aboutsummaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/container.go15
-rw-r--r--pkg/specgen/generate/container_create.go16
-rw-r--r--pkg/specgen/generate/oci.go18
-rw-r--r--pkg/specgen/generate/security.go5
4 files changed, 37 insertions, 17 deletions
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 65f8197bc..53d160442 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -135,15 +135,18 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
s.Annotations = annotations
// workdir
- if newImage != nil {
- workingDir, err := newImage.WorkingDir(ctx)
- if err != nil {
- return nil, err
- }
- if len(s.WorkDir) < 1 && len(workingDir) > 1 {
+ if s.WorkDir == "" {
+ if newImage != nil {
+ workingDir, err := newImage.WorkingDir(ctx)
+ if err != nil {
+ return nil, err
+ }
s.WorkDir = workingDir
}
}
+ if s.WorkDir == "" {
+ s.WorkDir = "/"
+ }
if len(s.SeccompProfilePath) < 1 {
p, err := libpod.DefaultSeccompPath()
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index b61ac2c30..fda4c098c 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -164,13 +164,19 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
}
if len(command) > 0 {
- if command[0] == "/usr/sbin/init" || command[0] == "/sbin/init" || (filepath.Base(command[0]) == "systemd") {
+ useSystemdCommands := map[string]bool{
+ "/sbin/init": true,
+ "/usr/sbin/init": true,
+ "/usr/local/sbin/init": true,
+ }
+ if useSystemdCommands[command[0]] || (filepath.Base(command[0]) == "systemd") {
useSystemd = true
}
}
default:
return nil, errors.Wrapf(err, "invalid value %q systemd option requires 'true, false, always'", s.Systemd)
}
+ logrus.Debugf("using systemd mode: %t", useSystemd)
if useSystemd {
// is StopSignal was not set by the user then set it to systemd
// expected StopSigal
@@ -241,13 +247,7 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
// If the user did not set an workdir but the image did, ensure it is
// created.
if s.WorkDir == "" && img != nil {
- newWD, err := img.WorkingDir(ctx)
- if err != nil {
- return nil, err
- }
- if newWD != "" {
- options = append(options, libpod.WithCreateWorkingDir())
- }
+ options = append(options, libpod.WithCreateWorkingDir())
}
if s.StopSignal != nil {
options = append(options, libpod.WithStopSignal(*s.StopSignal))
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 78cd32253..fd324c6e1 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -18,6 +18,18 @@ import (
"golang.org/x/sys/unix"
)
+func setProcOpts(s *specgen.SpecGenerator, g *generate.Generator) {
+ if s.ProcOpts == nil {
+ return
+ }
+ for i := range g.Config.Mounts {
+ if g.Config.Mounts[i].Destination == "/proc" {
+ g.Config.Mounts[i].Options = s.ProcOpts
+ return
+ }
+ }
+}
+
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
var (
isRootless = rootless.IsRootless()
@@ -96,8 +108,10 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image
finalCommand = append(finalCommand, entrypoint...)
+ // Only use image command if the user did not manually set an
+ // entrypoint.
command := s.Command
- if command == nil && img != nil {
+ if command == nil && img != nil && s.Entrypoint == nil {
newCmd, err := img.Cmd(ctx)
if err != nil {
return nil, err
@@ -339,6 +353,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
configSpec.Annotations[define.InspectAnnotationInit] = define.InspectResponseFalse
}
+ setProcOpts(s, &g)
+
return configSpec, nil
}
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 4352ef718..5e4cc3399 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Linux.Seccomp = seccompConfig
}
- // Clear default Seccomp profile from Generator for privileged containers
- if s.SeccompProfilePath == "unconfined" || s.Privileged {
+ // Clear default Seccomp profile from Generator for unconfined containers
+ // and privileged containers which do not specify a seccomp profile.
+ if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
configSpec.Linux.Seccomp = nil
}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-12-26 06:13:35 +0000