Diffstat (limited to 'pkg/spec')
-rw-r--r-- | pkg/spec/createconfig.go | 19 | ||||
-rw-r--r-- | pkg/spec/spec.go | 1 |
2 files changed, 12 insertions, 8 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index ffc98e307..632d60b55 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -341,10 +341,9 @@ func (c *CreateConfig) createExitCommand() []string {
 }
 // GetContainerCreateOptions takes a CreateConfig and returns a slice of CtrCreateOptions
-func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCreateOption, error) {
+func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime, pod *libpod.Pod) ([]libpod.CtrCreateOption, error) {
 var options []libpod.CtrCreateOption
 var portBindings []ocicni.PortMapping
-var pod *libpod.Pod
 var err error
 if c.Interactive {
@@ -358,12 +357,14 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
 logrus.Debugf("appending name %s", c.Name)
 options = append(options, libpod.WithName(c.Name))
 }
-if c.Pod != "" {
-logrus.Debugf("adding container to pod %s", c.Pod)
-pod, err = runtime.LookupPod(c.Pod)
-if err != nil {
-return nil, errors.Wrapf(err, "unable to add container to pod %s", c.Pod)
+if c.Pod != "" || pod != nil {
+if pod == nil {
+pod, err = runtime.LookupPod(c.Pod)
+if err != nil {
+return nil, errors.Wrapf(err, "unable to add container to pod %s", c.Pod)
+}
 }
+logrus.Debugf("adding container to pod %s", c.Pod)
 options = append(options, runtime.WithPod(pod))
 }
 if len(c.PortBindings) > 0 {
@@ -518,7 +519,9 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
 if c.CgroupParent != "" {
 options = append(options, libpod.WithCgroupParent(c.CgroupParent))
 }
-if c.Detach {
+// For a rootless container always cleanup the storage/network as they
+// run in a different namespace thus not reusable when we restart.
+if c.Detach || rootless.IsRootless() {
 options = append(options, libpod.WithExitCommand(c.createExitCommand()))
 }
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ffa999730..9ef0223f2 100644
--- a/pkg/spec/spec.go
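Review bot: The doc comment on GetContainerCreateOptions is not updated for the new `pod` parameter, so a reader of the signature cannot tell how `pod` interacts with `c.Pod`. I would extend it to `// GetContainerCreateOptions takes a CreateConfig and returns a slice of CtrCreateOptions. When pod is non-nil the container is added to that pod; otherwise a non-empty c.Pod is resolved via runtime.LookupPod.` The function body continues past the end of this hunk.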
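Review bot: In the second hunk the moved debug line `logrus.Debugf("adding container to pod %s", c.Pod)` now prints an empty name on exactly the path this change introduces, a caller-supplied `pod` with c.Pod unset; logging `pod.ID()` instead is accurate on both paths. The branch also never checks that a non-nil `pod` and a non-empty c.Pod refer to the same pod: the passed-in pod silently wins and c.Pod is not looked up, so a caller that sets both inconsistently would get its container placed in the wrong pod without any error. Either return an error when both are given and disagree (comparing c.Pod against the pod's ID and name, bearing in mind that LookupPod also accepts partial IDs), or at least state in a comment that `pod` takes precedence over c.Pod.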
+++ b/pkg/spec/spec.go
@@ -252,6 +252,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 // SECURITY OPTS
 g.SetProcessNoNewPrivileges(config.NoNewPrivs)
+g.SetProcessApparmorProfile(config.ApparmorProfile)
 blockAccessToKernelFilesystems(config, &g)
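Review bot: `g.SetProcessApparmorProfile(config.ApparmorProfile)` is applied unconditionally, so a CreateConfig whose ApparmorProfile is left empty writes an empty profile string into the OCI spec rather than leaving the field unset. Whether the OCI runtime then treats an empty profile as "apply the default" or as unconfined is not visible here and may differ between runtimes, so the intended semantics should be pinned down: either guard the call with `if config.ApparmorProfile != "" { g.SetProcessApparmorProfile(config.ApparmorProfile) }` or add a comment stating that the empty value is deliberately passed through and what it means. CreateConfigToOCISpec starts before this hunk.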