-rw-r--r--libpod/volume.go12
-rw-r--r--pkg/api/handlers/compat/networks.go2
-rw-r--r--pkg/api/server/server.go4
-rw-r--r--pkg/domain/filters/volumes.go23
-rw-r--r--pkg/domain/infra/abi/system.go2
-rw-r--r--pkg/specgen/generate/oci.go20
-rw-r--r--pkg/systemd/generate/common.go5
-rw-r--r--pkg/systemd/generate/common_test.go9
-rw-r--r--test/e2e/inspect_test.go26
-rw-r--r--test/e2e/volume_ls_test.go27
10 files changed, 119 insertions, 11 deletions
diff --git a/libpod/volume.go b/libpod/volume.go
index 82f389833..b29ac7ddf 100644
--- a/libpod/volume.go
+++ b/libpod/volume.go
@@ -137,7 +137,7 @@ func (v *Volume) Config() (*VolumeConfig, error) {
// VolumeInUse goes through the container dependencies of a volume
// and checks if the volume is being used by any container.
-func (v *Volume) VolumesInUse() ([]string, error) {
+func (v *Volume) VolumeInUse() ([]string, error) {
v.lock.Lock()
defer v.lock.Unlock()
@@ -146,3 +146,13 @@ func (v *Volume) VolumesInUse() ([]string, error) {
}
return v.runtime.state.VolumeInUse(v)
}
+
+// IsDangling returns whether this volume is dangling (unused by any
+// containers).
+func (v *Volume) IsDangling() (bool, error) {
+ ctrs, err := v.VolumeInUse()
+ if err != nil {
+ return false, err
+ }
+ return len(ctrs) == 0, nil
+}
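Review bot: The doc comment on `IsDangling` should say that the result is a snapshot, because `VolumeInUse` drops `v.lock` through its deferred unlock before returning. A container can attach the volume between this call and whatever the caller does with the boolean. A caller that removes volumes based on it needs to re-check inside the removal path rather than trust the earlier answer. Suggested extra line: `// The result is only valid at the time of the call; the volume lock is not held on return.`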
diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go
index 0f1eca5e5..7209255d7 100644
--- a/pkg/api/handlers/compat/networks.go
+++ b/pkg/api/handlers/compat/networks.go
@@ -285,7 +285,7 @@ func RemoveNetwork(w http.ResponseWriter, r *http.Request) {
return
}
if !exists {
- utils.Error(w, "network not found", http.StatusNotFound, err)
+ utils.Error(w, "network not found", http.StatusNotFound, network.ErrNetworkNotFound)
return
}
if err := network.RemoveNetwork(config, name); err != nil {
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index bd6a99b96..5b2f8bea2 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -173,6 +173,10 @@ func (s *APIServer) Serve() error {
}()
}
+ // Before we start serving, ensure umask is properly set for container
+ // creation.
+ _ = syscall.Umask(0022)
+
go func() {
err := s.Server.Serve(s.Listener)
if err != nil && err != http.ErrServerClosed {
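Review bot: `syscall.Umask` changes the mask for the whole process, not only for container creation, and the `_ =` on the added line discards the mask it replaces. If the service was started with a stricter mask (0077, say), every file and socket the API server creates after this point silently gets the looser 0022. Consider recording the override, e.g. `if old := syscall.Umask(0022); old != 0022 { logrus.Debugf("API service umask changed from %04o to 0022", old) }` (assuming logrus is imported in this file), and widening the comment to say the setting is process-wide. The body of Serve continues outside the hunk.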
diff --git a/pkg/domain/filters/volumes.go b/pkg/domain/filters/volumes.go
index f97c3f570..b1b5e6319 100644
--- a/pkg/domain/filters/volumes.go
+++ b/pkg/domain/filters/volumes.go
@@ -61,6 +61,29 @@ func GenerateVolumeFilters(filters map[string][]string) ([]libpod.VolumeFilter,
}
return false
})
+ case "dangling":
+ danglingVal := val
+ invert := false
+ switch strings.ToLower(danglingVal) {
+ case "true", "1":
+ // Do nothing
+ case "false", "0":
+ // Dangling=false requires that we
+ // invert the result of IsDangling.
+ invert = true
+ default:
+ return nil, errors.Errorf("%q is not a valid value for the \"dangling\" filter - must be true or false", danglingVal)
+ }
+ vf = append(vf, func(v *libpod.Volume) bool {
+ dangling, err := v.IsDangling()
+ if err != nil {
+ return false
+ }
+ if invert {
+ return !dangling
+ }
+ return dangling
+ })
default:
return nil, errors.Errorf("%q is in an invalid volume filter", filter)
}
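Review bot: The closure added for `dangling` returns false when `v.IsDangling()` fails, so a volume whose state cannot be read drops out of both `dangling=true` and `dangling=false` listings without a trace. The filter signature cannot return an error, so at least log it before returning, e.g. `logrus.Debugf("checking whether volume is dangling: %v", err)` if a logger is in scope in this file. The tail of the closure can also be written as `return dangling != invert`, and `danglingVal` is only an alias for `val`. GenerateVolumeFilters starts and ends outside the hunk.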
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 90002326e..0511289ab 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -330,7 +330,7 @@ func (ic *ContainerEngine) SystemDf(ctx context.Context, options entities.System
if err != nil {
return nil, err
}
- inUse, err := v.VolumesInUse()
+ inUse, err := v.VolumeInUse()
if err != nil {
return nil, err
}
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 1c34f622b..badb34999 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -52,10 +52,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
}
- current = rlimit.Cur
- max = rlimit.Max
+ if rlimit.Cur < current {
+ current = rlimit.Cur
+ }
+ if rlimit.Max < max {
+ max = rlimit.Max
+ }
}
- g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+ g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
max := kernelMax
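Review bot: When `unix.Getrlimit` fails, the code only warns and then still runs the new clamps against `rlimit`. If `rlimit` is zero-valued at that point (its declaration is outside the hunk), `rlimit.Cur < current` and `rlimit.Max < max` both hold and the container is given a 0/0 RLIMIT_NOFILE. Running the comparisons only on success avoids that: turn the closing brace of the warning branch into `} else {` and close it after the `max` clamp. The RLIMIT_NPROC hunk that follows has the same shape and needs the same change; addRlimits begins and ends outside both hunks.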
@@ -65,10 +69,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
}
- current = rlimit.Cur
- max = rlimit.Max
+ if rlimit.Cur < current {
+ current = rlimit.Cur
+ }
+ if rlimit.Max < max {
+ max = rlimit.Max
+ }
}
- g.AddProcessRlimits("RLIMIT_NPROC", current, max)
+ g.AddProcessRlimits("RLIMIT_NPROC", max, current)
}
return nil
diff --git a/pkg/systemd/generate/common.go b/pkg/systemd/generate/common.go
index fe56dc874..d6d18a810 100644
--- a/pkg/systemd/generate/common.go
+++ b/pkg/systemd/generate/common.go
@@ -1,6 +1,8 @@
package generate
import (
+ "strings"
+
"github.com/pkg/errors"
)
@@ -44,6 +46,9 @@ func filterPodFlags(command []string) []string {
i++
continue
}
+ if strings.HasPrefix(s, "--pod=") || strings.HasPrefix(s, "--pod-id-file=") {
+ continue
+ }
processed = append(processed, s)
}
return processed
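Review bot: The new `strings.HasPrefix` check runs on every element of `command`, and nothing in the visible lines stops the scan at the image name or at a `--` terminator. An argument that belongs to the container's own command and happens to start with `--pod=` would therefore be dropped from the generated unit; the two-token branch above presumably behaves the same way. If that is not intended, bound the scan to podman's own options; otherwise document the limitation in the function comment. The loop header is outside the hunk, so confirm against the full function.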
diff --git a/pkg/systemd/generate/common_test.go b/pkg/systemd/generate/common_test.go
index f53bb7828..389c30f59 100644
--- a/pkg/systemd/generate/common_test.go
+++ b/pkg/systemd/generate/common_test.go
@@ -1,6 +1,7 @@
package generate
import (
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
@@ -14,12 +15,16 @@ func TestFilterPodFlags(t *testing.T) {
{[]string{"podman", "pod", "create"}},
{[]string{"podman", "pod", "create", "--name", "foo"}},
{[]string{"podman", "pod", "create", "--pod-id-file", "foo"}},
+ {[]string{"podman", "pod", "create", "--pod-id-file=foo"}},
{[]string{"podman", "run", "--pod", "foo"}},
+ {[]string{"podman", "run", "--pod=foo"}},
}
for _, test := range tests {
processed := filterPodFlags(test.input)
- assert.NotContains(t, processed, "--pod-id-file")
- assert.NotContains(t, processed, "--pod")
+ for _, s := range processed {
+ assert.False(t, strings.HasPrefix(s, "--pod-id-file"))
+ assert.False(t, strings.HasPrefix(s, "--pod"))
+ }
}
}
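Review bot: The rewritten loop only asserts what is absent, so a `filterPodFlags` that returned an empty slice would pass every case. Give each table entry an expected result and compare it, e.g. add an `output` field and `assert.Equal(t, test.output, processed)`, so that `--name foo` surviving the filter is checked too. The `--pod-id-file` assertion is also redundant, since any string with that prefix already fails the `--pod` prefix check on the next line. The table's struct definition is outside the hunk.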
diff --git a/test/e2e/inspect_test.go b/test/e2e/inspect_test.go
index 2fad38a36..ed7876d8a 100644
--- a/test/e2e/inspect_test.go
+++ b/test/e2e/inspect_test.go
@@ -7,6 +7,7 @@ import (
. "github.com/containers/libpod/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman inspect", func() {
@@ -263,4 +264,29 @@ var _ = Describe("Podman inspect", func() {
Expect(len(baseJSON)).To(Equal(1))
Expect(baseJSON[0].Name).To(Equal(ctrName))
})
+
+ It("podman inspect - HostConfig.SecurityOpt ", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+
+ ctrName := "hugo"
+ create := podmanTest.PodmanNoCache([]string{
+ "create", "--name", ctrName,
+ "--security-opt", "seccomp=unconfined",
+ "--security-opt", "label=type:spc_t",
+ "--security-opt", "label=level:s0",
+ ALPINE, "sh"})
+
+ create.WaitWithDefaultTimeout()
+ Expect(create.ExitCode()).To(Equal(0))
+
+ baseInspect := podmanTest.Podman([]string{"inspect", ctrName})
+ baseInspect.WaitWithDefaultTimeout()
+ Expect(baseInspect.ExitCode()).To(Equal(0))
+ baseJSON := baseInspect.InspectContainerToJSON()
+ Expect(len(baseJSON)).To(Equal(1))
+ Expect(baseJSON[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t,label=level:s0", "seccomp=unconfined"}))
+ })
+
})
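Review bot: The whole spec is skipped when SELinux is disabled, although the `seccomp=unconfined` part of the expectation does not look SELinux-specific, so on such hosts nothing checks that inspect reports it. Consider a second spec without the `label=` options that runs everywhere. The exact-slice `Equal` also pins an order (joined labels first, seccomp second) that differs from the order on the command line; if that order is not part of the contract, `ConsistOf` is less brittle. The spec title also ends in a stray space.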
diff --git a/test/e2e/volume_ls_test.go b/test/e2e/volume_ls_test.go
index 7664e64bb..d2d75af9e 100644
--- a/test/e2e/volume_ls_test.go
+++ b/test/e2e/volume_ls_test.go
@@ -1,6 +1,7 @@
package integration
import (
+ "fmt"
"os"
. "github.com/containers/libpod/test/utils"
@@ -82,4 +83,30 @@ var _ = Describe("Podman volume ls", func() {
Expect(len(session.OutputToStringArray())).To(Equal(2))
Expect(session.OutputToStringArray()[1]).To(ContainSubstring(volName))
})
+
+ It("podman volume ls with --filter dangling", func() {
+ volName1 := "volume1"
+ session := podmanTest.Podman([]string{"volume", "create", volName1})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ volName2 := "volume2"
+ session2 := podmanTest.Podman([]string{"volume", "create", volName2})
+ session2.WaitWithDefaultTimeout()
+ Expect(session2.ExitCode()).To(Equal(0))
+
+ ctr := podmanTest.Podman([]string{"create", "-v", fmt.Sprintf("%s:/test", volName2), ALPINE, "sh"})
+ ctr.WaitWithDefaultTimeout()
+ Expect(ctr.ExitCode()).To(Equal(0))
+
+ lsNoDangling := podmanTest.Podman([]string{"volume", "ls", "--filter", "dangling=false", "--quiet"})
+ lsNoDangling.WaitWithDefaultTimeout()
+ Expect(lsNoDangling.ExitCode()).To(Equal(0))
+ Expect(lsNoDangling.OutputToString()).To(ContainSubstring(volName2))
+
+ lsDangling := podmanTest.Podman([]string{"volume", "ls", "--filter", "dangling=true", "--quiet"})
+ lsDangling.WaitWithDefaultTimeout()
+ Expect(lsDangling.ExitCode()).To(Equal(0))
+ Expect(lsDangling.OutputToString()).To(ContainSubstring(volName1))
+ })
})
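Review bot: Both checks assert only that the expected volume is present, so a filter that returned every volume would pass. Add the negative side: `Expect(lsNoDangling.OutputToString()).NotTo(ContainSubstring(volName1))` and `Expect(lsDangling.OutputToString()).NotTo(ContainSubstring(volName2))`. A case with an invalid value such as `dangling=maybe`, expecting a non-zero exit code, would cover the new error path in the filter parser as well.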