Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_internal_linux.go8
-rw-r--r--libpod/image/prune.go2
-rw-r--r--libpod/image/pull_test.go6
-rw-r--r--libpod/kube.go9
-rw-r--r--libpod/networking_linux.go2
-rw-r--r--libpod/networking_slirp4netns.go14
-rw-r--r--libpod/options.go11
-rw-r--r--libpod/runtime.go12
9 files changed, 59 insertions, 7 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index 379e17285..ede6b1aab 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -368,4 +368,6 @@ type ContainerMiscConfig struct {
Umask string `json:"umask,omitempty"`
// PidFile is the file that saves the pid of the container process
PidFile string `json:"pid_file,omitempty"`
+ // CDIDevices contains devices that use the CDI
+ CDIDevices []string `json:"cdiDevices,omitempty"`
}
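Review bot: The new `CDIDevices` field uses a camelCase JSON tag, `json:"cdiDevices,omitempty"`, while the neighbouring fields in this struct (`umask`, `pid_file`) use snake_case. If this config is persisted as the other fields appear to be, the tag becomes part of the on-disk format and is hard to change later, so `json:"cdi_devices,omitempty"` would be the consistent choice now. The doc comment could also say what the strings are: `// CDIDevices lists device names resolved through CDI when the OCI spec is generated`.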
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 1986f7438..f4762b5ff 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -20,6 +20,7 @@ import (
"time"
metadata "github.com/checkpoint-restore/checkpointctl/lib"
+ cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containers/buildah/pkg/chrootuser"
@@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
g.SetLinuxCgroupsPath(cgroupPath)
+ // Warning: CDI may alter g.Config in place.
+ if len(c.config.CDIDevices) > 0 {
+ if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil {
+ return nil, errors.Wrapf(err, "error setting up CDI devices")
+ }
+ }
+
// Mounts need to be sorted so paths will not cover other paths
mounts := sortMounts(g.Mounts())
g.ClearMounts()
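Review bot: The CDI block after `g.SetLinuxCgroupsPath(cgroupPath)` leaves no record of which devices were injected into the spec, even though the comment admits `cdi.UpdateOCISpecForDevices` rewrites `g.Config` in place (presumably from host-side CDI spec files, which is what makes the result worth logging). A debug line before the call, such as `logrus.Debugf("applying CDI devices %v to the OCI spec", c.config.CDIDevices)`, would make the injected devices visible when troubleshooting or auditing a container's generated spec, assuming logrus is imported in this file as it is in runtime.go. The placement before the mount sort looks deliberate, since any mounts CDI adds then get sorted too; a short comment saying so, `// Apply CDI before sorting so any mounts CDI adds are ordered as well`, would keep a later refactor from moving it. generateSpec starts before this hunk and continues after it.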
diff --git a/libpod/image/prune.go b/libpod/image/prune.go
index 0e41fde44..e0480d3d1 100644
--- a/libpod/image/prune.go
+++ b/libpod/image/prune.go
@@ -30,7 +30,7 @@ func generatePruneFilterFuncs(filter, filterValue string) (ImageFilter, error) {
return nil, err
}
return func(i *Image) bool {
- if !until.IsZero() && i.Created().After((until)) {
+ if !until.IsZero() && i.Created().Before(until) {
return true
}
return false
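Review bot: The corrected predicate on the `Before(until)` line still sits in an `if … { return true }; return false` pair, which reads as if there were more conditions to come; the closure body can be the expression itself, `return !until.IsZero() && i.Created().Before(until)`. A one-line comment stating the intent would also help, since this is exactly the direction the old code got wrong: `// prune only images created before the "until" timestamp`. generatePruneFilterFuncs starts before this hunk and continues after it.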
diff --git a/libpod/image/pull_test.go b/libpod/image/pull_test.go
index 2e1464ad3..d2930451c 100644
--- a/libpod/image/pull_test.go
+++ b/libpod/image/pull_test.go
@@ -308,6 +308,12 @@ func TestPullGoalFromPossiblyUnqualifiedName(t *testing.T) {
sc.UserShortNameAliasConfPath = aliasesConf.Name()
sc.SystemRegistriesConfPath = registriesConf.Name()
+ // Make sure to not sure the system's registries.conf.d
+ dir, err := ioutil.TempDir("", "example")
+ require.NoError(t, err)
+ sc.SystemRegistriesConfDirPath = dir
+ defer os.RemoveAll(dir) // clean up
+
for _, c := range []struct {
input string
expected []pullRefStrings
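Review bot: The added comment `// Make sure to not sure the system's registries.conf.d` has a typo; it should read `// Make sure not to use the system's registries.conf.d`. If the module's Go version is 1.15 or later, `dir := t.TempDir()` would replace the `ioutil.TempDir` call, the `require.NoError` and the deferred `os.RemoveAll`, and it cleans up even when the test fails part-way. TestPullGoalFromPossiblyUnqualifiedName starts before this hunk and continues after it.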
diff --git a/libpod/kube.go b/libpod/kube.go
index 11ccaeadc..adcfe92c9 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -1,6 +1,7 @@
package libpod
import (
+ "fmt"
"math/rand"
"os"
"strconv"
@@ -539,11 +540,17 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume
namedVolumes, mounts := c.sortUserVolumes(c.config.Spec)
vms := make([]v1.VolumeMount, 0, len(mounts))
vos := make([]v1.Volume, 0, len(mounts))
- for _, m := range mounts {
+
+ var suffix string
+ for index, m := range mounts {
vm, vo, err := generateKubeVolumeMount(m)
if err != nil {
return vms, vos, err
}
+ // Name will be the same, so use the index as suffix
+ suffix = fmt.Sprintf("-%d", index)
+ vm.Name += suffix
+ vo.Name += suffix
vms = append(vms, vm)
vos = append(vos, vo)
}
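Review bot: The loop in libpodMountsToKubeVolumeMounts builds the suffix with `fmt.Sprintf("-%d", index)` and declares `var suffix string` outside the loop, which is the only reason the earlier hunk in this file adds the `"fmt"` import; the file already imports `strconv`, so `suffix := "-" + strconv.Itoa(index)` inside the loop does the same with no new dependency and no boxing. The comment `// Name will be the same, so use the index as suffix` would be clearer as `// generateKubeVolumeMount may produce duplicate names, so make each one unique with the index`. libpodMountsToKubeVolumeMounts continues after this hunk.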
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 6e2c2880f..cfed5a1f2 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -577,7 +577,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error {
// set up port forwarder for CNI-in-slirp4netns
netnsPath := ctr.state.NetNS.Path()
// TODO: support slirp4netns port forwarder as well
- return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
+ return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, "")
}
return nil
}
diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go
index 72ab3c919..c46dc6972 100644
--- a/libpod/networking_slirp4netns.go
+++ b/libpod/networking_slirp4netns.go
@@ -312,7 +312,7 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error {
if netOptions.isSlirpHostForward {
return r.setupRootlessPortMappingViaSlirp(ctr, cmd, apiSocket)
}
- return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
+ return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, netOptions.cidr)
}
return nil
}
@@ -363,7 +363,7 @@ func waitForSync(syncR *os.File, cmd *exec.Cmd, logFile io.ReadSeeker, timeout t
return nil
}
-func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath string) error {
+func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath, slirp4CIDR string) error {
syncR, syncW, err := os.Pipe()
if err != nil {
return errors.Wrapf(err, "failed to open pipe")
@@ -391,6 +391,16 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
}
childIP := slirp4netnsIP
+ // set the correct childIP when a custom cidr is set
+ if slirp4CIDR != "" {
+ _, cidr, err := net.ParseCIDR(slirp4CIDR)
+ if err != nil {
+ return errors.Wrap(err, "failed to parse slirp4netns cidr")
+ }
+ // the slirp container ip is always the hundredth ip in the subnet
+ cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 100
+ childIP = cidr.IP.String()
+ }
outer:
for _, r := range ctr.state.NetworkStatus {
for _, i := range r.IPs {
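Review bot: The line `cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 100` does unchecked byte arithmetic on a value that, as far as this hunk shows, arrives from the user's network options: for a prefix of /26 or narrower the masked last octet can be 192 and the addition wraps to 36, and for an IPv6 CIDR `cidr.IP` is 16 bytes, so the result is a silently wrong childIP rather than an error. Unless the CIDR is already validated before it reaches setupRootlessPortMappingViaRLK (not visible here), the function should reject non-IPv4 input and prefixes narrower than /24 before computing the address, and the comment should say that the "hundredth ip" is host address .100 of the subnet. The rewritten block below replaces the parsing lines; the rest of the function starts before this hunk and continues after it.
```go
	// set the correct childIP when a custom cidr is set
	if slirp4CIDR != "" {
		_, cidr, err := net.ParseCIDR(slirp4CIDR)
		if err != nil {
			return errors.Wrap(err, "failed to parse slirp4netns cidr")
		}
		ip4 := cidr.IP.To4()
		if ip4 == nil {
			return errors.Errorf("slirp4netns cidr %q is not an IPv4 subnet", slirp4CIDR)
		}
		// slirp4netns assigns the container host address .100 of the subnet,
		// so the prefix must leave room for it
		if ones, _ := cidr.Mask.Size(); ones > 24 {
			return errors.Errorf("slirp4netns cidr %q must be /24 or larger", slirp4CIDR)
		}
		ip4[3] += 100
		childIP = ip4.String()
	}
	// … unchanged: network status loop …
```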
diff --git a/libpod/options.go b/libpod/options.go
index c5c23ee16..39415a817 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption {
}
}
+// WithCDI sets the devices to check for for CDI configuration.
+func WithCDI(devices []string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.CDIDevices = devices
+ return nil
+ }
+}
+
// WithDefaultMountsFile sets the file to look at for default mounts (mainly
// secrets).
// Note we are not saving this in the database as it is for testing purposes
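Review bot: The doc comment on WithCDI has a doubled word, `// WithCDI sets the devices to check for for CDI configuration.`; it should read `// WithCDI sets the devices to resolve through CDI when the container's OCI spec is generated.` The option also stores the caller's slice directly in `ctr.config.CDIDevices = devices`, so a caller that later modifies its slice changes the container config; if the other options in this file copy their slice arguments, `append([]string(nil), devices...)` would keep this one consistent with them.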
diff --git a/libpod/runtime.go b/libpod/runtime.go
index dc53d5ef1..3518ed25a 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -29,6 +29,7 @@ import (
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/unshare"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/pkg/namesgenerator"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
}
logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace)
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+
+ needsUserns := !hasCapSysAdmin
+
// Set up containers/storage
var store storage.Store
- if os.Geteuid() != 0 {
+ if needsUserns {
logrus.Debug("Not configuring container store")
} else if runtime.noStore {
logrus.Debug("No store required. Not opening container store.")
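Review bot: Replacing `os.Geteuid() != 0` with `needsUserns := !hasCapSysAdmin` changes which processes get the rootless path, and nothing in the hunk records why: a euid-0 process without CAP_SYS_ADMIN now skips the store, and a non-root process that holds CAP_SYS_ADMIN now opens it as if it were root, which is presumably the intent but deserves a comment such as `// Storage needs CAP_SYS_ADMIN for mounts, so the capability, not the euid, decides whether a user namespace is required`. The same variable drives the second hunk in this file at the `if needsUserns {` before `aliveLock.Unlock()`, so one comment at the declaration covers both. The bare `return err` from `unshare.HasCapSysAdmin()` also loses context; if this file imports pkg/errors, `return errors.Wrap(err, "checking for CAP_SYS_ADMIN")` would name the failing step. makeRuntime starts before this hunk and continues after it.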
@@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
// If we need to refresh, then it is safe to assume there are
// no containers running. Create immediately a namespace, as
// we will need to access the storage.
- if os.Geteuid() != 0 {
+ if needsUserns {
aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec.
pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir)
if err != nil {