summaryrefslogtreecommitdiff
path: root/cmd/podman/shared
diff options
context:
space:
mode:
Diffstat (limited to 'cmd/podman/shared')
-rw-r--r--cmd/podman/shared/create.go837
-rw-r--r--cmd/podman/shared/create_cli.go394
-rw-r--r--cmd/podman/shared/create_cli_test.go70
-rw-r--r--cmd/podman/shared/parse/parse.go504
-rw-r--r--cmd/podman/shared/pod.go2
5 files changed, 1807 insertions, 0 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
new file mode 100644
index 000000000..bfd05d53e
--- /dev/null
+++ b/cmd/podman/shared/create.go
@@ -0,0 +1,837 @@
+package shared
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "syscall"
+
+ "github.com/containers/image/manifest"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/shared/parse"
+ "github.com/containers/libpod/libpod"
+ "github.com/containers/libpod/libpod/image"
+ ann "github.com/containers/libpod/pkg/annotations"
+ "github.com/containers/libpod/pkg/inspect"
+ ns "github.com/containers/libpod/pkg/namespaces"
+ "github.com/containers/libpod/pkg/rootless"
+ cc "github.com/containers/libpod/pkg/spec"
+ "github.com/containers/libpod/pkg/util"
+ "github.com/docker/docker/pkg/signal"
+ "github.com/docker/go-connections/nat"
+ "github.com/docker/go-units"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/opentracing/opentracing-go"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+// getContext returns a non-nil, empty context
+func getContext() context.Context {
+ return context.TODO()
+}
+
+func CreateContainer(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
+ var (
+ hasHealthCheck bool
+ healthCheck *manifest.Schema2HealthConfig
+ )
+ if c.Bool("trace") {
+ span, _ := opentracing.StartSpanFromContext(ctx, "createContainer")
+ defer span.Finish()
+ }
+
+ rtc := runtime.GetConfig()
+ rootfs := ""
+ if c.Bool("rootfs") {
+ rootfs = c.InputArgs[0]
+ }
+
+ var err error
+ var cidFile *os.File
+ if c.IsSet("cidfile") && os.Geteuid() == 0 {
+ cidFile, err = libpod.OpenExclusiveFile(c.String("cidfile"))
+ if err != nil && os.IsExist(err) {
+ return nil, nil, errors.Errorf("container id file exists. Ensure another container is not using it or delete %s", c.String("cidfile"))
+ }
+ if err != nil {
+ return nil, nil, errors.Errorf("error opening cidfile %s", c.String("cidfile"))
+ }
+ defer cidFile.Close()
+ defer cidFile.Sync()
+ }
+
+ imageName := ""
+ var data *inspect.ImageData = nil
+
+ if rootfs == "" && !rootless.SkipStorageSetup() {
+ var writer io.Writer
+ if !c.Bool("quiet") {
+ writer = os.Stderr
+ }
+
+ newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ data, err = newImage.Inspect(ctx)
+ names := newImage.Names()
+ if len(names) > 0 {
+ imageName = names[0]
+ } else {
+ imageName = newImage.ID()
+ }
+
+ // add healthcheck if it exists AND is correct mediatype
+ _, mediaType, err := newImage.Manifest(ctx)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "unable to determine mediatype of image %s", newImage.ID())
+ }
+ if mediaType == manifest.DockerV2Schema2MediaType {
+ healthCheck, err = newImage.GetHealthCheck(ctx)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "unable to get healthcheck for %s", c.InputArgs[0])
+ }
+ if healthCheck != nil {
+ hasHealthCheck = true
+ }
+ }
+ }
+ createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, data)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ // Because parseCreateOpts does derive anything from the image, we add health check
+ // at this point. The rest is done by WithOptions.
+ createConfig.HasHealthCheck = hasHealthCheck
+ createConfig.HealthCheck = healthCheck
+
+ ctr, err := CreateContainerFromCreateConfig(runtime, createConfig, ctx, nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ if cidFile != nil {
+ _, err = cidFile.WriteString(ctr.ID())
+ if err != nil {
+ logrus.Error(err)
+ }
+
+ }
+
+ logrus.Debugf("New container created %q", ctr.ID())
+ return ctr, createConfig, nil
+}
+
+func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
+ var (
+ labelOpts []string
+ )
+
+ if config.PidMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+ } else if config.PidMode.IsContainer() {
+ ctr, err := config.Runtime.LookupContainer(config.PidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
+ }
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+ if config.IpcMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+ } else if config.IpcMode.IsContainer() {
+ ctr, err := config.Runtime.LookupContainer(config.IpcMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
+ }
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+ for _, opt := range securityOpts {
+ if opt == "no-new-privileges" {
+ config.NoNewPrivs = true
+ } else {
+ con := strings.SplitN(opt, "=", 2)
+ if len(con) != 2 {
+ return fmt.Errorf("Invalid --security-opt 1: %q", opt)
+ }
+
+ switch con[0] {
+ case "label":
+ labelOpts = append(labelOpts, con[1])
+ case "apparmor":
+ config.ApparmorProfile = con[1]
+ case "seccomp":
+ config.SeccompProfilePath = con[1]
+ default:
+ return fmt.Errorf("Invalid --security-opt 2: %q", opt)
+ }
+ }
+ }
+
+ if config.SeccompProfilePath == "" {
+ if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
+ config.SeccompProfilePath = libpod.SeccompOverridePath
+ } else {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
+ }
+ if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
+ if !os.IsNotExist(err) {
+ return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
+ }
+ } else {
+ config.SeccompProfilePath = libpod.SeccompDefaultPath
+ }
+ }
+ }
+ config.LabelOpts = labelOpts
+ return nil
+}
+
+func configureEntrypoint(c *cliconfig.PodmanCommand, data *inspect.ImageData) []string {
+ entrypoint := []string{}
+ if c.IsSet("entrypoint") {
+ // Force entrypoint to ""
+ if c.String("entrypoint") == "" {
+ return entrypoint
+ }
+ // Check if entrypoint specified is json
+ if err := json.Unmarshal([]byte(c.String("entrypoint")), &entrypoint); err == nil {
+ return entrypoint
+ }
+ // Return entrypoint as a single command
+ return []string{c.String("entrypoint")}
+ }
+ if data != nil {
+ return data.Config.Entrypoint
+ }
+ return entrypoint
+}
+
+func configurePod(c *cliconfig.PodmanCommand, runtime *libpod.Runtime, namespaces map[string]string, podName string) (map[string]string, error) {
+ pod, err := runtime.LookupPod(podName)
+ if err != nil {
+ return namespaces, err
+ }
+ podInfraID, err := pod.InfraContainerID()
+ if err != nil {
+ return namespaces, err
+ }
+ if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
+ namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
+ namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
+ namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
+ namespaces["ipc"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ if (namespaces["uts"] == cc.Pod) || (!c.IsSet("uts") && pod.SharesUTS()) {
+ namespaces["uts"] = fmt.Sprintf("container:%s", podInfraID)
+ }
+ return namespaces, nil
+}
+
+// Parses CLI options related to container creation into a config which can be
+// parsed into an OCI runtime spec
+func ParseCreateOpts(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
+ var (
+ inputCommand, command []string
+ memoryLimit, memoryReservation, memorySwap, memoryKernel int64
+ blkioWeight uint16
+ namespaces map[string]string
+ )
+ if c.IsSet("restart") {
+ return nil, errors.Errorf("--restart option is not supported.\nUse systemd unit files for restarting containers")
+ }
+
+ idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
+ if err != nil {
+ return nil, err
+ }
+
+ if c.String("mac-address") != "" {
+ return nil, errors.Errorf("--mac-address option not currently supported")
+ }
+
+ imageID := ""
+
+ inputCommand = c.InputArgs[1:]
+ if data != nil {
+ imageID = data.ID
+ }
+
+ rootfs := ""
+ if c.Bool("rootfs") {
+ rootfs = c.InputArgs[0]
+ }
+
+ sysctl, err := validateSysctl(c.StringSlice("sysctl"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for sysctl")
+ }
+
+ if c.String("memory") != "" {
+ memoryLimit, err = units.RAMInBytes(c.String("memory"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory")
+ }
+ }
+ if c.String("memory-reservation") != "" {
+ memoryReservation, err = units.RAMInBytes(c.String("memory-reservation"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory-reservation")
+ }
+ }
+ if c.String("memory-swap") != "" {
+ memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory-swap")
+ }
+ }
+ if c.String("kernel-memory") != "" {
+ memoryKernel, err = units.RAMInBytes(c.String("kernel-memory"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for kernel-memory")
+ }
+ }
+ if c.String("blkio-weight") != "" {
+ u, err := strconv.ParseUint(c.String("blkio-weight"), 10, 16)
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for blkio-weight")
+ }
+ blkioWeight = uint16(u)
+ }
+ var mountList []spec.Mount
+ if mountList, err = parseMounts(c.StringArray("mount")); err != nil {
+ return nil, err
+ }
+
+ if err = parseVolumes(c.StringArray("volume")); err != nil {
+ return nil, err
+ }
+
+ if err = parseVolumesFrom(c.StringSlice("volumes-from")); err != nil {
+ return nil, err
+ }
+
+ tty := c.Bool("tty")
+
+ if c.Flag("cpu-period").Changed && c.Flag("cpus").Changed {
+ return nil, errors.Errorf("--cpu-period and --cpus cannot be set together")
+ }
+ if c.Flag("cpu-quota").Changed && c.Flag("cpus").Changed {
+ return nil, errors.Errorf("--cpu-quota and --cpus cannot be set together")
+ }
+
+ // EXPOSED PORTS
+ var portBindings map[nat.Port][]nat.PortBinding
+ if data != nil {
+ portBindings, err = cc.ExposedPorts(c.StringSlice("expose"), c.StringSlice("publish"), c.Bool("publish-all"), data.Config.ExposedPorts)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ // Kernel Namespaces
+ // TODO Fix handling of namespace from pod
+ // Instead of integrating here, should be done in libpod
+ // However, that also involves setting up security opts
+ // when the pod's namespace is integrated
+ namespaceNet := c.String("network")
+ if c.Flag("net").Changed {
+ namespaceNet = c.String("net")
+ }
+ namespaces = map[string]string{
+ "pid": c.String("pid"),
+ "net": namespaceNet,
+ "ipc": c.String("ipc"),
+ "user": c.String("userns"),
+ "uts": c.String("uts"),
+ }
+
+ originalPodName := c.String("pod")
+ podName := strings.Replace(originalPodName, "new:", "", 1)
+ // after we strip out :new, make sure there is something left for a pod name
+ if len(podName) < 1 && c.IsSet("pod") {
+ return nil, errors.Errorf("new pod name must be at least one character")
+ }
+ if c.IsSet("pod") {
+ if strings.HasPrefix(originalPodName, "new:") {
+ if rootless.IsRootless() {
+ // To create a new pod, we must immediately create the userns.
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ return nil, err
+ }
+ if became {
+ os.Exit(ret)
+ }
+ }
+ // pod does not exist; lets make it
+ var podOptions []libpod.PodCreateOption
+ podOptions = append(podOptions, libpod.WithPodName(podName), libpod.WithInfraContainer(), libpod.WithPodCgroups())
+ if len(portBindings) > 0 {
+ ociPortBindings, err := cc.NatToOCIPortBindings(portBindings)
+ if err != nil {
+ return nil, err
+ }
+ podOptions = append(podOptions, libpod.WithInfraContainerPorts(ociPortBindings))
+ }
+
+ podNsOptions, err := GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
+ if err != nil {
+ return nil, err
+ }
+ podOptions = append(podOptions, podNsOptions...)
+ // make pod
+ pod, err := runtime.NewPod(ctx, podOptions...)
+ if err != nil {
+ return nil, err
+ }
+ logrus.Debugf("pod %s created by new container request", pod.ID())
+
+ // The container now cannot have port bindings; so we reset the map
+ portBindings = make(map[nat.Port][]nat.PortBinding)
+ }
+ namespaces, err = configurePod(c, runtime, namespaces, podName)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ pidMode := ns.PidMode(namespaces["pid"])
+ if !cc.Valid(string(pidMode), pidMode) {
+ return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
+ }
+
+ usernsMode := ns.UsernsMode(namespaces["user"])
+ if !cc.Valid(string(usernsMode), usernsMode) {
+ return nil, errors.Errorf("--userns %q is not valid", namespaces["user"])
+ }
+
+ utsMode := ns.UTSMode(namespaces["uts"])
+ if !cc.Valid(string(utsMode), utsMode) {
+ return nil, errors.Errorf("--uts %q is not valid", namespaces["uts"])
+ }
+
+ ipcMode := ns.IpcMode(namespaces["ipc"])
+ if !cc.Valid(string(ipcMode), ipcMode) {
+ return nil, errors.Errorf("--ipc %q is not valid", ipcMode)
+ }
+
+ // Make sure if network is set to container namespace, port binding is not also being asked for
+ netMode := ns.NetworkMode(namespaces["net"])
+ if netMode.IsContainer() {
+ if len(portBindings) > 0 {
+ return nil, errors.Errorf("cannot set port bindings on an existing container network namespace")
+ }
+ }
+
+ // USER
+ user := c.String("user")
+ if user == "" {
+ if data == nil {
+ user = "0"
+ } else {
+ user = data.Config.User
+ }
+ }
+
+ // STOP SIGNAL
+ stopSignal := syscall.SIGTERM
+ signalString := ""
+ if data != nil {
+ signalString = data.Config.StopSignal
+ }
+ if c.IsSet("stop-signal") {
+ signalString = c.String("stop-signal")
+ }
+ if signalString != "" {
+ stopSignal, err = signal.ParseSignal(signalString)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ // ENVIRONMENT VARIABLES
+ env := defaultEnvVariables
+ if data != nil {
+ for _, e := range data.Config.Env {
+ split := strings.SplitN(e, "=", 2)
+ if len(split) > 1 {
+ env[split[0]] = split[1]
+ } else {
+ env[split[0]] = ""
+ }
+ }
+ }
+ if err := parse.ReadKVStrings(env, c.StringSlice("env-file"), c.StringSlice("env")); err != nil {
+ return nil, errors.Wrapf(err, "unable to process environment variables")
+ }
+
+ // LABEL VARIABLES
+ labels, err := GetAllLabels(c.StringSlice("label-file"), c.StringArray("label"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to process labels")
+ }
+ if data != nil {
+ for key, val := range data.Config.Labels {
+ if _, ok := labels[key]; !ok {
+ labels[key] = val
+ }
+ }
+ }
+
+ // ANNOTATIONS
+ annotations := make(map[string]string)
+ // First, add our default annotations
+ annotations[ann.ContainerType] = "sandbox"
+ annotations[ann.TTY] = "false"
+ if tty {
+ annotations[ann.TTY] = "true"
+ }
+ if data != nil {
+ // Next, add annotations from the image
+ for key, value := range data.Annotations {
+ annotations[key] = value
+ }
+ }
+ // Last, add user annotations
+ for _, annotation := range c.StringSlice("annotation") {
+ splitAnnotation := strings.SplitN(annotation, "=", 2)
+ if len(splitAnnotation) < 2 {
+ return nil, errors.Errorf("Annotations must be formatted KEY=VALUE")
+ }
+ annotations[splitAnnotation[0]] = splitAnnotation[1]
+ }
+
+ // WORKING DIRECTORY
+ workDir := "/"
+ if c.IsSet("workdir") || c.IsSet("w") {
+ workDir = c.String("workdir")
+ } else if data != nil && data.Config.WorkingDir != "" {
+ workDir = data.Config.WorkingDir
+ }
+
+ entrypoint := configureEntrypoint(c, data)
+ // Build the command
+ // If we have an entry point, it goes first
+ if len(entrypoint) > 0 {
+ command = entrypoint
+ }
+ if len(inputCommand) > 0 {
+ // User command overrides data CMD
+ command = append(command, inputCommand...)
+ } else if data != nil && len(data.Config.Cmd) > 0 && !c.IsSet("entrypoint") {
+ // If not user command, add CMD
+ command = append(command, data.Config.Cmd...)
+ }
+
+ if data != nil && len(command) == 0 {
+ return nil, errors.Errorf("No command specified on command line or as CMD or ENTRYPOINT in this image")
+ }
+
+ // SHM Size
+ shmSize, err := units.FromHumanSize(c.String("shm-size"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to translate --shm-size")
+ }
+
+ // Verify the additional hosts are in correct format
+ for _, host := range c.StringSlice("add-host") {
+ if _, err := parse.ValidateExtraHost(host); err != nil {
+ return nil, err
+ }
+ }
+
+ // Check for . and dns-search domains
+ if util.StringInSlice(".", c.StringSlice("dns-search")) && len(c.StringSlice("dns-search")) > 1 {
+ return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
+ }
+
+ // Validate domains are good
+ for _, dom := range c.StringSlice("dns-search") {
+ if _, err := parse.ValidateDomain(dom); err != nil {
+ return nil, err
+ }
+ }
+
+ var ImageVolumes map[string]struct{}
+ if data != nil && c.String("image-volume") != "ignore" {
+ ImageVolumes = data.Config.Volumes
+ }
+
+ var imageVolType = map[string]string{
+ "bind": "",
+ "tmpfs": "",
+ "ignore": "",
+ }
+ if _, ok := imageVolType[c.String("image-volume")]; !ok {
+ return nil, errors.Errorf("invalid image-volume type %q. Pick one of bind, tmpfs, or ignore", c.String("image-volume"))
+ }
+
+ var systemd bool
+ if command != nil && c.Bool("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
+ systemd = true
+ if signalString == "" {
+ stopSignal, err = signal.ParseSignal("RTMIN+3")
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing systemd signal")
+ }
+ }
+ }
+ // This is done because cobra cannot have two aliased flags. So we have to check
+ // both
+ network := c.String("network")
+ if c.Flag("net").Changed {
+ network = c.String("net")
+ }
+
+ var memorySwappiness int64
+ if c.Flags().Lookup("memory-swappiness") != nil {
+ memorySwappiness, _ = c.Flags().GetInt64("memory-swappiness")
+ }
+ config := &cc.CreateConfig{
+ Runtime: runtime,
+ Annotations: annotations,
+ BuiltinImgVolumes: ImageVolumes,
+ ConmonPidFile: c.String("conmon-pidfile"),
+ ImageVolumeType: c.String("image-volume"),
+ CapAdd: c.StringSlice("cap-add"),
+ CapDrop: c.StringSlice("cap-drop"),
+ CgroupParent: c.String("cgroup-parent"),
+ Command: command,
+ Detach: c.Bool("detach"),
+ Devices: c.StringSlice("device"),
+ DNSOpt: c.StringSlice("dns-opt"),
+ DNSSearch: c.StringSlice("dns-search"),
+ DNSServers: c.StringSlice("dns"),
+ Entrypoint: entrypoint,
+ Env: env,
+ //ExposedPorts: ports,
+ GroupAdd: c.StringSlice("group-add"),
+ Hostname: c.String("hostname"),
+ HostAdd: c.StringSlice("add-host"),
+ IDMappings: idmappings,
+ Image: imageName,
+ ImageID: imageID,
+ Interactive: c.Bool("interactive"),
+ //IP6Address: c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
+ IPAddress: c.String("ip"),
+ Labels: labels,
+ //LinkLocalIP: c.StringSlice("link-local-ip"), // Not implemented yet
+ LogDriver: c.String("log-driver"),
+ LogDriverOpt: c.StringSlice("log-opt"),
+ MacAddress: c.String("mac-address"),
+ Name: c.String("name"),
+ Network: network,
+ //NetworkAlias: c.StringSlice("network-alias"), // Not implemented - does this make sense in Podman?
+ IpcMode: ipcMode,
+ NetMode: netMode,
+ UtsMode: utsMode,
+ PidMode: pidMode,
+ Pod: podName,
+ Privileged: c.Bool("privileged"),
+ Publish: c.StringSlice("publish"),
+ PublishAll: c.Bool("publish-all"),
+ PortBindings: portBindings,
+ Quiet: c.Bool("quiet"),
+ ReadOnlyRootfs: c.Bool("read-only"),
+ Resources: cc.CreateResourceConfig{
+ BlkioWeight: blkioWeight,
+ BlkioWeightDevice: c.StringSlice("blkio-weight-device"),
+ CPUShares: c.Uint64("cpu-shares"),
+ CPUPeriod: c.Uint64("cpu-period"),
+ CPUsetCPUs: c.String("cpuset-cpus"),
+ CPUsetMems: c.String("cpuset-mems"),
+ CPUQuota: c.Int64("cpu-quota"),
+ CPURtPeriod: c.Uint64("cpu-rt-period"),
+ CPURtRuntime: c.Int64("cpu-rt-runtime"),
+ CPUs: c.Float64("cpus"),
+ DeviceReadBps: c.StringSlice("device-read-bps"),
+ DeviceReadIOps: c.StringSlice("device-read-iops"),
+ DeviceWriteBps: c.StringSlice("device-write-bps"),
+ DeviceWriteIOps: c.StringSlice("device-write-iops"),
+ DisableOomKiller: c.Bool("oom-kill-disable"),
+ ShmSize: shmSize,
+ Memory: memoryLimit,
+ MemoryReservation: memoryReservation,
+ MemorySwap: memorySwap,
+ MemorySwappiness: int(memorySwappiness),
+ KernelMemory: memoryKernel,
+ OomScoreAdj: c.Int("oom-score-adj"),
+ PidsLimit: c.Int64("pids-limit"),
+ Ulimit: c.StringSlice("ulimit"),
+ },
+ Rm: c.Bool("rm"),
+ StopSignal: stopSignal,
+ StopTimeout: c.Uint("stop-timeout"),
+ Sysctl: sysctl,
+ Systemd: systemd,
+ Tmpfs: c.StringSlice("tmpfs"),
+ Tty: tty,
+ User: user,
+ UsernsMode: usernsMode,
+ Mounts: mountList,
+ Volumes: c.StringArray("volume"),
+ WorkDir: workDir,
+ Rootfs: rootfs,
+ VolumesFrom: c.StringSlice("volumes-from"),
+ Syslog: c.GlobalFlags.Syslog,
+ }
+ if c.Bool("init") {
+ initPath := c.String("init-path")
+ if initPath == "" {
+ initPath = runtime.GetConfig().InitPath
+ }
+ if err := config.AddContainerInitBinary(initPath); err != nil {
+ return nil, err
+ }
+ }
+
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+ } else {
+ if err := parseSecurityOpt(config, c.StringArray("security-opt")); err != nil {
+ return nil, err
+ }
+ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
+ return nil, err
+ }
+ for _, warning := range warnings {
+ fmt.Fprintln(os.Stderr, warning)
+ }
+ return config, nil
+}
+
+type namespace interface {
+ IsContainer() bool
+ Container() string
+}
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+ if os.Geteuid() == 0 {
+ return false, 0, nil
+ }
+
+ if createConfig.Pod != "" {
+ pod, err := runtime.LookupPod(createConfig.Pod)
+ if err != nil {
+ return false, -1, err
+ }
+ inspect, err := pod.Inspect()
+ for _, ctr := range inspect.Containers {
+ prevCtr, err := runtime.LookupContainer(ctr.ID)
+ if err != nil {
+ return false, -1, err
+ }
+ s, err := prevCtr.State()
+ if err != nil {
+ return false, -1, err
+ }
+ if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+ continue
+ }
+ data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+ }
+ }
+
+ namespacesStr := []string{string(createConfig.IpcMode), string(createConfig.NetMode), string(createConfig.UsernsMode), string(createConfig.PidMode), string(createConfig.UtsMode)}
+ for _, i := range namespacesStr {
+ if cc.IsNS(i) {
+ return rootless.JoinNSPath(cc.NS(i))
+ }
+ }
+
+ namespaces := []namespace{createConfig.IpcMode, createConfig.NetMode, createConfig.UsernsMode, createConfig.PidMode, createConfig.UtsMode}
+ for _, i := range namespaces {
+ if i.IsContainer() {
+ ctr, err := runtime.LookupContainer(i.Container())
+ if err != nil {
+ return false, -1, err
+ }
+ pid, err := ctr.PID()
+ if err != nil {
+ return false, -1, err
+ }
+ if pid == 0 {
+ if createConfig.Pod != "" {
+ continue
+ }
+ return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID())
+ }
+ return rootless.JoinNS(uint(pid), 0)
+ }
+ }
+ return rootless.BecomeRootInUserNS()
+}
+
+func CreateContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateConfig, ctx context.Context, pod *libpod.Pod) (*libpod.Container, error) {
+ runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
+ if err != nil {
+ return nil, err
+ }
+
+ options, err := createConfig.GetContainerCreateOptions(r, pod)
+ if err != nil {
+ return nil, err
+ }
+ became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, r)
+ if err != nil {
+ return nil, err
+ }
+ if became {
+ os.Exit(ret)
+ }
+
+ ctr, err := r.NewContainer(ctx, runtimeSpec, options...)
+ if err != nil {
+ return nil, err
+ }
+
+ createConfigJSON, err := json.Marshal(createConfig)
+ if err != nil {
+ return nil, err
+ }
+ if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
+ return nil, err
+ }
+ return ctr, nil
+}
+
+var defaultEnvVariables = map[string]string{
+ "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM": "xterm",
+}
diff --git a/cmd/podman/shared/create_cli.go b/cmd/podman/shared/create_cli.go
new file mode 100644
index 000000000..4f9cb1699
--- /dev/null
+++ b/cmd/podman/shared/create_cli.go
@@ -0,0 +1,394 @@
+package shared
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/containers/libpod/cmd/podman/shared/parse"
+ cc "github.com/containers/libpod/pkg/spec"
+ "github.com/containers/libpod/pkg/sysinfo"
+ "github.com/docker/go-units"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+const (
+ // It's not kernel limit, we want this 4M limit to supply a reasonable functional container
+ linuxMinMemory = 4194304
+)
+
+// GetAllLabels ...
+func GetAllLabels(labelFile, inputLabels []string) (map[string]string, error) {
+ labels := make(map[string]string)
+ labelErr := parse.ReadKVStrings(labels, labelFile, inputLabels)
+ if labelErr != nil {
+ return labels, errors.Wrapf(labelErr, "unable to process labels from --label and label-file")
+ }
+ return labels, nil
+}
+
+// validateSysctl validates a sysctl and returns it.
+func validateSysctl(strSlice []string) (map[string]string, error) {
+ sysctl := make(map[string]string)
+ validSysctlMap := map[string]bool{
+ "kernel.msgmax": true,
+ "kernel.msgmnb": true,
+ "kernel.msgmni": true,
+ "kernel.sem": true,
+ "kernel.shmall": true,
+ "kernel.shmmax": true,
+ "kernel.shmmni": true,
+ "kernel.shm_rmid_forced": true,
+ }
+ validSysctlPrefixes := []string{
+ "net.",
+ "fs.mqueue.",
+ }
+
+ for _, val := range strSlice {
+ foundMatch := false
+ arr := strings.Split(val, "=")
+ if len(arr) < 2 {
+ return nil, errors.Errorf("%s is invalid, sysctl values must be in the form of KEY=VALUE", val)
+ }
+ if validSysctlMap[arr[0]] {
+ sysctl[arr[0]] = arr[1]
+ continue
+ }
+
+ for _, prefix := range validSysctlPrefixes {
+ if strings.HasPrefix(arr[0], prefix) {
+ sysctl[arr[0]] = arr[1]
+ foundMatch = true
+ break
+ }
+ }
+ if !foundMatch {
+ return nil, errors.Errorf("sysctl '%s' is not whitelisted", arr[0])
+ }
+ }
+ return sysctl, nil
+}
+
+func addWarning(warnings []string, msg string) []string {
+ logrus.Warn(msg)
+ return append(warnings, msg)
+}
+
+// Format supported.
+// podman run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ...
+// podman run --mount type=tmpfs,target=/dev/shm ..
+func parseMounts(mounts []string) ([]spec.Mount, error) {
+ // TODO(vrothberg): the manual parsing can be replaced with a regular expression
+ // to allow a more robust parsing of the mount format and to give
+ // precise errors regarding supported format versus suppored options.
+ var mountList []spec.Mount
+ errInvalidSyntax := errors.Errorf("incorrect mount format: should be --mount type=<bind|tmpfs>,[src=<host-dir>,]target=<ctr-dir>[,options]")
+ for _, mount := range mounts {
+ var tokenCount int
+ var mountInfo spec.Mount
+
+ arr := strings.SplitN(mount, ",", 2)
+ if len(arr) < 2 {
+ return nil, errors.Wrapf(errInvalidSyntax, "%q", mount)
+ }
+ kv := strings.Split(arr[0], "=")
+ if kv[0] != "type" {
+ return nil, errors.Wrapf(errInvalidSyntax, "%q", mount)
+ }
+ switch kv[1] {
+ case "bind":
+ mountInfo.Type = string(cc.TypeBind)
+ case "tmpfs":
+ mountInfo.Type = string(cc.TypeTmpfs)
+ mountInfo.Source = string(cc.TypeTmpfs)
+ mountInfo.Options = append(mountInfo.Options, []string{"rprivate", "noexec", "nosuid", "nodev", "size=65536k"}...)
+
+ default:
+ return nil, errors.Errorf("invalid filesystem type %q", kv[1])
+ }
+
+ tokens := strings.Split(arr[1], ",")
+ for i, val := range tokens {
+ if i == (tokenCount - 1) {
+ //Parse tokens before options.
+ break
+ }
+ kv := strings.Split(val, "=")
+ switch kv[0] {
+ case "ro", "nosuid", "nodev", "noexec":
+ mountInfo.Options = append(mountInfo.Options, kv[0])
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z":
+ if mountInfo.Type != "bind" {
+ return nil, errors.Errorf("%s can only be used with bind mounts", kv[0])
+ }
+ mountInfo.Options = append(mountInfo.Options, kv[0])
+ case "tmpfs-mode":
+ if mountInfo.Type != "tmpfs" {
+ return nil, errors.Errorf("%s can only be used with tmpfs mounts", kv[0])
+ }
+ mountInfo.Options = append(mountInfo.Options, fmt.Sprintf("mode=%s", kv[1]))
+ case "tmpfs-size":
+ if mountInfo.Type != "tmpfs" {
+ return nil, errors.Errorf("%s can only be used with tmpfs mounts", kv[0])
+ }
+ shmSize, err := units.FromHumanSize(kv[1])
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to translate tmpfs-size")
+ }
+
+ mountInfo.Options = append(mountInfo.Options, fmt.Sprintf("size=%d", shmSize))
+
+ case "bind-propagation":
+ if mountInfo.Type != "bind" {
+ return nil, errors.Errorf("%s can only be used with bind mounts", kv[0])
+ }
+ mountInfo.Options = append(mountInfo.Options, kv[1])
+ case "src", "source":
+ if mountInfo.Type == "tmpfs" {
+ return nil, errors.Errorf("cannot use src= on a tmpfs file system")
+ }
+ if err := ValidateVolumeHostDir(kv[1]); err != nil {
+ return nil, err
+ }
+ mountInfo.Source = kv[1]
+ case "target", "dst", "destination":
+ if err := ValidateVolumeCtrDir(kv[1]); err != nil {
+ return nil, err
+ }
+ mountInfo.Destination = kv[1]
+ default:
+ return nil, errors.Errorf("incorrect mount option : %s", kv[0])
+ }
+ }
+ mountList = append(mountList, mountInfo)
+ }
+ return mountList, nil
+}
+
+func parseVolumes(volumes []string) error {
+ for _, volume := range volumes {
+ arr := strings.SplitN(volume, ":", 3)
+ if len(arr) < 2 {
+ return errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume)
+ }
+ if err := ValidateVolumeHostDir(arr[0]); err != nil {
+ return err
+ }
+ if err := ValidateVolumeCtrDir(arr[1]); err != nil {
+ return err
+ }
+ if len(arr) > 2 {
+ if err := validateVolumeOpts(arr[2]); err != nil {
+ return err
+ }
+ }
+ }
+ return nil
+}
+
+func parseVolumesFrom(volumesFrom []string) error {
+ for _, vol := range volumesFrom {
+ arr := strings.SplitN(vol, ":", 2)
+ if len(arr) == 2 {
+ if strings.Contains(arr[1], "Z") || strings.Contains(arr[1], "private") || strings.Contains(arr[1], "slave") || strings.Contains(arr[1], "shared") {
+ return errors.Errorf("invalid options %q, can only specify 'ro', 'rw', and 'z", arr[1])
+ }
+ if err := validateVolumeOpts(arr[1]); err != nil {
+ return err
+ }
+ }
+ }
+ return nil
+}
+
+// ValidateVolumeHostDir ...
+func ValidateVolumeHostDir(hostDir string) error {
+ if len(hostDir) == 0 {
+ return errors.Errorf("host directory cannot be empty")
+ }
+ if filepath.IsAbs(hostDir) {
+ if _, err := os.Stat(hostDir); err != nil {
+ return errors.Wrapf(err, "error checking path %q", hostDir)
+ }
+ }
+ // If hostDir is not an absolute path, that means the user wants to create a
+ // named volume. This will be done later on in the code.
+ return nil
+}
+
+// ValidateVolumeCtrDir ...
+func ValidateVolumeCtrDir(ctrDir string) error {
+ if len(ctrDir) == 0 {
+ return errors.Errorf("container directory cannot be empty")
+ }
+ if !filepath.IsAbs(ctrDir) {
+ return errors.Errorf("invalid container path, must be an absolute path %q", ctrDir)
+ }
+ return nil
+}
+
+func validateVolumeOpts(option string) error {
+ var foundRootPropagation, foundRWRO, foundLabelChange int
+ options := strings.Split(option, ",")
+ for _, opt := range options {
+ switch opt {
+ case "rw", "ro":
+ foundRWRO++
+ if foundRWRO > 1 {
+ return errors.Errorf("invalid options %q, can only specify 1 'rw' or 'ro' option", option)
+ }
+ case "z", "Z":
+ foundLabelChange++
+ if foundLabelChange > 1 {
+ return errors.Errorf("invalid options %q, can only specify 1 'z' or 'Z' option", option)
+ }
+ case "private", "rprivate", "shared", "rshared", "slave", "rslave":
+ foundRootPropagation++
+ if foundRootPropagation > 1 {
+ return errors.Errorf("invalid options %q, can only specify 1 '[r]shared', '[r]private' or '[r]slave' option", option)
+ }
+ default:
+ return errors.Errorf("invalid option type %q", option)
+ }
+ }
+ return nil
+}
+
+func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) {
+ warnings := []string{}
+ sysInfo := sysinfo.New(true)
+
+ // memory subsystem checks and adjustments
+ if config.Resources.Memory != 0 && config.Resources.Memory < linuxMinMemory {
+ return warnings, fmt.Errorf("minimum memory limit allowed is 4MB")
+ }
+ if config.Resources.Memory > 0 && !sysInfo.MemoryLimit {
+ warnings = addWarning(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+ config.Resources.Memory = 0
+ config.Resources.MemorySwap = -1
+ }
+ if config.Resources.Memory > 0 && config.Resources.MemorySwap != -1 && !sysInfo.SwapLimit {
+ warnings = addWarning(warnings, "Your kernel does not support swap limit capabilities,or the cgroup is not mounted. Memory limited without swap.")
+ config.Resources.MemorySwap = -1
+ }
+ if config.Resources.Memory > 0 && config.Resources.MemorySwap > 0 && config.Resources.MemorySwap < config.Resources.Memory {
+ return warnings, fmt.Errorf("minimum memoryswap limit should be larger than memory limit, see usage")
+ }
+ if config.Resources.Memory == 0 && config.Resources.MemorySwap > 0 && !update {
+ return warnings, fmt.Errorf("you should always set the memory limit when using memoryswap limit, see usage")
+ }
+ if config.Resources.MemorySwappiness != -1 {
+ if !sysInfo.MemorySwappiness {
+ msg := "Your kernel does not support memory swappiness capabilities, or the cgroup is not mounted. Memory swappiness discarded."
+ warnings = addWarning(warnings, msg)
+ config.Resources.MemorySwappiness = -1
+ } else {
+ swappiness := config.Resources.MemorySwappiness
+ if swappiness < -1 || swappiness > 100 {
+ return warnings, fmt.Errorf("invalid value: %v, valid memory swappiness range is 0-100", swappiness)
+ }
+ }
+ }
+ if config.Resources.MemoryReservation > 0 && !sysInfo.MemoryReservation {
+ warnings = addWarning(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
+ config.Resources.MemoryReservation = 0
+ }
+ if config.Resources.MemoryReservation > 0 && config.Resources.MemoryReservation < linuxMinMemory {
+ return warnings, fmt.Errorf("minimum memory reservation allowed is 4MB")
+ }
+ if config.Resources.Memory > 0 && config.Resources.MemoryReservation > 0 && config.Resources.Memory < config.Resources.MemoryReservation {
+ return warnings, fmt.Errorf("minimum memory limit cannot be less than memory reservation limit, see usage")
+ }
+ if config.Resources.KernelMemory > 0 && !sysInfo.KernelMemory {
+ warnings = addWarning(warnings, "Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+ config.Resources.KernelMemory = 0
+ }
+ if config.Resources.KernelMemory > 0 && config.Resources.KernelMemory < linuxMinMemory {
+ return warnings, fmt.Errorf("minimum kernel memory limit allowed is 4MB")
+ }
+ if config.Resources.DisableOomKiller == true && !sysInfo.OomKillDisable {
+ // only produce warnings if the setting wasn't to *disable* the OOM Kill; no point
+ // warning the caller if they already wanted the feature to be off
+ warnings = addWarning(warnings, "Your kernel does not support OomKillDisable. OomKillDisable discarded.")
+ config.Resources.DisableOomKiller = false
+ }
+
+ if config.Resources.PidsLimit != 0 && !sysInfo.PidsLimit {
+ warnings = addWarning(warnings, "Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
+ config.Resources.PidsLimit = 0
+ }
+
+ if config.Resources.CPUShares > 0 && !sysInfo.CPUShares {
+ warnings = addWarning(warnings, "Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
+ config.Resources.CPUShares = 0
+ }
+ if config.Resources.CPUPeriod > 0 && !sysInfo.CPUCfsPeriod {
+ warnings = addWarning(warnings, "Your kernel does not support CPU cfs period or the cgroup is not mounted. Period discarded.")
+ config.Resources.CPUPeriod = 0
+ }
+ if config.Resources.CPUPeriod != 0 && (config.Resources.CPUPeriod < 1000 || config.Resources.CPUPeriod > 1000000) {
+ return warnings, fmt.Errorf("CPU cfs period cannot be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)")
+ }
+ if config.Resources.CPUQuota > 0 && !sysInfo.CPUCfsQuota {
+ warnings = addWarning(warnings, "Your kernel does not support CPU cfs quota or the cgroup is not mounted. Quota discarded.")
+ config.Resources.CPUQuota = 0
+ }
+ if config.Resources.CPUQuota > 0 && config.Resources.CPUQuota < 1000 {
+ return warnings, fmt.Errorf("CPU cfs quota cannot be less than 1ms (i.e. 1000)")
+ }
+ // cpuset subsystem checks and adjustments
+ if (config.Resources.CPUsetCPUs != "" || config.Resources.CPUsetMems != "") && !sysInfo.Cpuset {
+ warnings = addWarning(warnings, "Your kernel does not support cpuset or the cgroup is not mounted. CPUset discarded.")
+ config.Resources.CPUsetCPUs = ""
+ config.Resources.CPUsetMems = ""
+ }
+ cpusAvailable, err := sysInfo.IsCpusetCpusAvailable(config.Resources.CPUsetCPUs)
+ if err != nil {
+ return warnings, fmt.Errorf("invalid value %s for cpuset cpus", config.Resources.CPUsetCPUs)
+ }
+ if !cpusAvailable {
+ return warnings, fmt.Errorf("requested CPUs are not available - requested %s, available: %s", config.Resources.CPUsetCPUs, sysInfo.Cpus)
+ }
+ memsAvailable, err := sysInfo.IsCpusetMemsAvailable(config.Resources.CPUsetMems)
+ if err != nil {
+ return warnings, fmt.Errorf("invalid value %s for cpuset mems", config.Resources.CPUsetMems)
+ }
+ if !memsAvailable {
+ return warnings, fmt.Errorf("requested memory nodes are not available - requested %s, available: %s", config.Resources.CPUsetMems, sysInfo.Mems)
+ }
+
+ // blkio subsystem checks and adjustments
+ if config.Resources.BlkioWeight > 0 && !sysInfo.BlkioWeight {
+ warnings = addWarning(warnings, "Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
+ config.Resources.BlkioWeight = 0
+ }
+ if config.Resources.BlkioWeight > 0 && (config.Resources.BlkioWeight < 10 || config.Resources.BlkioWeight > 1000) {
+ return warnings, fmt.Errorf("range of blkio weight is from 10 to 1000")
+ }
+ if len(config.Resources.BlkioWeightDevice) > 0 && !sysInfo.BlkioWeightDevice {
+ warnings = addWarning(warnings, "Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
+ config.Resources.BlkioWeightDevice = []string{}
+ }
+ if len(config.Resources.DeviceReadBps) > 0 && !sysInfo.BlkioReadBpsDevice {
+ warnings = addWarning(warnings, "Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded")
+ config.Resources.DeviceReadBps = []string{}
+ }
+ if len(config.Resources.DeviceWriteBps) > 0 && !sysInfo.BlkioWriteBpsDevice {
+ warnings = addWarning(warnings, "Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
+ config.Resources.DeviceWriteBps = []string{}
+ }
+ if len(config.Resources.DeviceReadIOps) > 0 && !sysInfo.BlkioReadIOpsDevice {
+ warnings = addWarning(warnings, "Your kernel does not support IOPS Block read limit or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
+ config.Resources.DeviceReadIOps = []string{}
+ }
+ if len(config.Resources.DeviceWriteIOps) > 0 && !sysInfo.BlkioWriteIOpsDevice {
+ warnings = addWarning(warnings, "Your kernel does not support IOPS Block I/O write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
+ config.Resources.DeviceWriteIOps = []string{}
+ }
+
+ return warnings, nil
+}
diff --git a/cmd/podman/shared/create_cli_test.go b/cmd/podman/shared/create_cli_test.go
new file mode 100644
index 000000000..fea1a2390
--- /dev/null
+++ b/cmd/podman/shared/create_cli_test.go
@@ -0,0 +1,70 @@
+package shared
+
+import (
+ "io/ioutil"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+var (
+ Var1 = []string{"ONE=1", "TWO=2"}
+)
+
+func createTmpFile(content []byte) (string, error) {
+ tmpfile, err := ioutil.TempFile(os.TempDir(), "unittest")
+ if err != nil {
+ return "", err
+ }
+
+ if _, err := tmpfile.Write(content); err != nil {
+ return "", err
+
+ }
+ if err := tmpfile.Close(); err != nil {
+ return "", err
+ }
+ return tmpfile.Name(), nil
+}
+
+func TestValidateSysctl(t *testing.T) {
+ strSlice := []string{"net.core.test1=4", "kernel.msgmax=2"}
+ result, _ := validateSysctl(strSlice)
+ assert.Equal(t, result["net.core.test1"], "4")
+}
+
+func TestValidateSysctlBadSysctl(t *testing.T) {
+ strSlice := []string{"BLAU=BLUE", "GELB^YELLOW"}
+ _, err := validateSysctl(strSlice)
+ assert.Error(t, err)
+}
+
+func TestGetAllLabels(t *testing.T) {
+ fileLabels := []string{}
+ labels, _ := GetAllLabels(fileLabels, Var1)
+ assert.Equal(t, len(labels), 2)
+}
+
+func TestGetAllLabelsBadKeyValue(t *testing.T) {
+ inLabels := []string{"=badValue", "="}
+ fileLabels := []string{}
+ _, err := GetAllLabels(fileLabels, inLabels)
+ assert.Error(t, err, assert.AnError)
+}
+
+func TestGetAllLabelsBadLabelFile(t *testing.T) {
+ fileLabels := []string{"/foobar5001/be"}
+ _, err := GetAllLabels(fileLabels, Var1)
+ assert.Error(t, err, assert.AnError)
+}
+
+func TestGetAllLabelsFile(t *testing.T) {
+ content := []byte("THREE=3")
+ tFile, err := createTmpFile(content)
+ defer os.Remove(tFile)
+ assert.NoError(t, err)
+ fileLabels := []string{tFile}
+ result, _ := GetAllLabels(fileLabels, Var1)
+ assert.Equal(t, len(result), 3)
+}
diff --git a/cmd/podman/shared/parse/parse.go b/cmd/podman/shared/parse/parse.go
new file mode 100644
index 000000000..a3751835b
--- /dev/null
+++ b/cmd/podman/shared/parse/parse.go
@@ -0,0 +1,504 @@
+//nolint
+// most of these validate and parse functions have been taken from projectatomic/docker
+// and modified for cri-o
+package parse
+
+import (
+ "bufio"
+ "bytes"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "net"
+ "os"
+ "path"
+ "regexp"
+ "strconv"
+ "strings"
+
+ "github.com/pkg/errors"
+)
+
+const (
+ Protocol_TCP Protocol = 0
+ Protocol_UDP Protocol = 1
+)
+
+type Protocol int32
+
+// PortMapping specifies the port mapping configurations of a sandbox.
+type PortMapping struct {
+ // Protocol of the port mapping.
+ Protocol Protocol `protobuf:"varint,1,opt,name=protocol,proto3,enum=runtime.Protocol" json:"protocol,omitempty"`
+ // Port number within the container. Default: 0 (not specified).
+ ContainerPort int32 `protobuf:"varint,2,opt,name=container_port,json=containerPort,proto3" json:"container_port,omitempty"`
+ // Port number on the host. Default: 0 (not specified).
+ HostPort int32 `protobuf:"varint,3,opt,name=host_port,json=hostPort,proto3" json:"host_port,omitempty"`
+ // Host IP.
+ HostIp string `protobuf:"bytes,4,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+}
+
+// Note: for flags that are in the form <number><unit>, use the RAMInBytes function
+// from the units package in docker/go-units/size.go
+
+var (
+ whiteSpaces = " \t"
+ alphaRegexp = regexp.MustCompile(`[a-zA-Z]`)
+ domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+)
+
+// validateExtraHost validates that the specified string is a valid extrahost and returns it.
+// ExtraHost is in the form of name:ip where the ip has to be a valid ip (ipv4 or ipv6).
+// for add-host flag
+func ValidateExtraHost(val string) (string, error) { //nolint
+ // allow for IPv6 addresses in extra hosts by only splitting on first ":"
+ arr := strings.SplitN(val, ":", 2)
+ if len(arr) != 2 || len(arr[0]) == 0 {
+ return "", fmt.Errorf("bad format for add-host: %q", val)
+ }
+ if _, err := validateIPAddress(arr[1]); err != nil {
+ return "", fmt.Errorf("invalid IP address in add-host: %q", arr[1])
+ }
+ return val, nil
+}
+
+// validateIPAddress validates an Ip address.
+// for dns, ip, and ip6 flags also
+func validateIPAddress(val string) (string, error) {
+ var ip = net.ParseIP(strings.TrimSpace(val))
+ if ip != nil {
+ return ip.String(), nil
+ }
+ return "", fmt.Errorf("%s is not an ip address", val)
+}
+
+// validateAttach validates that the specified string is a valid attach option.
+// for attach flag
+func validateAttach(val string) (string, error) { //nolint
+ s := strings.ToLower(val)
+ for _, str := range []string{"stdin", "stdout", "stderr"} {
+ if s == str {
+ return s, nil
+ }
+ }
+ return val, fmt.Errorf("valid streams are STDIN, STDOUT and STDERR")
+}
+
+// validate the blkioWeight falls in the range of 10 to 1000
+// for blkio-weight flag
+func validateBlkioWeight(val int64) (int64, error) { //nolint
+ if val >= 10 && val <= 1000 {
+ return val, nil
+ }
+ return -1, errors.Errorf("invalid blkio weight %q, should be between 10 and 1000", val)
+}
+
+func validatePath(val string, validator func(string) bool) (string, error) {
+ var containerPath string
+ var mode string
+
+ if strings.Count(val, ":") > 2 {
+ return val, fmt.Errorf("bad format for path: %s", val)
+ }
+
+ split := strings.SplitN(val, ":", 3)
+ if split[0] == "" {
+ return val, fmt.Errorf("bad format for path: %s", val)
+ }
+ switch len(split) {
+ case 1:
+ containerPath = split[0]
+ val = path.Clean(containerPath)
+ case 2:
+ if isValid := validator(split[1]); isValid {
+ containerPath = split[0]
+ mode = split[1]
+ val = fmt.Sprintf("%s:%s", path.Clean(containerPath), mode)
+ } else {
+ containerPath = split[1]
+ val = fmt.Sprintf("%s:%s", split[0], path.Clean(containerPath))
+ }
+ case 3:
+ containerPath = split[1]
+ mode = split[2]
+ if isValid := validator(split[2]); !isValid {
+ return val, fmt.Errorf("bad mode specified: %s", mode)
+ }
+ val = fmt.Sprintf("%s:%s:%s", split[0], containerPath, mode)
+ }
+
+ if !path.IsAbs(containerPath) {
+ return val, fmt.Errorf("%s is not an absolute path", containerPath)
+ }
+ return val, nil
+}
+
+// validateDNSSearch validates domain for resolvconf search configuration.
+// A zero length domain is represented by a dot (.).
+// for dns-search flag
+func validateDNSSearch(val string) (string, error) { //nolint
+ if val = strings.Trim(val, " "); val == "." {
+ return val, nil
+ }
+ return ValidateDomain(val)
+}
+
+func ValidateDomain(val string) (string, error) {
+ if alphaRegexp.FindString(val) == "" {
+ return "", fmt.Errorf("%s is not a valid domain", val)
+ }
+ ns := domainRegexp.FindSubmatch([]byte(val))
+ if len(ns) > 0 && len(ns[1]) < 255 {
+ return string(ns[1]), nil
+ }
+ return "", fmt.Errorf("%s is not a valid domain", val)
+}
+
+// validateEnv validates an environment variable and returns it.
+// If no value is specified, it returns the current value using os.Getenv.
+// for env flag
+func validateEnv(val string) (string, error) { //nolint
+ arr := strings.Split(val, "=")
+ if len(arr) > 1 {
+ return val, nil
+ }
+ if !doesEnvExist(val) {
+ return val, nil
+ }
+ return fmt.Sprintf("%s=%s", val, os.Getenv(val)), nil
+}
+
+func doesEnvExist(name string) bool {
+ for _, entry := range os.Environ() {
+ parts := strings.SplitN(entry, "=", 2)
+ if parts[0] == name {
+ return true
+ }
+ }
+ return false
+}
+
+// reads a file of line terminated key=value pairs, and overrides any keys
+// present in the file with additional pairs specified in the override parameter
+// for env-file and labels-file flags
+func ReadKVStrings(env map[string]string, files []string, override []string) error {
+ for _, ef := range files {
+ if err := parseEnvFile(env, ef); err != nil {
+ return err
+ }
+ }
+ for _, line := range override {
+ if err := parseEnv(env, line); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func parseEnv(env map[string]string, line string) error {
+ data := strings.SplitN(line, "=", 2)
+
+ // catch invalid variables such as "=" or "=A"
+ if data[0] == "" {
+ return errors.Errorf("invalid environment variable: %q", line)
+ }
+
+ // trim the front of a variable, but nothing else
+ name := strings.TrimLeft(data[0], whiteSpaces)
+ if strings.ContainsAny(name, whiteSpaces) {
+ return errors.Errorf("name %q has white spaces, poorly formatted name", name)
+ }
+
+ if len(data) > 1 {
+ env[name] = data[1]
+ } else {
+ // if only a pass-through variable is given, clean it up.
+ val, _ := os.LookupEnv(name)
+ env[name] = val
+ }
+ return nil
+}
+
+// parseEnvFile reads a file with environment variables enumerated by lines
+func parseEnvFile(env map[string]string, filename string) error {
+ fh, err := os.Open(filename)
+ if err != nil {
+ return err
+ }
+ defer fh.Close()
+
+ scanner := bufio.NewScanner(fh)
+ for scanner.Scan() {
+ // trim the line from all leading whitespace first
+ line := strings.TrimLeft(scanner.Text(), whiteSpaces)
+ // line is not empty, and not starting with '#'
+ if len(line) > 0 && !strings.HasPrefix(line, "#") {
+ if err := parseEnv(env, line); err != nil {
+ return err
+ }
+ }
+ }
+ return scanner.Err()
+}
+
+// validateLabel validates that the specified string is a valid label, and returns it.
+// Labels are in the form on key=value.
+// for label flag
+func validateLabel(val string) (string, error) { //nolint
+ if strings.Count(val, "=") < 1 {
+ return "", fmt.Errorf("bad attribute format: %s", val)
+ }
+ return val, nil
+}
+
+// validateMACAddress validates a MAC address.
+// for mac-address flag
+func validateMACAddress(val string) (string, error) { //nolint
+ _, err := net.ParseMAC(strings.TrimSpace(val))
+ if err != nil {
+ return "", err
+ }
+ return val, nil
+}
+
+// parseLoggingOpts validates the logDriver and logDriverOpts
+// for log-opt and log-driver flags
+func parseLoggingOpts(logDriver string, logDriverOpt []string) (map[string]string, error) { //nolint
+ logOptsMap := convertKVStringsToMap(logDriverOpt)
+ if logDriver == "none" && len(logDriverOpt) > 0 {
+ return map[string]string{}, errors.Errorf("invalid logging opts for driver %s", logDriver)
+ }
+ return logOptsMap, nil
+}
+
+// parsePortSpecs receives port specs in the format of ip:public:private/proto and parses
+// these in to the internal types
+// for publish, publish-all, and expose flags
+func parsePortSpecs(ports []string) ([]*PortMapping, error) { //nolint
+ var portMappings []*PortMapping
+ for _, rawPort := range ports {
+ portMapping, err := parsePortSpec(rawPort)
+ if err != nil {
+ return nil, err
+ }
+
+ portMappings = append(portMappings, portMapping...)
+ }
+ return portMappings, nil
+}
+
+func validateProto(proto string) bool {
+ for _, availableProto := range []string{"tcp", "udp"} {
+ if availableProto == proto {
+ return true
+ }
+ }
+ return false
+}
+
+// parsePortSpec parses a port specification string into a slice of PortMappings
+func parsePortSpec(rawPort string) ([]*PortMapping, error) {
+ var proto string
+ rawIP, hostPort, containerPort := splitParts(rawPort)
+ proto, containerPort = splitProtoPort(containerPort)
+
+ // Strip [] from IPV6 addresses
+ ip, _, err := net.SplitHostPort(rawIP + ":")
+ if err != nil {
+ return nil, fmt.Errorf("Invalid ip address %v: %s", rawIP, err)
+ }
+ if ip != "" && net.ParseIP(ip) == nil {
+ return nil, fmt.Errorf("Invalid ip address: %s", ip)
+ }
+ if containerPort == "" {
+ return nil, fmt.Errorf("No port specified: %s<empty>", rawPort)
+ }
+
+ startPort, endPort, err := parsePortRange(containerPort)
+ if err != nil {
+ return nil, fmt.Errorf("Invalid containerPort: %s", containerPort)
+ }
+
+ var startHostPort, endHostPort uint64 = 0, 0
+ if len(hostPort) > 0 {
+ startHostPort, endHostPort, err = parsePortRange(hostPort)
+ if err != nil {
+ return nil, fmt.Errorf("Invalid hostPort: %s", hostPort)
+ }
+ }
+
+ if hostPort != "" && (endPort-startPort) != (endHostPort-startHostPort) {
+ // Allow host port range iff containerPort is not a range.
+ // In this case, use the host port range as the dynamic
+ // host port range to allocate into.
+ if endPort != startPort {
+ return nil, fmt.Errorf("Invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
+ }
+ }
+
+ if !validateProto(strings.ToLower(proto)) {
+ return nil, fmt.Errorf("invalid proto: %s", proto)
+ }
+
+ protocol := Protocol_TCP
+ if strings.ToLower(proto) == "udp" {
+ protocol = Protocol_UDP
+ }
+
+ var ports []*PortMapping
+ for i := uint64(0); i <= (endPort - startPort); i++ {
+ containerPort = strconv.FormatUint(startPort+i, 10)
+ if len(hostPort) > 0 {
+ hostPort = strconv.FormatUint(startHostPort+i, 10)
+ }
+ // Set hostPort to a range only if there is a single container port
+ // and a dynamic host port.
+ if startPort == endPort && startHostPort != endHostPort {
+ hostPort = fmt.Sprintf("%s-%s", hostPort, strconv.FormatUint(endHostPort, 10))
+ }
+
+ ctrPort, err := strconv.ParseInt(containerPort, 10, 32)
+ if err != nil {
+ return nil, err
+ }
+ hPort, err := strconv.ParseInt(hostPort, 10, 32)
+ if err != nil {
+ return nil, err
+ }
+
+ port := &PortMapping{
+ Protocol: protocol,
+ ContainerPort: int32(ctrPort),
+ HostPort: int32(hPort),
+ HostIp: ip,
+ }
+
+ ports = append(ports, port)
+ }
+ return ports, nil
+}
+
+// parsePortRange parses and validates the specified string as a port-range (8000-9000)
+func parsePortRange(ports string) (uint64, uint64, error) {
+ if ports == "" {
+ return 0, 0, fmt.Errorf("empty string specified for ports")
+ }
+ if !strings.Contains(ports, "-") {
+ start, err := strconv.ParseUint(ports, 10, 16)
+ end := start
+ return start, end, err
+ }
+
+ parts := strings.Split(ports, "-")
+ start, err := strconv.ParseUint(parts[0], 10, 16)
+ if err != nil {
+ return 0, 0, err
+ }
+ end, err := strconv.ParseUint(parts[1], 10, 16)
+ if err != nil {
+ return 0, 0, err
+ }
+ if end < start {
+ return 0, 0, fmt.Errorf("Invalid range specified for the Port: %s", ports)
+ }
+ return start, end, nil
+}
+
+// splitParts separates the different parts of rawPort
+func splitParts(rawport string) (string, string, string) {
+ parts := strings.Split(rawport, ":")
+ n := len(parts)
+ containerport := parts[n-1]
+
+ switch n {
+ case 1:
+ return "", "", containerport
+ case 2:
+ return "", parts[0], containerport
+ case 3:
+ return parts[0], parts[1], containerport
+ default:
+ return strings.Join(parts[:n-2], ":"), parts[n-2], containerport
+ }
+}
+
+// splitProtoPort splits a port in the format of port/proto
+func splitProtoPort(rawPort string) (string, string) {
+ parts := strings.Split(rawPort, "/")
+ l := len(parts)
+ if len(rawPort) == 0 || l == 0 || len(parts[0]) == 0 {
+ return "", ""
+ }
+ if l == 1 {
+ return "tcp", rawPort
+ }
+ if len(parts[1]) == 0 {
+ return "tcp", parts[0]
+ }
+ return parts[1], parts[0]
+}
+
+// takes a local seccomp file and reads its file contents
+// for security-opt flag
+func parseSecurityOpts(securityOpts []string) ([]string, error) { //nolint
+ for key, opt := range securityOpts {
+ con := strings.SplitN(opt, "=", 2)
+ if len(con) == 1 && con[0] != "no-new-privileges" {
+ if strings.Index(opt, ":") != -1 {
+ con = strings.SplitN(opt, ":", 2)
+ } else {
+ return securityOpts, fmt.Errorf("Invalid --security-opt: %q", opt)
+ }
+ }
+ if con[0] == "seccomp" && con[1] != "unconfined" {
+ f, err := ioutil.ReadFile(con[1])
+ if err != nil {
+ return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
+ }
+ b := bytes.NewBuffer(nil)
+ if err := json.Compact(b, f); err != nil {
+ return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %v", con[1], err)
+ }
+ securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
+ }
+ }
+
+ return securityOpts, nil
+}
+
+// convertKVStringsToMap converts ["key=value"] to {"key":"value"}
+func convertKVStringsToMap(values []string) map[string]string {
+ result := make(map[string]string, len(values))
+ for _, value := range values {
+ kv := strings.SplitN(value, "=", 2)
+ if len(kv) == 1 {
+ result[kv[0]] = ""
+ } else {
+ result[kv[0]] = kv[1]
+ }
+ }
+
+ return result
+}
+
+// Takes a stringslice and converts to a uint32slice
+func stringSlicetoUint32Slice(inputSlice []string) ([]uint32, error) {
+ var outputSlice []uint32
+ for _, v := range inputSlice {
+ u, err := strconv.ParseUint(v, 10, 32)
+ if err != nil {
+ return outputSlice, err
+ }
+ outputSlice = append(outputSlice, uint32(u))
+ }
+ return outputSlice, nil
+}
+
+// ValidateFileName returns an error if filename contains ":"
+// as it is currently not supported
+func ValidateFileName(filename string) error {
+ if strings.Contains(filename, ":") {
+ return errors.Errorf("invalid filename (should not contain ':') %q", filename)
+ }
+ return nil
+}
diff --git a/cmd/podman/shared/pod.go b/cmd/podman/shared/pod.go
index 5f65c40ac..4d936d61c 100644
--- a/cmd/podman/shared/pod.go
+++ b/cmd/podman/shared/pod.go
@@ -136,3 +136,5 @@ func CreatePortBindings(ports []string) ([]ocicni.PortMapping, error) {
}
return portBindings, nil
}
+
+var DefaultKernelNamespaces = "cgroup,ipc,net,uts"