Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_config.go | 2 | ||||
-rw-r--r-- | libpod/container_inspect.go | 2 | ||||
-rw-r--r-- | libpod/define/container_inspect.go | 4 | ||||
-rw-r--r-- | libpod/define/info.go | 1 | ||||
-rw-r--r-- | libpod/image/prune.go | 2 | ||||
-rw-r--r-- | libpod/image/pull_test.go | 6 | ||||
-rw-r--r-- | libpod/info.go | 7 | ||||
-rw-r--r-- | libpod/kube.go | 9 | ||||
-rw-r--r-- | libpod/networking_linux.go | 2 | ||||
-rw-r--r-- | libpod/networking_slirp4netns.go | 14 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 4 | ||||
-rw-r--r-- | libpod/options.go | 13 | ||||
-rw-r--r-- | libpod/util.go | 10 |
13 files changed, 70 insertions, 6 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index d0572fbc2..ede6b1aab 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -298,6 +298,8 @@ type ContainerMiscConfig struct {
 StopSignal uint `json:"stopSignal,omitempty"`
 // StopTimeout is the signal that will be used to stop the container
 StopTimeout uint `json:"stopTimeout,omitempty"`
+ // Timeout is maximimum time a container will run before getting the kill signal
+ Timeout uint `json:"timeout,omitempty"`
 // Time container was created
 CreatedTime time.Time `json:"createdTime"`
 // CgroupManager is the cgroup manager used to create this container.
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 61cc43314..5b2103c92 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -304,6 +304,8 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
 ctrConfig.WorkingDir = spec.Process.Cwd
 }
 
+ ctrConfig.StopTimeout = c.config.StopTimeout
+ ctrConfig.Timeout = c.config.Timeout
 ctrConfig.OpenStdin = c.config.Stdin
 ctrConfig.Image = c.config.RootfsImageName
 ctrConfig.SystemdMode = c.config.Systemd
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index 1a38f5b0a..c236f35b0 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -64,6 +64,10 @@ type InspectContainerConfig struct {
 Umask string `json:"Umask,omitempty"`
 // Secrets are the secrets mounted in the container
 Secrets []*InspectSecret `json:"Secrets,omitempty"`
+ // Timeout is time before container is killed by conmon
+ Timeout uint `json:"Timeout"`
+ // StopTimeout is time before container is stoped when calling stop
+ StopTimeout uint `json:"StopTimeout"`
 }
 
 // InspectRestartPolicy holds information about the container's restart policy.
diff --git a/libpod/define/info.go b/libpod/define/info.go
index 00146da48..87935be2d 100644
--- a/libpod/define/info.go
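Review bot: The doc comment on the new `Timeout` field does not say what unit the value is in, and `maximimum` is misspelled; the value is handed straight to conmon's `--timeout` in the libpod/oci_conmon_linux.go hunk, and conmon documents that flag in seconds, so if that is the contract the comment should state it: `// Timeout is the maximum time in seconds a container will run before conmon sends it the kill signal; 0 means no limit`. The zero-means-no-limit part follows from the `ctr.config.Timeout > 0` guard in that same hunk. The missing unit applies equally to the `Timeout` comment in the libpod/define/container_inspect.go hunk and to the WithTimeout doc comment in libpod/options.go.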
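Review bot: The two new fields in InspectContainerConfig are tagged `json:"Timeout"` and `json:"StopTimeout"` without `omitempty`, while every neighbouring field visible in the hunk (`Umask`, `Secrets`) carries it; if always emitting the zero value is deliberate so consumers can distinguish an explicit 0, a short comment should say so, otherwise the tags should match the rest of the struct. The `StopTimeout` comment also misspells `stoped`; suggest `// StopTimeout is the time to wait after the stop signal before the container is killed when stop is called`. The enclosing struct starts outside the hunk.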
+++ b/libpod/define/info.go
@@ -17,6 +17,7 @@ type SecurityInfo struct {
 DefaultCapabilities string `json:"capabilities"`
 Rootless bool `json:"rootless"`
 SECCOMPEnabled bool `json:"seccompEnabled"`
+ SECCOMPProfilePath string `json:"seccompProfilePath"`
 SELinuxEnabled bool `json:"selinuxEnabled"`
 }
 
diff --git a/libpod/image/prune.go b/libpod/image/prune.go
index 0e41fde44..e0480d3d1 100644
--- a/libpod/image/prune.go
+++ b/libpod/image/prune.go
@@ -30,7 +30,7 @@ func generatePruneFilterFuncs(filter, filterValue string) (ImageFilter, error) {
 return nil, err
 }
 return func(i *Image) bool {
- if !until.IsZero() && i.Created().After((until)) {
+ if !until.IsZero() && i.Created().Before(until) {
 return true
 }
 return false
diff --git a/libpod/image/pull_test.go b/libpod/image/pull_test.go
index 2e1464ad3..d2930451c 100644
--- a/libpod/image/pull_test.go
+++ b/libpod/image/pull_test.go
@@ -308,6 +308,12 @@ func TestPullGoalFromPossiblyUnqualifiedName(t *testing.T) {
 sc.UserShortNameAliasConfPath = aliasesConf.Name()
 sc.SystemRegistriesConfPath = registriesConf.Name()
 
+ // Make sure to not sure the system's registries.conf.d
+ dir, err := ioutil.TempDir("", "example")
+ require.NoError(t, err)
+ sc.SystemRegistriesConfDirPath = dir
+ defer os.RemoveAll(dir) // clean up
+
 for _, c := range []struct {
 input string
 expected []pullRefStrings
diff --git a/libpod/info.go b/libpod/info.go
index ef0c83a2a..7a28a4cf7 100644
--- a/libpod/info.go
+++ b/libpod/info.go
@@ -87,6 +87,12 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 if err != nil {
 return nil, errors.Wrapf(err, "error getting hostname")
 }
+ seccompProfilePath, err := DefaultSeccompPath()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error getting Seccomp profile path")
+ }
+
 info := define.HostInfo{
 Arch: runtime.GOARCH,
 BuildahVersion: buildah.Version,
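Review bot: The new `SECCOMPProfilePath` field is undocumented and its empty-string case is easy to misread: the value comes from DefaultSeccompPath in the libpod/info.go hunk, whose own doc comment (visible in the libpod/util.go hunk) says it returns "" when neither the override nor the default profile file exists, so an empty value means no profile file was found, not that seccomp is off — `SECCOMPEnabled` already reports the latter. Suggest `// SECCOMPProfilePath is the seccomp profile file applied to containers by default; empty when no profile file was found`. The neighbouring fields carry no comments either, but this is the first one whose zero value needs interpreting.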
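Review bot: The filter closure around the `Before` fix still spells out `if cond { return true }` followed by `return false`; a bare `return !until.IsZero() && i.Created().Before(until)` says the same thing without the branch. This is a style point only — the operator flip itself is what the commit is for. generatePruneFilterFuncs continues outside the hunk.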
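Review bot: The comment on the new setup block reads `// Make sure to not sure the system's registries.conf.d`; it should say `// Make sure to not use the system's registries.conf.d`. The `defer os.RemoveAll(dir) // clean up` line also discards the removal error; if the repository's Go version provides `t.TempDir()` (Go 1.15 and later), `sc.SystemRegistriesConfDirPath = t.TempDir()` replaces the `ioutil.TempDir`, `require.NoError` and `defer` lines and hands cleanup to the testing framework. TestPullGoalFromPossiblyUnqualifiedName continues outside the hunk.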
@@ -106,6 +112,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
 DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
 Rootless: rootless.IsRootless(),
 SECCOMPEnabled: seccomp.IsEnabled(),
+ SECCOMPProfilePath: seccompProfilePath,
 SELinuxEnabled: selinux.GetEnabled(),
 },
 Slirp4NetNS: define.SlirpInfo{},
diff --git a/libpod/kube.go b/libpod/kube.go
index 11ccaeadc..adcfe92c9 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -1,6 +1,7 @@
 package libpod
 
 import (
+ "fmt"
 "math/rand"
 "os"
 "strconv"
@@ -539,11 +540,17 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume
 namedVolumes, mounts := c.sortUserVolumes(c.config.Spec)
 vms := make([]v1.VolumeMount, 0, len(mounts))
 vos := make([]v1.Volume, 0, len(mounts))
- for _, m := range mounts {
+
+ var suffix string
+ for index, m := range mounts {
 vm, vo, err := generateKubeVolumeMount(m)
 if err != nil {
 return vms, vos, err
 }
+ // Name will be the same, so use the index as suffix
+ suffix = fmt.Sprintf("-%d", index)
+ vm.Name += suffix
+ vo.Name += suffix
 vms = append(vms, vm)
 vos = append(vos, vo)
 }
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 6e2c2880f..cfed5a1f2 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -577,7 +577,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error {
 // set up port forwarder for CNI-in-slirp4netns
 netnsPath := ctr.state.NetNS.Path()
 // TODO: support slirp4netns port forwarder as well
- return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
+ return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, "")
 }
 return nil
 }
diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go
index 72ab3c919..c46dc6972 100644
--- a/libpod/networking_slirp4netns.go
+++ b/libpod/networking_slirp4netns.go
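Review bot: `suffix` is hoisted out of the loop as `var suffix string` and rebuilt with `fmt.Sprintf` on every iteration, which is the only reason for the new `"fmt"` import in the first hunk of this file; `strconv` is already imported, so `vm.Name += "-" + strconv.Itoa(index)` and `vo.Name += "-" + strconv.Itoa(index)` (or a loop-local `suffix := "-" + strconv.Itoa(index)`) drop both the outer variable and, if nothing else in the file needs it, the import. The comment `// Name will be the same, so use the index as suffix` should also say why the names collide — presumably generateKubeVolumeMount derives them from something shared across mounts, but that is not visible here — since a reader otherwise cannot tell whether the suffix is needed for every mount or only for duplicates. libpodMountsToKubeVolumeMounts continues outside the hunk.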
@@ -312,7 +312,7 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error {
 if netOptions.isSlirpHostForward {
 return r.setupRootlessPortMappingViaSlirp(ctr, cmd, apiSocket)
 }
- return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
+ return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, netOptions.cidr)
 }
 return nil
 }
@@ -363,7 +363,7 @@ func waitForSync(syncR *os.File, cmd *exec.Cmd, logFile io.ReadSeeker, timeout t
 return nil
 }
 
-func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath string) error {
+func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath, slirp4CIDR string) error {
 syncR, syncW, err := os.Pipe()
 if err != nil {
 return errors.Wrapf(err, "failed to open pipe")
@@ -391,6 +391,16 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
 }
 
 childIP := slirp4netnsIP
+ // set the correct childIP when a custom cidr is set
+ if slirp4CIDR != "" {
+ _, cidr, err := net.ParseCIDR(slirp4CIDR)
+ if err != nil {
+ return errors.Wrap(err, "failed to parse slirp4netns cidr")
+ }
+ // the slirp container ip is always the hundredth ip in the subnet
+ cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 100
+ childIP = cidr.IP.String()
+ }
 outer:
 for _, r := range ctr.state.NetworkStatus {
 for _, i := range r.IPs {
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index c1acec977..1b1d4ad59 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1024,6 +1024,10 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 args = append(args, "-i")
 }
 
+ if ctr.config.Timeout > 0 {
+ args = append(args, fmt.Sprintf("--timeout=%d", ctr.config.Timeout))
+ }
+
 if !r.enableKeyring {
 args = append(args, "--no-new-keyring")
 }
diff --git a/libpod/options.go b/libpod/options.go
index 103a9a80a..39415a817 100644
--- a/libpod/options.go
+++ b/libpod/options.go
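Review bot: The custom-CIDR branch in the third hunk derives the child IP by adding 100 to the last byte of the parsed network address and never checks that the result is still inside the subnet: the addition is on a byte and wraps silently, and for a prefix longer than /24 (or a base whose last octet is above 155) the computed `childIP` lies outside the slirp4netns network, so the port forwarder is pointed at an address the container does not have. `slirp4CIDR` arrives from `netOptions.cidr` at the first hunk's call site, which as far as this diff shows is user-supplied, so the function should fail early with a clear error; `net.IPNet.Contains` on the computed address catches both the wrap and the out-of-range case. The rewrite below also works on a copy of the parsed IP instead of mutating the `*net.IPNet` in place, and names that value `ipNet` because `cidr` reads like the string argument. setupRootlessPortMappingViaRLK continues outside the hunk with the `outer:` loop over the network status.
```go
	// set the correct childIP when a custom cidr is set
	if slirp4CIDR != "" {
		_, ipNet, err := net.ParseCIDR(slirp4CIDR)
		if err != nil {
			return errors.Wrap(err, "failed to parse slirp4netns cidr")
		}
		// the slirp container ip is always the hundredth ip in the subnet;
		// work on a copy so the parsed network is left untouched
		ip := make(net.IP, len(ipNet.IP))
		copy(ip, ipNet.IP)
		ip[len(ip)-1] += 100
		// a byte wrap or a prefix longer than /24 puts the address outside the subnet
		if !ipNet.Contains(ip) {
			return errors.Errorf("slirp4netns cidr %q is too small to hold the container ip %s", slirp4CIDR, ip)
		}
		childIP = ip.String()
	}
	// … unchanged: outer loop over ctr.state.NetworkStatus …
```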
@@ -769,6 +769,19 @@ func WithStopTimeout(timeout uint) CtrCreateOption {
 }
 }
 
+// WithTimeout sets the maximum time a container is allowed to run"
+func WithTimeout(timeout uint) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+
+ ctr.config.Timeout = timeout
+
+ return nil
+ }
+}
+
 // WithIDMappings sets the idmappings for the container
 func WithIDMappings(idmappings storage.IDMappingOptions) CtrCreateOption {
 return func(ctr *Container) error {
diff --git a/libpod/util.go b/libpod/util.go
index b75c9179a..7f4a01f28 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -194,7 +194,15 @@ func programVersion(mountProgram string) (string, error) {
 // if it exists, first it checks OverrideSeccomp and then default.
 // If neither exist function returns ""
 func DefaultSeccompPath() (string, error) {
- _, err := os.Stat(config.SeccompOverridePath)
+ def, err := config.Default()
+ if err != nil {
+ return "", err
+ }
+ if def.Containers.SeccompProfile != "" {
+ return def.Containers.SeccompProfile, nil
+ }
+
+ _, err = os.Stat(config.SeccompOverridePath)
 if err == nil {
 return config.SeccompOverridePath, nil
 }
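Review bot: The doc comment on the new WithTimeout ends in a stray quote, `// WithTimeout sets the maximum time a container is allowed to run"`, and does not say what a zero value means even though the `ctr.config.Timeout > 0` guard in the libpod/oci_conmon_linux.go hunk makes 0 the "no limit" case. Suggest `// WithTimeout sets the maximum time a container is allowed to run before conmon sends it the kill signal; 0 disables the limit.` The option itself mirrors WithStopTimeout directly above it, so no code change is needed.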
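Review bot: The doc comment immediately above the changed lines still says DefaultSeccompPath "first checks OverrideSeccomp and then default", but the new code returns `def.Containers.SeccompProfile` from the loaded containers.conf before either path is looked at, so the comment is now out of date; suggest replacing the three comment lines with `// DefaultSeccompPath returns the seccomp profile to use: the SeccompProfile set in containers.conf if any, otherwise the override path, otherwise the default path if it exists, otherwise "".` The containers.conf value is also returned without the `os.Stat` existence check the other two branches get; if that asymmetry is intended (a configured but missing profile should surface as an error when applied rather than silently fall through), a one-line comment on the `if def.Containers.SeccompProfile != ""` branch saying so would spare the next reader the question. The rest of DefaultSeccompPath lies outside the hunk.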