summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_inspect.go17
-rw-r--r--libpod/container_internal.go37
-rw-r--r--libpod/container_internal_linux.go13
-rw-r--r--libpod/define/pod_inspect.go6
-rw-r--r--libpod/networking_linux.go16
-rw-r--r--libpod/pod_api.go41
-rw-r--r--libpod/util.go45
7 files changed, 124 insertions, 51 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index b1d86b0a5..680776dba 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -613,22 +613,11 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
// Port bindings.
// Only populate if we're using CNI to configure the network.
- portBindings := make(map[string][]define.InspectHostPort)
if c.config.CreateNetNS {
- for _, port := range c.config.PortMappings {
- key := fmt.Sprintf("%d/%s", port.ContainerPort, port.Protocol)
- hostPorts := portBindings[key]
- if hostPorts == nil {
- hostPorts = []define.InspectHostPort{}
- }
- hostPorts = append(hostPorts, define.InspectHostPort{
- HostIP: port.HostIP,
- HostPort: fmt.Sprintf("%d", port.HostPort),
- })
- portBindings[key] = hostPorts
- }
+ hostConfig.PortBindings = makeInspectPortBindings(c.config.PortMappings)
+ } else {
+ hostConfig.PortBindings = make(map[string][]define.InspectHostPort)
}
- hostConfig.PortBindings = portBindings
// Cap add and cap drop.
// We need a default set of capabilities to compare against.
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index e98e20b9b..a79b9e5a8 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -28,7 +28,6 @@ import (
securejoin "github.com/cyphar/filepath-securejoin"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
- "github.com/opencontainers/selinux/go-selinux/label"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -1759,32 +1758,40 @@ func (c *Container) postDeleteHooks(ctx context.Context) error {
return nil
}
-// writeStringToRundir copies the provided file to the runtimedir
-func (c *Container) writeStringToRundir(destFile, output string) (string, error) {
+// writeStringToRundir writes the given string to a file with the given name in
+// the container's temporary files directory. The file will be chown'd to the
+// container's root user and have an appropriate SELinux label set.
+// If a file with the same name already exists, it will be deleted and recreated
+// with the new contents.
+// Returns the full path to the new file.
+func (c *Container) writeStringToRundir(destFile, contents string) (string, error) {
destFileName := filepath.Join(c.state.RunDir, destFile)
if err := os.Remove(destFileName); err != nil && !os.IsNotExist(err) {
return "", errors.Wrapf(err, "error removing %s for container %s", destFile, c.ID())
}
- f, err := os.Create(destFileName)
- if err != nil {
- return "", errors.Wrapf(err, "unable to create %s", destFileName)
- }
- defer f.Close()
- if err := f.Chown(c.RootUID(), c.RootGID()); err != nil {
+ if err := writeStringToPath(destFileName, contents, c.config.MountLabel, c.RootUID(), c.RootGID()); err != nil {
return "", err
}
- if _, err := f.WriteString(output); err != nil {
- return "", errors.Wrapf(err, "unable to write %s", destFileName)
- }
- // Relabel runDirResolv for the container
- if err := label.Relabel(destFileName, c.config.MountLabel, false); err != nil {
+ return destFileName, nil
+}
+
+// writeStringToStaticDir writes the given string to a file with the given name
+// in the container's permanent files directory. The file will be chown'd to the
+// container's root user and have an appropriate SELinux label set.
+// Unlike writeStringToRundir, will *not* delete and re-create if the file
+// already exists (will instead error).
+// Returns the full path to the new file.
+func (c *Container) writeStringToStaticDir(filename, contents string) (string, error) {
+ destFileName := filepath.Join(c.config.StaticDir, filename)
+
+ if err := writeStringToPath(destFileName, contents, c.config.MountLabel, c.RootUID(), c.RootGID()); err != nil {
return "", err
}
- return filepath.Join(c.state.RunDir, destFile), nil
+ return destFileName, nil
}
// appendStringToRundir appends the provided string to the runtimedir file
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index b2711745e..255505416 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -214,6 +214,9 @@ func (c *Container) getUserOverrides() *lookup.Overrides {
}
}
}
+ if path, ok := c.state.BindMounts["/etc/passwd"]; ok {
+ overrides.ContainerEtcPasswdPath = path
+ }
return &overrides
}
@@ -1513,6 +1516,14 @@ func (c *Container) generatePasswd() (string, error) {
if !c.config.AddCurrentUserPasswdEntry && c.config.User == "" {
return "", nil
}
+ if MountExists(c.config.Spec.Mounts, "/etc/passwd") {
+ return "", nil
+ }
+ // Re-use passwd if possible
+ passwdPath := filepath.Join(c.config.StaticDir, "passwd")
+ if _, err := os.Stat(passwdPath); err == nil {
+ return passwdPath, nil
+ }
pwd := ""
if c.config.User != "" {
entry, err := c.generateUserPasswdEntry()
@@ -1536,7 +1547,7 @@ func (c *Container) generatePasswd() (string, error) {
if err != nil && !os.IsNotExist(err) {
return "", errors.Wrapf(err, "unable to read passwd file %s", originPasswdFile)
}
- passwdFile, err := c.writeStringToRundir("passwd", string(orig)+pwd)
+ passwdFile, err := c.writeStringToStaticDir("passwd", string(orig)+pwd)
if err != nil {
return "", errors.Wrapf(err, "failed to create temporary passwd file")
}
diff --git a/libpod/define/pod_inspect.go b/libpod/define/pod_inspect.go
index 7f06e16fc..634cbb728 100644
--- a/libpod/define/pod_inspect.go
+++ b/libpod/define/pod_inspect.go
@@ -3,8 +3,6 @@ package define
import (
"net"
"time"
-
- "github.com/cri-o/ocicni/pkg/ocicni"
)
// InspectPodData contains detailed information on a pod's configuration and
@@ -60,7 +58,7 @@ type InspectPodData struct {
type InspectPodInfraConfig struct {
// PortBindings are ports that will be forwarded to the infra container
// and then shared with the pod.
- PortBindings []ocicni.PortMapping
+ PortBindings map[string][]InspectHostPort
// HostNetwork is whether the infra container (and thus the whole pod)
// will use the host's network and not create a network namespace.
HostNetwork bool
@@ -89,6 +87,8 @@ type InspectPodInfraConfig struct {
// HostAdd adds a number of hosts to the infra container's resolv.conf
// which will be shared with the rest of the pod.
HostAdd []string
+ // Networks is a list of CNI networks te pod will join.
+ Networks []string
}
// InspectPodContainerInfo contains information on a container in a pod.
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 8b08d3d5f..35e58f916 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -715,21 +715,7 @@ func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) {
// network.
func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, error) {
settings := new(define.InspectNetworkSettings)
- settings.Ports = make(map[string][]define.InspectHostPort)
- if c.config.PortMappings != nil {
- for _, port := range c.config.PortMappings {
- key := fmt.Sprintf("%d/%s", port.ContainerPort, port.Protocol)
- mapping := settings.Ports[key]
- if mapping == nil {
- mapping = []define.InspectHostPort{}
- }
- mapping = append(mapping, define.InspectHostPort{
- HostIP: port.HostIP,
- HostPort: fmt.Sprintf("%d", port.HostPort),
- })
- settings.Ports[key] = mapping
- }
- }
+ settings.Ports = makeInspectPortBindings(c.config.PortMappings)
// We can't do more if the network is down.
if c.state.NetNS == nil {
diff --git a/libpod/pod_api.go b/libpod/pod_api.go
index a02b171e1..f2ef81bec 100644
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -481,6 +481,41 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
}
}
+ // Infra config contains detailed information on the pod's infra
+ // container.
+ var infraConfig *define.InspectPodInfraConfig
+ if p.config.InfraContainer != nil && p.config.InfraContainer.HasInfraContainer {
+ infraConfig = new(define.InspectPodInfraConfig)
+ infraConfig.HostNetwork = p.config.InfraContainer.HostNetwork
+ infraConfig.StaticIP = p.config.InfraContainer.StaticIP
+ infraConfig.StaticMAC = p.config.InfraContainer.StaticMAC
+ infraConfig.NoManageResolvConf = p.config.InfraContainer.UseImageResolvConf
+ infraConfig.NoManageHosts = p.config.InfraContainer.UseImageHosts
+
+ if len(p.config.InfraContainer.DNSServer) > 0 {
+ infraConfig.DNSServer = make([]string, 0, len(p.config.InfraContainer.DNSServer))
+ infraConfig.DNSServer = append(infraConfig.DNSServer, p.config.InfraContainer.DNSServer...)
+ }
+ if len(p.config.InfraContainer.DNSSearch) > 0 {
+ infraConfig.DNSSearch = make([]string, 0, len(p.config.InfraContainer.DNSSearch))
+ infraConfig.DNSSearch = append(infraConfig.DNSSearch, p.config.InfraContainer.DNSSearch...)
+ }
+ if len(p.config.InfraContainer.DNSOption) > 0 {
+ infraConfig.DNSOption = make([]string, 0, len(p.config.InfraContainer.DNSOption))
+ infraConfig.DNSOption = append(infraConfig.DNSOption, p.config.InfraContainer.DNSOption...)
+ }
+ if len(p.config.InfraContainer.HostAdd) > 0 {
+ infraConfig.HostAdd = make([]string, 0, len(p.config.InfraContainer.HostAdd))
+ infraConfig.HostAdd = append(infraConfig.HostAdd, p.config.InfraContainer.HostAdd...)
+ }
+ if len(p.config.InfraContainer.Networks) > 0 {
+ infraConfig.Networks = make([]string, 0, len(p.config.InfraContainer.Networks))
+ infraConfig.Networks = append(infraConfig.Networks, p.config.InfraContainer.Networks...)
+ }
+
+ infraConfig.PortBindings = makeInspectPortBindings(p.config.InfraContainer.PortBindings)
+ }
+
inspectData := define.InspectPodData{
ID: p.ID(),
Name: p.Name(),
@@ -490,12 +525,12 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
State: podState,
Hostname: p.config.Hostname,
Labels: p.Labels(),
- CreateCgroup: false,
+ CreateCgroup: p.config.UsePodCgroup,
CgroupParent: p.CgroupParent(),
CgroupPath: p.state.CgroupPath,
- CreateInfra: false,
+ CreateInfra: infraConfig != nil,
InfraContainerID: p.state.InfraContainerID,
- InfraConfig: nil,
+ InfraConfig: infraConfig,
SharedNamespaces: sharesNS,
NumContainers: uint(len(containers)),
Containers: ctrs,
diff --git a/libpod/util.go b/libpod/util.go
index 7504295f0..a8d405b5f 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -15,8 +15,10 @@ import (
"github.com/containers/common/pkg/config"
"github.com/containers/libpod/v2/libpod/define"
"github.com/containers/libpod/v2/utils"
+ "github.com/cri-o/ocicni/pkg/ocicni"
"github.com/fsnotify/fsnotify"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -254,3 +256,46 @@ func makeHTTPAttachHeader(stream byte, length uint32) []byte {
binary.BigEndian.PutUint32(header[4:], length)
return header
}
+
+// Convert OCICNI port bindings into Inspect-formatted port bindings.
+func makeInspectPortBindings(bindings []ocicni.PortMapping) map[string][]define.InspectHostPort {
+ portBindings := make(map[string][]define.InspectHostPort)
+ for _, port := range bindings {
+ key := fmt.Sprintf("%d/%s", port.ContainerPort, port.Protocol)
+ hostPorts := portBindings[key]
+ if hostPorts == nil {
+ hostPorts = []define.InspectHostPort{}
+ }
+ hostPorts = append(hostPorts, define.InspectHostPort{
+ HostIP: port.HostIP,
+ HostPort: fmt.Sprintf("%d", port.HostPort),
+ })
+ portBindings[key] = hostPorts
+ }
+ return portBindings
+}
+
+// Write a given string to a new file at a given path.
+// Will error if a file with the given name already exists.
+// Will be chown'd to the UID/GID provided and have the provided SELinux label
+// set.
+func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
+ f, err := os.Create(path)
+ if err != nil {
+ return errors.Wrapf(err, "unable to create %s", path)
+ }
+ defer f.Close()
+ if err := f.Chown(uid, gid); err != nil {
+ return err
+ }
+
+ if _, err := f.WriteString(contents); err != nil {
+ return errors.Wrapf(err, "unable to write %s", path)
+ }
+ // Relabel runDirResolv for the container
+ if err := label.Relabel(path, mountLabel, false); err != nil {
+ return err
+ }
+
+ return nil
+}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-18 13:48:13 +0000