diff options
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/cliconfig/config.go | 4 | ||||
-rw-r--r-- | cmd/podman/commands.go | 1 | ||||
-rw-r--r-- | cmd/podman/common.go | 4 | ||||
-rw-r--r-- | cmd/podman/main_local.go | 80 | ||||
-rw-r--r-- | cmd/podman/shared/create.go | 1 | ||||
-rw-r--r-- | cmd/podman/shared/intermediate.go | 2 | ||||
-rw-r--r-- | cmd/podman/trust.go | 16 |
7 files changed, 89 insertions, 19 deletions
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go index 812cc1f51..bf88e853b 100644 --- a/cmd/podman/cliconfig/config.go +++ b/cmd/podman/cliconfig/config.go @@ -518,6 +518,10 @@ type SearchValues struct { TlsVerify bool } +type TrustValues struct { + PodmanCommand +} + type SignValues struct { PodmanCommand Directory string diff --git a/cmd/podman/commands.go b/cmd/podman/commands.go index 77c76d1b7..31f1b3ba4 100644 --- a/cmd/podman/commands.go +++ b/cmd/podman/commands.go @@ -33,6 +33,7 @@ func getMainCommands() []*cobra.Command { func getImageSubCommands() []*cobra.Command { return []*cobra.Command{ _signCommand, + _trustCommand, } } diff --git a/cmd/podman/common.go b/cmd/podman/common.go index 9724d18c6..0115e6ef1 100644 --- a/cmd/podman/common.go +++ b/cmd/podman/common.go @@ -135,6 +135,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { "cgroup namespace to use", ) createFlags.String( + "cgroups", "enabled", + "control container cgroup configuration", + ) + createFlags.String( "cgroup-parent", "", "Optional parent cgroup for the container", ) diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go index 0feba609b..cad256615 100644 --- a/cmd/podman/main_local.go +++ b/cmd/podman/main_local.go @@ -5,9 +5,12 @@ package main import ( "context" + "fmt" + "io/ioutil" "log/syslog" "os" "runtime/pprof" + "strconv" "strings" "syscall" @@ -18,6 +21,7 @@ import ( "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/tracing" "github.com/containers/libpod/pkg/util" + "github.com/containers/libpod/utils" "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -119,7 +123,29 @@ func profileOff(cmd *cobra.Command) error { return nil } +func movePauseProcessToScope() error { + pausePidPath, err := util.GetRootlessPauseProcessPidPath() + if err != nil { + return errors.Wrapf(err, "could not get pause process pid file path") + } + + data, err := ioutil.ReadFile(pausePidPath) + if err != nil { + return errors.Wrapf(err, "cannot read pause pid file") + } + pid, err := strconv.ParseUint(string(data), 10, 0) + if err != nil { + return errors.Wrapf(err, "cannot parse pid file %s", pausePidPath) + } + + return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope") +} + func setupRootless(cmd *cobra.Command, args []string) error { + if !rootless.IsRootless() { + return nil + } + matches, err := rootless.ConfigurationMatches() if err != nil { return err @@ -128,9 +154,6 @@ func setupRootless(cmd *cobra.Command, args []string) error { logrus.Warningf("the current user namespace doesn't match the configuration in /etc/subuid or /etc/subgid") logrus.Warningf("you can use `%s system migrate` to recreate the user namespace and restart the containers", os.Args[0]) } - if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") { - return nil - } podmanCmd := cliconfig.PodmanCommand{ Command: cmd, @@ -139,6 +162,39 @@ func setupRootless(cmd *cobra.Command, args []string) error { Remote: remoteclient, } + runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd) + if err != nil { + return errors.Wrapf(err, "could not get runtime") + } + defer runtime.DeferredShutdown(false) + + // do it only after podman has already re-execed and running with uid==0. + if os.Geteuid() == 0 { + ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() + if err != nil { + return err + } + + if !ownsCgroup { + unitName := fmt.Sprintf("podman-%d.scope", os.Getpid()) + if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil { + conf, err := runtime.GetConfig() + if err != nil { + return err + } + if conf.CgroupManager == libpod.SystemdCgroupsManager { + logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err) + } else { + logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err) + } + } + } + } + + if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") { + return nil + } + pausePidPath, err := util.GetRootlessPauseProcessPidPath() if err != nil { return errors.Wrapf(err, "could not get pause process pid file path") @@ -158,13 +214,6 @@ func setupRootless(cmd *cobra.Command, args []string) error { } // if there is no pid file, try to join existing containers, and create a pause process. - - runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd) - if err != nil { - return errors.Wrapf(err, "could not get runtime") - } - defer runtime.DeferredShutdown(false) - ctrs, err := runtime.GetRunningContainers() if err != nil { logrus.Errorf(err.Error()) @@ -177,6 +226,17 @@ func setupRootless(cmd *cobra.Command, args []string) error { } became, ret, err := rootless.TryJoinFromFilePaths(pausePidPath, true, paths) + if err := movePauseProcessToScope(); err != nil { + conf, err := runtime.GetConfig() + if err != nil { + return err + } + if conf.CgroupManager == libpod.SystemdCgroupsManager { + logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err) + } else { + logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err) + } + } if err != nil { logrus.Errorf(err.Error()) os.Exit(1) diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go index acbd53dba..fc8197721 100644 --- a/cmd/podman/shared/create.go +++ b/cmd/podman/shared/create.go @@ -695,6 +695,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod. CapDrop: c.StringSlice("cap-drop"), CidFile: c.String("cidfile"), Cgroupns: c.String("cgroupns"), + Cgroups: c.String("cgroups"), CgroupParent: c.String("cgroup-parent"), Command: command, UserCommand: userCommand, diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go index 5aaac8687..cccdd1bea 100644 --- a/cmd/podman/shared/intermediate.go +++ b/cmd/podman/shared/intermediate.go @@ -370,6 +370,8 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes m["blkio-weight-device"] = newCRStringSlice(c, "blkio-weight-device") m["cap-add"] = newCRStringSlice(c, "cap-add") m["cap-drop"] = newCRStringSlice(c, "cap-drop") + m["cgroupns"] = newCRString(c, "cgroupns") + m["cgroups"] = newCRString(c, "cgroups") m["cgroup-parent"] = newCRString(c, "cgroup-parent") m["cidfile"] = newCRString(c, "cidfile") m["conmon-pidfile"] = newCRString(c, "conmon-pidfile") diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go index 0a79e1570..f13af96bc 100644 --- a/cmd/podman/trust.go +++ b/cmd/podman/trust.go @@ -6,22 +6,20 @@ import ( ) var ( + trustCommand cliconfig.TrustValues trustDescription = `Manages which registries you trust as a source of container images based on its location. - The location is determined by the transport and the registry host of the image. Using this container image docker://docker.io/library/busybox as an example, docker is the transport and docker.io is the registry host.` - trustCommand = cliconfig.PodmanCommand{ - Command: &cobra.Command{ - Use: "trust", - Short: "Manage container image trust policy", - Long: trustDescription, - RunE: commandRunE(), - }, + _trustCommand = &cobra.Command{ + Use: "trust", + Short: "Manage container image trust policy", + Long: trustDescription, + RunE: commandRunE(), } ) func init() { + trustCommand.Command = _trustCommand trustCommand.SetHelpTemplate(HelpTemplate()) trustCommand.SetUsageTemplate(UsageTemplate()) trustCommand.AddCommand(getTrustSubCommands()...) - imageCommand.AddCommand(trustCommand.Command) } |