diff options
Diffstat (limited to 'cmd/podman')
| -rw-r--r-- | cmd/podman/create.go | 11 | ||||
| -rw-r--r-- | cmd/podman/exec.go | 29 | ||||
| -rw-r--r-- | cmd/podman/images.go | 27 | ||||
| -rw-r--r-- | cmd/podman/play_kube.go | 22 | ||||
| -rw-r--r-- | cmd/podman/shared/container.go | 8 |
5 files changed, 64 insertions, 33 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go index fa8b9f57b..8a5d0cf73 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -893,7 +893,16 @@ func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *l } return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID()) } - return rootless.JoinNS(uint(pid), 0) + + data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile) + if err != nil { + return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile) + } + conmonPid, err := strconv.Atoi(string(data)) + if err != nil { + return false, -1, errors.Wrapf(err, "cannot parse PID %q", data) + } + return rootless.JoinDirectUserAndMountNS(uint(conmonPid)) } } return rootless.BecomeRootInUserNS() diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go index c3bcec2ec..e4cea1f5e 100644 --- a/cmd/podman/exec.go +++ b/cmd/podman/exec.go @@ -106,16 +106,25 @@ func execCmd(c *cliconfig.ExecValues) error { } - pid, err := ctr.PID() - if err != nil { - return err - } - became, ret, err := rootless.JoinNS(uint(pid), c.PreserveFDs) - if err != nil { - return err - } - if became { - os.Exit(ret) + if os.Geteuid() != 0 { + var became bool + var ret int + + data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile) + if err != nil { + return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile) + } + conmonPid, err := strconv.Atoi(string(data)) + if err != nil { + return errors.Wrapf(err, "cannot parse PID %q", data) + } + became, ret, err = rootless.JoinDirectUserAndMountNS(uint(conmonPid)) + if err != nil { + return err + } + if became { + os.Exit(ret) + } } // ENVIRONMENT VARIABLES diff --git a/cmd/podman/images.go b/cmd/podman/images.go index 78dc87ad5..f92e5d44d 100644 --- a/cmd/podman/images.go +++ b/cmd/podman/images.go @@ -2,6 +2,7 @@ package main import ( "context" + "fmt" "reflect" "sort" "strings" @@ -128,7 +129,7 @@ func init() { func imagesCmd(c *cliconfig.ImagesValues) error { var ( filterFuncs []imagefilters.ResultFilter - newImage *adapter.ContainerImage + image string ) runtime, err := adapter.GetRuntime(&c.PodmanCommand) @@ -137,23 +138,23 @@ func imagesCmd(c *cliconfig.ImagesValues) error { } defer runtime.Shutdown(false) if len(c.InputArgs) == 1 { - newImage, err = runtime.NewImageFromLocal(c.InputArgs[0]) - if err != nil { - return err - } + image = c.InputArgs[0] } - if len(c.InputArgs) > 1 { return errors.New("'podman images' requires at most 1 argument") } - + if len(c.Filter) > 0 && image != "" { + return errors.New("can not specify an image and a filter") + } ctx := getContext() - if len(c.Filter) > 0 || newImage != nil { - filterFuncs, err = CreateFilterFuncs(ctx, runtime, c.Filter, newImage) - if err != nil { - return err - } + if len(c.Filter) > 0 { + filterFuncs, err = CreateFilterFuncs(ctx, runtime, c.Filter, nil) + } else { + filterFuncs, err = CreateFilterFuncs(ctx, runtime, []string{fmt.Sprintf("reference=%s", image)}, nil) + } + if err != nil { + return err } opts := imagesOptions{ @@ -174,7 +175,7 @@ func imagesCmd(c *cliconfig.ImagesValues) error { var filteredImages []*adapter.ContainerImage //filter the images - if len(c.Filter) > 0 || newImage != nil { + if len(c.Filter) > 0 || len(c.InputArgs) == 1 { filteredImages = imagefilters.FilterImages(images, filterFuncs) } else { filteredImages = images diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go index 980f3a09c..a9dfee33c 100644 --- a/cmd/podman/play_kube.go +++ b/cmd/podman/play_kube.go @@ -243,15 +243,17 @@ func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Run containerConfig.Name = containerYAML.Name containerConfig.Tty = containerYAML.TTY containerConfig.WorkDir = containerYAML.WorkingDir - if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil { - containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem - } - if containerYAML.SecurityContext.Privileged != nil { - containerConfig.Privileged = *containerYAML.SecurityContext.Privileged - } + if containerConfig.SecurityOpts != nil { + if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil { + containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem + } + if containerYAML.SecurityContext.Privileged != nil { + containerConfig.Privileged = *containerYAML.SecurityContext.Privileged + } - if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil { - containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation + if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil { + containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation + } } containerConfig.Command = containerYAML.Command @@ -268,7 +270,9 @@ func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Run // disabled in code review per mheon //containerConfig.PidMode = ns.PidMode(namespaces["pid"]) containerConfig.UsernsMode = ns.UsernsMode(namespaces["user"]) - + if len(containerConfig.WorkDir) == 0 { + containerConfig.WorkDir = "/" + } if len(containerYAML.Env) > 0 { envs = make(map[string]string) } diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go index 81811e0f2..e191e8069 100644 --- a/cmd/podman/shared/container.go +++ b/cmd/podman/shared/container.go @@ -665,6 +665,14 @@ func GenerateRunlabelCommand(runLabel, imageName, name string, opts map[string]s return envmap["OPT2"] case "OPT3": return envmap["OPT3"] + case "PWD": + // I would prefer to use os.getenv but it appears PWD is not in the os env list + d, err := os.Getwd() + if err != nil { + logrus.Error("unable to determine current working directory") + return "" + } + return d } return "" } |