-rw-r--r-- | cmd/podman/common/completion.go | 5 | ||||
-rw-r--r-- | cmd/podman/containers/create.go | 13 | ||||
-rw-r--r-- | cmd/podman/containers/run.go | 8 | ||||
-rw-r--r-- | cmd/podman/root.go | 5 | ||||
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 6 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 7 | ||||
-rw-r--r-- | go.mod | 1 | ||||
-rw-r--r-- | libpod/container.go | 19 | ||||
-rw-r--r-- | libpod/container_api.go | 4 | ||||
-rw-r--r-- | libpod/container_exec.go | 2 | ||||
-rw-r--r-- | libpod/container_internal.go | 4 | ||||
-rw-r--r-- | libpod/container_log.go | 4 | ||||
-rw-r--r-- | libpod/define/config.go | 3 | ||||
-rw-r--r-- | libpod/kube.go | 6 | ||||
-rw-r--r-- | libpod/oci_attach_linux.go | 39 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 2 | ||||
-rw-r--r-- | libpod/options.go | 2 | ||||
-rw-r--r-- | libpod/runtime.go | 19 | ||||
-rw-r--r-- | libpod/runtime_ctr.go | 7 | ||||
-rw-r--r-- | pkg/bindings/connection.go | 4 | ||||
-rw-r--r-- | pkg/domain/infra/abi/secrets.go | 2 | ||||
-rw-r--r-- | pkg/machine/ignition.go | 88 | ||||
-rw-r--r-- | pkg/specgen/generate/container.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 2 |
24 files changed, 206 insertions, 48 deletions
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go index 90522438d..ea453a331 100644 --- a/cmd/podman/common/completion.go +++ b/cmd/podman/common/completion.go @@ -771,10 +771,13 @@ func AutocompleteImageVolume(cmd *cobra.Command, args []string, toComplete strin } // AutocompleteLogDriver - Autocomplete log-driver options. -// -> "journald", "none", "k8s-file" +// -> "journald", "none", "k8s-file", "passthrough" func AutocompleteLogDriver(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { // don't show json-file logDrivers := []string{define.JournaldLogging, define.NoLogging, define.KubernetesLogging} + if !registry.IsRemote() { + logDrivers = append(logDrivers, define.PassthroughLogging) + } return logDrivers, cobra.ShellCompDirectiveNoFileComp } diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go index 8b27de53e..2593b4c44 100644 --- a/cmd/podman/containers/create.go +++ b/cmd/podman/containers/create.go @@ -19,6 +19,7 @@ import ( "github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/specgenutil" "github.com/containers/podman/v3/pkg/util" + "github.com/mattn/go-isatty" "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -161,7 +162,9 @@ func create(cmd *cobra.Command, args []string) error { } } - fmt.Println(report.Id) + if cliVals.LogDriver != define.PassthroughLogging { + fmt.Println(report.Id) + } return nil } @@ -188,6 +191,14 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra vals.UserNS = "private" } } + if cliVals.LogDriver == define.PassthroughLogging { + if isatty.IsTerminal(0) || isatty.IsTerminal(1) || isatty.IsTerminal(2) { + return vals, errors.New("the '--log-driver passthrough' option cannot be used on a TTY") + } + if registry.IsRemote() { + return vals, errors.New("the '--log-driver passthrough' option is not supported in remote mode") + } + } if !isInfra { if c.Flag("shm-size").Changed { 
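Review bot: The new passthrough guard in CreateInit tests the package-level `cliVals.LogDriver` instead of the `vals` parameter it was given, so a caller that hands in a different options struct (the `isInfra` path takes one) is validated against whatever the CLI parsed rather than its own log driver; `if vals.LogDriver == define.PassthroughLogging {` ties the check to the value actually being validated. The isatty check also runs only at create time, while the TIOCSTI exposure the man page cites arises at the moment conmon inherits the descriptors; whether a later `podman start` of such a container from a terminal is rejected is not visible here and is worth confirming. CreateInit continues past the end of the hunk.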
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go index d14961829..071708b76 100644 --- a/cmd/podman/containers/run.go +++ b/cmd/podman/containers/run.go @@ -158,8 +158,13 @@ func run(cmd *cobra.Command, args []string) error { runOpts.InputStream = nil } + passthrough := cliVals.LogDriver == define.PassthroughLogging + // If attach is set, clear stdin/stdout/stderr and only attach requested if cmd.Flag("attach").Changed { + if passthrough { + return errors.Wrapf(define.ErrInvalidArg, "cannot specify --attach with --log-driver=passthrough") + } runOpts.OutputStream = nil runOpts.ErrorStream = nil if !cliVals.Interactive { @@ -179,6 +184,7 @@ func run(cmd *cobra.Command, args []string) error { } } } + cliVals.PreserveFDs = runOpts.PreserveFDs s := specgen.NewSpecGenerator(imageName, cliVals.RootFS) if err := specgenutil.FillOutSpecGen(s, &cliVals, args); err != nil { @@ -200,7 +206,7 @@ func run(cmd *cobra.Command, args []string) error { return err } - if runOpts.Detach { + if runOpts.Detach && !passthrough { fmt.Println(report.Id) return nil } diff --git a/cmd/podman/root.go b/cmd/podman/root.go index 58cab0268..eb30f1ef6 100644 --- a/cmd/podman/root.go +++ b/cmd/podman/root.go @@ -92,6 +92,11 @@ func Execute() { if registry.GetExitCode() == 0 { registry.SetExitCode(define.ExecErrorCodeGeneric) } + if registry.IsRemote() { + if strings.Contains(err.Error(), "unable to connect to Podman") { + fmt.Fprintln(os.Stderr, "Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM") + } + } fmt.Fprintln(os.Stderr, formatError(err)) } os.Exit(registry.GetExitCode()) diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index f63f5ca9c..0630c8be9 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md 
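Review bot: `--detach` combined with `--log-driver passthrough` is neither rejected nor handled: with `runOpts.Detach && !passthrough` false, run no longer prints the ID or returns early, so `-d` silently falls through to whatever follows the hunk, presumably the foreground wait path. If detaching makes no sense for passthrough, reject it the same way `--attach` is rejected a few lines above, `if runOpts.Detach && passthrough { return errors.Wrapf(define.ErrInvalidArg, "cannot specify --detach with --log-driver=passthrough") }`; if it is meaningful, a why-comment on the condition should say what the user gets. The new `cliVals.PreserveFDs = runOpts.PreserveFDs` line also deserves a one-line comment on why the value has to be mirrored into the spec options. run's body extends beyond the hunk.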
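Review bot: Execute decides whether to print the connection hint with `strings.Contains(err.Error(), "unable to connect to Podman")`, which couples the CLI to the exact wording pkg/bindings emits in this same commit and will stop matching the moment that message is reworded or wrapped differently. A sentinel exported from pkg/bindings (`var ErrConnect = errors.New("unable to connect to Podman")`), wrapped at both sites in connection.go and tested here with `errors.Is(err, bindings.ErrConnect)`, makes the contract explicit and lint-visible, assuming cmd/podman may import that package. Execute's body continues outside the hunk.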
@@ -513,7 +513,11 @@ Not implemented #### **--log-driver**="*k8s-file*" -Logging driver for the container. Currently available options are *k8s-file*, *journald*, and *none*, with *json-file* aliased to *k8s-file* for scripting compatibility. +Logging driver for the container. Currently available options are *k8s-file*, *journald*, *none* and *passthrough*, with *json-file* aliased to *k8s-file* for scripting compatibility. + +The *passthrough* driver passes down the standard streams (stdin, stdout, stderr) to the +container. It is not allowed with the remote Podman client and on a tty, since it is +vulnerable to attacks via TIOCSTI. #### **--log-opt**=*name*=*value* diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 6d68fd62b..43b6d5cc6 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -538,7 +538,12 @@ Not implemented. #### **--log-driver**="*driver*" -Logging driver for the container. Currently available options are **k8s-file**, **journald**, and **none**, with **json-file** aliased to **k8s-file** for scripting compatibility. +Logging driver for the container. Currently available options are **k8s-file**, **journald**, **none** and **passthrough**, with **json-file** aliased to **k8s-file** for scripting compatibility. + +The **passthrough** driver passes down the standard streams (stdin, stdout, stderr) to the +container. It is not allowed with the remote Podman client and on a tty, since it is +vulnerable to attacks via TIOCSTI. + #### **--log-opt**=*name*=*value* @@ -41,6 +41,7 @@ require ( github.com/hpcloud/tail v1.0.0 github.com/json-iterator/go v1.1.12 github.com/mattn/go-colorable v0.1.8 // indirect + github.com/mattn/go-isatty v0.0.12 github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 github.com/mrunalp/fileutils v0.5.0 github.com/onsi/ginkgo v1.16.4 diff --git a/libpod/container.go b/libpod/container.go index 5c56ff036..4d15c04c5 100644 
--- a/libpod/container.go +++ b/libpod/container.go @@ -774,9 +774,9 @@ func (c *Container) ExecSessions() ([]string, error) { return ids, nil } -// ExecSession retrieves detailed information on a single active exec session in -// a container -func (c *Container) ExecSession(id string) (*ExecSession, error) { +// execSessionNoCopy returns the associated exec session to id. +// Note that the session is not a deep copy. +func (c *Container) execSessionNoCopy(id string) (*ExecSession, error) { if !c.batched { c.lock.Lock() defer c.lock.Unlock() @@ -791,6 +791,17 @@ func (c *Container) ExecSession(id string) (*ExecSession, error) { return nil, errors.Wrapf(define.ErrNoSuchExecSession, "no exec session with ID %s found in container %s", id, c.ID()) } + return session, nil +} + +// ExecSession retrieves detailed information on a single active exec session in +// a container +func (c *Container) ExecSession(id string) (*ExecSession, error) { + session, err := c.execSessionNoCopy(id) + if err != nil { + return nil, err + } + returnSession := new(ExecSession) if err := JSONDeepCopy(session, returnSession); err != nil { return nil, errors.Wrapf(err, "error copying contents of container %s exec session %s", c.ID(), session.ID()) @@ -1095,7 +1106,7 @@ func (c *Container) AutoRemove() bool { if spec.Annotations == nil { return false } - return c.Spec().Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue + return spec.Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue } // Timezone returns the timezone configured inside the container. diff --git a/libpod/container_api.go b/libpod/container_api.go index 2d5b07a35..50be0eea4 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go 
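Review bot: execSessionNoCopy returns a pointer into the container's live exec-session table and, when not batched, releases the lock it took on return, so the caller holds an alias that a concurrent exec-session update or the next `syncContainer` may change or drop underneath it; "not a deep copy" understates that. Suggested doc comment: `// execSessionNoCopy returns the live *ExecSession for id. The pointer aliases container state: treat it as read-only, do not retain it across a lock release or syncContainer(), and use ExecSession() when a stable snapshot is needed.` The lookup between the two hunks is not shown, so the exact lifetime of the returned pointer should be confirmed against it.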
@@ -229,6 +229,10 @@ func (c *Container) Kill(signal uint) error {
 // This function returns when the attach finishes. It does not hold the lock for
 // the duration of its runtime, only using it at the beginning to verify state.
 func (c *Container) Attach(streams *define.AttachStreams, keys string, resize <-chan define.TerminalSize) error {
+ switch c.LogDriver() {
+ case define.PassthroughLogging:
+ return errors.Wrapf(define.ErrNoLogs, "this container is using the 'passthrough' log driver, cannot attach")
+ }
 if !c.batched {
 c.lock.Lock()
 if err := c.syncContainer(); err != nil {
diff --git a/libpod/container_exec.go b/libpod/container_exec.go
index 1cb45a118..f99fb7d3f 100644
--- a/libpod/container_exec.go
+++ b/libpod/container_exec.go
@@ -747,7 +747,7 @@ func (c *Container) Exec(config *ExecConfig, streams *define.AttachStreams, resi
 return -1, err
 }
 
- session, err := c.ExecSession(sessionID)
+ session, err := c.execSessionNoCopy(sessionID)
 if err != nil {
 if errors.Cause(err) == define.ErrNoSuchExecSession {
 // TODO: If a proper Context is ever plumbed in here, we
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index e81f2ec5f..3f9738411 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -2004,7 +2004,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (map[s
 }
 return nil, err
 }
- ociHooks, err := manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0)
+ ociHooks, err := manager.Hooks(config, c.config.Spec.Annotations, len(c.config.UserVolumes) > 0)
 if err != nil {
 return nil, err
 }
@@ -2021,7 +2021,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (map[s
 return nil, err
 }
 
- allHooks, err = manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0)
+ allHooks, err = manager.Hooks(config, c.config.Spec.Annotations, len(c.config.UserVolumes) > 0)
 if err != nil {
 return nil, err
 }
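Review bot: Attach refuses passthrough containers with `define.ErrNoLogs`, an error whose meaning elsewhere in this commit is "this driver keeps no log to read"; any caller that treats ErrNoLogs as a logs-specific condition will misreport an attach refusal, and a one-case `switch` is an `if` in disguise. `if c.LogDriver() == define.PassthroughLogging { return errors.Wrapf(define.ErrInvalidArg, "this container is using the 'passthrough' log driver, cannot attach") }` matches how run.go rejects `--attach` with passthrough in the same change. Attach's body continues after the hunk.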
diff --git a/libpod/container_log.go b/libpod/container_log.go
index a65b2a44f..18840bff2 100644
--- a/libpod/container_log.go
+++ b/libpod/container_log.go
@@ -18,7 +18,7 @@ import (
 var logDrivers []string
 
 func init() {
- logDrivers = append(logDrivers, define.KubernetesLogging, define.NoLogging)
+ logDrivers = append(logDrivers, define.KubernetesLogging, define.NoLogging, define.PassthroughLogging)
 }
 
 // Log is a runtime function that can read one or more container logs.
@@ -34,6 +34,8 @@ func (r *Runtime) Log(ctx context.Context, containers []*Container, options *log
 // ReadLog reads a containers log based on the input options and returns log lines over a channel.
 func (c *Container) ReadLog(ctx context.Context, options *logs.LogOptions, logChannel chan *logs.LogLine) error {
 switch c.LogDriver() {
+ case define.PassthroughLogging:
+ return errors.Wrapf(define.ErrNoLogs, "this container is using the 'passthrough' log driver, cannot read logs")
 case define.NoLogging:
 return errors.Wrapf(define.ErrNoLogs, "this container is using the 'none' log driver, cannot read logs")
 case define.JournaldLogging:
diff --git a/libpod/define/config.go b/libpod/define/config.go
index 6c426f2ec..7a0d39e42 100644
--- a/libpod/define/config.go
+++ b/libpod/define/config.go
@@ -78,6 +78,9 @@ const JSONLogging = "json-file"
 // NoLogging is the string conmon expects when specifying to use no log driver whatsoever
 const NoLogging = "none"
 
+// PassthroughLogging is the string conmon expects when specifying to use the passthrough driver
+const PassthroughLogging = "passthrough"
+
 // Strings used for --sdnotify option to podman
 const (
 SdNotifyModeContainer = "container"
diff --git a/libpod/kube.go b/libpod/kube.go
index d17ca1114..57d99f3ef 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -253,7 +253,9 @@ func (p *Pod) podWithContainers(ctx context.Context, containers []*Container, po // We add the original port declarations from the libpod infra container // to the first kubernetes container description because otherwise we loose // the original container/port bindings. - if first && len(ports) > 0 { + // Add the port configuration to the first regular container or the first + // init container if only init containers have been created in the pod. + if first && len(ports) > 0 && (!isInit || len(containers) == 2) { ctr.Ports = ports first = false } @@ -424,7 +426,7 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, [] // NOTE: a privileged container mounts all of /dev/*. if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 { // TODO Enable when we can support devices and their names - kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices) + kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.config.Spec.Linux.Devices) return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices") } diff --git a/libpod/oci_attach_linux.go b/libpod/oci_attach_linux.go index 9ae46eeda..d4d4a1076 100644 --- a/libpod/oci_attach_linux.go +++ b/libpod/oci_attach_linux.go 
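Review bot: The new guard `(!isInit || len(containers) == 2)` encodes "infra plus exactly one init container" as a bare 2; with only init containers but more than one of them, `!isInit` is false on every iteration and the length test never passes, so the pod's port bindings would be attached to nothing. If the intent is "no regular container exists", compute that once before the loop (`hasRegular := ...` over the containers' init flags) and test `!isInit || !hasRegular` instead of inferring it from the slice length; at minimum give the constant a name that says what 2 means. The loop and the `first`/`isInit` assignments start before this hunk, so whether the slice includes the infra container is not visible here.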
@@ -40,7 +40,9 @@ func openUnixSocket(path string) (*net.UnixConn, error) { // Does not check if state is appropriate // started is only required if startContainer is true func (c *Container) attach(streams *define.AttachStreams, keys string, resize <-chan define.TerminalSize, startContainer bool, started chan bool, attachRdy chan<- bool) error { - if !streams.AttachOutput && !streams.AttachError && !streams.AttachInput { + passthrough := c.LogDriver() == define.PassthroughLogging + + if !streams.AttachOutput && !streams.AttachError && !streams.AttachInput && !passthrough { return errors.Wrapf(define.ErrInvalidArg, "must provide at least one stream to attach to") } if startContainer && started == nil { @@ -52,24 +54,27 @@ func (c *Container) attach(streams *define.AttachStreams, keys string, resize <- return err } - logrus.Debugf("Attaching to container %s", c.ID()) + var conn *net.UnixConn + if !passthrough { + logrus.Debugf("Attaching to container %s", c.ID()) - registerResizeFunc(resize, c.bundlePath()) + registerResizeFunc(resize, c.bundlePath()) - attachSock, err := c.AttachSocketPath() - if err != nil { - return err - } + attachSock, err := c.AttachSocketPath() + if err != nil { + return err + } - conn, err := openUnixSocket(attachSock) - if err != nil { - return errors.Wrapf(err, "failed to connect to container's attach socket: %v", attachSock) - } - defer func() { - if err := conn.Close(); err != nil { - logrus.Errorf("Unable to close socket: %q", err) + conn, err = openUnixSocket(attachSock) + if err != nil { + return errors.Wrapf(err, "failed to connect to container's attach socket: %v", attachSock) } - }() + defer func() { + if err := conn.Close(); err != nil { + logrus.Errorf("unable to close socket: %q", err) + } + }() + } // If starting was requested, start the container and notify when that's // done. 
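Review bot: For passthrough containers attach now skips registerResizeFunc, so any caller that still sends terminal-size events on `resize` blocks on a channel nobody receives unless that sender is stopped elsewhere; either drain `resize` in the passthrough branch or document at the top of attach that resize must be nil for passthrough. A comment on the new `var conn *net.UnixConn` declaration, `// conn stays nil for passthrough: no attach socket is opened because conmon presumably inherits the caller's stdio`, would also make the nil-conn paths below easier to audit. The function continues in the next hunk.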
@@ -80,6 +85,10 @@ func (c *Container) attach(streams *define.AttachStreams, keys string, resize <-
 started <- true
 }
 
+ if passthrough {
+ return nil
+ }
+
 receiveStdoutError, stdinDone := setupStdioChannels(streams, conn, detachKeys)
 if attachRdy != nil {
 attachRdy <- true
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index f82fc4ce6..71a7b29fa 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1288,6 +1288,8 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p
 logDriverArg = define.JournaldLogging
 case define.NoLogging:
 logDriverArg = define.NoLogging
+ case define.PassthroughLogging:
+ logDriverArg = define.PassthroughLogging
 case define.JSONLogging:
 fallthrough
 //lint:ignore ST1015 the default case has to be here
diff --git a/libpod/options.go b/libpod/options.go
index a80f51c6a..553af43fd 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1114,7 +1114,7 @@ func WithLogDriver(driver string) CtrCreateOption {
 switch driver {
 case "":
 return errors.Wrapf(define.ErrInvalidArg, "log driver must be set")
- case define.JournaldLogging, define.KubernetesLogging, define.JSONLogging, define.NoLogging:
+ case define.JournaldLogging, define.KubernetesLogging, define.JSONLogging, define.NoLogging, define.PassthroughLogging:
 break
 default:
 return errors.Wrapf(define.ErrInvalidArg, "invalid log driver")
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 161d5a533..27885bf5c 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
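Review bot: In passthrough mode attach returns before the `attachRdy <- true` send a few lines below, so a caller that passes a non-nil attachRdy and waits on it will hang for passthrough containers; move the `if attachRdy != nil { attachRdy <- true }` block above the new `return nil`, or make the passthrough branch fail loudly when attachRdy is non-nil. Whether any current caller passes attachRdy on this path is not visible from the hunk, so this may be latent rather than live. attach starts before this hunk.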
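Review bot: WithLogDriver now accepts `passthrough` for any libpod consumer, while the only defence against the TIOCSTI exposure the man page warns about (no terminal on fds 0-2, no remote client) lives in cmd/podman's CreateInit; a caller that creates containers through libpod or the service API directly gets no such check. Either enforce the terminal check in libpod where the driver is validated (sharedConmonArgs in this same commit is where the value reaches conmon), or record the division of responsibility here: `// passthrough hands the caller's stdio to the container; rejecting it on a TTY (TIOCSTI) is the caller's job, see cmd/podman/containers/create.go.` WithLogDriver's closure continues past the hunk.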
@@ -706,19 +706,32 @@ func (r *Runtime) TmpDir() (string, error) { return r.config.Engine.TmpDir, nil } -// GetConfig returns a copy of the configuration used by the runtime -func (r *Runtime) GetConfig() (*config.Config, error) { +// GetConfig returns the configuration used by the runtime. +// Note that the returned value is not a copy and must hence +// only be used in a reading fashion. +func (r *Runtime) GetConfigNoCopy() (*config.Config, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, define.ErrRuntimeStopped } + return r.config, nil +} + +// GetConfig returns a copy of the configuration used by the runtime. +// Please use GetConfigNoCopy() in case you only want to read from +// but not write to the returned config. +func (r *Runtime) GetConfig() (*config.Config, error) { + rtConfig, err := r.GetConfigNoCopy() + if err != nil { + return nil, err + } config := new(config.Config) // Copy so the caller won't be able to modify the actual config - if err := JSONDeepCopy(r.config, config); err != nil { + if err := JSONDeepCopy(rtConfig, config); err != nil { return nil, errors.Wrapf(err, "error copying config") } diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 93bfdd54b..00979a500 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -193,10 +193,7 @@ func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConf ctr.config.LogPath = "" } - ctr.config.Spec = new(spec.Spec) - if err := JSONDeepCopy(rSpec, ctr.config.Spec); err != nil { - return nil, errors.Wrapf(err, "error copying runtime spec while creating container") - } + ctr.config.Spec = rSpec ctr.config.CreatedTime = time.Now() ctr.state.BindMounts = make(map[string]string) 
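Review bot: The doc comment on the new GetConfigNoCopy still starts with "GetConfig returns", so godoc and staticcheck (ST1020) flag the name mismatch and readers see two functions described as the same thing; make it `// GetConfigNoCopy returns the runtime's configuration without copying it. The pointer aliases runtime state and the RLock is released on return, so callers must only read from it.` Spelling out that the lock is dropped matters more here than for GetConfig, since read-only use is the only thing keeping the shared pointer safe once the method returns.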
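Review bot: Removing the JSONDeepCopy makes `ctr.config.Spec` alias the `rSpec` the caller passed in, so any later mutation of that spec by the caller, or of the container's spec by libpod (the OCI-hook matching in this same commit now reads `c.config.Spec.Annotations` directly), is visible on both sides where the copy used to be an isolation boundary. If the copy went for performance, state the ownership transfer at the assignment: `// ctr.config.Spec aliases rSpec: initContainerVariables takes ownership and the caller must not modify the spec afterwards.` Whether the pkg/specgen callers reuse the spec after this call is not visible here, so the aliasing may be benign today but is now easy to break. initContainerVariables starts before the hunk.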
@@ -481,7 +478,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai } switch ctr.config.LogDriver { - case define.NoLogging: + case define.NoLogging, define.PassthroughLogging: break case define.JournaldLogging: ctr.initializeJournal(ctx) diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go index 4127ad2f0..e2c46e481 100644 --- a/pkg/bindings/connection.go +++ b/pkg/bindings/connection.go @@ -112,12 +112,12 @@ func NewConnectionWithIdentity(ctx context.Context, uri string, identity string) return nil, errors.Errorf("unable to create connection. %q is not a supported schema", _url.Scheme) } if err != nil { - return nil, errors.Wrapf(err, "failed to create %sClient", _url.Scheme) + return nil, errors.Wrapf(err, "unable to connect to Podman. failed to create %sClient", _url.Scheme) } ctx = context.WithValue(ctx, clientKey, &connection) if err := pingNewConnection(ctx); err != nil { - return nil, errors.Wrap(err, "cannot connect to the Podman socket, please verify the connection to the Linux system, or use `podman machine` to create/start a Linux VM.") + return nil, errors.Wrap(err, "unable to connect to Podman socket") } return ctx, nil } diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go index 2bf8eaae3..34c230e75 100644 --- a/pkg/domain/infra/abi/secrets.go +++ b/pkg/domain/infra/abi/secrets.go @@ -21,7 +21,7 @@ func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader // set defaults from config for the case they are not set by an upper layer // (-> i.e. tests that talk directly to the api) - cfg, err := ic.Libpod.GetConfig() + cfg, err := ic.Libpod.GetConfigNoCopy() if err != nil { return nil, err } diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index 89b556b14..e211f5ea6 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -6,6 +6,7 @@ import ( "encoding/json" "fmt" "io/ioutil" + "net/url" ) /* 
@@ -80,6 +81,7 @@ func NewIgnitionFile(ign DynamicIgnition) error { // so a listening host knows it can being interacting with it ready := `[Unit] Requires=dev-virtio\\x2dports-%s.device +After=remove-moby.service OnFailure=emergency.target OnFailureJobMode=isolate [Service] @@ -89,6 +91,23 @@ ExecStart=/bin/sh -c '/usr/bin/echo Ready >/dev/%s' [Install] RequiredBy=multi-user.target ` + deMoby := `[Unit] +Description=Remove moby-engine +# Run once for the machine +After=systemd-machine-id-commit.service +Before=zincati.service +ConditionPathExists=!/var/lib/%N.stamp + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/rpm-ostree override remove moby-engine +ExecStart=/usr/bin/rpm-ostree ex apply-live --allow-replacement +ExecStartPost=/bin/touch /var/lib/%N.stamp + +[Install] +WantedBy=multi-user.target + ` _ = ready ignSystemd := Systemd{ Units: []Unit{ @@ -101,6 +120,21 @@ RequiredBy=multi-user.target Name: "ready.service", Contents: strToPtr(fmt.Sprintf(ready, "vport1p1", "vport1p1")), }, + { + Enabled: boolToPtr(false), + Name: "docker.service", + Mask: boolToPtr(true), + }, + { + Enabled: boolToPtr(false), + Name: "docker.socket", + Mask: boolToPtr(true), + }, + { + Enabled: boolToPtr(true), + Name: "remove-moby.service", + Contents: &deMoby, + }, }} ignConfig := Config{ Ignition: ignVersion, @@ -161,6 +195,22 @@ func getFiles(usrName string) []File { var ( files []File ) + + lingerExample := `[Unit] +Description=A systemd user unit demo +After=network-online.target +Wants=network-online.target podman.socket +[Service] +ExecStart=/usr/bin/sleep infinity +` + containers := `[containers] +netns="bridge" +rootless_networking="cni" +` + rootContainers := `[engine] +machine_enabled=true +` + // Add a fake systemd service to get the user socket rolling files = append(files, File{ Node: Node{ 
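Review bot: remove-moby.service runs `rpm-ostree ex apply-live --allow-replacement`, an experimental subcommand, as a hard ExecStart: if it fails the unit fails, the stamp in ExecStartPost is never written, and the removal is retried at every boot while ready.service (now `After=remove-moby.service`) is ordered behind it each time. Prefixing that step with `-`, `ExecStart=-/usr/bin/rpm-ostree ex apply-live --allow-replacement`, lets a failed live-apply degrade to "effective after the next reboot" without delaying readiness, and a comment above the unit should state why moby-engine is removed and docker.service/docker.socket are masked (clearing the docker.sock path for the podman compatibility link added later in this file). Whether the live-apply failure mode actually occurs on the images podman machine uses is not visible here.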
@@ -171,7 +221,7 @@ func getFiles(usrName string) []File { FileEmbedded1: FileEmbedded1{ Append: nil, Contents: Resource{ - Source: strToPtr("data:,%5BUnit%5D%0ADescription%3DA%20systemd%20user%20unit%20demo%0AAfter%3Dnetwork-online.target%0AWants%3Dnetwork-online.target%20podman.socket%0A%5BService%5D%0AExecStart%3D%2Fusr%2Fbin%2Fsleep%20infinity%0A"), + Source: encodeDataURLPtr(lingerExample), }, Mode: intToPtr(0744), }, @@ -188,7 +238,7 @@ func getFiles(usrName string) []File { FileEmbedded1: FileEmbedded1{ Append: nil, Contents: Resource{ - Source: strToPtr("data:,%5Bcontainers%5D%0D%0Anetns%3D%22bridge%22%0D%0Arootless_networking%3D%22cni%22"), + Source: encodeDataURLPtr(containers), }, Mode: intToPtr(0744), }, @@ -213,7 +263,7 @@ func getFiles(usrName string) []File { FileEmbedded1: FileEmbedded1{ Append: nil, Contents: Resource{ - Source: strToPtr("data:,%5Bengine%5D%0Amachine_enabled%3Dtrue%0A"), + Source: encodeDataURLPtr(rootContainers), }, Mode: intToPtr(0644), }, @@ -233,7 +283,22 @@ func getFiles(usrName string) []File { FileEmbedded1: FileEmbedded1{ Append: nil, Contents: Resource{ - Source: strToPtr("data:,unqualified-search-registries%3D%5B%22docker.io%22%5D"), + Source: encodeDataURLPtr("unqualified-search-registries=[\"docker.io\"]\n"), + }, + Mode: intToPtr(0644), + }, + }) + + files = append(files, File{ + Node: Node{ + Path: "/etc/tmpfiles.d/podman-docker.conf", + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + // Create a symlink from the docker socket to the podman socket. + // Taken from https://github.com/containers/podman/blob/main/contrib/systemd/system/podman-docker.conf + Contents: Resource{ + Source: encodeDataURLPtr("L+ /run/docker.sock - - - - /run/podman/podman.sock\n"), }, Mode: intToPtr(0644), }, 
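Review bot: The new tmpfiles entry points `/run/docker.sock` at `/run/podman/podman.sock`, which makes the root Podman API reachable under the path Docker-compatible tooling probes by default; that is the shim's purpose, but the security consequence should be written down next to it: `// Anything that can open /run/docker.sock gets the root podman API, i.e. root on the VM; access is governed by the permissions of the target socket, not of the symlink.` Whether that target socket is world-accessible depends on podman.socket's unit file, which is not part of this change, so the comment should say that too. The rest of the hunk only replaces hand-encoded data URLs with encodeDataURLPtr and reads as an improvement.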
@@ -253,5 +318,20 @@ func getLinks(usrName string) []Link { Hard: boolToPtr(false), Target: "/home/" + usrName + "/.config/systemd/user/linger-example.service", }, + }, { + Node: Node{ + Group: getNodeGrp("root"), + Path: "/usr/local/bin/docker", + Overwrite: boolToPtr(true), + User: getNodeUsr("root"), + }, + LinkEmbedded1: LinkEmbedded1{ + Hard: boolToPtr(false), + Target: "/usr/bin/podman", + }, }} } + +func encodeDataURLPtr(contents string) *string { + return strToPtr(fmt.Sprintf("data:,%s", url.PathEscape(contents))) +} diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index ae26807a9..71b882510 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -54,7 +54,7 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat } } - rtc, err := r.GetConfig() + rtc, err := r.GetConfigNoCopy() if err != nil { return nil, err } diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index b6263332e..6100e7a5b 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -23,7 +23,7 @@ import ( // Returns the created, container and any warnings resulting from creating the // container, or an error. func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator) (*spec.Spec, *specgen.SpecGenerator, []libpod.CtrCreateOption, error) { - rtc, err := rt.GetConfig() + rtc, err := rt.GetConfigNoCopy() if err != nil { return nil, nil, nil, err } |
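Review bot: encodeDataURLPtr is new and undocumented even though every embedded file in the ignition config now passes through it; a doc comment should name the encoding it commits to: `// encodeDataURLPtr returns contents as a "data:," URL, percent-encoded with url.PathEscape so Ignition receives the bytes verbatim.` It is also worth a sentence that PathEscape leaves `+`, `=`, `:` and `@` unescaped, which is fine for a data-URL consumer doing plain percent-decoding, but that swapping in QueryEscape would turn spaces into `+` and corrupt the files. The `/usr/local/bin/docker` link with `Overwrite: true` in the same hunk would benefit from a one-line comment saying it is the Docker CLI compatibility shim, since silently replacing a user-installed docker binary is a deliberate choice.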