diff options
| -rw-r--r-- | cmd/podman/common.go | 2 | ||||
| -rw-r--r-- | cmd/podman/main_local.go | 4 | ||||
| -rw-r--r-- | docs/source/markdown/podman-create.1.md | 4 | ||||
| -rw-r--r-- | docs/source/markdown/podman-run.1.md | 4 | ||||
| -rw-r--r-- | install.md | 2 | ||||
| -rw-r--r-- | libpod.conf | 23 | ||||
| -rw-r--r-- | libpod/events/journal_linux.go | 2 | ||||
| -rw-r--r-- | libpod/events/logfile.go | 2 | ||||
| -rw-r--r-- | libpod/util.go | 3 | ||||
| -rw-r--r-- | pkg/adapter/pods.go | 18 | ||||
| -rw-r--r-- | pkg/namespaces/namespaces.go | 5 | ||||
| -rw-r--r-- | pkg/rootless/rootless_linux.c | 14 | ||||
| -rw-r--r-- | pkg/spec/spec.go | 13 | ||||
| -rw-r--r-- | test/e2e/run_cgroup_parent_test.go | 6 | ||||
| -rw-r--r-- | test/e2e/test.yaml | 34 |
15 files changed, 119 insertions, 17 deletions
diff --git a/cmd/podman/common.go b/cmd/podman/common.go index 7046d1925..8afbe2e0b 100644 --- a/cmd/podman/common.go +++ b/cmd/podman/common.go @@ -132,7 +132,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { "Drop capabilities from the container", ) createFlags.String( - "cgroupns", "host", + "cgroupns", "", "cgroup namespace to use", ) createFlags.String( diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go index 6057eeec3..f630f1210 100644 --- a/cmd/podman/main_local.go +++ b/cmd/podman/main_local.go @@ -16,7 +16,6 @@ import ( "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/cmd/podman/libpodruntime" - "github.com/containers/libpod/libpod/config" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" @@ -34,9 +33,6 @@ const remote = false func init() { cgroupManager := define.SystemdCgroupsManager - if runtimeConfig, err := config.NewConfig(""); err == nil { - cgroupManager = runtimeConfig.CgroupManager - } cgroupHelp := "Cgroup manager to use (cgroupfs or systemd)" cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() if rootless.IsRootless() && !cgroupv2 { diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index f4f35714e..c10cf2cfa 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -67,12 +67,14 @@ Drop Linux capabilities **--cgroupns**=*mode* -Set the cgroup namespace mode for the container, by default **host** is used. +Set the cgroup namespace mode for the container. **host**: use the host's cgroup namespace inside the container. **container:<NAME|ID>**: join the namespace of the specified container. **private**: create a new cgroup namespace. **ns:<PATH>**: join the namespace at the specified path. +If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**. + **--cgroups**=*mode* Determines whether the container will create CGroups. diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index d0d8a5677..75f1f94ce 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -81,12 +81,14 @@ Drop Linux capabilities **--cgroupns**=*mode* -Set the cgroup namespace mode for the container, by default **host** is used. +Set the cgroup namespace mode for the container. **host**: use the host's cgroup namespace inside the container. **container:<NAME|ID>**: join the namespace of the specified container. **private**: create a new cgroup namespace. **ns:<PATH>**: join the namespace at the specified path. +If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**. + **--cgroups**=*mode* Determines whether the container will create CGroups. diff --git a/install.md b/install.md index 2583c4f9d..39b639176 100644 --- a/install.md +++ b/install.md @@ -72,6 +72,8 @@ sudo apt-get install -qq -y software-properties-common uidmap sudo add-apt-repository -y ppa:projectatomic/ppa sudo apt-get update -qq sudo apt-get -qq -y install podman +sudo mkdir -p /etc/containers +echo -e "[registries.search]\nregistries = ['docker.io', 'quay.io']" | sudo tee /etc/containers/registries.conf ``` #### Fedora diff --git a/libpod.conf b/libpod.conf index 47f66ecc1..47563099c 100644 --- a/libpod.conf +++ b/libpod.conf @@ -146,6 +146,29 @@ crun = [ "/usr/local/bin/crun", ] +# Kata Containers is an OCI runtime, where containers are run inside lightweight +# Virtual Machines (VMs). Kata provides additional isolation towards the host, +# minimizing the host attack surface and mitigating the consequences of +# containers breakout. +# Please notes that Kata does not support rootless podman yet, but we can leave +# the paths below blank to let them be discovered by the $PATH environment +# variable. + +# Kata Containers with the default configured VMM +kata-runtime = [ + "/usr/bin/kata-runtime", +] + +# Kata Containers with the QEMU VMM +kata-qemu = [ + "/usr/bin/kata-qemu", +] + +# Kata Containers with the Firecracker VMM +kata-fc = [ + "/usr/bin/kata-fc", +] + # The [runtimes] table MUST be the last thing in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go index 470c76959..9e6fffc29 100644 --- a/libpod/events/journal_linux.go +++ b/libpod/events/journal_linux.go @@ -54,6 +54,7 @@ func (e EventJournalD) Write(ee Event) error { // Read reads events from the journal and sends qualified events to the event channel func (e EventJournalD) Read(options ReadOptions) error { + defer close(options.EventChannel) eventOptions, err := generateEventOptions(options.Filters, options.Since, options.Until) if err != nil { return errors.Wrapf(err, "failed to generate event options") @@ -87,7 +88,6 @@ func (e EventJournalD) Read(options ReadOptions) error { if err != nil { return err } - defer close(options.EventChannel) for { if _, err := j.Next(); err != nil { return err diff --git a/libpod/events/logfile.go b/libpod/events/logfile.go index 4b65b0ad0..93e6fa3c9 100644 --- a/libpod/events/logfile.go +++ b/libpod/events/logfile.go @@ -41,6 +41,7 @@ func (e EventLogFile) Write(ee Event) error { // Reads from the log file func (e EventLogFile) Read(options ReadOptions) error { + defer close(options.EventChannel) eventOptions, err := generateEventOptions(options.Filters, options.Since, options.Until) if err != nil { return errors.Wrapf(err, "unable to generate event options") @@ -68,7 +69,6 @@ func (e EventLogFile) Read(options ReadOptions) error { options.EventChannel <- event } } - close(options.EventChannel) return nil } diff --git a/libpod/util.go b/libpod/util.go index 7bd834e30..bae2f4eb8 100644 --- a/libpod/util.go +++ b/libpod/util.go @@ -187,6 +187,9 @@ func programVersion(mountProgram string) (string, error) { return strings.TrimSuffix(output, "\n"), nil } +// DefaultSeccompPath returns the path to the default seccomp.json file +// if it exists, first it checks OverrideSeccomp and then default. +// If neither exist function returns "" func DefaultSeccompPath() (string, error) { _, err := os.Stat(config.SeccompOverridePath) if err == nil { diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go index d8d5b884f..f6795970b 100644 --- a/pkg/adapter/pods.go +++ b/pkg/adapter/pods.go @@ -704,6 +704,24 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container } } + if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil { + if seopt.User != "" { + containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User)) + containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User)) + } + if seopt.Role != "" { + containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role)) + containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role)) + } + if seopt.Type != "" { + containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type)) + containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type)) + } + if seopt.Level != "" { + containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level)) + containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level)) + } + } if caps := containerYAML.SecurityContext.Capabilities; caps != nil { for _, capability := range caps.Add { containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability)) diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go index 9d1033b93..78b55bb2a 100644 --- a/pkg/namespaces/namespaces.go +++ b/pkg/namespaces/namespaces.go @@ -25,6 +25,11 @@ func (n CgroupMode) IsHost() bool { return n == hostType } +// IsDefaultValue indicates whether the cgroup namespace has the default value. +func (n CgroupMode) IsDefaultValue() bool { + return n == "" +} + // IsNS indicates a cgroup namespace passed in by path (ns:<path>) func (n CgroupMode) IsNS() bool { return strings.HasPrefix(string(n), nsType) diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 94933ddd0..9604de638 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -24,12 +24,16 @@ int renameat2 (int olddirfd, const char *oldpath, int newdirfd, const char *newpath, unsigned int flags) { -# ifdef __NR_renameat2 - return (int) syscall (__NR_renameat2, olddirfd, oldpath, newdirfd, newpath, flags); +# ifdef SYS_renameat2 + return (int) syscall (SYS_renameat2, olddirfd, oldpath, newdirfd, newpath, flags); # else - /* no way to implement it atomically. */ - errno = ENOSYS; - return -1; + /* This might be an issue if another process is trying to read the file while it is empty. */ + int fd = open (newpath, O_EXCL|O_CREAT, 0700); + if (fd < 0) + return fd; + close (fd); + /* We are sure we created the file, let's overwrite it. */ + return rename (oldpath, newpath); # endif } #endif diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 86d701f7e..33e9ec076 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -631,6 +631,19 @@ func addIpcNS(config *CreateConfig, g *generate.Generator) error { func addCgroupNS(config *CreateConfig, g *generate.Generator) error { cgroupMode := config.CgroupMode + + if cgroupMode.IsDefaultValue() { + // If the value is not specified, default to "private" on cgroups v2 and "host" on cgroups v1. + unified, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return err + } + if unified { + cgroupMode = "private" + } else { + cgroupMode = "host" + } + } if cgroupMode.IsNS() { return g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), NS(string(cgroupMode))) } diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go index 1fb9f6871..14294eeac 100644 --- a/test/e2e/run_cgroup_parent_test.go +++ b/test/e2e/run_cgroup_parent_test.go @@ -40,7 +40,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() { Skip("Must be containerized to run this test.") } cgroup := "/zzz" - run := podmanTest.Podman([]string{"run", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"}) + run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"}) run.WaitWithDefaultTimeout() Expect(run.ExitCode()).To(Equal(0)) ok, _ := run.GrepString(cgroup) @@ -52,7 +52,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() { if !Containerized() && podmanTest.CgroupManager != "cgroupfs" { cgroup = "/machine.slice" } - run := podmanTest.Podman([]string{"run", fedoraMinimal, "cat", "/proc/self/cgroup"}) + run := podmanTest.Podman([]string{"run", "--cgroupns=host", fedoraMinimal, "cat", "/proc/self/cgroup"}) run.WaitWithDefaultTimeout() Expect(run.ExitCode()).To(Equal(0)) ok, _ := run.GrepString(cgroup) @@ -64,7 +64,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() { Skip("Requires Systemd cgroup manager support") } cgroup := "aaaa.slice" - run := podmanTest.Podman([]string{"run", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"}) + run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"}) run.WaitWithDefaultTimeout() Expect(run.ExitCode()).To(Equal(0)) ok, _ := run.GrepString(cgroup) diff --git a/test/e2e/test.yaml b/test/e2e/test.yaml new file mode 100644 index 000000000..319d6a4a0 --- /dev/null +++ b/test/e2e/test.yaml @@ -0,0 +1,34 @@ +# Save the output of this file and use kubectl create -f to import +# it into Kubernetes. +# +# Created with podman-1.6.2 +apiVersion: v1 +kind: Pod +metadata: + labels: + app: test + name: test +spec: + containers: + - command: + - sleep + - "100" + env: + - name: PATH + value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + - name: TERM + value: xterm + - name: container + value: podman + image: docker.io/library/fedora:latest + name: test + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: false + seLinuxOptions: + level: "s0:c1,c2" + readOnlyRootFilesystem: false + workingDir: / +status: {} |