aboutsummaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal_linux.go2
-rw-r--r--libpod/image/image.go2
-rw-r--r--libpod/image/pull.go3
-rw-r--r--libpod/image/utils.go27
-rw-r--r--libpod/options.go30
-rw-r--r--libpod/pod.go2
-rw-r--r--libpod/rootless_cni_linux.go2
-rw-r--r--libpod/runtime_img.go3
-rw-r--r--libpod/runtime_pod_infra_linux.go25
9 files changed, 58 insertions, 38 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 3bdf28e8c..dde7cafb1 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -635,7 +635,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
Destination: "/sys/fs/cgroup/systemd",
Type: "bind",
Source: "/sys/fs/cgroup/systemd",
- Options: []string{"bind", "nodev", "nosuid", "rprivate"},
+ Options: []string{"bind", "nodev", "noexec", "nosuid", "rprivate"},
}
g.AddMount(systemdMnt)
g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 850a48eae..5dfb33afb 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -1284,7 +1284,7 @@ func (ir *Runtime) Import(ctx context.Context, path, reference string, writer io
return nil, errors.Wrapf(err, "error updating image config")
}
- sc := GetSystemContext("", "", false)
+ sc := GetSystemContext(ir.SignaturePolicyPath, "", false)
// if reference not given, get the image digest
if reference == "" {
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 94d6af4c2..65acdf427 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -255,6 +255,9 @@ func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName s
sc.ArchitectureChoice = dockerOptions.ArchitectureChoice
sc.VariantChoice = dockerOptions.VariantChoice
}
+ if signaturePolicyPath == "" {
+ sc.SignaturePolicyPath = ir.SignaturePolicyPath
+ }
sc.BlobInfoCacheDir = filepath.Join(ir.store.GraphRoot(), "cache")
srcRef, err := alltransports.ParseImageName(inputName)
if err != nil {
diff --git a/libpod/image/utils.go b/libpod/image/utils.go
index b7ea63c66..918314476 100644
--- a/libpod/image/utils.go
+++ b/libpod/image/utils.go
@@ -86,33 +86,6 @@ func hasTransport(image string) bool {
return strings.Contains(image, "://")
}
-// ReposToMap parses the specified repotags and returns a map with repositories
-// as keys and the corresponding arrays of tags or digests-as-strings as values.
-func ReposToMap(names []string) (map[string][]string, error) {
- // map format is repo -> []tag-or-digest
- repos := make(map[string][]string)
- for _, name := range names {
- var repository, tag string
- if len(name) > 0 {
- named, err := reference.ParseNormalizedNamed(name)
- if err != nil {
- return nil, err
- }
- repository = named.Name()
- if ref, ok := named.(reference.NamedTagged); ok {
- tag = ref.Tag()
- } else if ref, ok := named.(reference.Canonical); ok {
- tag = ref.Digest().String()
- }
- }
- repos[repository] = append(repos[repository], tag)
- }
- if len(repos) == 0 {
- repos["<none>"] = []string{"<none>"}
- }
- return repos, nil
-}
-
// GetAdditionalTags returns a list of reference.NamedTagged for the
// additional tags given in images
func GetAdditionalTags(images []string) ([]reference.NamedTagged, error) {
diff --git a/libpod/options.go b/libpod/options.go
index d592124bc..f7b3419e5 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1659,6 +1659,36 @@ func WithUmask(umask string) CtrCreateOption {
// Pod Creation Options
+// WithInfraImage sets the infra image for libpod.
+// An infra image is used for inter-container kernel
+// namespace sharing within a pod. Typically, an infra
+// container is lightweight and is there to reap
+// zombie processes within its pid namespace.
+func WithInfraImage(img string) PodCreateOption {
+ return func(pod *Pod) error {
+ if pod.valid {
+ return define.ErrPodFinalized
+ }
+
+ pod.config.InfraContainer.InfraImage = img
+
+ return nil
+ }
+}
+
+// WithInfraCommand sets the command to
+// run on pause container start up.
+func WithInfraCommand(cmd []string) PodCreateOption {
+ return func(pod *Pod) error {
+ if pod.valid {
+ return define.ErrPodFinalized
+ }
+
+ pod.config.InfraContainer.InfraCommand = cmd
+ return nil
+ }
+}
+
// WithPodName sets the name of the pod.
func WithPodName(name string) PodCreateOption {
return func(pod *Pod) error {
diff --git a/libpod/pod.go b/libpod/pod.go
index 422966b94..709184008 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -105,6 +105,8 @@ type InfraContainerConfig struct {
HostAdd []string `json:"hostsAdd,omitempty"`
Networks []string `json:"networks,omitempty"`
ExitCommand []string `json:"exitCommand,omitempty"`
+ InfraImage string `json:"infraImage,omitempty"`
+ InfraCommand []string `json:"infraCommand,omitempty"`
}
// ID retrieves the pod's ID
diff --git a/libpod/rootless_cni_linux.go b/libpod/rootless_cni_linux.go
index 31097dd16..7feec6b44 100644
--- a/libpod/rootless_cni_linux.go
+++ b/libpod/rootless_cni_linux.go
@@ -255,7 +255,7 @@ func startRootlessCNIInfraContainer(ctx context.Context, r *Runtime) (*Container
Destination: "/etc/cni/net.d",
Type: "bind",
Source: r.config.Network.NetworkConfigDir,
- Options: []string{"ro"},
+ Options: []string{"ro", "bind"},
}
g.AddMount(etcCNINetD)
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index eb4512f8d..e57890fa2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -174,7 +174,7 @@ func (r *Runtime) Build(ctx context.Context, options imagebuildah.BuildOptions,
}
// Import is called as an intermediary to the image library Import
-func (r *Runtime) Import(ctx context.Context, source string, reference string, changes []string, history string, quiet bool) (string, error) {
+func (r *Runtime) Import(ctx context.Context, source, reference, signaturePolicyPath string, changes []string, history string, quiet bool) (string, error) {
var (
writer io.Writer
err error
@@ -223,6 +223,7 @@ func (r *Runtime) Import(ctx context.Context, source string, reference string, c
source = file
}
+ r.imageRuntime.SignaturePolicyPath = signaturePolicyPath
newImage, err := r.imageRuntime.Import(ctx, source, reference, writer, image.SigningOptions{}, config)
if err != nil {
return "", err
diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go
index b2f21d946..164068638 100644
--- a/libpod/runtime_pod_infra_linux.go
+++ b/libpod/runtime_pod_infra_linux.go
@@ -36,22 +36,26 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
isRootless := rootless.IsRootless()
- entryCmd := []string{r.config.Engine.InfraCommand}
+ entrypointSet := len(p.config.InfraContainer.InfraCommand) > 0
+ entryPoint := p.config.InfraContainer.InfraCommand
+ entryCmd := []string{}
var options []CtrCreateOption
// I've seen circumstances where config is being passed as nil.
// Let's err on the side of safety and make sure it's safe to use.
if config != nil {
- setEntrypoint := false
// default to entrypoint in image if there is one
- if len(config.Entrypoint) > 0 {
- entryCmd = config.Entrypoint
- setEntrypoint = true
+ if !entrypointSet {
+ if len(config.Entrypoint) > 0 {
+ entrypointSet = true
+ entryPoint = config.Entrypoint
+ entryCmd = config.Entrypoint
+ }
}
if len(config.Cmd) > 0 {
// We can't use the default pause command, since we're
// sourcing from the image. If we didn't already set an
// entrypoint, set one now.
- if !setEntrypoint {
+ if !entrypointSet {
// Use the Docker default "/bin/sh -c"
// entrypoint, as we're overriding command.
// If an image doesn't want this, it can
@@ -136,6 +140,9 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
options = append(options, WithRootFSFromImage(imgID, imgName, rawImageName))
options = append(options, WithName(containerName))
options = append(options, withIsInfra())
+ if entrypointSet {
+ options = append(options, WithEntrypoint(entryPoint))
+ }
if len(p.config.InfraContainer.ConmonPidFile) > 0 {
options = append(options, WithConmonPidFile(p.config.InfraContainer.ConmonPidFile))
}
@@ -151,7 +158,11 @@ func (r *Runtime) createInfraContainer(ctx context.Context, p *Pod) (*Container,
return nil, define.ErrRuntimeStopped
}
- newImage, err := r.ImageRuntime().New(ctx, r.config.Engine.InfraImage, "", "", nil, nil, image.SigningOptions{}, nil, util.PullImageMissing)
+ img := p.config.InfraContainer.InfraImage
+ if img == "" {
+ img = r.config.Engine.InfraImage
+ }
+ newImage, err := r.ImageRuntime().New(ctx, img, "", "", nil, nil, image.SigningOptions{}, nil, util.PullImageMissing)
if err != nil {
return nil, err
}