-rw-r--r-- | cmd/podman/registry/remote.go | 5 | ||||
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 14 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 9 | ||||
-rw-r--r-- | pkg/domain/infra/abi/system.go | 7 | ||||
-rw-r--r-- | pkg/specgen/container_validate.go | 3 | ||||
-rw-r--r-- | test/e2e/trust_test.go | 9 |
6 files changed, 30 insertions, 17 deletions
diff --git a/cmd/podman/registry/remote.go b/cmd/podman/registry/remote.go
index 9b7523ac0..78b820269 100644
--- a/cmd/podman/registry/remote.go
+++ b/cmd/podman/registry/remote.go
@@ -15,13 +15,14 @@ var remoteFromCLI = struct {
 }{}
 // IsRemote returns true if podman was built to run remote or --remote flag given on CLI
-// Use in init() functions as a initialization check
+// Use in init() functions as an initialization check
 func IsRemote() bool {
 remoteFromCLI.sync.Do(func() {
 fs := pflag.NewFlagSet("remote", pflag.ContinueOnError)
- fs.BoolVarP(&remoteFromCLI.Value, "remote", "r", false, "")
 fs.ParseErrorsWhitelist.UnknownFlags = true
+ fs.Usage = func() {}
 fs.SetInterspersed(false)
+ fs.BoolVarP(&remoteFromCLI.Value, "remote", "r", false, "")
 _ = fs.Parse(os.Args[1:])
 })
 return podmanOptions.EngineMode == entities.TunnelMode || remoteFromCLI.Value
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 05aea53b6..976a1e681 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -339,7 +339,7 @@ value can be expressed in a time format such as `1m22s`. The default value is `
 Container host name
-Sets the container host name that is available inside the container.
+Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pods hostname will be used.
 **--help**
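Review bot: The new `fs.Usage = func() {}` line has no comment, and because `_ = fs.Parse(os.Args[1:])` already discards the parse result a reader cannot tell why usage output must be silenced as well. As far as I recall, pflag calls the flag set's Usage when Parse fails or when it meets `-h`/`--help`, so this throwaway set would otherwise print its own near-empty usage before the real command handles the arguments. A why-comment would record that, e.g. `// silence usage output: this set only sniffs --remote; the real command reports errors and --help`. The `remoteFromCLI` declaration that the hunk header names starts above the hunk.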
@@ -898,12 +898,14 @@ Set the user namespace mode for the container. It defaults to the **PODMAN_USER
 This option is incompatible with --gidmap, --uidmap, --subuid and --subgid
-**--uts**=*host*
+**--uts**=*mode*
-Set the UTS mode for the container
- **host**: use the host's UTS namespace inside the container.
- **ns**: specify the user namespace to use.
- Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
+Set the UTS namespace mode for the container. The following values are supported:
+
+- **host**: use the host's UTS namespace inside the container.
+- **private**: create a new namespace for the container (default).
+- **ns:[path]**: run the container in the given existing UTS namespace.
+- **container:[container]**: join the UTS namespace of the specified container.
 **--volume**, **-v**[=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index ef78e15e3..b6c1fab17 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -358,7 +358,7 @@ Print usage statement
 Container host name
-Sets the container host name that is available inside the container.
+Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pods hostname will be used.
 **--http-proxy**=**true**|**false**
@@ -938,10 +938,9 @@ This option is incompatible with **--gidmap**, **--uidmap**, **--subuid** and **
 Set the UTS namespace mode for the container. The following values are supported:
 - **host**: use the host's UTS namespace inside the container.
-- **private**: create a new namespace for the container (default)
-- **ns**: use own UTS namespace.
-
-**NOTE**: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
+- **private**: create a new namespace for the container (default).
+- **ns:[path]**: run the container in the given existing UTS namespace.
+- **container:[container]**: join the UTS namespace of the specified container.
 **--volume**, **-v**[=[[_source-volume_|_host-dir_:]_container-dir_[:_options_]]]
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 71fe478fd..478fac1d5 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -70,8 +70,13 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command)
 if err != nil {
 return err
 }
+
+ initCommand, err := ioutil.ReadFile("/proc/1/comm")
+ // On errors, default to systemd
+ runsUnderSystemd := err != nil || string(initCommand) == "systemd"
+
 unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
- if conf.Engine.CgroupManager == config.SystemdCgroupsManager {
+ if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
 if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
 logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err)
 }
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 8289e2089..76961fa80 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
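Review bot: `string(initCommand) == "systemd"` will not match on a normal Linux host, because the kernel returns `/proc/1/comm` with a trailing newline, so `runsUnderSystemd` ends up true only on the read-error fallback and the new condition rarely fires as intended. Compare the trimmed value instead: `runsUnderSystemd := err != nil || strings.TrimSpace(string(initCommand)) == "systemd"` (this needs `strings` imported if the file does not already have it). The error fallback also deliberately widens the condition — any failure to read `/proc/1/comm` sends podman into the systemd scope path — which is a reasonable best effort but the one-line comment should say so, e.g. `// On errors (e.g. /proc not readable), assume systemd so we still try to move into our own scope`. SetupRootless continues outside the hunk.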
@@ -46,6 +46,9 @@ func (s *SpecGenerator) Validate() error {
 }
 // Cannot set hostname and utsns
 if len(s.ContainerBasicConfig.Hostname) > 0 && !s.ContainerBasicConfig.UtsNS.IsPrivate() {
+ if s.ContainerBasicConfig.UtsNS.IsPod() {
+ return errors.Wrap(ErrInvalidSpecConfig, "cannot set hostname when joining the pod UTS namespace")
+ }
 return errors.Wrap(ErrInvalidSpecConfig, "cannot set hostname when running in the host UTS namespace")
 }
 // systemd values must be true, false, or always
diff --git a/test/e2e/trust_test.go b/test/e2e/trust_test.go
index ecdf27a2e..82b0f9f26 100644
--- a/test/e2e/trust_test.go
+++ b/test/e2e/trust_test.go
@@ -47,9 +47,12 @@ var _ = Describe("Podman trust", func() {
 Expect(session.ExitCode()).To(Equal(0))
 outArray := session.OutputToStringArray()
 Expect(len(outArray)).To(Equal(3))
- Expect(outArray[0]).Should(ContainSubstring("accept"))
- Expect(outArray[1]).Should(ContainSubstring("reject"))
- Expect(outArray[2]).Should(ContainSubstring("signed"))
+
+ // image order is not guaranteed. All we can do is check that
+ // these strings appear in output, we can't cross-check them.
+ Expect(session.OutputToString()).To(ContainSubstring("accept"))
+ Expect(session.OutputToString()).To(ContainSubstring("reject"))
+ Expect(session.OutputToString()).To(ContainSubstring("signed"))
 })
 It("podman image trust set", func() { |
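Review bot: The remaining fallback message `"cannot set hostname when running in the host UTS namespace"` is now reached for every non-private, non-pod mode, which according to the man-page hunks in this same commit includes `ns:[path]` and `container:[container]`, so users of those modes get an error that names the wrong namespace. A mode-neutral wording such as `"cannot set hostname when not using a private UTS namespace"`, or a dedicated branch for the host case, would be accurate for all of them. Separately, both man-page hunks delete the sentence warning that `--uts=host` lets the container change the host's hostname; that caveat is worth keeping under the new **host** bullet rather than dropping it. Validate's body continues outside the hunk.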
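Review bot: The rewritten assertions lose the one-to-one check that each of the three output lines carries a distinct policy (one line containing all three words would now pass), and `session.OutputToString()` is re-evaluated on each of the three lines. Gomega's `ConsistOf` accepts matchers and is order-independent, so `Expect(outArray).To(ConsistOf(ContainSubstring("accept"), ContainSubstring("reject"), ContainSubstring("signed")))` keeps the original strength without assuming image order, and makes the `len(outArray) == 3` check redundant. The added comment can then shrink to its first clause, that image order is not guaranteed.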