
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index 1dd72babf..ded805de2 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -256,6 +256,10 @@ func (r *LocalRuntime) CreatePod(ctx context.Context, cli *cliconfig.PodCreateVa
options = append(options, libpod.WithPodName(cli.Name))
}
+ if cli.Flag("hostname").Changed {
+ options = append(options, libpod.WithPodHostname(cli.Hostname))
+ }
+
if cli.Infra {
options = append(options, libpod.WithInfraContainer())
nsOptions, err := shared.GetNamespaceOptions(strings.Split(cli.Share, ","))
@@ -476,6 +480,12 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
podOptions = append(podOptions, libpod.WithPodName(podName))
// TODO for now we just used the default kernel namespaces; we need to add/subtract this from yaml
+ hostname := podYAML.Spec.Hostname
+ if hostname == "" {
+ hostname = podName
+ }
+ podOptions = append(podOptions, libpod.WithPodHostname(hostname))
+
nsOptions, err := shared.GetNamespaceOptions(strings.Split(shared.DefaultKernelNamespaces, ","))
if err != nil {
return nil, err
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index ba988aaf7..7d4f97b28 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -210,7 +210,7 @@ func (r *LocalRuntime) Push(ctx context.Context, srcName, destination, manifestM
}
// InspectVolumes returns a slice of volumes based on an arg list or --all
-func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeInspectValues) ([]*Volume, error) {
+func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeInspectValues) ([]*libpod.InspectVolumeData, error) {
var (
volumes []*libpod.Volume
err error
@@ -230,7 +230,17 @@ func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeIn
if err != nil {
return nil, err
}
- return libpodVolumeToVolume(volumes), nil
+
+ inspectVols := make([]*libpod.InspectVolumeData, 0, len(volumes))
+ for _, vol := range volumes {
+ inspectOut, err := vol.Inspect()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error inspecting volume %s", vol.Name())
+ }
+ inspectVols = append(inspectVols, inspectOut)
+ }
+
+ return inspectVols, nil
}
// Volumes returns a slice of localruntime volumes
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index 420c9d0bb..f4eb926c9 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -669,7 +669,6 @@ func varlinkVolumeToVolume(r *LocalRuntime, volumes []iopodman.Volume) []*Volume
MountPoint: v.MountPoint,
Driver: v.Driver,
Options: v.Options,
- Scope: v.Scope,
}
n := remoteVolume{
Runtime: r,
diff --git a/pkg/adapter/volumes_remote.go b/pkg/adapter/volumes_remote.go
index beacd943a..58f9ba625 100644
--- a/pkg/adapter/volumes_remote.go
+++ b/pkg/adapter/volumes_remote.go
@@ -29,5 +29,5 @@ func (v *Volume) MountPoint() string {
// Scope returns the scope for an adapter.volume
func (v *Volume) Scope() string {
- return v.config.Scope
+ return "local"
}
diff --git a/pkg/varlinkapi/volumes.go b/pkg/varlinkapi/volumes.go
index 19ba38e7c..6dd86d831 100644
--- a/pkg/varlinkapi/volumes.go
+++ b/pkg/varlinkapi/volumes.go
@@ -68,7 +68,6 @@ func (i *LibpodAPI) GetVolumes(call iopodman.VarlinkCall, args []string, all boo
MountPoint: v.MountPoint(),
Name: v.Name(),
Options: v.Options(),
- Scope: v.Scope(),
}
volumes = append(volumes, newVol)
}
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index b0a9f2ead..af3cab379 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -21,6 +21,7 @@ metadata:
app: {{ .Name }}
name: {{ .Name }}
spec:
+ hostname: {{ .Hostname }}
containers:
{{ with .Containers }}
{{ range . }}
@@ -66,6 +67,7 @@ status: {}
type Pod struct {
Name string
+ Hostname string
Containers []Container
}
@@ -78,13 +80,13 @@ type Container struct {
CapDrop []string
}
-func generateKubeYaml(ctrs []Container, fileName string) error {
+func generateKubeYaml(name string, hostname string, ctrs []Container, fileName string) error {
f, err := os.Create(fileName)
if err != nil {
return err
}
defer f.Close()
- testPod := Pod{"test", ctrs}
+ testPod := Pod{name, hostname, ctrs}
t, err := template.New("pod").Parse(yamlTemplate)
if err != nil {
@@ -127,7 +129,7 @@ var _ = Describe("Podman generate kube", func() {
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
- err := generateKubeYaml([]Container{testContainer}, tempFile)
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", tempFile})
@@ -146,7 +148,7 @@ var _ = Describe("Podman generate kube", func() {
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
- err := generateKubeYaml([]Container{testContainer}, tempFile)
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", tempFile})
@@ -164,6 +166,46 @@ var _ = Describe("Podman generate kube", func() {
Expect(inspect.OutputToString()).To(ContainSubstring("hello"))
})
+ It("podman play kube test hostname", func() {
+ podName := "test"
+ ctrName := "testCtr"
+ ctrCmd := []string{"top"}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml(podName, "", []Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName, "--format", "{{ .Config.Hostname }}"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ Expect(inspect.OutputToString()).To(Equal(podName))
+ })
+
+ It("podman play kube test with customized hostname", func() {
+ hostname := "myhostname"
+ ctrName := "testCtr"
+ ctrCmd := []string{"top"}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml("test", hostname, []Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName, "--format", "{{ .Config.Hostname }}"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ Expect(inspect.OutputToString()).To(Equal(hostname))
+ })
+
It("podman play kube cap add", func() {
ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"}
@@ -171,7 +213,7 @@ var _ = Describe("Podman generate kube", func() {
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
- err := generateKubeYaml([]Container{testContainer}, tempFile)
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", tempFile})
@@ -191,7 +233,7 @@ var _ = Describe("Podman generate kube", func() {
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
- err := generateKubeYaml([]Container{testContainer}, tempFile)
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", tempFile})
diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
index a2228411e..dfe71531a 100644
--- a/test/e2e/run_selinux_test.go
+++ b/test/e2e/run_selinux_test.go
@@ -153,4 +153,16 @@ var _ = Describe("Podman run", func() {
Expect(match).Should(BeTrue())
})
+ It("podman run selinux file type setup test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("container_var_lib_t")
+ Expect(match).Should(BeTrue())
+
+ session = podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(127))
+ })
+
})
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 1eb9a6bf2..2730fcf4a 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -13,11 +13,12 @@ import (
// Valid Label Options
var validOptions = map[string]bool{
- "disable": true,
- "type": true,
- "user": true,
- "role": true,
- "level": true,
+ "disable": true,
+ "type": true,
+ "filetype": true,
+ "user": true,
+ "role": true,
+ "level": true,
}
var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
return "", mountLabel, nil
}
if i := strings.Index(opt, ":"); i == -1 {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
}
+ if con[0] == "filetype" {
+ mcon["type"] = con[1]
+ }
pcon[con[0]] = con[1]
if con[0] == "level" || con[0] == "user" {
mcon[con[0]] = con[1]
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index d7786c33c..2d4e9f890 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -18,6 +18,7 @@ import (
"strings"
"sync"
"syscall"
+ "golang.org/x/sys/unix"
)
const (
@@ -392,6 +393,14 @@ func SetExecLabel(label string) error {
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
}
+/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
+}
+
// SetSocketLabel takes a process label and tells the kernel to assign the
// label to the next socket that gets created
func SetSocketLabel(label string) error {
@@ -403,6 +412,11 @@ func SocketLabel() (string, error) {
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 79b005d19..0c2e1cd38 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -97,6 +97,14 @@ func SetExecLabel(label string) error {
}
/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return nil
+}
+
+/*
SetSocketLabel sets the SELinux label that the kernel will use for any programs
that are executed by the current process thread, or an error.
*/
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
return "", nil
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return "", nil
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index efb7d99da..c4a410be6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -365,7 +365,7 @@ github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/filepath
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/error
-# github.com/opencontainers/selinux v1.2.2
+# github.com/opencontainers/selinux v1.3.0
github.com/opencontainers/selinux/go-selinux/label
github.com/opencontainers/selinux/go-selinux
# github.com/openshift/imagebuilder v1.1.0