Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_internal_linux.go8
-rw-r--r--libpod/options.go11
-rw-r--r--libpod/runtime.go12
4 files changed, 31 insertions, 2 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index e6c3be1bd..d0572fbc2 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -366,4 +366,6 @@ type ContainerMiscConfig struct {
Umask string `json:"umask,omitempty"`
// PidFile is the file that saves the pid of the container process
PidFile string `json:"pid_file,omitempty"`
+ // CDIDevices contains devices that use the CDI
+ CDIDevices []string `json:"cdiDevices,omitempty"`
}
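Review bot: The new field's JSON tag `cdiDevices` breaks the snake_case convention of its siblings in ContainerMiscConfig (`umask`, `pid_file`), and if this config is persisted as the surrounding code suggests, the tag becomes hard to change later. Unless an external consumer already expects camelCase, use `CDIDevices []string \`json:"cdi_devices,omitempty"\``. The comment should also say what the strings are, e.g. `// CDIDevices lists the CDI device names to inject into the container's OCI spec.`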
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 1986f7438..f4762b5ff 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -20,6 +20,7 @@ import (
"time"
metadata "github.com/checkpoint-restore/checkpointctl/lib"
+ cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containers/buildah/pkg/chrootuser"
@@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
g.SetLinuxCgroupsPath(cgroupPath)
+ // Warning: CDI may alter g.Config in place.
+ if len(c.config.CDIDevices) > 0 {
+ if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil {
+ return nil, errors.Wrapf(err, "error setting up CDI devices")
+ }
+ }
+
// Mounts need to be sorted so paths will not cover other paths
mounts := sortMounts(g.Mounts())
g.ClearMounts()
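Review bot: `cdi.UpdateOCISpecForDevices` is handed the device names verbatim and its edits to g.Config are accepted as-is, so whatever the resolved CDI spec contains (device nodes and mounts, and as far as I can tell from the CDI format also hooks and env) lands in the container spec with no further check on this side; the in-place warning above is the only acknowledgement. At minimum the error should name the devices so a bad or unexpected spec is diagnosable, and `errors.Wrapf` with no format arguments should either become `errors.Wrap` or actually format: `return nil, errors.Wrapf(err, "error setting up CDI devices %v", c.config.CDIDevices)`. Placing the call before `sortMounts` is right, since mounts added by CDI then get sorted with the rest. generateSpec starts and ends outside this hunk.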
diff --git a/libpod/options.go b/libpod/options.go
index 5cd0f7b88..103a9a80a 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption {
}
}
+// WithCDI sets the devices to check for for CDI configuration.
+func WithCDI(devices []string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.CDIDevices = devices
+ return nil
+ }
+}
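Review bot: The doc comment has a doubled word (`for for`), and the option stores the caller's slice by reference, so a caller that reuses or mutates its slice after WithCDI silently changes the container config. I would fix the comment and copy the slice: `// WithCDI sets the CDI device names to inject into the container.` and `ctr.config.CDIDevices = append([]string(nil), devices...)`. Whether the other CtrCreateOptions in this file copy their slice arguments is not visible here; match whatever they do.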
+
// WithDefaultMountsFile sets the file to look at for default mounts (mainly
// secrets).
// Note we are not saving this in the database as it is for testing purposes
diff --git a/libpod/runtime.go b/libpod/runtime.go
index dc53d5ef1..3518ed25a 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -29,6 +29,7 @@ import (
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/unshare"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/pkg/namesgenerator"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
}
logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace)
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+
+ needsUserns := !hasCapSysAdmin
+
// Set up containers/storage
var store storage.Store
- if os.Geteuid() != 0 {
+ if needsUserns {
logrus.Debug("Not configuring container store")
} else if runtime.noStore {
logrus.Debug("No store required. Not opening container store.")
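Review bot: Replacing `os.Geteuid() != 0` with `!hasCapSysAdmin` changes who is treated as needing a user namespace in both directions: a euid-0 process that has dropped CAP_SYS_ADMIN (podman inside a restricted container) now takes the rootless path, while a non-root process holding CAP_SYS_ADMIN via file or ambient capabilities now takes the root path and will try to open the root container store. If the rest of libpod still keys rootless behaviour on euid (the `rootless` package imported above is the obvious place), the two can now disagree, so the intent deserves a comment: `// A user namespace is needed only when we lack CAP_SYS_ADMIN; euid alone is not decisive (e.g. root inside a container with capabilities dropped).` The bare `return err` also drops context; `return errors.Wrap(err, "error checking for CAP_SYS_ADMIN")` if pkg/errors is in scope in this file, which I cannot see from the hunk. makeRuntime starts and ends outside this hunk.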
@@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
// If we need to refresh, then it is safe to assume there are
// no containers running. Create immediately a namespace, as
// we will need to access the storage.
- if os.Geteuid() != 0 {
+ if needsUserns {
aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec.
pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir)
if err != nil {
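Review bot: With `needsUserns` now true for a euid-0 process lacking CAP_SYS_ADMIN, this branch unlocks and goes through the rootless pause-process and re-exec machinery for a uid that is already 0; whether `GetRootlessPauseProcessPidPathGivenDir` and the `BecomeRootInUserNS` named in the comment behave correctly for euid 0 is not visible here and should be confirmed. A short comment would also stop a future reader from "fixing" this back to a euid check: `// needsUserns also covers euid-0 callers without CAP_SYS_ADMIN, not only rootless users.` makeRuntime continues past this hunk.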