Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_config.go4
-rw-r--r--libpod/container_inspect.go1
-rw-r--r--libpod/container_internal_linux.go35
-rw-r--r--libpod/define/container_inspect.go4
-rw-r--r--libpod/options.go15
5 files changed, 55 insertions, 4 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index e56f1342a..0d9cd5723 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -165,6 +165,10 @@ type ContainerRootFSConfig struct {
Volatile bool `json:"volatile,omitempty"`
// Passwd allows to user to override podman's passwd/group file setup
Passwd *bool `json:"passwd,omitempty"`
+ // ChrootDirs is an additional set of directories that need to be
+ // treated as root directories. Standard bind mounts will be mounted
+ // into paths relative to these directories.
+ ChrootDirs []string `json:"chroot_directories,omitempty"`
}
// ContainerSecurityConfig is an embedded sub-config providing security configuration
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 3df6203e3..5fb32bd90 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -411,6 +411,7 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
}
ctrConfig.Passwd = c.config.Passwd
+ ctrConfig.ChrootDirs = append(ctrConfig.ChrootDirs, c.config.ChrootDirs...)
return ctrConfig
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 1517a7df7..75250b9b1 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1811,6 +1811,17 @@ func (c *Container) getRootNetNsDepCtr() (depCtr *Container, err error) {
return depCtr, nil
}
+// Ensure standard bind mounts are mounted into all root directories (including chroot directories)
+func (c *Container) mountIntoRootDirs(mountName string, mountPath string) error {
+ c.state.BindMounts[mountName] = mountPath
+
+ for _, chrootDir := range c.config.ChrootDirs {
+ c.state.BindMounts[filepath.Join(chrootDir, mountName)] = mountPath
+ }
+
+ return nil
+}
+
// Make standard bind mounts to include in the container
func (c *Container) makeBindMounts() error {
if err := os.Chown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil {
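Review bot: mountIntoRootDirs can never fail — its only exit is `return nil` — so the `error` result and the `errors.Wrapf` handling added at every call site in this file are dead code. Either drop the error return and let the helper read as the plain setter it is, or give the error a purpose by rejecting an unusable chroot directory before it is joined: a relative or `..`-containing `chrootDir` makes `filepath.Join(chrootDir, mountName)` produce a key that is not an absolute in-container path, unlike the existing `/etc/resolv.conf`-style keys, and since `ChrootDirs` comes straight from the caller via WithChrootDirs with no validation that the value is safe to trust is, as far as this diff shows, nowhere enforced. A minimal guard inside the loop would be `if !filepath.IsAbs(chrootDir) { return errors.Errorf("chroot directory %q must be absolute", chrootDir) }`. The doc comment should also spell out the contract, e.g. `// mountIntoRootDirs records mountPath under mountName for the container root and under each configured chroot directory; every entry in ChrootDirs is expected to be an absolute, cleaned in-container path.` makeBindMounts starts at the end of this hunk and its body continues outside it.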
@@ -1864,7 +1875,11 @@ func (c *Container) makeBindMounts() error {
// If it doesn't, don't copy them
resolvPath, exists := bindMounts["/etc/resolv.conf"]
if !c.config.UseImageResolvConf && exists {
- c.state.BindMounts["/etc/resolv.conf"] = resolvPath
+ err := c.mountIntoRootDirs("/etc/resolv.conf", resolvPath)
+
+ if err != nil {
+ return errors.Wrapf(err, "error assigning mounts to container %s", c.ID())
+ }
}
// check if dependency container has an /etc/hosts file.
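Review bot: The call-and-check is split across a blank line with a separately declared `err`, which is not the idiomatic shape and, at the third site, quietly reuses the outer `err` with `=` while the first two shadow with `:=`; the same pattern appears in the two following hunks (`/etc/hosts` after `depCtr.lock.Unlock()` and `/etc/resolv.conf` after `newResolv`). Collapse each to the initializer form, which also keeps `err` scoped to the check: `if err := c.mountIntoRootDirs("/etc/resolv.conf", resolvPath); err != nil {` followed by the existing `return errors.Wrapf(...)`. The wrap message `"error assigning mounts to container %s"` is identical at all three sites while the wrapped error can only ever be nil today, so the message adds no information a reader can act on; consider naming the mount in it if the error path is kept. makeBindMounts begins before this hunk and continues after it.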
@@ -1884,7 +1899,11 @@ func (c *Container) makeBindMounts() error {
depCtr.lock.Unlock()
// finally, save it in the new container
- c.state.BindMounts["/etc/hosts"] = hostsPath
+ err := c.mountIntoRootDirs("/etc/hosts", hostsPath)
+
+ if err != nil {
+ return errors.Wrapf(err, "error assigning mounts to container %s", c.ID())
+ }
}
if !hasCurrentUserMapped(c) {
@@ -1901,7 +1920,11 @@ func (c *Container) makeBindMounts() error {
if err != nil {
return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID())
}
- c.state.BindMounts["/etc/resolv.conf"] = newResolv
+ err = c.mountIntoRootDirs("/etc/resolv.conf", newResolv)
+
+ if err != nil {
+ return errors.Wrapf(err, "error assigning mounts to container %s", c.ID())
+ }
}
if !c.config.UseImageHosts {
@@ -2329,7 +2352,11 @@ func (c *Container) updateHosts(path string) error {
if err != nil {
return err
}
- c.state.BindMounts["/etc/hosts"] = newHosts
+
+ if err = c.mountIntoRootDirs("/etc/hosts", newHosts); err != nil {
+ return err
+ }
+
return nil
}
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index 804b2b143..ae2ce9724 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -75,6 +75,10 @@ type InspectContainerConfig struct {
StopTimeout uint `json:"StopTimeout"`
// Passwd determines whether or not podman can add entries to /etc/passwd and /etc/group
Passwd *bool `json:"Passwd,omitempty"`
+ // ChrootDirs is an additional set of directories that need to be
+ // treated as root directories. Standard bind mounts will be mounted
+ // into paths relative to these directories.
+ ChrootDirs []string `json:"ChrootDirs,omitempty"`
}
// InspectRestartPolicy holds information about the container's restart policy.
diff --git a/libpod/options.go b/libpod/options.go
index 1ee4e7322..2e5454393 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -2036,3 +2036,18 @@ func WithVolatile() CtrCreateOption {
return nil
}
}
+
+// WithChrootDirs is an additional set of directories that need to be
+// treated as root directories. Standard bind mounts will be mounted
+// into paths relative to these directories.
+func WithChrootDirs(dirs []string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+
+ ctr.config.ChrootDirs = dirs
+
+ return nil
+ }
+}
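Review bot: WithChrootDirs stores the caller's slice as-is (`ctr.config.ChrootDirs = dirs`), which both aliases memory the caller may still mutate and accepts any string, including relative paths and paths with `..` components, even though the values are later used by mountIntoRootDirs as prefixes for in-container bind-mount destinations. Since this option is the point where the value enters the container config, validating here is cheaper and clearer than checking at each use; rejecting non-absolute or non-clean entries with `define.ErrInvalidArg` matches how other options in this file report bad arguments, and copying the slice removes the aliasing. The `errors` and `filepath` packages used below are, as far as the hunk shows, not visible here — confirm they are already imported in options.go before applying. WithVolatile ends inside this hunk; WithChrootDirs is complete.
```go
func WithChrootDirs(dirs []string) CtrCreateOption {
	return func(ctr *Container) error {
		if ctr.valid {
			return define.ErrCtrFinalized
		}

		// Each entry becomes a prefix for in-container mount destinations,
		// so only absolute, already-cleaned paths are accepted.
		for _, dir := range dirs {
			if !filepath.IsAbs(dir) || filepath.Clean(dir) != dir {
				return errors.Wrapf(define.ErrInvalidArg, "chroot directory %q must be an absolute, cleaned path", dir)
			}
		}

		ctr.config.ChrootDirs = append([]string(nil), dirs...)

		return nil
	}
}
```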