Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/create.go | 82 | ||||
-rw-r--r-- | cmd/podman/main.go | 18 | ||||
-rw-r--r-- | cmd/podman/sign.go | 22 |
3 files changed, 25 insertions, 97 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 395a64b3b..d98b78bd4 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -15,13 +15,11 @@ import (
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/libpod/image"
 ann "github.com/containers/libpod/pkg/annotations"
- "github.com/containers/libpod/pkg/apparmor"
 "github.com/containers/libpod/pkg/inspect"
 ns "github.com/containers/libpod/pkg/namespaces"
 "github.com/containers/libpod/pkg/rootless"
 cc "github.com/containers/libpod/pkg/spec"
 "github.com/containers/libpod/pkg/util"
- libpodVersion "github.com/containers/libpod/version"
 "github.com/docker/docker/pkg/signal"
 "github.com/docker/go-connections/nat"
 "github.com/docker/go-units"
@@ -162,83 +160,9 @@ func createContainer(c *cli.Context, runtime *libpod.Runtime) (*libpod.Container
 return ctr, createConfig, nil
 }
-// Checks if a user-specified AppArmor profile is loaded, or loads the default profile if
-// AppArmor is enabled.
-// Any interaction with AppArmor requires root permissions.
-func loadAppArmor(config *cc.CreateConfig) error {
- if rootless.IsRootless() {
- noAAMsg := "AppArmor security is not available in rootless mode"
- switch config.ApparmorProfile {
- case "":
- logrus.Warn(noAAMsg)
- case "unconfined":
- default:
- return fmt.Errorf(noAAMsg)
- }
- return nil
- }
-
- if config.ApparmorProfile == "" && apparmor.IsEnabled() {
- // Unless specified otherwise, make sure that the default AppArmor
- // profile is installed. To avoid redundantly loading the profile
- // on each invocation, check if it's loaded before installing it.
- // Suffix the profile with the current libpod version to allow
- // loading the new, potentially updated profile after an update.
- profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version)
-
- loadProfile := func() error {
- isLoaded, err := apparmor.IsLoaded(profile)
- if err != nil {
- return err
- }
- if !isLoaded {
- err = apparmor.InstallDefault(profile)
- if err != nil {
- return err
- }
-
- }
- return nil
- }
-
- if err := loadProfile(); err != nil {
- switch err {
- case apparmor.ErrApparmorUnsupported:
- // do not set the profile when AppArmor isn't supported
- logrus.Debugf("AppArmor is not supported: setting empty profile")
- default:
- return err
- }
- } else {
- logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile)
- config.ApparmorProfile = profile
- }
- } else if config.ApparmorProfile != "" && config.ApparmorProfile != "unconfined" {
- if !apparmor.IsEnabled() {
- return fmt.Errorf("Profile specified but AppArmor is disabled on the host")
- }
-
- isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile)
- if err != nil {
- switch err {
- case apparmor.ErrApparmorUnsupported:
- return fmt.Errorf("Profile specified but AppArmor is not supported")
- default:
- return fmt.Errorf("Error checking if AppArmor profile is loaded: %v", err)
- }
- }
- if !isLoaded {
- return fmt.Errorf("The specified AppArmor profile '%s' is not loaded", config.ApparmorProfile)
- }
- }
-
- return nil
-}
-
 func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 var (
 labelOpts []string
- err error
 )
 if config.PidMode.IsHost() {
@@ -283,10 +207,6 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 }
 }
- if err := loadAppArmor(config); err != nil {
- return err
- }
-
 if config.SeccompProfilePath == "" {
 if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
 config.SeccompProfilePath = libpod.SeccompOverridePath
@@ -304,7 +224,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 }
 }
 config.LabelOpts = labelOpts
- return err
+ return nil
 }
 // isPortInPortBindings determines if an exposed host port is in user
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 43804ee35..604404827 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -148,16 +148,20 @@ func main() {
 logrus.SetLevel(level)
 }
- // Only if not rootless, set rlimits for open files.
- // We open numerous FDs for ports opened
- if !rootless.IsRootless() {
- rlimits := new(syscall.Rlimit)
- rlimits.Cur = 1048576
- rlimits.Max = 1048576
+ rlimits := new(syscall.Rlimit)
+ rlimits.Cur = 1048576
+ rlimits.Max = 1048576
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error getting rlimits")
+ }
+ rlimits.Cur = rlimits.Max
 if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 return errors.Wrapf(err, "error setting new rlimits")
 }
- } else {
+ }
+
+ if rootless.IsRootless() {
 logrus.Info("running as rootless")
 }
diff --git a/cmd/podman/sign.go b/cmd/podman/sign.go
index 790b6031d..1d9aecdc9 100644
--- a/cmd/podman/sign.go
+++ b/cmd/podman/sign.go
@@ -1,10 +1,10 @@
 package main
 import (
- "fmt"
 "io/ioutil"
 "net/url"
 "os"
+ "path/filepath"
 "strconv"
 "strings"
@@ -59,7 +59,7 @@ func signCmd(c *cli.Context) error {
 signby := c.String("sign-by")
 if signby == "" {
- return errors.Errorf("You must provide an identity")
+ return errors.Errorf("please provide an identity")
 }
 var sigStoreDir string
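Review bot: In the cmd/podman/main.go hunk, the fallback taken when the first `syscall.Setrlimit` fails runs silently, and the comment explaining why the limit is raised ("We open numerous FDs for ports opened") was deleted with the old branch, so nothing tells a reader or an operator that the process may continue with a soft limit below 1048576. I would keep a comment above the first call, e.g. `// Raise RLIMIT_NOFILE: we open numerous FDs for ports; if refused, fall back to the current hard limit`, and add `logrus.Debugf("RLIMIT_NOFILE capped at hard limit %d", rlimits.Max)` inside the fallback. The inner `err` of the `Getrlimit` check shadows the error from the first `Setrlimit`, which is then never reported, and the new `errors.Wrapf(err, "error getting rlimits")` passes no format arguments, so `errors.Wrap` is the matching call. The enclosing function starts and ends outside the hunk.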
@@ -72,11 +72,11 @@ func signCmd(c *cli.Context) error {
 mech, err := signature.NewGPGSigningMechanism()
 if err != nil {
- return errors.Wrap(err, "Error initializing GPG")
+ return errors.Wrap(err, "error initializing GPG")
 }
 defer mech.Close()
 if err := mech.SupportsSigning(); err != nil {
- return errors.Wrap(err, "Signing is not supported")
+ return errors.Wrap(err, "signing is not supported")
 }
 systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext())
@@ -100,7 +100,7 @@ func signCmd(c *cli.Context) error {
 }
 dockerReference := rawSource.Reference().DockerReference()
 if dockerReference == nil {
- return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
+ return errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
 }
 // create the signstore file
@@ -126,7 +126,10 @@ func signCmd(c *cli.Context) error {
 sigStoreDir = SignatureStoreDir
 }
- repos := newImage.RepoDigests()
+ repos, err := newImage.RepoDigests()
+ if err != nil {
+ return errors.Wrapf(err, "error calculating repo digests for %s", signimage)
+ }
 if len(repos) == 0 {
 logrus.Errorf("no repodigests associated with the image %s", signimage)
 continue
@@ -138,7 +141,8 @@ func signCmd(c *cli.Context) error {
 return errors.Wrapf(err, "error creating new signature")
 }
- sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1))
+ trimmedDigest := strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])
+ sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(trimmedDigest, ":", "=", 1))
 if err := os.MkdirAll(sigStoreDir, 0751); err != nil {
 // The directory is allowed to exist
 if !os.IsExist(err) {
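Review bot: In the `@@ -138,7 +141,8 @@` hunk, `strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])` does not behave like the slice expression it replaces when `repos[0]` contains no `/`: the old code kept the whole string, while the new one yields an empty `trimmedDigest`, so `filepath.Join` returns `sigStoreDir` unchanged and signatures of different images would be written into the same directory. Whether `RepoDigests()` can return an unqualified name is not visible here, so a guard is cheap insurance: `if trimmedDigest == "" { logrus.Errorf("unexpected repo digest %q", repos[0]); continue }`. Because this path component is derived from the image reference and `filepath.Join` also cleans the joined path, a comment stating that the result is expected to stay below the configured signature store would document the assumption. The enclosing loop in `signCmd` starts outside the hunk.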
@@ -151,7 +155,7 @@ func signCmd(c *cli.Context) error {
 logrus.Errorf("error creating sigstore file: %v", err)
 continue
 }
- err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644)
+ err = ioutil.WriteFile(filepath.Join(sigStoreDir, sigFilename), newSig, 0644)
 if err != nil {
 logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
 continue
@@ -187,7 +191,7 @@ func isValidSigStoreDir(sigStoreDir string) (string, error) {
 }
 _, exists := writeURIs[url.Scheme]
 if !exists {
- return sigStoreDir, errors.Errorf("Writing to %s is not supported. Use a supported scheme", sigStoreDir)
+ return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir)
 }
 sigStoreDir = url.Path
 return sigStoreDir, nil |
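Review bot: In the `@@ -151,7 +155,7 @@` hunk, the failure branch right after the changed `ioutil.WriteFile` call logs only the image reference and drops `err`, so a permission or path problem in the signature store cannot be diagnosed from the log; `logrus.Errorf("error storing signature for %s: %v", rawSource.Reference().DockerReference().String(), err)` would fix that. Since the loop then continues, it is worth checking outside this hunk that a failed write still leads to a non-zero exit status, otherwise a missing signature can go unnoticed by whoever relies on it later.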