diff options
Diffstat (limited to 'pkg/spec')
| -rw-r--r-- | pkg/spec/createconfig.go | 4 | ||||
| -rw-r--r-- | pkg/spec/spec.go | 12 | ||||
| -rw-r--r-- | pkg/spec/spec_test.go | 38 | ||||
| -rw-r--r-- | pkg/spec/storage.go | 18 |
4 files changed, 57 insertions, 15 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index 3f70e5935..c17172016 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -64,6 +64,7 @@ type CreateConfig struct { CidFile string ConmonPidFile string Cgroupns string + Cgroups string CgroupParent string // cgroup-parent Command []string // Full command that will be used UserCommand []string // User-entered command (or image CMD) @@ -206,6 +207,9 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l logrus.Debugf("adding container to pod %s", c.Pod) options = append(options, runtime.WithPod(pod)) } + if c.Cgroups == "disabled" { + options = append(options, libpod.WithNoCgroups()) + } if len(c.PortBindings) > 0 { portBindings, err = c.CreatePortBindings() if err != nil { diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 44bbda885..38f9c7306 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -396,6 +396,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } } + switch config.Cgroups { + case "disabled": + if addedResources { + return nil, errors.New("cannot specify resource limits when cgroups are disabled is specified") + } + configSpec.Linux.Resources = &spec.LinuxResources{} + case "enabled", "": + // Do nothing + default: + return nil, errors.New("unrecognized option for cgroups; supported are 'default' and 'disabled'") + } + // Add annotations if configSpec.Annotations == nil { configSpec.Annotations = make(map[string]string) diff --git a/pkg/spec/spec_test.go b/pkg/spec/spec_test.go index 0abff491b..2f91e1b21 100644 --- a/pkg/spec/spec_test.go +++ b/pkg/spec/spec_test.go @@ -4,6 +4,8 @@ import ( "runtime" "testing" + "github.com/containers/libpod/pkg/cgroups" + "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/sysinfo" "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" @@ -26,14 +28,30 @@ func makeTestCreateConfig() *CreateConfig { return cc } -// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec -func TestPIDsLimit(t *testing.T) { +func doCommonSkipChecks(t *testing.T) { // The default configuration of podman enables seccomp, which is not available on non-Linux systems. // Thus, any tests that use the default seccomp setting would fail. // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. if runtime.GOOS != "linux" { t.Skip("seccomp, which is enabled by default, is only supported on Linux") } + + if rootless.IsRootless() { + isCgroupV2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + if !isCgroupV2 { + t.Skip("cgroups v1 cannot be used when rootless") + } + } +} + +// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec +func TestPIDsLimit(t *testing.T) { + doCommonSkipChecks(t) + if !sysInfo.PidsLimit { t.Skip("running test not supported by the host system") } @@ -50,12 +68,8 @@ func TestPIDsLimit(t *testing.T) { // TestBLKIOWeightDevice verifies the given blkio weight is correctly set in the // spec. func TestBLKIOWeightDevice(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.BlkioWeightDevice { t.Skip("running test not supported by the host system") } @@ -75,12 +89,8 @@ func TestBLKIOWeightDevice(t *testing.T) { // TestMemorySwap verifies that the given swap memory limit is correctly set in // the spec. func TestMemorySwap(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.SwapLimit { t.Skip("running test not supported by the host system") } diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go index bc0eaad6d..cc091dcee 100644 --- a/pkg/spec/storage.go +++ b/pkg/spec/storage.go @@ -389,7 +389,7 @@ func getBindMount(args []string) (spec.Mount, error) { Type: TypeBind, } - var setSource, setDest, setRORW, setSuid, setDev, setExec bool + var setSource, setDest, setRORW, setSuid, setDev, setExec, setRelabel bool for _, val := range args { kv := strings.Split(val, "=") @@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) { } newMount.Destination = kv[1] setDest = true + case "relabel": + if setRelabel { + return newMount, errors.Wrapf(optionArgError, "cannot pass 'relabel' option more than once") + } + setRelabel = true + if len(kv) != 2 { + return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0]) + } + switch kv[1] { + case "private": + newMount.Options = append(newMount.Options, "z") + case "shared": + newMount.Options = append(newMount.Options, "Z") + default: + return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0]) + } default: return newMount, errors.Wrapf(util.ErrBadMntOption, kv[0]) } |