Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/config_linux.go2
-rw-r--r--pkg/specgen/generate/config_linux_cgo.go6
-rw-r--r--pkg/specgen/generate/config_linux_nocgo.go4
-rw-r--r--pkg/specgen/generate/container.go12
-rw-r--r--pkg/specgen/generate/container_create.go25
-rw-r--r--pkg/specgen/generate/namespaces.go24
-rw-r--r--pkg/specgen/generate/oci.go32
-rw-r--r--pkg/specgen/generate/pod_create.go4
-rw-r--r--pkg/specgen/generate/ports.go4
-rw-r--r--pkg/specgen/generate/security.go38
-rw-r--r--pkg/specgen/generate/storage.go8
-rw-r--r--pkg/specgen/generate/validate.go4
12 files changed, 105 insertions, 58 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 9b6bd2827..35508c023 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -7,7 +7,7 @@ import (
"path/filepath"
"strings"
- "github.com/containers/libpod/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/rootless"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go
index 7ea4278a2..f35d56750 100644
--- a/pkg/specgen/generate/config_linux_cgo.go
+++ b/pkg/specgen/generate/config_linux_cgo.go
@@ -6,9 +6,9 @@ import (
"context"
"io/ioutil"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/seccomp"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/seccomp"
+ "github.com/containers/podman/v2/pkg/specgen"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
goSeccomp "github.com/seccomp/containers-golang"
diff --git a/pkg/specgen/generate/config_linux_nocgo.go b/pkg/specgen/generate/config_linux_nocgo.go
index 8afd2f9dc..184122aeb 100644
--- a/pkg/specgen/generate/config_linux_nocgo.go
+++ b/pkg/specgen/generate/config_linux_nocgo.go
@@ -5,8 +5,8 @@ package generate
import (
"errors"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
spec "github.com/opencontainers/runtime-spec/specs-go"
)
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index f0d52d0c3..65f8197bc 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -4,12 +4,12 @@ import (
"context"
"github.com/containers/image/v5/manifest"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- ann "github.com/containers/libpod/v2/pkg/annotations"
- envLib "github.com/containers/libpod/v2/pkg/env"
- "github.com/containers/libpod/v2/pkg/signal"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ ann "github.com/containers/podman/v2/pkg/annotations"
+ envLib "github.com/containers/podman/v2/pkg/env"
+ "github.com/containers/podman/v2/pkg/signal"
+ "github.com/containers/podman/v2/pkg/specgen"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index c1ceac69e..9dfb35be3 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -6,10 +6,10 @@ import (
"path/filepath"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
"github.com/containers/storage"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -145,6 +145,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
if s.Timezone != "" {
options = append(options, libpod.WithTimezone(s.Timezone))
}
+ if s.Umask != "" {
+ options = append(options, libpod.WithUmask(s.Umask))
+ }
useSystemd := false
switch s.Systemd {
@@ -201,6 +204,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
for _, volume := range volumes {
destinations = append(destinations, volume.Dest)
}
+ for _, overlayVolume := range s.OverlayVolumes {
+ destinations = append(destinations, overlayVolume.Destination)
+ }
options = append(options, libpod.WithUserVolumes(destinations))
if len(volumes) != 0 {
@@ -215,6 +221,17 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
options = append(options, libpod.WithNamedVolumes(vols))
}
+ if len(s.OverlayVolumes) != 0 {
+ var vols []*libpod.ContainerOverlayVolume
+ for _, v := range s.OverlayVolumes {
+ vols = append(vols, &libpod.ContainerOverlayVolume{
+ Dest: v.Destination,
+ Source: v.Source,
+ })
+ }
+ options = append(options, libpod.WithOverlayVolumes(vols))
+ }
+
if s.Command != nil {
options = append(options, libpod.WithCommand(s.Command))
}
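Review bot: The overlay volume `Source` is copied straight into `libpod.ContainerOverlayVolume` with no check visible in this hunk that it is an absolute host path; presumably `specgen` validation or the libpod option rejects relative or empty sources, but since this is a host directory being exposed to the container that should be confirmed at the receiving end. The guard `if len(s.OverlayVolumes) != 0` is fine, but the slice inside it can be pre-sized, `vols := make([]*libpod.ContainerOverlayVolume, 0, len(s.OverlayVolumes))`. The same hunk-local `vols` name is also used by the named-volume block just above, which reads fine because the scopes are separate but a distinct name such as `overlayVols` would avoid the double take. createContainerOptions starts and ends outside the hunk.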
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 09d6ba445..b8ab1399e 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -2,16 +2,17 @@ package generate
import (
"context"
+ "fmt"
"os"
"strings"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
@@ -226,7 +227,11 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
if err != nil {
return nil, err
}
- toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, "slirp4netns", nil))
+ val := "slirp4netns"
+ if s.NetNS.Value != "" {
+ val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
+ }
+ toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
case specgen.Bridge:
portMappings, err := createPortMappings(ctx, s, img)
if err != nil {
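Review bot: `s.NetNS.Value` is user-supplied and is spliced into the mode string `slirp4netns:<value>` that the libpod side presumably parses by splitting on `:`; a value containing `:` or whitespace would reach network setup without any validation visible here, so either validate the option syntax before building `val` or confirm that the receiver rejects malformed values. A plain concatenation `val = "slirp4netns:" + s.NetNS.Value` reads the same and avoids fmt. namespaceOptions continues outside the hunk.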
@@ -261,6 +266,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
if s.StaticMAC != nil {
toReturn = append(toReturn, libpod.WithStaticMAC(*s.StaticMAC))
}
+ if s.NetworkOptions != nil {
+ toReturn = append(toReturn, libpod.WithNetworkOptions(s.NetworkOptions))
+ }
return toReturn, nil
}
@@ -465,7 +473,7 @@ func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
case "pid":
options = append(options, libpod.WithPodPID())
case "user":
- return erroredOptions, errors.Errorf("User sharing functionality not supported on pod level")
+ continue
case "ipc":
options = append(options, libpod.WithPodIPC())
case "uts":
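Review bot: `case "user": continue` now silently accepts `user` in the share list with no effect and no feedback, where the removed line returned an error, so a caller asking to share the user namespace cannot tell the request was dropped. If user namespace sharing is implicit at the pod level, say so on the case, `// user namespace sharing is implicit for pods; accept and ignore`, and if it is not, a logrus warning would make the drop visible. If `erroredOptions` has no other use in GetNamespaceOptions it is now dead, but the rest of the function is outside the hunk.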
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 140dc5092..78cd32253 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -5,11 +5,11 @@ import (
"strings"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/specgen"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -20,10 +20,9 @@ import (
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
)
if s.Rlimits == nil {
@@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
if !nofileSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
@@ -286,13 +285,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
}
- // SECURITY OPTS
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if !s.Privileged {
- g.SetProcessApparmorProfile(s.ApparmorProfile)
- }
-
BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
for name, val := range s.Env {
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 4fe1b6435..0cbfca2db 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -3,8 +3,8 @@ package generate
import (
"context"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/pkg/specgen"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index c8d1c27c5..1ad7e6f4d 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -6,8 +6,8 @@ import (
"strconv"
"strings"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 70493cd5f..4352ef718 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -3,12 +3,13 @@ package generate
import (
"strings"
+ "github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/capabilities"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
"github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -56,6 +57,28 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s
return nil
}
+func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error {
+ hasProfile := len(s.ApparmorProfile) > 0
+ if !apparmor.IsEnabled() {
+ if hasProfile {
+ return errors.Errorf("Apparmor profile %q specified, but Apparmor is not enabled on this system", s.ApparmorProfile)
+ }
+ return nil
+ }
+ // If privileged and caller did not specify apparmor profiles return
+ if s.Privileged && !hasProfile {
+ return nil
+ }
+ if !hasProfile {
+ s.ApparmorProfile = rtc.Containers.ApparmorProfile
+ }
+ if len(s.ApparmorProfile) > 0 {
+ g.SetProcessApparmorProfile(s.ApparmorProfile)
+ }
+
+ return nil
+}
+
func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *image.Image, rtc *config.Config) error {
var (
caplist []string
@@ -105,6 +128,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
}
}
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
diff --git a/pkg/specgen/generate/storage.go b/pkg/specgen/generate/storage.go
index f3b1a4e3d..182ae74a7 100644
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@@ -9,10 +9,10 @@ import (
"strings"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index cd2f9ec22..dca45cc0e 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -2,8 +2,8 @@ package generate
import (
"github.com/containers/common/pkg/sysinfo"
- "github.com/containers/libpod/v2/pkg/cgroups"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/cgroups"
+ "github.com/containers/podman/v2/pkg/specgen"
"github.com/pkg/errors"
)