diff options
Diffstat (limited to 'cmd/kpod/create.go')
| -rw-r--r-- | cmd/kpod/create.go | 81 |
1 files changed, 63 insertions, 18 deletions
diff --git a/cmd/kpod/create.go b/cmd/kpod/create.go index 57dce6fbf..9a4539c14 100644 --- a/cmd/kpod/create.go +++ b/cmd/kpod/create.go @@ -81,20 +81,20 @@ type createConfig struct { groupAdd []uint32 // group-add hostname string //hostname image string - interactive bool //interactive - ip6Address string //ipv6 - ipAddress string //ip - labels map[string]string //label - linkLocalIP []string // link-local-ip - logDriver string // log-driver - logDriverOpt []string // log-opt - macAddress string //mac-address - name string //name - network string //network - networkAlias []string //network-alias - nsIPC string // ipc - nsNET string //net - pidMode container.PidMode //pid + interactive bool //interactive + ipcMode container.IpcMode //ipc + ip6Address string //ipv6 + ipAddress string //ip + labels map[string]string //label + linkLocalIP []string // link-local-ip + logDriver string // log-driver + logDriverOpt []string // log-opt + macAddress string //mac-address + name string //name + netMode container.NetworkMode //net + network string //network + networkAlias []string //network-alias + pidMode container.PidMode //pid nsUser string pod string //pod privileged bool //privileged @@ -102,7 +102,8 @@ type createConfig struct { publishAll bool //publish-all readOnlyRootfs bool //read-only resources createResourceConfig - rm bool //rm + rm bool //rm + shmDir string sigProxy bool //sig-proxy stopSignal string // stop-signal stopTimeout int64 // stop-timeout @@ -112,6 +113,7 @@ type createConfig struct { tty bool //tty user uint32 //user group uint32 // group + utsMode container.UTSMode //uts volumes []string //volume volumesFrom []string //volumes-from workDir string //workdir @@ -201,7 +203,8 @@ func createCmd(c *cli.Context) error { } // Gather up the options for NewContainer which consist of With... funcs options = append(options, libpod.WithRootFSFromImage(imageID, imageName, false)) - options = append(options, libpod.WithSELinuxMountLabel(createConfig.mountLabel)) + options = append(options, libpod.WithSELinuxLabels(createConfig.processLabel, createConfig.mountLabel)) + options = append(options, libpod.WithShmDir(createConfig.shmDir)) ctr, err := runtime.NewContainer(runtimeSpec, options...) if err != nil { return err @@ -230,6 +233,26 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error { err error ) + if config.pidMode.IsHost() { + labelOpts = append(labelOpts, label.DisableSecOpt()...) + } else if config.pidMode.IsContainer() { + ctr, err := config.runtime.LookupContainer(config.pidMode.Container()) + if err != nil { + return errors.Wrapf(err, "container %q not found", config.pidMode.Container()) + } + labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...) + } + + if config.ipcMode.IsHost() { + labelOpts = append(labelOpts, label.DisableSecOpt()...) + } else if config.ipcMode.IsContainer() { + ctr, err := config.runtime.LookupContainer(config.ipcMode.Container()) + if err != nil { + return errors.Wrapf(err, "container %q not found", config.ipcMode.Container()) + } + labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...) + } + for _, opt := range securityOpts { if opt == "no-new-privileges" { config.noNewPrivileges = true @@ -354,6 +377,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er if !c.Bool("detach") && !tty { tty = true } + pidMode := container.PidMode(c.String("pid")) if !pidMode.Valid() { return nil, errors.Errorf("--pid %q is not valid", c.String("pid")) @@ -363,6 +387,25 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er return nil, errors.Errorf("--rm and --detach can not be specified together") } + utsMode := container.UTSMode(c.String("uts")) + if !utsMode.Valid() { + return nil, errors.Errorf("--uts %q is not valid", c.String("uts")) + } + ipcMode := container.IpcMode(c.String("ipc")) + if !ipcMode.Valid() { + return nil, errors.Errorf("--ipc %q is not valid", ipcMode) + } + shmDir := "" + if ipcMode.IsHost() { + shmDir = "/dev/shm" + } else if ipcMode.IsContainer() { + ctr, err := runtime.LookupContainer(ipcMode.Container()) + if err != nil { + return nil, errors.Wrapf(err, "container %q not found", ipcMode.Container()) + } + shmDir = ctr.ShmDir() + } + config := &createConfig{ runtime: runtime, capAdd: c.StringSlice("cap-add"), @@ -390,8 +433,9 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er name: c.String("name"), network: c.String("network"), networkAlias: c.StringSlice("network-alias"), - nsIPC: c.String("ipc"), - nsNET: c.String("net"), + ipcMode: ipcMode, + netMode: container.NetworkMode(c.String("network")), + utsMode: utsMode, pidMode: pidMode, pod: c.String("pod"), privileged: c.Bool("privileged"), @@ -426,6 +470,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er ulimit: c.StringSlice("ulimit"), }, rm: c.Bool("rm"), + shmDir: shmDir, sigProxy: c.Bool("sig-proxy"), stopSignal: c.String("stop-signal"), stopTimeout: c.Int64("stop-timeout"), |