diff options
-rw-r--r-- | libpod/volume.go | 12 | ||||
-rw-r--r-- | pkg/api/handlers/compat/networks.go | 2 | ||||
-rw-r--r-- | pkg/api/server/server.go | 4 | ||||
-rw-r--r-- | pkg/domain/filters/volumes.go | 23 | ||||
-rw-r--r-- | pkg/domain/infra/abi/system.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/oci.go | 20 | ||||
-rw-r--r-- | pkg/systemd/generate/common.go | 5 | ||||
-rw-r--r-- | pkg/systemd/generate/common_test.go | 9 | ||||
-rw-r--r-- | test/e2e/inspect_test.go | 26 | ||||
-rw-r--r-- | test/e2e/volume_ls_test.go | 27 |
10 files changed, 119 insertions, 11 deletions
diff --git a/libpod/volume.go b/libpod/volume.go index 82f389833..b29ac7ddf 100644 --- a/libpod/volume.go +++ b/libpod/volume.go @@ -137,7 +137,7 @@ func (v *Volume) Config() (*VolumeConfig, error) { // VolumeInUse goes through the container dependencies of a volume // and checks if the volume is being used by any container. -func (v *Volume) VolumesInUse() ([]string, error) { +func (v *Volume) VolumeInUse() ([]string, error) { v.lock.Lock() defer v.lock.Unlock() @@ -146,3 +146,13 @@ func (v *Volume) VolumesInUse() ([]string, error) { } return v.runtime.state.VolumeInUse(v) } + +// IsDangling returns whether this volume is dangling (unused by any +// containers). +func (v *Volume) IsDangling() (bool, error) { + ctrs, err := v.VolumeInUse() + if err != nil { + return false, err + } + return len(ctrs) == 0, nil +} diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go index 0f1eca5e5..7209255d7 100644 --- a/pkg/api/handlers/compat/networks.go +++ b/pkg/api/handlers/compat/networks.go @@ -285,7 +285,7 @@ func RemoveNetwork(w http.ResponseWriter, r *http.Request) { return } if !exists { - utils.Error(w, "network not found", http.StatusNotFound, err) + utils.Error(w, "network not found", http.StatusNotFound, network.ErrNetworkNotFound) return } if err := network.RemoveNetwork(config, name); err != nil { diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go index bd6a99b96..5b2f8bea2 100644 --- a/pkg/api/server/server.go +++ b/pkg/api/server/server.go @@ -173,6 +173,10 @@ func (s *APIServer) Serve() error { }() } + // Before we start serving, ensure umask is properly set for container + // creation. + _ = syscall.Umask(0022) + go func() { err := s.Server.Serve(s.Listener) if err != nil && err != http.ErrServerClosed { diff --git a/pkg/domain/filters/volumes.go b/pkg/domain/filters/volumes.go index f97c3f570..b1b5e6319 100644 --- a/pkg/domain/filters/volumes.go +++ b/pkg/domain/filters/volumes.go @@ -61,6 +61,29 @@ func GenerateVolumeFilters(filters map[string][]string) ([]libpod.VolumeFilter, } return false }) + case "dangling": + danglingVal := val + invert := false + switch strings.ToLower(danglingVal) { + case "true", "1": + // Do nothing + case "false", "0": + // Dangling=false requires that we + // invert the result of IsDangling. + invert = true + default: + return nil, errors.Errorf("%q is not a valid value for the \"dangling\" filter - must be true or false", danglingVal) + } + vf = append(vf, func(v *libpod.Volume) bool { + dangling, err := v.IsDangling() + if err != nil { + return false + } + if invert { + return !dangling + } + return dangling + }) default: return nil, errors.Errorf("%q is in an invalid volume filter", filter) } diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 90002326e..0511289ab 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -330,7 +330,7 @@ func (ic *ContainerEngine) SystemDf(ctx context.Context, options entities.System if err != nil { return nil, err } - inUse, err := v.VolumesInUse() + inUse, err := v.VolumeInUse() if err != nil { return nil, err } diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 1c34f622b..badb34999 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -52,10 +52,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil { logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err) } - current = rlimit.Cur - max = rlimit.Max + if rlimit.Cur < current { + current = rlimit.Cur + } + if rlimit.Max < max { + max = rlimit.Max + } } - g.AddProcessRlimits("RLIMIT_NOFILE", current, max) + g.AddProcessRlimits("RLIMIT_NOFILE", max, current) } if !nprocSet { max := kernelMax @@ -65,10 +69,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil { logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err) } - current = rlimit.Cur - max = rlimit.Max + if rlimit.Cur < current { + current = rlimit.Cur + } + if rlimit.Max < max { + max = rlimit.Max + } } - g.AddProcessRlimits("RLIMIT_NPROC", current, max) + g.AddProcessRlimits("RLIMIT_NPROC", max, current) } return nil diff --git a/pkg/systemd/generate/common.go b/pkg/systemd/generate/common.go index fe56dc874..d6d18a810 100644 --- a/pkg/systemd/generate/common.go +++ b/pkg/systemd/generate/common.go @@ -1,6 +1,8 @@ package generate import ( + "strings" + "github.com/pkg/errors" ) @@ -44,6 +46,9 @@ func filterPodFlags(command []string) []string { i++ continue } + if strings.HasPrefix(s, "--pod=") || strings.HasPrefix(s, "--pod-id-file=") { + continue + } processed = append(processed, s) } return processed diff --git a/pkg/systemd/generate/common_test.go b/pkg/systemd/generate/common_test.go index f53bb7828..389c30f59 100644 --- a/pkg/systemd/generate/common_test.go +++ b/pkg/systemd/generate/common_test.go @@ -1,6 +1,7 @@ package generate import ( + "strings" "testing" "github.com/stretchr/testify/assert" @@ -14,12 +15,16 @@ func TestFilterPodFlags(t *testing.T) { {[]string{"podman", "pod", "create"}}, {[]string{"podman", "pod", "create", "--name", "foo"}}, {[]string{"podman", "pod", "create", "--pod-id-file", "foo"}}, + {[]string{"podman", "pod", "create", "--pod-id-file=foo"}}, {[]string{"podman", "run", "--pod", "foo"}}, + {[]string{"podman", "run", "--pod=foo"}}, } for _, test := range tests { processed := filterPodFlags(test.input) - assert.NotContains(t, processed, "--pod-id-file") - assert.NotContains(t, processed, "--pod") + for _, s := range processed { + assert.False(t, strings.HasPrefix(s, "--pod-id-file")) + assert.False(t, strings.HasPrefix(s, "--pod")) + } } } diff --git a/test/e2e/inspect_test.go b/test/e2e/inspect_test.go index 2fad38a36..ed7876d8a 100644 --- a/test/e2e/inspect_test.go +++ b/test/e2e/inspect_test.go @@ -7,6 +7,7 @@ import ( . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" + "github.com/opencontainers/selinux/go-selinux" ) var _ = Describe("Podman inspect", func() { @@ -263,4 +264,29 @@ var _ = Describe("Podman inspect", func() { Expect(len(baseJSON)).To(Equal(1)) Expect(baseJSON[0].Name).To(Equal(ctrName)) }) + + It("podman inspect - HostConfig.SecurityOpt ", func() { + if !selinux.GetEnabled() { + Skip("SELinux not enabled") + } + + ctrName := "hugo" + create := podmanTest.PodmanNoCache([]string{ + "create", "--name", ctrName, + "--security-opt", "seccomp=unconfined", + "--security-opt", "label=type:spc_t", + "--security-opt", "label=level:s0", + ALPINE, "sh"}) + + create.WaitWithDefaultTimeout() + Expect(create.ExitCode()).To(Equal(0)) + + baseInspect := podmanTest.Podman([]string{"inspect", ctrName}) + baseInspect.WaitWithDefaultTimeout() + Expect(baseInspect.ExitCode()).To(Equal(0)) + baseJSON := baseInspect.InspectContainerToJSON() + Expect(len(baseJSON)).To(Equal(1)) + Expect(baseJSON[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t,label=level:s0", "seccomp=unconfined"})) + }) + }) diff --git a/test/e2e/volume_ls_test.go b/test/e2e/volume_ls_test.go index 7664e64bb..d2d75af9e 100644 --- a/test/e2e/volume_ls_test.go +++ b/test/e2e/volume_ls_test.go @@ -1,6 +1,7 @@ package integration import ( + "fmt" "os" . "github.com/containers/libpod/test/utils" @@ -82,4 +83,30 @@ var _ = Describe("Podman volume ls", func() { Expect(len(session.OutputToStringArray())).To(Equal(2)) Expect(session.OutputToStringArray()[1]).To(ContainSubstring(volName)) }) + + It("podman volume ls with --filter dangling", func() { + volName1 := "volume1" + session := podmanTest.Podman([]string{"volume", "create", volName1}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + volName2 := "volume2" + session2 := podmanTest.Podman([]string{"volume", "create", volName2}) + session2.WaitWithDefaultTimeout() + Expect(session2.ExitCode()).To(Equal(0)) + + ctr := podmanTest.Podman([]string{"create", "-v", fmt.Sprintf("%s:/test", volName2), ALPINE, "sh"}) + ctr.WaitWithDefaultTimeout() + Expect(ctr.ExitCode()).To(Equal(0)) + + lsNoDangling := podmanTest.Podman([]string{"volume", "ls", "--filter", "dangling=false", "--quiet"}) + lsNoDangling.WaitWithDefaultTimeout() + Expect(lsNoDangling.ExitCode()).To(Equal(0)) + Expect(lsNoDangling.OutputToString()).To(ContainSubstring(volName2)) + + lsDangling := podmanTest.Podman([]string{"volume", "ls", "--filter", "dangling=true", "--quiet"}) + lsDangling.WaitWithDefaultTimeout() + Expect(lsDangling.ExitCode()).To(Equal(0)) + Expect(lsDangling.OutputToString()).To(ContainSubstring(volName1)) + }) }) |