diff options
Diffstat (limited to 'libpod')
| -rw-r--r-- | libpod/container_config.go | 2 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 24 | ||||
| -rw-r--r-- | libpod/container_path_resolution.go | 2 | ||||
| -rw-r--r-- | libpod/options.go | 22 |
4 files changed, 41 insertions, 9 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go index a508b96ee..904c03f9b 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -373,4 +373,6 @@ type ContainerMiscConfig struct { PidFile string `json:"pid_file,omitempty"` // CDIDevices contains devices that use the CDI CDIDevices []string `json:"cdiDevices,omitempty"` + // EnvSecrets are secrets that are set as environment variables + EnvSecrets map[string]*secrets.Secret `json:"secret_env,omitempty"` } diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f0608e2b2..7d57e8965 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -29,6 +29,7 @@ import ( "github.com/containers/common/pkg/apparmor" "github.com/containers/common/pkg/chown" "github.com/containers/common/pkg/config" + "github.com/containers/common/pkg/secrets" "github.com/containers/common/pkg/subscriptions" "github.com/containers/common/pkg/umask" "github.com/containers/podman/v3/libpod/define" @@ -377,14 +378,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { case "z": fallthrough case "Z": - if c.MountLabel() != "" { - if c.ProcessLabel() != "" { - if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { - return nil, err - } - } else { - logrus.Infof("Not relabeling volume %q in container %s as SELinux is disabled", m.Source, c.ID()) - } + if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { + return nil, err } default: @@ -763,6 +758,19 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil { return nil, errors.Wrapf(err, "error setting up OCI Hooks") } + if len(c.config.EnvSecrets) > 0 { + manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir()) + if err != nil { + return nil, err + } + for name, secr := range c.config.EnvSecrets { + _, data, err := manager.LookupSecretData(secr.Name) + if err != nil { + return nil, err + } + g.AddProcessEnv(name, string(data)) + } + } return g.Config, nil } diff --git a/libpod/container_path_resolution.go b/libpod/container_path_resolution.go index d798963b1..ec7306ca1 100644 --- a/libpod/container_path_resolution.go +++ b/libpod/container_path_resolution.go @@ -128,7 +128,7 @@ func isPathOnVolume(c *Container, containerPath string) bool { if cleanedContainerPath == filepath.Clean(vol.Dest) { return true } - for dest := vol.Dest; dest != "/"; dest = filepath.Dir(dest) { + for dest := vol.Dest; dest != "/" && dest != "."; dest = filepath.Dir(dest) { if cleanedContainerPath == dest { return true } diff --git a/libpod/options.go b/libpod/options.go index 391cf0147..be26ced99 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -1716,6 +1716,28 @@ func WithSecrets(secretNames []string) CtrCreateOption { } } +// WithSecrets adds environment variable secrets to the container +func WithEnvSecrets(envSecrets map[string]string) CtrCreateOption { + return func(ctr *Container) error { + ctr.config.EnvSecrets = make(map[string]*secrets.Secret) + if ctr.valid { + return define.ErrCtrFinalized + } + manager, err := secrets.NewManager(ctr.runtime.GetSecretsStorageDir()) + if err != nil { + return err + } + for target, src := range envSecrets { + secr, err := manager.Lookup(src) + if err != nil { + return err + } + ctr.config.EnvSecrets[target] = secr + } + return nil + } +} + // WithPidFile adds pidFile to the container func WithPidFile(pidFile string) CtrCreateOption { return func(ctr *Container) error { |