Diffstat (limited to 'pkg/spec')
-rw-r--r-- | pkg/spec/spec.go | 106 | ||||
-rw-r--r-- | pkg/spec/spec_linux.go | 42 | ||||
-rw-r--r-- | pkg/spec/spec_unsupported.go | 7 | ||||
-rw-r--r-- | pkg/spec/storage.go | 7 |
4 files changed, 91 insertions, 71 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index d44beb3e4..41054633f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -20,12 +20,6 @@ import (
 
 const cpuPeriod = 100000
 
-type systemUlimit struct {
- name string
- max uint64
- cur uint64
-}
-
 func getAvailableGids() (int64, error) {
 idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
 if err != nil {
@@ -86,23 +80,41 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 g.AddLinuxMaskedPaths("/sys/kernel")
 }
 }
+ gid5Available := true
 if isRootless {
 nGids, err := getAvailableGids()
 if err != nil {
 return nil, err
 }
- if nGids < 5 {
- // If we have no GID mappings, the gid=5 default option would fail, so drop it.
- g.RemoveMount("/dev/pts")
- devPts := spec.Mount{
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ gid5Available = nGids >= 5
+ }
+ // When using a different user namespace, check that the GID 5 is mapped inside
+ the container.
+ if gid5Available && len(config.IDMappings.GIDMap) > 0 {
+ mappingFound := false
+ for _, r := range config.IDMappings.GIDMap {
+ if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size {
+ mappingFound = true
+ break
 }
- g.AddMount(devPts)
 }
+ if !mappingFound {
+ gid5Available = false
+ }
+
+ }
+ if !gid5Available {
+ // If we have no GID mappings, the gid=5 default option would fail, so drop it.
+ g.RemoveMount("/dev/pts")
+ devPts := spec.Mount{
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ }
+ g.AddMount(devPts)
 }
+
 if inUserNS && config.IpcMode.IsHost() {
 g.RemoveMount("/dev/mqueue")
 devMqueue := spec.Mount{
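Review bot: The `if !mappingFound { gid5Available = false }` block and the stray blank line after it can collapse to `gid5Available = mappingFound`, since gid5Available is already known to be true inside that branch. The comment `// If we have no GID mappings, the gid=5 default option would fail, so drop it.` was moved under `if !gid5Available`, which now also fires when a GID map exists but does not cover 5, so it reads as stale; suggest `// GID 5 is not usable inside the container (too few rootless GIDs, or not covered by the GID map), so drop the gid=5 default option devpts would otherwise need.` The range test `r.ContainerID <= 5 && 5 < r.ContainerID+r.Size` is correct as written, presumably on int fields. createConfigToOCISpec starts and ends outside this hunk.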
@@ -406,6 +418,62 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 }
 }
 
+ // Add annotations
+ if configSpec.Annotations == nil {
+ configSpec.Annotations = make(map[string]string)
+ }
+
+ if config.CidFile != "" {
+ configSpec.Annotations[libpod.InspectAnnotationCIDFile] = config.CidFile
+ }
+
+ if config.Rm {
+ configSpec.Annotations[libpod.InspectAnnotationAutoremove] = libpod.InspectResponseTrue
+ } else {
+ configSpec.Annotations[libpod.InspectAnnotationAutoremove] = libpod.InspectResponseFalse
+ }
+
+ if len(config.VolumesFrom) > 0 {
+ configSpec.Annotations[libpod.InspectAnnotationVolumesFrom] = strings.Join(config.VolumesFrom, ",")
+ }
+
+ if config.Privileged {
+ configSpec.Annotations[libpod.InspectAnnotationPrivileged] = libpod.InspectResponseTrue
+ } else {
+ configSpec.Annotations[libpod.InspectAnnotationPrivileged] = libpod.InspectResponseFalse
+ }
+
+ if config.PublishAll {
+ configSpec.Annotations[libpod.InspectAnnotationPublishAll] = libpod.InspectResponseTrue
+ } else {
+ configSpec.Annotations[libpod.InspectAnnotationPublishAll] = libpod.InspectResponseFalse
+ }
+
+ if config.Init {
+ configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseTrue
+ } else {
+ configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
+ }
+
+ for _, opt := range config.SecurityOpts {
+ // Split on both : and =
+ splitOpt := strings.Split(opt, "=")
+ if len(splitOpt) == 1 {
+ splitOpt = strings.Split(opt, ":")
+ }
+ if len(splitOpt) < 2 {
+ continue
+ }
+ switch splitOpt[0] {
+ case "label":
+ configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+ case "seccomp":
+ configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+ case "apparmor":
+ configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+ }
+ }
+
 return configSpec, nil
 }
 
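Review bot: `strings.Split(opt, "=")` followed by `splitOpt[1]` keeps only the text up to the next separator, so the recorded value is truncated whenever it itself contains the separator: the colon fallback turns `label:type:foo_t` into `type`, and a seccomp profile path containing `=` loses its tail. These annotations back inspect output, so a truncated value misreports the container's real security options to anyone auditing it. Use `splitOpt := strings.SplitN(opt, "=", 2)` and `splitOpt = strings.SplitN(opt, ":", 2)` so the whole value survives (the `len(splitOpt) < 2` check still works), and reword `// Split on both : and =` to `// Split on "=" first, falling back to ":"; only one separator applies per option.` Also note that repeated options of one kind (two `label=` entries, say) overwrite a single annotation key, so only the last is visible. createConfigToOCISpec begins outside this hunk.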
@@ -567,13 +635,7 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 if len(config.Resources.Ulimit) != 1 {
 return errors.New("ulimit can use host only once")
 }
- hostLimits, err := getHostRlimits()
- if err != nil {
- return err
- }
- for _, i := range hostLimits {
- g.AddProcessRlimits(i.name, i.max, i.cur)
- }
+ g.Config.Process.Rlimits = nil
 break
 }
 
diff --git a/pkg/spec/spec_linux.go b/pkg/spec/spec_linux.go
deleted file mode 100644
index fcdfc5c4e..000000000
--- a/pkg/spec/spec_linux.go
+++ /dev/null
@@ -1,42 +0,0 @@
-//+build linux
-
-package createconfig
-
-import (
- "syscall"
-
- "github.com/pkg/errors"
-)
-
-type systemRlimit struct {
- name string
- value int
-}
-
-var systemLimits = []systemRlimit{
- {"RLIMIT_AS", syscall.RLIMIT_AS},
- {"RLIMIT_CORE", syscall.RLIMIT_CORE},
- {"RLIMIT_CPU", syscall.RLIMIT_CPU},
- {"RLIMIT_DATA", syscall.RLIMIT_DATA},
- {"RLIMIT_FSIZE", syscall.RLIMIT_FSIZE},
- {"RLIMIT_NOFILE", syscall.RLIMIT_NOFILE},
- {"RLIMIT_STACK", syscall.RLIMIT_STACK},
-}
-
-func getHostRlimits() ([]systemUlimit, error) {
- ret := []systemUlimit{}
- for _, i := range systemLimits {
- var l syscall.Rlimit
- if err := syscall.Getrlimit(i.value, &l); err != nil {
- return nil, errors.Wrapf(err, "cannot read limits for %s", i.name)
- }
- s := systemUlimit{
- name: i.name,
- max: l.Max,
- cur: l.Cur,
- }
- ret = append(ret, s)
- }
- return ret, nil
-
-}
diff --git a/pkg/spec/spec_unsupported.go b/pkg/spec/spec_unsupported.go
deleted file mode 100644
index 0f6a9acdc..000000000
--- a/pkg/spec/spec_unsupported.go
+++ /dev/null
@@ -1,7 +0,0 @@
-//+build !linux
-
-package createconfig
-
-func getHostRlimits() ([]systemUlimit, error) {
- return nil, nil
-}
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index ed767f5ba..88f1f6dc1 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
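Review bot: `g.Config.Process.Rlimits = nil` carries no comment, and the deleted spec_linux.go shows what it replaces: an explicit copy of seven host limits (RLIMIT_AS, CORE, CPU, DATA, FSIZE, NOFILE, STACK) into the spec. A reader of the new code cannot tell that an empty Rlimits list is presumably meant to let the container process keep whatever limits the runtime applies by default, which now covers every resource rather than those seven and depends on the OCI runtime's behaviour rather than on values podman chose. Suggest `// "host": leave Rlimits empty so the container inherits the runtime's limits instead of a fixed subset copied from the host.` above the assignment, adjusted if the runtime behaviour is different from that. Worth confirming `g.Config.Process` is non-nil here; the generator is built outside this hunk, and addRlimits begins and ends outside it.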
@@ -211,6 +211,13 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
 }
 mount.Options = opts
 }
+ if mount.Type == TypeBind {
+ absSrc, err := filepath.Abs(mount.Source)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "error getting absolute path of %s", mount.Source)
+ }
+ mount.Source = absSrc
+ }
 finalMounts = append(finalMounts, mount)
 }
 finalVolumes := make([]*libpod.ContainerNamedVolume, 0, len(baseVolumes))
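Review bot: `filepath.Abs(mount.Source)` on an empty string returns the current working directory, so an empty bind-mount Source (if the parsing before this hunk can let one through; that code is outside the hunk) would silently become a bind of the caller's cwd into the container instead of an error. A guard before the call is cheap: `if mount.Source == "" { return nil, nil, errors.New("bind mount source must not be empty") }`. Note also that `filepath.Abs` only cleans and prefixes the path and does not resolve symlinks, so the stored Source can still point through a symlink if later checks compare it against allowed locations. parseVolumes begins and ends outside this hunk.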