diff options
-rw-r--r-- | cmd/podman/common/specgen.go | 32 | ||||
-rw-r--r-- | cmd/podman/containers/create.go | 17 | ||||
-rw-r--r-- | cmd/podman/containers/run.go | 8 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | libpod/container_internal.go | 4 | ||||
-rw-r--r-- | pkg/selinux/selinux.go | 8 | ||||
-rw-r--r-- | pkg/specgen/container_validate.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/config_linux_cgo.go | 3 | ||||
-rw-r--r-- | pkg/specgen/generate/container.go | 6 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 21 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 2 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 9 | ||||
-rw-r--r-- | test/e2e/run_cgroup_parent_test.go | 1 | ||||
-rw-r--r-- | test/e2e/run_test.go | 10 | ||||
-rw-r--r-- | vendor/github.com/containers/common/pkg/config/default.go | 7 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
17 files changed, 91 insertions, 47 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index b90030f7f..abec1213c 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -119,13 +119,13 @@ func getIOLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string) ( func getPidsLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string) (*specs.LinuxPids, error) { pids := &specs.LinuxPids{} hasLimits := false + if c.CGroupsMode == "disabled" && c.PIDsLimit > 0 { + return nil, nil + } if c.PIDsLimit > 0 { pids.Limit = c.PIDsLimit hasLimits = true } - if c.CGroupsMode == "disabled" && c.PIDsLimit > 0 { - s.ResourceLimits.Pids.Limit = -1 - } if !hasLimits { return nil, nil } @@ -288,7 +288,23 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string if c.EnvHost { env = envLib.Join(env, osEnv) + } else if c.HTTPProxy { + for _, envSpec := range []string{ + "http_proxy", + "HTTP_PROXY", + "https_proxy", + "HTTPS_PROXY", + "ftp_proxy", + "FTP_PROXY", + "no_proxy", + "NO_PROXY", + } { + if v, ok := osEnv[envSpec]; ok { + env[envSpec] = v + } + } } + // env-file overrides any previous variables for _, f := range c.EnvFile { fileEnv, err := envLib.ParseFile(f) @@ -449,6 +465,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string } s.CgroupParent = c.CGroupParent s.CgroupsMode = c.CGroupsMode + s.Groups = c.GroupAdd // TODO WTF //cgroup := &cc.CgroupConfig{ // Cgroupns: c.String("cgroupns"), @@ -585,7 +602,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string if len(split) < 2 { return errors.Errorf("invalid log option %q", o) } - logOpts[split[0]] = split[1] + switch { + case split[0] == "driver": + s.LogConfiguration.Driver = split[1] + case split[0] == "path": + s.LogConfiguration.Path = split[1] + default: + logOpts[split[0]] = split[1] + } } s.LogConfiguration.Options = logOpts s.Name = c.Name diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go index 8f140e2b8..da550b606 100644 --- a/cmd/podman/containers/create.go +++ b/cmd/podman/containers/create.go @@ -75,8 +75,7 @@ func init() { func create(cmd *cobra.Command, args []string) error { var ( - err error - rawImageInput string + err error ) cliVals.Net, err = common.NetFlagsToNetOptions(cmd) if err != nil { @@ -92,20 +91,16 @@ func create(cmd *cobra.Command, args []string) error { defer errorhandling.SyncQuiet(cidFile) } - if rfs := cliVals.RootFS; !rfs { - rawImageInput = args[0] - } - if err := createInit(cmd); err != nil { return err } - if err := pullImage(args[0]); err != nil { - return err + if !cliVals.RootFS { + if err := pullImage(args[0]); err != nil { + return err + } } - - //TODO rootfs still - s := specgen.NewSpecGenerator(rawImageInput) + s := specgen.NewSpecGenerator(args[0], cliVals.RootFS) if err := common.FillOutSpecGen(s, &cliVals, args); err != nil { return err } diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go index 409b72198..e3fe4cd0b 100644 --- a/cmd/podman/containers/run.go +++ b/cmd/podman/containers/run.go @@ -104,8 +104,10 @@ func run(cmd *cobra.Command, args []string) error { return err } - if err := pullImage(args[0]); err != nil { - return err + if !cliVals.RootFS { + if err := pullImage(args[0]); err != nil { + return err + } } // If -i is not set, clear stdin @@ -136,7 +138,7 @@ func run(cmd *cobra.Command, args []string) error { } runOpts.Detach = cliVals.Detach runOpts.DetachKeys = cliVals.DetachKeys - s := specgen.NewSpecGenerator(args[0]) + s := specgen.NewSpecGenerator(args[0], cliVals.RootFS) if err := common.FillOutSpecGen(s, &cliVals, args); err != nil { return err } @@ -10,7 +10,7 @@ require ( github.com/containernetworking/cni v0.7.2-0.20200304161608-4fae32b84921 github.com/containernetworking/plugins v0.8.5 github.com/containers/buildah v1.14.8 - github.com/containers/common v0.9.4 + github.com/containers/common v0.9.5 github.com/containers/conmon v2.0.14+incompatible github.com/containers/image/v5 v5.4.3 github.com/containers/psgo v1.4.0 @@ -66,8 +66,8 @@ github.com/containernetworking/plugins v0.8.5/go.mod h1:UZ2539umj8djuRQmBxuazHeJ github.com/containers/buildah v1.14.8 h1:JbMI0QSOmyZ30Mr2633uCXAj+Fajgh/EFS9xX/Y14oQ= github.com/containers/buildah v1.14.8/go.mod h1:ytEjHJQnRXC1ygXMyc0FqYkjcoCydqBQkOdxbH563QU= github.com/containers/common v0.8.1/go.mod h1:VxDJbaA1k6N1TNv9Rt6bQEF4hyKVHNfOfGA5L91ADEs= -github.com/containers/common v0.9.4 h1:Rh4vZRT4XJ+lQouE2XpOXr/xV/+wxv4pE7ZmdxmjRt8= -github.com/containers/common v0.9.4/go.mod h1:9YGKPwu6NFYQG2NtSP9bRhNGA8mgd1mUCCkOU2tr+Pc= +github.com/containers/common v0.9.5 h1:rqGMfYuD1euB38kW2sbQQTRelnrXPQ1E2vkcOP9HNnA= +github.com/containers/common v0.9.5/go.mod h1:9YGKPwu6NFYQG2NtSP9bRhNGA8mgd1mUCCkOU2tr+Pc= github.com/containers/conmon v2.0.14+incompatible h1:knU1O1QxXy5YxtjMQVKEyCajROaehizK9FHaICl+P5Y= github.com/containers/conmon v2.0.14+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.4.3 h1:zn2HR7uu4hpvT5QQHgjqonOzKDuM1I1UHUEmzZT5sbs= diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 4cb80a98b..3fcf687ec 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -435,12 +435,12 @@ func (c *Container) setupStorage(ctx context.Context) error { processLabel := containerInfo.ProcessLabel switch { case c.ociRuntime.SupportsKVM(): - processLabel, err = selinux.SELinuxKVMLabel(processLabel) + processLabel, err = selinux.KVMLabel(processLabel) if err != nil { return err } case c.config.Systemd: - processLabel, err = selinux.SELinuxInitLabel(processLabel) + processLabel, err = selinux.InitLabel(processLabel) if err != nil { return err } diff --git a/pkg/selinux/selinux.go b/pkg/selinux/selinux.go index 975519cce..6b6d065f7 100644 --- a/pkg/selinux/selinux.go +++ b/pkg/selinux/selinux.go @@ -4,8 +4,8 @@ import ( "github.com/opencontainers/selinux/go-selinux" ) -// SELinuxKVMLabel returns labels for running kvm isolated containers -func SELinuxKVMLabel(cLabel string) (string, error) { +// KVMLabel returns labels for running kvm isolated containers +func KVMLabel(cLabel string) (string, error) { if cLabel == "" { // selinux is disabled return "", nil @@ -15,8 +15,8 @@ func SELinuxKVMLabel(cLabel string) (string, error) { return swapSELinuxLabel(cLabel, processLabel) } -// SELinuxInitLabel returns labels for running systemd based containers -func SELinuxInitLabel(cLabel string) (string, error) { +// InitLabel returns labels for running systemd based containers +func InitLabel(cLabel string) (string, error) { if cLabel == "" { // selinux is disabled return "", nil diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go index 56c1a7ea9..87fc59dfe 100644 --- a/pkg/specgen/container_validate.go +++ b/pkg/specgen/container_validate.go @@ -34,7 +34,7 @@ func (s *SpecGenerator) Validate() error { } // Cannot set hostname and utsns if len(s.ContainerBasicConfig.Hostname) > 0 && !s.ContainerBasicConfig.UtsNS.IsPrivate() { - return errors.Wrap(ErrInvalidSpecConfig, "cannot set hostname when creating an UTS namespace") + return errors.Wrap(ErrInvalidSpecConfig, "cannot set hostname when running in the host UTS namespace") } // systemd values must be true, false, or always if len(s.ContainerBasicConfig.Systemd) > 0 && !util.StringInSlice(strings.ToLower(s.ContainerBasicConfig.Systemd), SystemDValues) { diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go index b06ef5c9a..5d629a6e6 100644 --- a/pkg/specgen/generate/config_linux_cgo.go +++ b/pkg/specgen/generate/config_linux_cgo.go @@ -24,6 +24,9 @@ func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *imag } if scp == seccomp.PolicyImage { + if img == nil { + return nil, errors.New("cannot read seccomp profile without a valid image") + } labels, err := img.Labels(context.Background()) if err != nil { return nil, err diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index de3239fda..9797ad572 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -15,7 +15,11 @@ import ( func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerator) error { var appendEntryPoint bool - // TODO add support for raw rootfs + // If a rootfs is used, then there is no image data + if s.ContainerStorageConfig.Rootfs != "" { + return nil + } + newImage, err := r.ImageRuntime().NewFromLocal(s.Image) if err != nil { return err diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 1be77d315..49a717c5d 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -7,6 +7,7 @@ import ( "github.com/containers/common/pkg/config" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" + "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/specgen" "github.com/containers/storage" "github.com/pkg/errors" @@ -15,9 +16,6 @@ import ( // MakeContainer creates a container based on the SpecGenerator func MakeContainer(rt *libpod.Runtime, s *specgen.SpecGenerator) (*libpod.Container, error) { - if err := s.Validate(); err != nil { - return nil, errors.Wrap(err, "invalid config provided") - } rtc, err := rt.GetConfig() if err != nil { return nil, err @@ -87,12 +85,19 @@ func MakeContainer(rt *libpod.Runtime, s *specgen.SpecGenerator) (*libpod.Contai return nil, err } options = append(options, createExitCommandOption(s, rt.StorageConfig(), rtc, podmanPath)) - newImage, err := rt.ImageRuntime().NewFromLocal(s.Image) - if err != nil { - return nil, err + var newImage *image.Image + if s.Rootfs != "" { + options = append(options, libpod.WithRootFS(s.Rootfs)) + } else { + newImage, err = rt.ImageRuntime().NewFromLocal(s.Image) + if err != nil { + return nil, err + } + options = append(options, libpod.WithRootFSFromImage(newImage.ID(), s.Image, s.RawImageName)) + } + if err := s.Validate(); err != nil { + return nil, errors.Wrap(err, "invalid config provided") } - - options = append(options, libpod.WithRootFSFromImage(newImage.ID(), s.Image, s.RawImageName)) runtimeSpec, err := SpecGenToOCI(s, rt, newImage) if err != nil { diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index 2aaeb9513..2e0e088bf 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -26,7 +26,7 @@ func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod) nsType = strings.ToLower(nsType) // If the pod is not nil - check shared namespaces - if pod != nil { + if pod != nil && pod.HasInfraContainer() { podMode := false switch { case nsType == "pid" && pod.SharesPID(): diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 37f2b3190..275af1f49 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -402,8 +402,13 @@ type NamedVolume struct { } // NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs -func NewSpecGenerator(image string) *SpecGenerator { - csc := ContainerStorageConfig{Image: image} +func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator { + csc := ContainerStorageConfig{} + if rootfs { + csc.Rootfs = arg + } else { + csc.Image = arg + } return &SpecGenerator{ ContainerStorageConfig: csc, } diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go index 69b4f920c..14294eeac 100644 --- a/test/e2e/run_cgroup_parent_test.go +++ b/test/e2e/run_cgroup_parent_test.go @@ -18,7 +18,6 @@ var _ = Describe("Podman run with --cgroup-parent", func() { ) BeforeEach(func() { - Skip(v2fail) SkipIfRootless() tempdir, err = CreateTempDirInTempDir() if err != nil { diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index c84bbe91f..7d4039819 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -29,7 +29,6 @@ var _ = Describe("Podman run", func() { ) BeforeEach(func() { - Skip(v2fail) tempdir, err = CreateTempDirInTempDir() if err != nil { os.Exit(1) @@ -252,14 +251,15 @@ var _ = Describe("Podman run", func() { }) It("podman run --host-env environment test", func() { - os.Setenv("FOO", "BAR") - session := podmanTest.Podman([]string{"run", "--rm", "--env-host", ALPINE, "printenv", "FOO"}) + env := append(os.Environ(), "FOO=BAR") + session := podmanTest.PodmanAsUser([]string{"run", "--rm", "--env-host", ALPINE, "/bin/printenv", "FOO"}, 0, 0, "", env) + session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) match, _ := session.GrepString("BAR") Expect(match).Should(BeTrue()) - session = podmanTest.Podman([]string{"run", "--rm", "--env", "FOO=BAR1", "--env-host", ALPINE, "printenv", "FOO"}) + session = podmanTest.PodmanAsUser([]string{"run", "--rm", "--env", "FOO=BAR1", "--env-host", ALPINE, "/bin/printenv", "FOO"}, 0, 0, "", env) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) match, _ = session.GrepString("BAR1") @@ -708,6 +708,7 @@ USER mail` }) It("podman run --volumes-from flag with built-in volumes", func() { + Skip(v2fail) session := podmanTest.Podman([]string{"create", redis, "sh"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -802,6 +803,7 @@ USER mail` }) It("podman run --pod automatically", func() { + Skip(v2fail) session := podmanTest.Podman([]string{"run", "--pod", "new:foobar", ALPINE, "ls"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index d0f8649c5..446382ac7 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -141,13 +141,18 @@ func DefaultConfig() (*Config, error) { netns = "slirp4netns" } + cgroupNS := "host" + if cgroup2, _ := cgroupv2.Enabled(); cgroup2 { + cgroupNS = "private" + } + return &Config{ Containers: ContainersConfig{ Devices: []string{}, Volumes: []string{}, Annotations: []string{}, ApparmorProfile: DefaultApparmorProfile, - CgroupNS: "private", + CgroupNS: cgroupNS, Cgroups: "enabled", DefaultCapabilities: DefaultCapabilities, DefaultSysctls: []string{}, diff --git a/vendor/modules.txt b/vendor/modules.txt index ba7990fb7..782a905a1 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -82,7 +82,7 @@ github.com/containers/buildah/pkg/secrets github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/pkg/umask github.com/containers/buildah/util -# github.com/containers/common v0.9.4 +# github.com/containers/common v0.9.5 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/auth github.com/containers/common/pkg/capabilities |