summaryrefslogtreecommitdiff
path: root/pkg/adapter/pods.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/adapter/pods.go')
-rw-r--r--pkg/adapter/pods.go1049
1 files changed, 0 insertions, 1049 deletions
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
deleted file mode 100644
index 102eabd8b..000000000
--- a/pkg/adapter/pods.go
+++ /dev/null
@@ -1,1049 +0,0 @@
-// +build !remoteclient
-
-package adapter
-
-import (
- "context"
- "fmt"
- "io"
- "io/ioutil"
- "net"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/containers/buildah/pkg/parse"
- "github.com/containers/image/v5/docker/reference"
- "github.com/containers/image/v5/types"
- "github.com/containers/libpod/cmd/podman/cliconfig"
- "github.com/containers/libpod/cmd/podman/shared"
- "github.com/containers/libpod/libpod"
- "github.com/containers/libpod/libpod/define"
- "github.com/containers/libpod/libpod/image"
- "github.com/containers/libpod/pkg/adapter/shortcuts"
- ann "github.com/containers/libpod/pkg/annotations"
- envLib "github.com/containers/libpod/pkg/env"
- ns "github.com/containers/libpod/pkg/namespaces"
- createconfig "github.com/containers/libpod/pkg/spec"
- "github.com/containers/libpod/pkg/util"
- "github.com/containers/storage"
- "github.com/cri-o/ocicni/pkg/ocicni"
- "github.com/ghodss/yaml"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- v1 "k8s.io/api/core/v1"
-)
-
-const (
- // https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
- createDirectoryPermission = 0755
- // https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
- createFilePermission = 0644
-)
-
-// PodContainerStats is struct containing an adapter Pod and a libpod
-// ContainerStats and is used primarily for outputting pod stats.
-type PodContainerStats struct {
- Pod *Pod
- ContainerStats map[string]*libpod.ContainerStats
-}
-
-// PrunePods removes pods
-func (r *LocalRuntime) PrunePods(ctx context.Context, cli *cliconfig.PodPruneValues) ([]string, map[string]error, error) {
- var (
- ok = []string{}
- failures = map[string]error{}
- )
-
- maxWorkers := shared.DefaultPoolSize("rm")
- if cli.GlobalIsSet("max-workers") {
- maxWorkers = cli.GlobalFlags.MaxWorks
- }
- logrus.Debugf("Setting maximum rm workers to %d", maxWorkers)
-
- states := []string{define.PodStateStopped, define.PodStateExited}
- if cli.Force {
- states = append(states, define.PodStateRunning)
- }
-
- pods, err := r.GetPodsByStatus(states)
- if err != nil {
- return ok, failures, err
- }
- if len(pods) < 1 {
- return ok, failures, nil
- }
-
- pool := shared.NewPool("pod_prune", maxWorkers, len(pods))
- for _, p := range pods {
- p := p
-
- pool.Add(shared.Job{
- ID: p.ID(),
- Fn: func() error {
- err := r.Runtime.RemovePod(ctx, p, true, cli.Force)
- if err != nil {
- logrus.Debugf("Failed to remove pod %s: %s", p.ID(), err.Error())
- }
- return err
- },
- })
- }
- return pool.Run()
-}
-
-// RemovePods ...
-func (r *LocalRuntime) RemovePods(ctx context.Context, cli *cliconfig.PodRmValues) ([]string, []error) {
- var (
- errs []error
- podids []string
- )
- pods, err := shortcuts.GetPodsByContext(cli.All, cli.Latest, cli.InputArgs, r.Runtime)
- if err != nil && !(cli.Ignore && errors.Cause(err) == define.ErrNoSuchPod) {
- errs = append(errs, err)
- return nil, errs
- }
-
- for _, p := range pods {
- if err := r.Runtime.RemovePod(ctx, p, true, cli.Force); err != nil {
- errs = append(errs, err)
- } else {
- podids = append(podids, p.ID())
- }
- }
- return podids, errs
-}
-
-// GetLatestPod gets the latest pod and wraps it in an adapter pod
-func (r *LocalRuntime) GetLatestPod() (*Pod, error) {
- pod := Pod{}
- p, err := r.Runtime.GetLatestPod()
- pod.Pod = p
- return &pod, err
-}
-
-// GetPodsWithFilters gets the filtered list of pods based on the filter parameters provided.
-func (r *LocalRuntime) GetPodsWithFilters(filters string) ([]*Pod, error) {
- pods, err := shared.GetPodsWithFilters(r.Runtime, filters)
- if err != nil {
- return nil, err
- }
- return r.podstoAdapterPods(pods)
-}
-
-func (r *LocalRuntime) podstoAdapterPods(pod []*libpod.Pod) ([]*Pod, error) {
- var pods []*Pod
- for _, i := range pod {
-
- pods = append(pods, &Pod{i})
- }
- return pods, nil
-}
-
-// GetAllPods gets all pods and wraps it in an adapter pod
-func (r *LocalRuntime) GetAllPods() ([]*Pod, error) {
- allPods, err := r.Runtime.GetAllPods()
- if err != nil {
- return nil, err
- }
- return r.podstoAdapterPods(allPods)
-}
-
-// LookupPod gets a pod by name or id and wraps it in an adapter pod
-func (r *LocalRuntime) LookupPod(nameOrID string) (*Pod, error) {
- pod := Pod{}
- p, err := r.Runtime.LookupPod(nameOrID)
- pod.Pod = p
- return &pod, err
-}
-
-// StopPods is a wrapper to libpod to stop pods based on a cli context
-func (r *LocalRuntime) StopPods(ctx context.Context, cli *cliconfig.PodStopValues) ([]string, []error) {
- timeout := -1
- if cli.Flags().Changed("timeout") {
- timeout = int(cli.Timeout)
- }
- var (
- errs []error
- podids []string
- )
- pods, err := shortcuts.GetPodsByContext(cli.All, cli.Latest, cli.InputArgs, r.Runtime)
- if err != nil && !(cli.Ignore && errors.Cause(err) == define.ErrNoSuchPod) {
- errs = append(errs, err)
- return nil, errs
- }
-
- for _, p := range pods {
- stopped := true
- conErrs, stopErr := p.StopWithTimeout(ctx, true, timeout)
- if stopErr != nil {
- errs = append(errs, stopErr)
- stopped = false
- }
- if conErrs != nil {
- stopped = false
- for _, err := range conErrs {
- errs = append(errs, err)
- }
- }
- if stopped {
- podids = append(podids, p.ID())
- }
- }
- return podids, errs
-}
-
-// KillPods is a wrapper to libpod to start pods based on the cli context
-func (r *LocalRuntime) KillPods(ctx context.Context, cli *cliconfig.PodKillValues, signal uint) ([]string, []error) {
- var (
- errs []error
- podids []string
- )
- pods, err := shortcuts.GetPodsByContext(cli.All, cli.Latest, cli.InputArgs, r.Runtime)
- if err != nil {
- errs = append(errs, err)
- return nil, errs
- }
- for _, p := range pods {
- killed := true
- conErrs, killErr := p.Kill(signal)
- if killErr != nil {
- errs = append(errs, killErr)
- killed = false
- }
- if conErrs != nil {
- killed = false
- for _, err := range conErrs {
- errs = append(errs, err)
- }
- }
- if killed {
- podids = append(podids, p.ID())
- }
- }
- return podids, errs
-}
-
-// StartPods is a wrapper to start pods based on the cli context
-func (r *LocalRuntime) StartPods(ctx context.Context, cli *cliconfig.PodStartValues) ([]string, []error) {
- var (
- errs []error
- podids []string
- )
- pods, err := shortcuts.GetPodsByContext(cli.All, cli.Latest, cli.InputArgs, r.Runtime)
- if err != nil {
- errs = append(errs, err)
- return nil, errs
- }
- for _, p := range pods {
- started := true
- conErrs, startErr := p.Start(ctx)
- if startErr != nil {
- errs = append(errs, startErr)
- started = false
- }
- if conErrs != nil {
- started = false
- for _, err := range conErrs {
- errs = append(errs, err)
- }
- }
- if started {
- podids = append(podids, p.ID())
- }
- }
- return podids, errs
-}
-
-// CreatePod is a wrapper for libpod and creating a new pod from the cli context
-func (r *LocalRuntime) CreatePod(ctx context.Context, cli *cliconfig.PodCreateValues, labels map[string]string) (string, error) {
- var (
- options []libpod.PodCreateOption
- err error
- )
-
- // This needs to be first, as a lot of options depend on
- // WithInfraContainer()
- if cli.Infra {
- options = append(options, libpod.WithInfraContainer())
- nsOptions, err := shared.GetNamespaceOptions(strings.Split(cli.Share, ","))
- if err != nil {
- return "", err
- }
- options = append(options, nsOptions...)
- }
-
- if cli.Flag("cgroup-parent").Changed {
- options = append(options, libpod.WithPodCgroupParent(cli.CgroupParent))
- }
-
- if len(labels) != 0 {
- options = append(options, libpod.WithPodLabels(labels))
- }
-
- if cli.Flag("name").Changed {
- options = append(options, libpod.WithPodName(cli.Name))
- }
-
- if cli.Flag("hostname").Changed {
- options = append(options, libpod.WithPodHostname(cli.Hostname))
- }
-
- if cli.Flag("add-host").Changed {
- options = append(options, libpod.WithPodHosts(cli.StringSlice("add-host")))
- }
- if cli.Flag("dns").Changed {
- dns := cli.StringSlice("dns")
- foundHost := false
- for _, entry := range dns {
- if entry == "host" {
- foundHost = true
- }
- }
- if foundHost && len(dns) > 1 {
- return "", errors.Errorf("cannot set dns=host and still provide other DNS servers")
- }
- if foundHost {
- options = append(options, libpod.WithPodUseImageResolvConf())
- } else {
- options = append(options, libpod.WithPodDNS(cli.StringSlice("dns")))
- }
- }
- if cli.Flag("dns-opt").Changed {
- options = append(options, libpod.WithPodDNSOption(cli.StringSlice("dns-opt")))
- }
- if cli.Flag("dns-search").Changed {
- options = append(options, libpod.WithPodDNSSearch(cli.StringSlice("dns-search")))
- }
- if cli.Flag("ip").Changed {
- ip := net.ParseIP(cli.String("ip"))
- if ip == nil {
- return "", errors.Errorf("invalid IP address %q passed to --ip", cli.String("ip"))
- }
-
- options = append(options, libpod.WithPodStaticIP(ip))
- }
- if cli.Flag("mac-address").Changed {
- mac, err := net.ParseMAC(cli.String("mac-address"))
- if err != nil {
- return "", errors.Wrapf(err, "invalid MAC address %q passed to --mac-address", cli.String("mac-address"))
- }
-
- options = append(options, libpod.WithPodStaticMAC(mac))
- }
- if cli.Flag("network").Changed {
- netValue := cli.String("network")
- switch strings.ToLower(netValue) {
- case "bridge":
- // Do nothing.
- // TODO: Maybe this should be split between slirp and
- // bridge? Better to wait until someone asks...
- logrus.Debugf("Pod using default network mode")
- case "host":
- logrus.Debugf("Pod will use host networking")
- options = append(options, libpod.WithPodHostNetwork())
- case "":
- return "", errors.Errorf("invalid value passed to --net: must provide a comma-separated list of CNI networks or host")
- default:
- // We'll assume this is a comma-separated list of CNI
- // networks.
- networks := strings.Split(netValue, ",")
- logrus.Debugf("Pod joining CNI networks: %v", networks)
- options = append(options, libpod.WithPodNetworks(networks))
- }
- }
- if cli.Flag("no-hosts").Changed {
- if cli.Bool("no-hosts") {
- options = append(options, libpod.WithPodUseImageHosts())
- }
- }
-
- publish := cli.StringSlice("publish")
- if len(publish) > 0 {
- portBindings, err := shared.CreatePortBindings(publish)
- if err != nil {
- return "", err
- }
- options = append(options, libpod.WithInfraContainerPorts(portBindings))
-
- }
- // always have containers use pod cgroups
- // User Opt out is not yet supported
- options = append(options, libpod.WithPodCgroups())
-
- pod, err := r.NewPod(ctx, options...)
- if err != nil {
- return "", err
- }
- return pod.ID(), nil
-}
-
-// GetPodStatus is a wrapper to get the status of a local libpod pod
-func (p *Pod) GetPodStatus() (string, error) {
- return shared.GetPodStatus(p.Pod)
-}
-
-// BatchContainerOp is a wrapper for the shared function of the same name
-func BatchContainerOp(ctr *libpod.Container, opts shared.PsOptions) (shared.BatchContainerStruct, error) {
- return shared.BatchContainerOp(ctr, opts)
-}
-
-// PausePods is a wrapper for pausing pods via libpod
-func (r *LocalRuntime) PausePods(c *cliconfig.PodPauseValues) ([]string, map[string]error, []error) {
- var (
- pauseIDs []string
- pauseErrors []error
- )
- containerErrors := make(map[string]error)
-
- pods, err := shortcuts.GetPodsByContext(c.All, c.Latest, c.InputArgs, r.Runtime)
- if err != nil {
- pauseErrors = append(pauseErrors, err)
- return nil, containerErrors, pauseErrors
- }
-
- for _, pod := range pods {
- ctrErrs, err := pod.Pause()
- if err != nil {
- pauseErrors = append(pauseErrors, err)
- continue
- }
- if ctrErrs != nil {
- for ctr, err := range ctrErrs {
- containerErrors[ctr] = err
- }
- continue
- }
- pauseIDs = append(pauseIDs, pod.ID())
-
- }
- return pauseIDs, containerErrors, pauseErrors
-}
-
-// UnpausePods is a wrapper for unpausing pods via libpod
-func (r *LocalRuntime) UnpausePods(c *cliconfig.PodUnpauseValues) ([]string, map[string]error, []error) {
- var (
- unpauseIDs []string
- unpauseErrors []error
- )
- containerErrors := make(map[string]error)
-
- pods, err := shortcuts.GetPodsByContext(c.All, c.Latest, c.InputArgs, r.Runtime)
- if err != nil {
- unpauseErrors = append(unpauseErrors, err)
- return nil, containerErrors, unpauseErrors
- }
-
- for _, pod := range pods {
- ctrErrs, err := pod.Unpause()
- if err != nil {
- unpauseErrors = append(unpauseErrors, err)
- continue
- }
- if ctrErrs != nil {
- for ctr, err := range ctrErrs {
- containerErrors[ctr] = err
- }
- continue
- }
- unpauseIDs = append(unpauseIDs, pod.ID())
-
- }
- return unpauseIDs, containerErrors, unpauseErrors
-}
-
-// RestartPods is a wrapper to restart pods via libpod
-func (r *LocalRuntime) RestartPods(ctx context.Context, c *cliconfig.PodRestartValues) ([]string, map[string]error, []error) {
- var (
- restartIDs []string
- restartErrors []error
- )
- containerErrors := make(map[string]error)
-
- pods, err := shortcuts.GetPodsByContext(c.All, c.Latest, c.InputArgs, r.Runtime)
- if err != nil {
- restartErrors = append(restartErrors, err)
- return nil, containerErrors, restartErrors
- }
-
- for _, pod := range pods {
- ctrErrs, err := pod.Restart(ctx)
- if err != nil {
- restartErrors = append(restartErrors, err)
- continue
- }
- if ctrErrs != nil {
- for ctr, err := range ctrErrs {
- containerErrors[ctr] = err
- }
- continue
- }
- restartIDs = append(restartIDs, pod.ID())
-
- }
- return restartIDs, containerErrors, restartErrors
-
-}
-
-// PodTop is a wrapper function to call GetPodPidInformation in libpod and return its results
-// for output
-func (r *LocalRuntime) PodTop(c *cliconfig.PodTopValues, descriptors []string) ([]string, error) {
- var (
- pod *Pod
- err error
- )
-
- if c.Latest {
- pod, err = r.GetLatestPod()
- } else {
- pod, err = r.LookupPod(c.InputArgs[0])
- }
- if err != nil {
- return nil, errors.Wrapf(err, "unable to lookup requested container")
- }
- podStatus, err := pod.GetPodStatus()
- if err != nil {
- return nil, errors.Wrapf(err, "unable to get status for pod %s", pod.ID())
- }
- if podStatus != "Running" {
- return nil, errors.Errorf("pod top can only be used on pods with at least one running container")
- }
- return pod.GetPodPidInformation(descriptors)
-}
-
-// GetStatPods returns pods for use in pod stats
-func (r *LocalRuntime) GetStatPods(c *cliconfig.PodStatsValues) ([]*Pod, error) {
- var (
- adapterPods []*Pod
- pods []*libpod.Pod
- err error
- )
-
- if len(c.InputArgs) > 0 || c.Latest || c.All {
- pods, err = shortcuts.GetPodsByContext(c.All, c.Latest, c.InputArgs, r.Runtime)
- } else {
- pods, err = r.Runtime.GetRunningPods()
- }
- if err != nil {
- return nil, err
- }
- // convert libpod pods to adapter pods
- for _, p := range pods {
- adapterPod := Pod{
- p,
- }
- adapterPods = append(adapterPods, &adapterPod)
- }
- return adapterPods, nil
-}
-
-// PlayKubeYAML creates pods and containers from a kube YAML file
-func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayValues, yamlFile string) (*Pod, error) {
- var (
- containers []*libpod.Container
- pod *libpod.Pod
- podOptions []libpod.PodCreateOption
- podYAML v1.Pod
- registryCreds *types.DockerAuthConfig
- writer io.Writer
- )
-
- content, err := ioutil.ReadFile(yamlFile)
- if err != nil {
- return nil, err
- }
-
- if err := yaml.Unmarshal(content, &podYAML); err != nil {
- return nil, errors.Wrapf(err, "unable to read %s as YAML", yamlFile)
- }
-
- if podYAML.Kind != "Pod" {
- return nil, errors.Errorf("Invalid YAML kind: %s. Pod is the only supported Kubernetes YAML kind", podYAML.Kind)
- }
-
- // check for name collision between pod and container
- podName := podYAML.ObjectMeta.Name
- if podName == "" {
- return nil, errors.Errorf("pod does not have a name")
- }
- for _, n := range podYAML.Spec.Containers {
- if n.Name == podName {
- fmt.Printf("a container exists with the same name (%s) as the pod in your YAML file; changing pod name to %s_pod\n", podName, podName)
- podName = fmt.Sprintf("%s_pod", podName)
- }
- }
-
- podOptions = append(podOptions, libpod.WithInfraContainer())
- podOptions = append(podOptions, libpod.WithPodName(podName))
- // TODO for now we just used the default kernel namespaces; we need to add/subtract this from yaml
-
- hostname := podYAML.Spec.Hostname
- if hostname == "" {
- hostname = podName
- }
- podOptions = append(podOptions, libpod.WithPodHostname(hostname))
-
- if podYAML.Spec.HostNetwork {
- podOptions = append(podOptions, libpod.WithPodHostNetwork())
- }
-
- nsOptions, err := shared.GetNamespaceOptions(strings.Split(shared.DefaultKernelNamespaces, ","))
- if err != nil {
- return nil, err
- }
- podOptions = append(podOptions, nsOptions...)
- podPorts := getPodPorts(podYAML.Spec.Containers)
- podOptions = append(podOptions, libpod.WithInfraContainerPorts(podPorts))
-
- // Create the Pod
- pod, err = r.NewPod(ctx, podOptions...)
- if err != nil {
- return nil, err
- }
-
- podInfraID, err := pod.InfraContainerID()
- if err != nil {
- return nil, err
- }
- hasUserns := false
- if podInfraID != "" {
- podCtr, err := r.GetContainer(podInfraID)
- if err != nil {
- return nil, err
- }
- mappings, err := podCtr.IDMappings()
- if err != nil {
- return nil, err
- }
- hasUserns = len(mappings.UIDMap) > 0
- }
-
- namespaces := map[string]string{
- // Disabled during code review per mheon
- //"pid": fmt.Sprintf("container:%s", podInfraID),
- "net": fmt.Sprintf("container:%s", podInfraID),
- "ipc": fmt.Sprintf("container:%s", podInfraID),
- "uts": fmt.Sprintf("container:%s", podInfraID),
- }
- if hasUserns {
- namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
- }
- if !c.Quiet {
- writer = os.Stderr
- }
-
- dockerRegistryOptions := image.DockerRegistryOptions{
- DockerRegistryCreds: registryCreds,
- DockerCertPath: c.CertDir,
- }
- if c.Flag("tls-verify").Changed {
- dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify)
- }
-
- // map from name to mount point
- volumes := make(map[string]string)
- for _, volume := range podYAML.Spec.Volumes {
- hostPath := volume.VolumeSource.HostPath
- if hostPath == nil {
- return nil, errors.Errorf("HostPath is currently the only supported VolumeSource")
- }
- if hostPath.Type != nil {
- switch *hostPath.Type {
- case v1.HostPathDirectoryOrCreate:
- if _, err := os.Stat(hostPath.Path); os.IsNotExist(err) {
- if err := os.Mkdir(hostPath.Path, createDirectoryPermission); err != nil {
- return nil, errors.Errorf("Error creating HostPath %s at %s", volume.Name, hostPath.Path)
- }
- }
- // Label a newly created volume
- if err := libpod.LabelVolumePath(hostPath.Path); err != nil {
- return nil, errors.Wrapf(err, "Error giving %s a label", hostPath.Path)
- }
- case v1.HostPathFileOrCreate:
- if _, err := os.Stat(hostPath.Path); os.IsNotExist(err) {
- f, err := os.OpenFile(hostPath.Path, os.O_RDONLY|os.O_CREATE, createFilePermission)
- if err != nil {
- return nil, errors.Errorf("Error creating HostPath %s at %s", volume.Name, hostPath.Path)
- }
- if err := f.Close(); err != nil {
- logrus.Warnf("Error in closing newly created HostPath file: %v", err)
- }
- }
- // unconditionally label a newly created volume
- if err := libpod.LabelVolumePath(hostPath.Path); err != nil {
- return nil, errors.Wrapf(err, "Error giving %s a label", hostPath.Path)
- }
- case v1.HostPathDirectory:
- case v1.HostPathFile:
- case v1.HostPathUnset:
- // do nothing here because we will verify the path exists in validateVolumeHostDir
- break
- default:
- return nil, errors.Errorf("Directories are the only supported HostPath type")
- }
- }
-
- if err := parse.ValidateVolumeHostDir(hostPath.Path); err != nil {
- return nil, errors.Wrapf(err, "Error in parsing HostPath in YAML")
- }
- volumes[volume.Name] = hostPath.Path
- }
-
- seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations, c.SeccompProfileRoot)
- if err != nil {
- return nil, err
- }
-
- for _, container := range podYAML.Spec.Containers {
- pullPolicy := util.PullImageMissing
- if len(container.ImagePullPolicy) > 0 {
- pullPolicy, err = util.ValidatePullType(string(container.ImagePullPolicy))
- if err != nil {
- return nil, err
- }
- }
- named, err := reference.ParseNormalizedNamed(container.Image)
- if err != nil {
- return nil, err
- }
- // In kube, if the image is tagged with latest, it should always pull
- if tagged, isTagged := named.(reference.NamedTagged); isTagged {
- if tagged.Tag() == image.LatestTag {
- pullPolicy = util.PullImageAlways
- }
- }
- newImage, err := r.ImageRuntime().New(ctx, container.Image, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, pullPolicy)
- if err != nil {
- return nil, err
- }
- createConfig, err := kubeContainerToCreateConfig(ctx, container, r.Runtime, newImage, namespaces, volumes, pod.ID(), podInfraID, seccompPaths)
- if err != nil {
- return nil, err
- }
- ctr, err := shared.CreateContainerFromCreateConfig(r.Runtime, createConfig, ctx, pod)
- if err != nil {
- return nil, err
- }
- containers = append(containers, ctr)
- }
-
- // start the containers
- for _, ctr := range containers {
- if err := ctr.Start(ctx, true); err != nil {
- // Making this a hard failure here to avoid a mess
- // the other containers are in created status
- return nil, err
- }
- }
-
- // We've now successfully converted this YAML into a pod
- // print our pod and containers, signifying we succeeded
- fmt.Printf("Pod:\n%s\n", pod.ID())
- if len(containers) == 1 {
- fmt.Printf("Container:\n")
- }
- if len(containers) > 1 {
- fmt.Printf("Containers:\n")
- }
- for _, ctr := range containers {
- fmt.Println(ctr.ID())
- }
-
- if err := playcleanup(ctx, r, pod, nil); err != nil {
- logrus.Errorf("unable to remove pod %s after failing to play kube", pod.ID())
- }
- return nil, nil
-}
-
-func playcleanup(ctx context.Context, runtime *LocalRuntime, pod *libpod.Pod, err error) error {
- if err != nil && pod != nil {
- return runtime.RemovePod(ctx, pod, true, true)
- }
- return nil
-}
-
-// getPodPorts converts a slice of kube container descriptions to an
-// array of ocicni portmapping descriptions usable in libpod
-func getPodPorts(containers []v1.Container) []ocicni.PortMapping {
- var infraPorts []ocicni.PortMapping
- for _, container := range containers {
- for _, p := range container.Ports {
- if p.HostPort != 0 && p.ContainerPort == 0 {
- p.ContainerPort = p.HostPort
- }
- if p.Protocol == "" {
- p.Protocol = "tcp"
- }
- portBinding := ocicni.PortMapping{
- HostPort: p.HostPort,
- ContainerPort: p.ContainerPort,
- Protocol: strings.ToLower(string(p.Protocol)),
- }
- if p.HostIP != "" {
- logrus.Debug("HostIP on port bindings is not supported")
- }
- // only hostPort is utilized in podman context, all container ports
- // are accessible inside the shared network namespace
- if p.HostPort != 0 {
- infraPorts = append(infraPorts, portBinding)
- }
-
- }
- }
- return infraPorts
-}
-
-func setupSecurityContext(securityConfig *createconfig.SecurityConfig, userConfig *createconfig.UserConfig, containerYAML v1.Container) {
- if containerYAML.SecurityContext == nil {
- return
- }
- if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
- securityConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
- }
- if containerYAML.SecurityContext.Privileged != nil {
- securityConfig.Privileged = *containerYAML.SecurityContext.Privileged
- }
-
- if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
- securityConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
- }
-
- if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
- if seopt.User != "" {
- securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
- securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
- }
- if seopt.Role != "" {
- securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
- securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
- }
- if seopt.Type != "" {
- securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
- securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
- }
- if seopt.Level != "" {
- securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
- securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
- }
- }
- if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
- for _, capability := range caps.Add {
- securityConfig.CapAdd = append(securityConfig.CapAdd, string(capability))
- }
- for _, capability := range caps.Drop {
- securityConfig.CapDrop = append(securityConfig.CapDrop, string(capability))
- }
- }
- if containerYAML.SecurityContext.RunAsUser != nil {
- userConfig.User = fmt.Sprintf("%d", *containerYAML.SecurityContext.RunAsUser)
- }
- if containerYAML.SecurityContext.RunAsGroup != nil {
- if userConfig.User == "" {
- userConfig.User = "0"
- }
- userConfig.User = fmt.Sprintf("%s:%d", userConfig.User, *containerYAML.SecurityContext.RunAsGroup)
- }
-}
-
-// kubeContainerToCreateConfig takes a v1.Container and returns a createconfig describing a container
-func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container, runtime *libpod.Runtime, newImage *image.Image, namespaces map[string]string, volumes map[string]string, podID, infraID string, seccompPaths *kubeSeccompPaths) (*createconfig.CreateConfig, error) {
- var (
- containerConfig createconfig.CreateConfig
- pidConfig createconfig.PidConfig
- networkConfig createconfig.NetworkConfig
- cgroupConfig createconfig.CgroupConfig
- utsConfig createconfig.UtsConfig
- ipcConfig createconfig.IpcConfig
- userConfig createconfig.UserConfig
- securityConfig createconfig.SecurityConfig
- )
-
- // The default for MemorySwappiness is -1, not 0
- containerConfig.Resources.MemorySwappiness = -1
-
- containerConfig.Image = containerYAML.Image
- containerConfig.ImageID = newImage.ID()
- containerConfig.Name = containerYAML.Name
- containerConfig.Tty = containerYAML.TTY
-
- containerConfig.Pod = podID
-
- imageData, _ := newImage.Inspect(ctx)
-
- userConfig.User = "0"
- if imageData != nil {
- userConfig.User = imageData.Config.User
- }
-
- setupSecurityContext(&securityConfig, &userConfig, containerYAML)
-
- securityConfig.SeccompProfilePath = seccompPaths.findForContainer(containerConfig.Name)
-
- containerConfig.Command = []string{}
- if imageData != nil && imageData.Config != nil {
- containerConfig.Command = append(containerConfig.Command, imageData.Config.Entrypoint...)
- }
- if len(containerYAML.Command) != 0 {
- containerConfig.Command = append(containerConfig.Command, containerYAML.Command...)
- } else if imageData != nil && imageData.Config != nil {
- containerConfig.Command = append(containerConfig.Command, imageData.Config.Cmd...)
- }
- if imageData != nil && len(containerConfig.Command) == 0 {
- return nil, errors.Errorf("No command specified in container YAML or as CMD or ENTRYPOINT in this image for %s", containerConfig.Name)
- }
-
- containerConfig.UserCommand = containerConfig.Command
-
- containerConfig.StopSignal = 15
-
- containerConfig.WorkDir = "/"
- if imageData != nil {
- // FIXME,
- // we are currently ignoring imageData.Config.ExposedPorts
- containerConfig.BuiltinImgVolumes = imageData.Config.Volumes
- if imageData.Config.WorkingDir != "" {
- containerConfig.WorkDir = imageData.Config.WorkingDir
- }
- containerConfig.Labels = imageData.Config.Labels
- if imageData.Config.StopSignal != "" {
- stopSignal, err := util.ParseSignal(imageData.Config.StopSignal)
- if err != nil {
- return nil, err
- }
- containerConfig.StopSignal = stopSignal
- }
- }
-
- if containerYAML.WorkingDir != "" {
- containerConfig.WorkDir = containerYAML.WorkingDir
- }
- // If the user does not pass in ID mappings, just set to basics
- if userConfig.IDMappings == nil {
- userConfig.IDMappings = &storage.IDMappingOptions{}
- }
-
- networkConfig.NetMode = ns.NetworkMode(namespaces["net"])
- ipcConfig.IpcMode = ns.IpcMode(namespaces["ipc"])
- utsConfig.UtsMode = ns.UTSMode(namespaces["uts"])
- // disabled in code review per mheon
- //containerConfig.PidMode = ns.PidMode(namespaces["pid"])
- userConfig.UsernsMode = ns.UsernsMode(namespaces["user"])
- if len(containerConfig.WorkDir) == 0 {
- containerConfig.WorkDir = "/"
- }
-
- containerConfig.Pid = pidConfig
- containerConfig.Network = networkConfig
- containerConfig.Uts = utsConfig
- containerConfig.Ipc = ipcConfig
- containerConfig.Cgroup = cgroupConfig
- containerConfig.User = userConfig
- containerConfig.Security = securityConfig
-
- annotations := make(map[string]string)
- if infraID != "" {
- annotations[ann.SandboxID] = infraID
- annotations[ann.ContainerType] = ann.ContainerTypeContainer
- }
- containerConfig.Annotations = annotations
-
- // Environment Variables
- envs := map[string]string{}
- if imageData != nil {
- imageEnv, err := envLib.ParseSlice(imageData.Config.Env)
- if err != nil {
- return nil, errors.Wrap(err, "error parsing image environment variables")
- }
- envs = imageEnv
- }
- for _, e := range containerYAML.Env {
- envs[e.Name] = e.Value
- }
- containerConfig.Env = envs
-
- for _, volume := range containerYAML.VolumeMounts {
- hostPath, exists := volumes[volume.Name]
- if !exists {
- return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
- }
- if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
- return nil, errors.Wrapf(err, "error in parsing MountPath")
- }
- containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", hostPath, volume.MountPath))
- }
- return &containerConfig, nil
-}
-
-// kubeSeccompPaths holds information about a pod YAML's seccomp configuration
-// it holds both container and pod seccomp paths
-type kubeSeccompPaths struct {
- containerPaths map[string]string
- podPath string
-}
-
-// findForContainer checks whether a container has a seccomp path configured for it
-// if not, it returns the podPath, which should always have a value
-func (k *kubeSeccompPaths) findForContainer(ctrName string) string {
- if path, ok := k.containerPaths[ctrName]; ok {
- return path
- }
- return k.podPath
-}
-
-// initializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp
-// it parses both pod and container level
-// if the annotation is of the form "localhost/%s", the seccomp profile will be set to profileRoot/%s
-func initializeSeccompPaths(annotations map[string]string, profileRoot string) (*kubeSeccompPaths, error) {
- seccompPaths := &kubeSeccompPaths{containerPaths: make(map[string]string)}
- var err error
- if annotations != nil {
- for annKeyValue, seccomp := range annotations {
- // check if it is prefaced with container.seccomp.security.alpha.kubernetes.io/
- prefixAndCtr := strings.Split(annKeyValue, "/")
- if prefixAndCtr[0]+"/" != v1.SeccompContainerAnnotationKeyPrefix {
- continue
- } else if len(prefixAndCtr) != 2 {
- // this could be caused by a user inputting either of
- // container.seccomp.security.alpha.kubernetes.io{,/}
- // both of which are invalid
- return nil, errors.Errorf("Invalid seccomp path: %s", prefixAndCtr[0])
- }
-
- path, err := verifySeccompPath(seccomp, profileRoot)
- if err != nil {
- return nil, err
- }
- seccompPaths.containerPaths[prefixAndCtr[1]] = path
- }
-
- podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]
- if ok {
- seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot)
- } else {
- seccompPaths.podPath, err = libpod.DefaultSeccompPath()
- }
- if err != nil {
- return nil, err
- }
- }
- return seccompPaths, nil
-}
-
-// verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path
-// the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
-func verifySeccompPath(path string, profileRoot string) (string, error) {
- switch path {
- case v1.DeprecatedSeccompProfileDockerDefault:
- fallthrough
- case v1.SeccompProfileRuntimeDefault:
- return libpod.DefaultSeccompPath()
- case "unconfined":
- return path, nil
- default:
- parts := strings.Split(path, "/")
- if parts[0] == "localhost" {
- return filepath.Join(profileRoot, parts[1]), nil
- }
- return "", errors.Errorf("invalid seccomp path: %s", path)
- }
-}