3 files changed, 76 insertions, 97 deletions

diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 12dfed8c3..daa997104 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -196,6 +196,7 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err
 	if err != nil {
 		return nil, err
 	}
+	storageConfig := runtime.StorageConfig()
 
 	// We need a cleanup process for containers in the current model.
 	// But we can't assume that the caller is Podman - it could be another
@@ -208,23 +209,23 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err
 	}
 
 	command := []string{cmd,
-		"--root", config.StorageConfig.GraphRoot,
-		"--runroot", config.StorageConfig.RunRoot,
+		"--root", storageConfig.GraphRoot,
+		"--runroot", storageConfig.RunRoot,
 		"--log-level", logrus.GetLevel().String(),
-		"--cgroup-manager", config.CgroupManager,
-		"--tmpdir", config.TmpDir,
+		"--cgroup-manager", config.Engine.CgroupManager,
+		"--tmpdir", config.Engine.TmpDir,
 	}
-	if config.OCIRuntime != "" {
-		command = append(command, []string{"--runtime", config.OCIRuntime}...)
+	if config.Engine.OCIRuntime != "" {
+		command = append(command, []string{"--runtime", config.Engine.OCIRuntime}...)
 	}
-	if config.StorageConfig.GraphDriverName != "" {
-		command = append(command, []string{"--storage-driver", config.StorageConfig.GraphDriverName}...)
+	if storageConfig.GraphDriverName != "" {
+		command = append(command, []string{"--storage-driver", storageConfig.GraphDriverName}...)
 	}
-	for _, opt := range config.StorageConfig.GraphDriverOptions {
+	for _, opt := range storageConfig.GraphDriverOptions {
 		command = append(command, []string{"--storage-opt", opt}...)
 	}
-	if config.EventsLogger != "" {
-		command = append(command, []string{"--events-backend", config.EventsLogger}...)
+	if config.Engine.EventsLogger != "" {
+		command = append(command, []string{"--events-backend", config.Engine.EventsLogger}...)
 	}
 
 	if c.Syslog {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 8f0630b85..5de07fc28 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -4,9 +4,8 @@ import (
 	"strings"
 
 	"github.com/containers/common/pkg/capabilities"
+	cconfig "github.com/containers/common/pkg/config"
 	"github.com/containers/libpod/libpod"
-	libpodconfig "github.com/containers/libpod/libpod/config"
-	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/cgroups"
 	"github.com/containers/libpod/pkg/env"
 	"github.com/containers/libpod/pkg/rootless"
@@ -81,6 +80,37 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 			g.AddLinuxMaskedPaths("/sys/kernel")
 		}
 	}
+	var runtimeConfig *cconfig.Config
+
+	if runtime != nil {
+		runtimeConfig, err = runtime.GetConfig()
+		if err != nil {
+			return nil, err
+		}
+		g.Config.Process.Capabilities.Bounding = runtimeConfig.Containers.DefaultCapabilities
+		sysctls, err := util.ValidateSysctls(runtimeConfig.Containers.DefaultSysctls)
+		if err != nil {
+			return nil, err
+		}
+
+		for name, val := range config.Security.Sysctl {
+			sysctls[name] = val
+		}
+		config.Security.Sysctl = sysctls
+		if !util.StringInSlice("host", config.Resources.Ulimit) {
+			config.Resources.Ulimit = append(runtimeConfig.Containers.DefaultUlimits, config.Resources.Ulimit...)
+		}
+		if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() {
+			config.Resources.PidsLimit = runtimeConfig.Containers.PidsLimit
+		}
+
+	} else {
+		g.Config.Process.Capabilities.Bounding = cconfig.DefaultCapabilities
+		if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() {
+			config.Resources.PidsLimit = cconfig.DefaultPidsLimit
+		}
+	}
+
 	gid5Available := true
 	if isRootless {
 		nGids, err := GetAvailableGids()
@@ -242,16 +272,6 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 		}
 	}
 
-	// SECURITY OPTS
-	var runtimeConfig *libpodconfig.Config
-
-	if runtime != nil {
-		runtimeConfig, err = runtime.GetConfig()
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
 
 	if !config.Security.Privileged {
@@ -261,7 +281,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	// Unless already set via the CLI, check if we need to disable process
 	// labels or set the defaults.
 	if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
-		if !runtimeConfig.EnableLabeling {
+		if !runtimeConfig.Containers.EnableLabeling {
 			// Disabled in the config.
 			config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
 		} else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
@@ -284,7 +304,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 			if err != nil {
 				return nil, err
 			}
-			if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.CgroupManager != define.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
+			if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.Engine.CgroupManager != cconfig.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
 				setPidLimit = false
 			}
 		}
@@ -296,7 +316,17 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 
 	// Make sure to always set the default variables unless overridden in the
 	// config.
-	config.Env = env.Join(env.DefaultEnvVariables, config.Env)
+	var defaultEnv map[string]string
+	if runtimeConfig == nil {
+		defaultEnv = env.DefaultEnvVariables
+	} else {
+		defaultEnv, err = env.ParseSlice(runtimeConfig.Containers.Env)
+		if err != nil {
+			return nil, errors.Wrap(err, "Env fields in containers.conf failed ot parse")
+		}
+		defaultEnv = env.Join(env.DefaultEnvVariables, defaultEnv)
+	}
+	config.Env = env.Join(defaultEnv, config.Env)
 	for name, val := range config.Env {
 		g.AddProcessEnv(name, val)
 	}
@@ -351,11 +381,9 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	// BIND MOUNTS
 	configSpec.Mounts = SupercedeUserMounts(userMounts, configSpec.Mounts)
 	// Process mounts to ensure correct options
-	finalMounts, err := InitFSMounts(configSpec.Mounts)
-	if err != nil {
+	if err := InitFSMounts(configSpec.Mounts); err != nil {
 		return nil, err
 	}
-	configSpec.Mounts = finalMounts
 
 	// BLOCK IO
 	blkio, err := config.CreateBlockIO()
@@ -376,7 +404,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 			configSpec.Linux.Resources = &spec.LinuxResources{}
 		}
 
-		canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.CgroupManager == define.SystemdCgroupsManager)
+		canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.Engine.CgroupManager == cconfig.SystemdCgroupsManager)
 
 		if addedResources && !canUseResources {
 			return nil, errors.New("invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd")
@@ -433,6 +461,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	return configSpec, nil
 }
 
+func (config *CreateConfig) cgroupDisabled() bool {
+	return config.Cgroup.Cgroups == "disabled"
+}
+
 func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.Generator) {
 	if !privileged {
 		for _, mp := range []string{
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index c365701de..68a84d638 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -10,7 +10,6 @@ import (
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/pkg/util"
-	pmount "github.com/containers/storage/pkg/mount"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -124,7 +123,7 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
 			if err != nil {
 				return nil, nil, err
 			}
-			initPath = rtc.InitPath
+			initPath = rtc.Engine.InitPath
 		}
 		initMount, err := config.addContainerInitBinary(initPath)
 		if err != nil {
@@ -855,75 +854,22 @@ func SupercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M
 }
 
 // Ensure mount options on all mounts are correct
-func InitFSMounts(inputMounts []spec.Mount) ([]spec.Mount, error) {
-	// We need to look up mounts so we can figure out the proper mount flags
-	// to apply.
-	systemMounts, err := pmount.GetMounts()
-	if err != nil {
-		return nil, errors.Wrapf(err, "error retrieving system mounts to look up mount options")
-	}
-
-	// TODO: We probably don't need to re-build the mounts array
-	var mounts []spec.Mount
-	for _, m := range inputMounts {
-		if m.Type == TypeBind {
-			baseMnt, err := findMount(m.Destination, systemMounts)
+func InitFSMounts(mounts []spec.Mount) error {
+	for i, m := range mounts {
+		switch {
+		case m.Type == TypeBind:
+			opts, err := util.ProcessOptions(m.Options, false, m.Source)
 			if err != nil {
-				return nil, errors.Wrapf(err, "error looking up mountpoint for mount %s", m.Destination)
-			}
-			var noexec, nosuid, nodev bool
-			for _, baseOpt := range strings.Split(baseMnt.Opts, ",") {
-				switch baseOpt {
-				case "noexec":
-					noexec = true
-				case "nosuid":
-					nosuid = true
-				case "nodev":
-					nodev = true
-				}
+				return err
 			}
-
-			defaultMountOpts := new(util.DefaultMountOptions)
-			defaultMountOpts.Noexec = noexec
-			defaultMountOpts.Nosuid = nosuid
-			defaultMountOpts.Nodev = nodev
-
-			opts, err := util.ProcessOptions(m.Options, false, defaultMountOpts)
+			mounts[i].Options = opts
+		case m.Type == TypeTmpfs && filepath.Clean(m.Destination) != "/dev":
+			opts, err := util.ProcessOptions(m.Options, true, "")
 			if err != nil {
-				return nil, err
+				return err
 			}
-			m.Options = opts
-		}
-		if m.Type == TypeTmpfs && filepath.Clean(m.Destination) != "/dev" {
-			opts, err := util.ProcessOptions(m.Options, true, nil)
-			if err != nil {
-				return nil, err
-			}
-			m.Options = opts
-		}
-
-		mounts = append(mounts, m)
-	}
-	return mounts, nil
-}
-
-// TODO: We could make this a bit faster by building a tree of the mountpoints
-// and traversing it to identify the correct mount.
-func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
-	var err error
-	target, err = filepath.Abs(target)
-	if err != nil {
-		return nil, errors.Wrapf(err, "cannot resolve %s", target)
-	}
-	var bestSoFar *pmount.Info
-	for _, i := range mounts {
-		if bestSoFar != nil && len(bestSoFar.Mountpoint) > len(i.Mountpoint) {
-			// Won't be better than what we have already found
-			continue
-		}
-		if strings.HasPrefix(target, i.Mountpoint) {
-			bestSoFar = i
+			mounts[i].Options = opts
 		}
 	}
-	return bestSoFar, nil
+	return nil
 }