Diffstat (limited to 'pkg/spec')
-rw-r--r-- | pkg/spec/createconfig.go | 4 | ||||
-rw-r--r-- | pkg/spec/spec.go | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index ffc98e307..87fce7e2e 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -518,7 +518,9 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
 if c.CgroupParent != "" {
 options = append(options, libpod.WithCgroupParent(c.CgroupParent))
 }
- if c.Detach {
+ // For a rootless container always cleanup the storage/network as they
+ // run in a different namespace thus not reusable when we restart.
+ if c.Detach || rootless.IsRootless() {
 options = append(options, libpod.WithExitCommand(c.createExitCommand()))
 }
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ffa999730..9ef0223f2 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -252,6 +252,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 // SECURITY OPTS
 g.SetProcessNoNewPrivileges(config.NoNewPrivs)
+ g.SetProcessApparmorProfile(config.ApparmorProfile)
 blockAccessToKernelFilesystems(config, &g)
|
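Review bot: The widened condition `c.Detach || rootless.IsRootless()` installs the exit command for foreground rootless containers too, where the attached process presumably also cleans up when the container exits; it is worth confirming that the cleanup started by `c.createExitCommand()` is safe to run a second time or concurrently. The new comment would read more clearly as `// Rootless containers always get an exit command: their storage and network live in a separate namespace and cannot be reused after a restart.`, with a second sentence noting that cleanup may therefore run in both attached and detached modes. GetContainerCreateOptions starts and ends outside this hunk, so how the foreground path cleans up cannot be checked from here.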
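Review bot: `g.SetProcessApparmorProfile(config.ApparmorProfile)` is called unconditionally, so an empty `config.ApparmorProfile` is written into the spec as-is and the process may end up with no explicit confinement, depending on what the runtime does with an empty profile. If a default profile is meant to be chosen before this point, say so in a comment under `// SECURITY OPTS`; otherwise guard the call, e.g. `if config.ApparmorProfile != "" { g.SetProcessApparmorProfile(config.ApparmorProfile) }`. It is also worth checking, likely in the caller that fills the config, that a non-empty profile is rejected with a clear error on hosts where AppArmor is unavailable, rather than failing later at container start. CreateConfigToOCISpec continues outside this hunk, so any existing validation is not visible here.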