summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_internal.go12
-rw-r--r--libpod/kube.go64
-rw-r--r--libpod/options.go11
4 files changed, 67 insertions, 22 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index 54d102a71..33ea731fd 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -153,6 +153,8 @@ type ContainerRootFSConfig struct {
Secrets []*ContainerSecret `json:"secrets,omitempty"`
// SecretPath is the secrets location in storage
SecretsPath string `json:"secretsPath"`
+ // StorageOpts to be used when creating rootfs
+ StorageOpts map[string]string `json:"storageOpts"`
// Volatile specifies whether the container storage can be optimized
// at the cost of not syncing all the dirty files in memory.
Volatile bool `json:"volatile,omitempty"`
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 43f5398a2..994ffeec7 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -445,6 +445,18 @@ func (c *Container) setupStorage(ctx context.Context) error {
},
LabelOpts: c.config.LabelOpts,
}
+
+ nopts := len(c.config.StorageOpts)
+ if nopts > 0 {
+ options.StorageOpt = make(map[string]string, nopts)
+ for _, opt := range c.config.StorageOpts {
+ split2 := strings.SplitN(opt, "=", 2)
+ if len(split2) > 2 {
+ return errors.Wrapf(define.ErrInvalidArg, "invalid storage options %q for %s", opt, c.ID())
+ }
+ options.StorageOpt[split2[0]] = split2[1]
+ }
+ }
if c.restoreFromCheckpoint && !c.config.Privileged {
// If restoring from a checkpoint, the root file-system
// needs to be mounted with the same SELinux labels as
diff --git a/libpod/kube.go b/libpod/kube.go
index d47f47f1c..02ac8ed98 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -332,7 +332,7 @@ func newPodObject(podName string, annotations map[string]string, initCtrs, conta
InitContainers: initCtrs,
Volumes: volumes,
}
- if dnsOptions != nil {
+ if dnsOptions != nil && (len(dnsOptions.Nameservers)+len(dnsOptions.Searches)+len(dnsOptions.Options) > 0) {
ps.DNSConfig = dnsOptions
}
p := v1.Pod{
@@ -447,11 +447,6 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
kubeVolumes = append(kubeVolumes, volumes...)
}
- envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env)
- if err != nil {
- return kubeContainer, kubeVolumes, nil, annotations, err
- }
-
portmappings, err := c.PortMappings()
if err != nil {
return kubeContainer, kubeVolumes, nil, annotations, err
@@ -489,15 +484,23 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
kubeContainer.Command = nil
}
+ if c.WorkingDir() != "/" && imgData.Config.WorkingDir != c.WorkingDir() {
+ kubeContainer.WorkingDir = c.WorkingDir()
+ }
+
if imgData.User == c.User() {
kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
}
- kubeContainer.WorkingDir = c.WorkingDir()
+ envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env, imgData.Config.Env)
+ if err != nil {
+ return kubeContainer, kubeVolumes, nil, annotations, err
+ }
+ kubeContainer.Env = envVariables
+
kubeContainer.Ports = ports
// This should not be applicable
//container.EnvFromSource =
- kubeContainer.Env = envVariables
kubeContainer.SecurityContext = kubeSec
kubeContainer.StdinOnce = false
kubeContainer.TTY = c.config.Spec.Process.Terminal
@@ -600,9 +603,14 @@ func ocicniPortMappingToContainerPort(portMappings []types.OCICNIPortMapping) ([
}
// libpodEnvVarsToKubeEnvVars converts a key=value string slice to []v1.EnvVar
-func libpodEnvVarsToKubeEnvVars(envs []string) ([]v1.EnvVar, error) {
+func libpodEnvVarsToKubeEnvVars(envs []string, imageEnvs []string) ([]v1.EnvVar, error) {
defaultEnv := env.DefaultEnvVariables()
envVars := make([]v1.EnvVar, 0, len(envs))
+ imageMap := make(map[string]string, len(imageEnvs))
+ for _, ie := range envs {
+ split := strings.SplitN(ie, "=", 2)
+ imageMap[split[0]] = split[1]
+ }
for _, e := range envs {
split := strings.SplitN(e, "=", 2)
if len(split) != 2 {
@@ -611,6 +619,9 @@ func libpodEnvVarsToKubeEnvVars(envs []string) ([]v1.EnvVar, error) {
if defaultEnv[split[0]] == split[1] {
continue
}
+ if imageMap[split[0]] == split[1] {
+ continue
+ }
ev := v1.EnvVar{
Name: split[0],
Value: split[1],
@@ -808,33 +819,42 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
capabilities = newCaps
}
+ sc := v1.SecurityContext{
+ // RunAsNonRoot is an optional parameter; our first implementations should be root only; however
+ // I'm leaving this as a bread-crumb for later
+ //RunAsNonRoot: &nonRoot,
+ }
+ if capabilities != nil {
+ sc.Capabilities = capabilities
+ }
var selinuxOpts v1.SELinuxOptions
opts := strings.SplitN(c.config.Spec.Annotations[define.InspectAnnotationLabel], ":", 2)
- if len(opts) == 2 {
+ switch len(opts) {
+ case 2:
switch opts[0] {
case "type":
selinuxOpts.Type = opts[1]
+ sc.SELinuxOptions = &selinuxOpts
case "level":
selinuxOpts.Level = opts[1]
+ sc.SELinuxOptions = &selinuxOpts
}
- }
- if len(opts) == 1 {
+ case 1:
if opts[0] == "disable" {
selinuxOpts.Type = "spc_t"
+ sc.SELinuxOptions = &selinuxOpts
}
}
- sc := v1.SecurityContext{
- Capabilities: capabilities,
- Privileged: &privileged,
- SELinuxOptions: &selinuxOpts,
- // RunAsNonRoot is an optional parameter; our first implementations should be root only; however
- // I'm leaving this as a bread-crumb for later
- //RunAsNonRoot: &nonRoot,
- ReadOnlyRootFilesystem: &ro,
- AllowPrivilegeEscalation: &allowPrivEscalation,
+ if !allowPrivEscalation {
+ sc.AllowPrivilegeEscalation = &allowPrivEscalation
+ }
+ if privileged {
+ sc.Privileged = &privileged
+ }
+ if ro {
+ sc.ReadOnlyRootFilesystem = &ro
}
-
if c.User() != "" {
if !c.batched {
c.lock.Lock()
diff --git a/libpod/options.go b/libpod/options.go
index 553af43fd..9762de67e 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -310,6 +310,17 @@ func WithCDI(devices []string) CtrCreateOption {
}
}
+// WithStorageOpts sets the devices to check for for CDI configuration.
+func WithStorageOpts(storageOpts map[string]string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.StorageOpts = storageOpts
+ return nil
+ }
+}
+
// WithDefaultMountsFile sets the file to look at for default mounts (mainly
// secrets).
// Note we are not saving this in the database as it is for testing purposes
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-09 02:13:20 +0000