Diffstat (limited to 'cmd/podman/shared')
-rw-r--r-- | cmd/podman/shared/container.go | 5 | ||||
-rw-r--r-- | cmd/podman/shared/create.go | 37 | ||||
-rw-r--r-- | cmd/podman/shared/intermediate.go | 3 | ||||
-rw-r--r-- | cmd/podman/shared/intermediate_novarlink.go | 2 | ||||
-rw-r--r-- | cmd/podman/shared/pod.go | 14 |
5 files changed, 39 insertions, 22 deletions
diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go
index 5f8df2e10..9459247ed 100644
--- a/cmd/podman/shared/container.go
+++ b/cmd/podman/shared/container.go
@@ -650,10 +650,7 @@ func getNamespaceInfo(path string) (string, error) {
 // getStrFromSquareBrackets gets the string inside [] from a string.
 func getStrFromSquareBrackets(cmd string) string {
- reg, err := regexp.Compile(`.*\[|\].*`)
- if err != nil {
- return ""
- }
+ reg := regexp.MustCompile(`.*\[|\].*`)
 arr := strings.Split(reg.ReplaceAllLiteralString(cmd, ""), ",")
 return strings.Join(arr, ",")
 }
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 58cf56eea..50a64b01c 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -31,6 +31,10 @@ import (
 "github.com/sirupsen/logrus"
 )
+// seccompAnnotationKey is the key of the image annotation embedding a seccomp
+// profile.
+const seccompAnnotationKey = "io.containers.seccomp.profile"
+
 func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
 var (
 healthCheck *manifest.Schema2HealthConfig
@@ -67,7 +71,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 }
 imageName := ""
- var data *inspect.ImageData = nil
+ var imageData *inspect.ImageData = nil
 // Set the storage if there is no rootfs specified
 if rootfs == "" {
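Review bot: `regexp.MustCompile` now runs on every call of getStrFromSquareBrackets, so the compile cost is paid per call and a malformed pattern would panic at call time rather than at package init; move it to package scope as `var squareBracketsRe = regexp.MustCompile(...)` with the same raw-string pattern and use `squareBracketsRe.ReplaceAllLiteralString(cmd, "")` in the body. MustCompile is the right choice for a literal pattern, so the only change is where it lives. Separately, `strings.Join(strings.Split(s, ","), ",")` on the following two lines reproduces its input unchanged, so the body could return the replaced string directly; that is pre-existing and could be a follow-up.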
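Review bot: The renamed declaration `var imageData *inspect.ImageData = nil` keeps an explicit `= nil` initializer, which is redundant for a pointer (the zero value is already nil) and is flagged by golint/staticcheck; since the line is being touched anyway, write it as `var imageData *inspect.ImageData`. CreateContainer starts and ends outside this hunk.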
@@ -99,17 +103,17 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 if err != nil {
 return nil, nil, err
 }
- data, err = newImage.Inspect(ctx)
+ imageData, err = newImage.Inspect(ctx)
 if err != nil {
 return nil, nil, err
 }
- if overrideOS == "" && data.Os != goruntime.GOOS {
- return nil, nil, errors.Errorf("incompatible image OS %q on %q host", data.Os, goruntime.GOOS)
+ if overrideOS == "" && imageData.Os != goruntime.GOOS {
+ return nil, nil, errors.Errorf("incompatible image OS %q on %q host", imageData.Os, goruntime.GOOS)
 }
- if overrideArch == "" && data.Architecture != goruntime.GOARCH {
- return nil, nil, errors.Errorf("incompatible image architecture %q on %q host", data.Architecture, goruntime.GOARCH)
+ if overrideArch == "" && imageData.Architecture != goruntime.GOARCH {
+ return nil, nil, errors.Errorf("incompatible image architecture %q on %q host", imageData.Architecture, goruntime.GOARCH)
 }
 names := newImage.Names()
@@ -171,7 +175,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 }
 }
- createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, data)
+ createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, imageData)
 if err != nil {
 return nil, nil, err
 }
@@ -444,11 +448,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 // USER
 user := c.String("user")
 if user == "" {
- if usernsMode.IsKeepID() {
+ switch {
+ case usernsMode.IsKeepID():
 user = fmt.Sprintf("%d:%d", rootless.GetRootlessUID(), rootless.GetRootlessGID())
- } else if data == nil {
+ case data == nil:
 user = "0"
- } else {
+ default:
 user = data.Config.User
 }
 }
@@ -711,6 +716,18 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 return nil, err
 }
+ // SECCOMP
+ if data != nil {
+ if value, exists := data.Annotations[seccompAnnotationKey]; exists {
+ secConfig.SeccompProfileFromImage = value
+ }
+ }
+ if policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy")); err != nil {
+ return nil, err
+ } else {
+ secConfig.SeccompPolicy = policy
+ }
+
 config := &cc.CreateConfig{
 Annotations: annotations,
 BuiltinImgVolumes: ImageVolumes,
diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go
index bc12bd2a5..d1f0e602e 100644
--- a/cmd/podman/shared/intermediate.go
+++ b/cmd/podman/shared/intermediate.go
@@ -8,7 +8,7 @@ import (
 /*
 attention
-in this file you will see alot of struct duplication. this was done because people wanted a strongly typed
+in this file you will see a lot of struct duplication. this was done because people wanted a strongly typed
 varlink mechanism. this resulted in us creating this intermediate layer that allows us to take the input from the cli and make an intermediate layer which can be transferred as strongly typed structures over a varlink interface.
@@ -463,6 +463,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 m["volume"] = newCRStringArray(c, "volume")
 m["volumes-from"] = newCRStringSlice(c, "volumes-from")
 m["workdir"] = newCRString(c, "workdir")
+ m["seccomp-policy"] = newCRString(c, "seccomp-policy")
 // global flag
 if !remote {
 m["authfile"] = newCRString(c, "authfile")
diff --git a/cmd/podman/shared/intermediate_novarlink.go b/cmd/podman/shared/intermediate_novarlink.go
index 26738ce48..c6f011fe0 100644
--- a/cmd/podman/shared/intermediate_novarlink.go
+++ b/cmd/podman/shared/intermediate_novarlink.go
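Review bot: The `if policy, err := ...; err != nil { return nil, err } else { ... }` form ends its if-branch with a return, so the else is unnecessary (golint flags exactly this) and it also shadows the enclosing `err`; declare the result first and keep the happy path unindented, as below. The assignment `secConfig.SeccompProfileFromImage = value` takes its content from `data.Annotations`, i.e. from whatever the image author wrote, with no comment saying so; a note at that line such as `// Profile text supplied by the image itself; whether it is applied is decided by SeccompPolicy` would make the trust boundary visible (I assume SeccompPolicy is what LookupSeccompPolicy governs — confirm). ParseCreateOpts starts and ends outside this hunk.
```go
	// SECCOMP
	// … unchanged: image-annotation lookup into secConfig.SeccompProfileFromImage …
	policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy"))
	if err != nil {
		return nil, err
	}
	secConfig.SeccompPolicy = policy
```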
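Review bot: `m["seccomp-policy"]` is registered outside the `if !remote` block, so by the file's own header comment it is part of the layer that travels over varlink as strongly typed structures, yet no matching varlink-side field appears in this diff; please confirm one exists, or move the entry under `!remote` if the policy is meant to be local-only. A short comment above the new line pointing at its consumer, e.g. `// read by ParseCreateOpts via c.String("seccomp-policy")`, would help the next reader. NewIntermediateLayer starts and ends outside this hunk.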
@@ -6,7 +6,7 @@ package shared
 /*
 attention
-in this file you will see alot of struct duplication. this was done because people wanted a strongly typed
+in this file you will see a lot of struct duplication. this was done because people wanted a strongly typed
 varlink mechanism. this resulted in us creating this intermediate layer that allows us to take the input from the cli and make an intermediate layer which can be transferred as strongly typed structures over a varlink interface.
diff --git a/cmd/podman/shared/pod.go b/cmd/podman/shared/pod.go
index ab6d1f144..d8d69c8fc 100644
--- a/cmd/podman/shared/pod.go
+++ b/cmd/podman/shared/pod.go
@@ -59,18 +59,20 @@ func CreatePodStatusResults(ctrStatuses map[string]define.ContainerStatus) (stri
 }
 }
- if statuses[PodStateRunning] > 0 {
+ switch {
+ case statuses[PodStateRunning] > 0:
 return PodStateRunning, nil
- } else if statuses[PodStatePaused] == ctrNum {
+ case statuses[PodStatePaused] == ctrNum:
 return PodStatePaused, nil
- } else if statuses[PodStateStopped] == ctrNum {
+ case statuses[PodStateStopped] == ctrNum:
 return PodStateExited, nil
- } else if statuses[PodStateStopped] > 0 {
+ case statuses[PodStateStopped] > 0:
 return PodStateStopped, nil
- } else if statuses[PodStateErrored] > 0 {
+ case statuses[PodStateErrored] > 0:
 return PodStateErrored, nil
+ default:
+ return PodStateCreated, nil
 }
- return PodStateCreated, nil
 }
 // GetNamespaceOptions transforms a slice of kernel namespaces
|