Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/cliconfig/config.go | 1 | ||||
-rw-r--r-- | cmd/podman/main_local.go | 22 | ||||
-rw-r--r-- | cmd/podman/play_kube.go | 1 |
3 files changed, 22 insertions, 2 deletions
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go index 99f389799..6d98aaf0e 100644 --- a/cmd/podman/cliconfig/config.go +++ b/cmd/podman/cliconfig/config.go @@ -321,6 +321,7 @@ type KubePlayValues struct { Authfile string CertDir string Creds string + Network string Quiet bool SignaturePolicy string TlsVerify bool diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go index 23b3f5ae7..a65e6acf8 100644 --- a/cmd/podman/main_local.go +++ b/cmd/podman/main_local.go @@ -11,7 +11,6 @@ import ( "os" "runtime/pprof" "strconv" - "strings" "syscall" "github.com/containers/common/pkg/config" @@ -192,7 +191,7 @@ func setupRootless(cmd *cobra.Command, args []string) error { } } - if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") { + if !executeCommandInUserNS(cmd) { return nil } @@ -243,6 +242,25 @@ func setupRootless(cmd *cobra.Command, args []string) error { return nil } +// Most podman commands when run in rootless mode, need to be executed in the +// users usernamespace. This function is updated with a list of commands that +// should NOT be run within the user namespace. +func executeCommandInUserNS(cmd *cobra.Command) bool { + if os.Geteuid() == 0 { + return false + } + switch cmd { + case _migrateCommand, + _mountCommand, + _renumberCommand, + _infoCommand, + _searchCommand, + _versionCommand: + return false + } + return true +} + func setRLimits() error { rlimits := new(syscall.Rlimit) rlimits.Cur = 1048576 diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go index 2028d2ef4..a5669c595 100644 --- a/cmd/podman/play_kube.go +++ b/cmd/podman/play_kube.go 
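Review bot: The rewritten condition in setupRootless (hunk `@@ -192,7 +191,7 @@`) drops the old `strings.HasPrefix(cmd.Use, "help")` exemption, and the new executeCommandInUserNS helper in the following hunk has no equivalent case. As far as this page shows, a rootless `help` invocation now goes through the user-namespace setup that the old code skipped. If that is not intended, keep the exemption in the helper, e.g. `if os.Geteuid() == 0 || strings.HasPrefix(cmd.Use, "help") { return false }`, and keep the `strings` import that the import hunk removes. The helper also newly exempts `_renumberCommand` and `_infoCommand`; exempted commands run without joining the namespace, so each addition deserves a one-line reason in the list. The body of setupRootless continues outside the hunk.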
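Review bot: The doc comment on executeCommandInUserNS (hunk `@@ -243,6 +242,25 @@`) does not start with the function name and never states what the boolean means, while the name reads like an action rather than a predicate. Something like `// executeCommandInUserNS reports whether cmd must run inside the rootless user namespace; it returns false for euid 0 and for the commands listed in the switch.` would match Go convention and document the root short-circuit. The `switch cmd` presumably matches by identity against the package-level command values, as the old `cmd ==` chain did, so subcommands of a listed command would not be exempt. A short comment saying so would help whoever extends the list. Defaulting to `true` for unlisted commands is the conservative choice and is worth stating in the comment as deliberate.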
@@ -51,6 +51,7 @@ func init() { flags.StringVar(&playKubeCommand.SeccompProfileRoot, "seccomp-profile-root", defaultSeccompRoot, "Directory path for seccomp profiles") markFlagHidden(flags, "signature-policy") } + flags.StringVar(&playKubeCommand.Network, "network", "", "Connect pod to CNI network(s)") } func playKubeCmd(c *cliconfig.KubePlayValues) error { |
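Review bot: The help text of the new `--network` flag advertises "network(s)", but the flag is a single `StringVar` and nothing in this hunk says how several names are separated or where the value is validated. The code that consumes `playKubeCommand.Network` is outside this diffstat, so confirm there that empty and malformed names are rejected before they reach pod creation. Then put the expected format in the usage string, e.g. `"Connect pod to CNI network(s), comma-separated"`, if that is the separator the consumer uses. The flag is registered after the closing brace of the preceding conditional block, so it appears to be exposed unconditionally, whereas the flags above it are gated. The body of init starts outside the hunk, so check that the placement is intended.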