Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_internal_linux.go | 2 | ||||
-rw-r--r-- | libpod/image/image.go | 2 | ||||
-rw-r--r-- | libpod/image/pull.go | 3 | ||||
-rw-r--r-- | libpod/image/utils.go | 27 | ||||
-rw-r--r-- | libpod/kube.go | 18 | ||||
-rw-r--r-- | libpod/oci_attach_linux.go | 2 | ||||
-rw-r--r-- | libpod/options.go | 30 | ||||
-rw-r--r-- | libpod/pod.go | 2 | ||||
-rw-r--r-- | libpod/rootless_cni_linux.go | 28 | ||||
-rw-r--r-- | libpod/runtime_img.go | 3 | ||||
-rw-r--r-- | libpod/runtime_pod_infra_linux.go | 29 |
11 files changed, 101 insertions, 45 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 3bdf28e8c..dde7cafb1 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -635,7 +635,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 Destination: "/sys/fs/cgroup/systemd",
 Type: "bind",
 Source: "/sys/fs/cgroup/systemd",
-Options: []string{"bind", "nodev", "nosuid", "rprivate"},
+Options: []string{"bind", "nodev", "noexec", "nosuid", "rprivate"},
 }
 g.AddMount(systemdMnt)
 g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 850a48eae..5dfb33afb 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -1284,7 +1284,7 @@ func (ir *Runtime) Import(ctx context.Context, path, reference string, writer io
 return nil, errors.Wrapf(err, "error updating image config")
 }
-sc := GetSystemContext("", "", false)
+sc := GetSystemContext(ir.SignaturePolicyPath, "", false)
 // if reference not given, get the image digest
 if reference == "" {
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 94d6af4c2..65acdf427 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -255,6 +255,9 @@ func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName s
 sc.ArchitectureChoice = dockerOptions.ArchitectureChoice
 sc.VariantChoice = dockerOptions.VariantChoice
 }
+if signaturePolicyPath == "" {
+sc.SignaturePolicyPath = ir.SignaturePolicyPath
+}
 sc.BlobInfoCacheDir = filepath.Join(ir.store.GraphRoot(), "cache")
 srcRef, err := alltransports.ParseImageName(inputName)
 if err != nil {
diff --git a/libpod/image/utils.go b/libpod/image/utils.go
index b7ea63c66..918314476 100644
--- a/libpod/image/utils.go
+++ b/libpod/image/utils.go
@@ -86,33 +86,6 @@ func hasTransport(image string) bool {
 return strings.Contains(image, "://")
 }
-// ReposToMap parses the specified repotags and returns a map with repositories
-// as keys and the corresponding arrays of tags or digests-as-strings as values.
-func ReposToMap(names []string) (map[string][]string, error) {
-// map format is repo -> []tag-or-digest
-repos := make(map[string][]string)
-for _, name := range names {
-var repository, tag string
-if len(name) > 0 {
-named, err := reference.ParseNormalizedNamed(name)
-if err != nil {
-return nil, err
-}
-repository = named.Name()
-if ref, ok := named.(reference.NamedTagged); ok {
-tag = ref.Tag()
-} else if ref, ok := named.(reference.Canonical); ok {
-tag = ref.Digest().String()
-}
-}
-repos[repository] = append(repos[repository], tag)
-}
-if len(repos) == 0 {
-repos["<none>"] = []string{"<none>"}
-}
-return repos, nil
-}
-
 // GetAdditionalTags returns a list of reference.NamedTagged for the
 // additional tags given in images
 func GetAdditionalTags(images []string) ([]reference.NamedTagged, error) {
diff --git a/libpod/kube.go b/libpod/kube.go
index 9d5cbe68b..f83e99d82 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -77,6 +77,24 @@ func (p *Pod) GenerateForKube() (*v1.Pod, []v1.ServicePort, error) {
 }
 pod.Spec.HostAliases = extraHost
+// vendor/k8s.io/api/core/v1/types.go: v1.Container cannot save restartPolicy
+// so set it at here
+for _, ctr := range allContainers {
+if !ctr.IsInfra() {
+switch ctr.Config().RestartPolicy {
+case RestartPolicyAlways:
+pod.Spec.RestartPolicy = v1.RestartPolicyAlways
+case RestartPolicyOnFailure:
+pod.Spec.RestartPolicy = v1.RestartPolicyOnFailure
+case RestartPolicyNo:
+pod.Spec.RestartPolicy = v1.RestartPolicyNever
+default: // some pod create from cmdline, such as "", so set it to Never
+pod.Spec.RestartPolicy = v1.RestartPolicyNever
+}
+break
+}
+}
+
 if p.SharesPID() {
 // unfortunately, go doesn't have a nice way to specify a pointer to a bool
 b := true
diff --git a/libpod/oci_attach_linux.go b/libpod/oci_attach_linux.go
index 74af449ed..149ee813b 100644
--- a/libpod/oci_attach_linux.go
+++ b/libpod/oci_attach_linux.go
@@ -14,7 +14,7 @@ import (
 "github.com/containers/podman/v2/pkg/errorhandling"
 "github.com/containers/podman/v2/pkg/kubeutils"
 "github.com/containers/podman/v2/utils"
-"github.com/docker/docker/pkg/term"
+"github.com/moby/term"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
diff --git a/libpod/options.go b/libpod/options.go
index d592124bc..f7b3419e5 100644
--- a/libpod/options.go
+++ b/libpod/options.go
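Review bot: The new loop in GenerateForKube derives pod.Spec.RestartPolicy from the first non-infra container it meets and then breaks, so a pod whose containers carry different restart policies is exported with whichever one happens to come first in allContainers, with no warning. Consider logging or returning an error when a later container disagrees, and say why a single container decides: replace the two-line comment with `// v1.Container has no restartPolicy field and Kubernetes keeps one policy per pod, so derive it from the first non-infra container.` If no non-infra container exists the field keeps its zero value, which presumably leaves the policy to Kubernetes' default — I cannot see whether a later line sets it. The `default` comment would read better as `// containers created from the command line may carry an empty policy; map it to Never`. GenerateForKube starts and ends outside the hunk.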
@@ -1659,6 +1659,36 @@ func WithUmask(umask string) CtrCreateOption {
 // Pod Creation Options
+// WithInfraImage sets the infra image for libpod.
+// An infra image is used for inter-container kernel
+// namespace sharing within a pod. Typically, an infra
+// container is lightweight and is there to reap
+// zombie processes within its pid namespace.
+func WithInfraImage(img string) PodCreateOption {
+return func(pod *Pod) error {
+if pod.valid {
+return define.ErrPodFinalized
+}
+
+pod.config.InfraContainer.InfraImage = img
+
+return nil
+}
+}
+
+// WithInfraCommand sets the command to
+// run on pause container start up.
+func WithInfraCommand(cmd []string) PodCreateOption {
+return func(pod *Pod) error {
+if pod.valid {
+return define.ErrPodFinalized
+}
+
+pod.config.InfraContainer.InfraCommand = cmd
+return nil
+}
+}
+
 // WithPodName sets the name of the pod.
 func WithPodName(name string) PodCreateOption {
 return func(pod *Pod) error {
diff --git a/libpod/pod.go b/libpod/pod.go
index 422966b94..709184008 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -105,6 +105,8 @@ type InfraContainerConfig struct {
 HostAdd []string `json:"hostsAdd,omitempty"`
 Networks []string `json:"networks,omitempty"`
 ExitCommand []string `json:"exitCommand,omitempty"`
+InfraImage string `json:"infraImage,omitempty"`
+InfraCommand []string `json:"infraCommand,omitempty"`
 }
 // ID retrieves the pod's ID
diff --git a/libpod/rootless_cni_linux.go b/libpod/rootless_cni_linux.go
index 76dbfdcae..7feec6b44 100644
--- a/libpod/rootless_cni_linux.go
+++ b/libpod/rootless_cni_linux.go
@@ -13,6 +13,7 @@ import (
 "github.com/containernetworking/plugins/pkg/ns"
 "github.com/containers/podman/v2/libpod/define"
 "github.com/containers/podman/v2/libpod/image"
+"github.com/containers/podman/v2/pkg/env"
 "github.com/containers/podman/v2/pkg/util"
 "github.com/containers/storage/pkg/lockfile"
 "github.com/hashicorp/go-multierror"
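Review bot: WithInfraCommand stores the caller's slice directly in pod.config.InfraContainer.InfraCommand, so a caller that later mutates its argument silently changes the pod's configuration; a defensive copy costs one line, `pod.config.InfraContainer.InfraCommand = append([]string(nil), cmd...)`. Other slice-taking pod options in this file may have the same shape, but they are outside the hunk. The doc comment also says "pause container" while WithInfraImage and the surrounding code say "infra container"; suggest `// WithInfraCommand sets the command the infra container runs on start-up.` so the two options describe the same thing.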
@@ -22,10 +23,9 @@ import (
 "github.com/sirupsen/logrus"
 )
+// Built from ../contrib/rootless-cni-infra.
 var rootlessCNIInfraImage = map[string]string{
-// Built from ../contrib/rootless-cni-infra
-// TODO: move to Podman's official quay
-"amd64": "ghcr.io/akihirosuda/podman-rootless-cni-infra:gd34868a13-amd64",
+"amd64": "quay.io/libpod/rootless-cni-infra@sha256:8aa681c4c08dee3ec5d46ff592fddd0259a35626717006d6b77ee786b1d02967", // 1-amd64
 }
 const (
@@ -255,12 +255,26 @@ func startRootlessCNIInfraContainer(ctx context.Context, r *Runtime) (*Container
 Destination: "/etc/cni/net.d",
 Type: "bind",
 Source: r.config.Network.NetworkConfigDir,
-Options: []string{"ro"},
+Options: []string{"ro", "bind"},
 }
 g.AddMount(etcCNINetD)
-// FIXME: how to propagate ProcessArgs and Envs from Dockerfile?
-g.SetProcessArgs([]string{"sleep", "infinity"})
-g.AddProcessEnv("CNI_PATH", "/opt/cni/bin")
+
+inspectData, err := newImage.Inspect(ctx)
+if err != nil {
+return nil, err
+}
+imageEnv, err := env.ParseSlice(inspectData.Config.Env)
+if err != nil {
+return nil, err
+}
+for k, v := range imageEnv {
+g.AddProcessEnv(k, v)
+}
+if len(inspectData.Config.Cmd) == 0 {
+return nil, errors.Errorf("rootless CNI infra image %q has no command specified", imageName)
+}
+g.SetProcessArgs(inspectData.Config.Cmd)
+
 var options []CtrCreateOption
 options = append(options, WithRootFSFromImage(newImage.ID(), imageName, imageName))
 options = append(options, WithCtrNamespace(rootlessCNIInfraContainerNamespace))
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index eb4512f8d..e57890fa2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
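Review bot: In the @@ -255 hunk the process arguments come from inspectData.Config.Cmd alone, so an Entrypoint set on the infra image is silently ignored rather than prepended, and an image that defines only an Entrypoint is rejected with "has no command specified"; either concatenate Entrypoint and Cmd, or state the contract in a comment such as `// The infra image must define its command via CMD; an ENTRYPOINT is not honoured here.` The environment is copied into the spec before the Cmd check, so the error path has already done work; moving the `len(inspectData.Config.Cmd) == 0` check ahead of env.ParseSlice keeps validation first. Pinning the image by digest in the hunk above makes Cmd and Env a fixed, reviewable input, which is the right direction for a component that runs with the host's network namespace configuration. startRootlessCNIInfraContainer starts and ends outside the hunk.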
@@ -174,7 +174,7 @@ func (r *Runtime) Build(ctx context.Context, options imagebuildah.BuildOptions,
 }
 // Import is called as an intermediary to the image library Import
-func (r *Runtime) Import(ctx context.Context, source string, reference string, changes []string, history string, quiet bool) (string, error) {
+func (r *Runtime) Import(ctx context.Context, source, reference, signaturePolicyPath string, changes []string, history string, quiet bool) (string, error) {
 var (
 writer io.Writer
 err error
@@ -223,6 +223,7 @@ func (r *Runtime) Import(ctx context.Context, source string, reference string, c
 source = file
 }
+r.imageRuntime.SignaturePolicyPath = signaturePolicyPath
 newImage, err := r.imageRuntime.Import(ctx, source, reference, writer, image.SigningOptions{}, config)
 if err != nil {
 return "", err
diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go
index b2f21d946..570cdd38f 100644
--- a/libpod/runtime_pod_infra_linux.go
+++ b/libpod/runtime_pod_infra_linux.go
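Review bot: `r.imageRuntime.SignaturePolicyPath = signaturePolicyPath` in the @@ -223 hunk writes a per-call argument into shared Runtime state, so every later operation on this image runtime that falls back to ir.SignaturePolicyPath (the new branch in pull.go does exactly that when no path is passed) uses whatever the most recent Import set — including "", which would discard a previously configured policy — and concurrent Import calls race on the field. Prefer passing the path through to the image library's Import call rather than mutating the runtime; if that signature cannot change here, at least restore the old value: `prev := r.imageRuntime.SignaturePolicyPath` / `r.imageRuntime.SignaturePolicyPath = signaturePolicyPath` / `defer func() { r.imageRuntime.SignaturePolicyPath = prev }()`, noting that the defer still leaves the race. Runtime.Import starts and ends outside the hunk.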
@@ -36,22 +36,30 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 isRootless := rootless.IsRootless()
-entryCmd := []string{r.config.Engine.InfraCommand}
+entrypointSet := len(p.config.InfraContainer.InfraCommand) > 0
+entryPoint := p.config.InfraContainer.InfraCommand
+entryCmd := []string{}
 var options []CtrCreateOption
 // I've seen circumstances where config is being passed as nil.
 // Let's err on the side of safety and make sure it's safe to use.
 if config != nil {
-setEntrypoint := false
 // default to entrypoint in image if there is one
-if len(config.Entrypoint) > 0 {
-entryCmd = config.Entrypoint
-setEntrypoint = true
+if !entrypointSet {
+if len(config.Entrypoint) > 0 {
+entrypointSet = true
+entryPoint = config.Entrypoint
+entryCmd = config.Entrypoint
+}
+} else { // so use the InfraCommand
+entrypointSet = true
+entryCmd = entryPoint
 }
+
 if len(config.Cmd) > 0 {
 // We can't use the default pause command, since we're
 // sourcing from the image. If we didn't already set an
 // entrypoint, set one now.
-if !setEntrypoint {
+if !entrypointSet {
 // Use the Docker default "/bin/sh -c"
 // entrypoint, as we're overriding command.
 // If an image doesn't want this, it can
@@ -136,6 +144,9 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 options = append(options, WithRootFSFromImage(imgID, imgName, rawImageName))
 options = append(options, WithName(containerName))
 options = append(options, withIsInfra())
+if entrypointSet {
+options = append(options, WithEntrypoint(entryPoint))
+}
 if len(p.config.InfraContainer.ConmonPidFile) > 0 {
 options = append(options, WithConmonPidFile(p.config.InfraContainer.ConmonPidFile))
 }
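Review bot: `entryCmd := []string{}` drops the engine-level default: the removed line seeded entryCmd with r.config.Engine.InfraCommand, and nothing in the new hunk consults that setting, so when `config` is nil and the pod sets no InfraCommand the infra container starts with an empty entryCmd — unless a line outside the hunk reseeds it. When the pod does set InfraCommand but `config` is nil, entryCmd also stays empty, because the `else` branch that copies entryPoint into it only runs inside `if config != nil`; the `entrypointSet = true` in that branch is redundant since the variable is already true there. One way to keep the old fallback is to initialise before the nil check: `entryCmd := entryPoint` / `if len(entryCmd) == 0 && r.config.Engine.InfraCommand != "" { entryCmd = []string{r.config.Engine.InfraCommand} }`. makeInfraContainer starts and ends outside the hunk.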
@@ -151,7 +162,11 @@ func (r *Runtime) createInfraContainer(ctx context.Context, p *Pod) (*Container,
 return nil, define.ErrRuntimeStopped
 }
-newImage, err := r.ImageRuntime().New(ctx, r.config.Engine.InfraImage, "", "", nil, nil, image.SigningOptions{}, nil, util.PullImageMissing)
+img := p.config.InfraContainer.InfraImage
+if img == "" {
+img = r.config.Engine.InfraImage
+}
+newImage, err := r.ImageRuntime().New(ctx, img, "", "", nil, nil, image.SigningOptions{}, nil, util.PullImageMissing)
 if err != nil {
 return nil, err
 } |