Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/config_unsupported.go | 2 | ||||
-rw-r--r-- | pkg/specgen/container_validate.go | 19 | ||||
-rw-r--r-- | pkg/specgen/generate/config_linux.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/config_linux_cgo.go | 6 | ||||
-rw-r--r-- | pkg/specgen/generate/config_linux_nocgo.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/container.go | 12 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 25 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 24 | ||||
-rw-r--r-- | pkg/specgen/generate/oci.go | 32 | ||||
-rw-r--r-- | pkg/specgen/generate/pod_create.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/ports.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/security.go | 38 | ||||
-rw-r--r-- | pkg/specgen/generate/storage.go | 8 | ||||
-rw-r--r-- | pkg/specgen/generate/validate.go | 4 | ||||
-rw-r--r-- | pkg/specgen/namespaces.go | 14 | ||||
-rw-r--r-- | pkg/specgen/pod_validate.go | 13 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 27 |
17 files changed, 165 insertions, 73 deletions
diff --git a/pkg/specgen/config_unsupported.go b/pkg/specgen/config_unsupported.go
index 6b6ba6181..85ff1e9fd 100644
--- a/pkg/specgen/config_unsupported.go
+++ b/pkg/specgen/config_unsupported.go
@@ -3,7 +3,7 @@ package specgen
 import (
- "github.com/containers/libpod/v2/libpod/image"
+ "github.com/containers/podman/v2/libpod/image"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 )
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index bf03ff0e7..1a1bb4526 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -3,9 +3,9 @@ package specgen
 import (
 "strings"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/util"
 "github.com/pkg/errors"
 )
@@ -28,6 +28,15 @@ func exclusiveOptions(opt1, opt2 string) error {
 // input for creating a container.
 func (s *SpecGenerator) Validate() error {
+ if rootless.IsRootless() {
+ if s.StaticIP != nil || s.StaticIPv6 != nil {
+ return ErrNoStaticIPRootless
+ }
+ if s.StaticMAC != nil {
+ return ErrNoStaticMACRootless
+ }
+ }
+
 //
 // ContainerBasicConfig
 //
@@ -72,10 +81,6 @@ func (s *SpecGenerator) Validate() error {
 if len(s.CapAdd) > 0 && s.Privileged {
 return exclusiveOptions("CapAdd", "privileged")
 }
- // apparmor and privileged are exclusive
- if len(s.ApparmorProfile) > 0 && s.Privileged {
- return exclusiveOptions("AppArmorProfile", "privileged")
- }
 // userns and idmappings conflict
 if s.UserNS.IsPrivate() && s.IDMappings == nil {
 return errors.Wrap(ErrInvalidSpecConfig, "IDMappings are required when not creating a User namespace")
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 9b6bd2827..35508c023 100644
--- a/pkg/specgen/generate/config_linux.go
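Review bot: The new rootless guard at the top of Validate returns the bare sentinels ErrNoStaticIPRootless and ErrNoStaticMACRootless, while the other failures in the same function (see the `return errors.Wrap(ErrInvalidSpecConfig, ...)` further down this hunk) wrap ErrInvalidSpecConfig, so a caller that classifies validation failures with `errors.Is(err, ErrInvalidSpecConfig)` will not recognise these two. Either wrap them the way the rest of Validate does, or document on the sentinels in pkg/specgen/specgen.go that they are returned unwrapped and are meant to be matched directly. The same applies to the PodSpecGenerator.Validate hunk in pkg/specgen/pod_validate.go. Validate continues outside the hunk.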
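Review bot: Dropping the AppArmorProfile/privileged exclusivity check here changes what a privileged container ends up with: an explicitly requested profile is now accepted and, per the setupApparmor added in pkg/specgen/generate/security.go, applied even when Privileged is set, while only the runtime default profile is skipped for privileged containers. That policy is currently visible only by reading security.go; the doc comment on the ApparmorProfile field in pkg/specgen/specgen.go (not part of this diff) should state it, e.g. `// Privileged containers receive no profile unless one is set here explicitly.` Validate continues outside the hunk.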
+++ b/pkg/specgen/generate/config_linux.go
@@ -7,7 +7,7 @@ import (
 "path/filepath"
 "strings"
- "github.com/containers/libpod/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/rootless"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/pkg/errors"
diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go
index 7ea4278a2..f35d56750 100644
--- a/pkg/specgen/generate/config_linux_cgo.go
+++ b/pkg/specgen/generate/config_linux_cgo.go
@@ -6,9 +6,9 @@ import (
 "context"
 "io/ioutil"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/seccomp"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/seccomp"
+ "github.com/containers/podman/v2/pkg/specgen"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 goSeccomp "github.com/seccomp/containers-golang"
diff --git a/pkg/specgen/generate/config_linux_nocgo.go b/pkg/specgen/generate/config_linux_nocgo.go
index 8afd2f9dc..184122aeb 100644
--- a/pkg/specgen/generate/config_linux_nocgo.go
+++ b/pkg/specgen/generate/config_linux_nocgo.go
@@ -5,8 +5,8 @@ package generate
 import (
 "errors"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 )
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index f0d52d0c3..65f8197bc 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -4,12 +4,12 @@ import (
 "context"
 "github.com/containers/image/v5/manifest"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- ann "github.com/containers/libpod/v2/pkg/annotations"
- envLib "github.com/containers/libpod/v2/pkg/env"
- "github.com/containers/libpod/v2/pkg/signal"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ ann "github.com/containers/podman/v2/pkg/annotations"
+ envLib "github.com/containers/podman/v2/pkg/env"
+ "github.com/containers/podman/v2/pkg/signal"
+ "github.com/containers/podman/v2/pkg/specgen"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 "golang.org/x/sys/unix"
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index c1ceac69e..9dfb35be3 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -6,10 +6,10 @@ import (
 "path/filepath"
 "github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
 "github.com/containers/storage"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -145,6 +145,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 if s.Timezone != "" {
 options = append(options, libpod.WithTimezone(s.Timezone))
 }
+ if s.Umask != "" {
+ options = append(options, libpod.WithUmask(s.Umask))
+ }
 useSystemd := false
 switch s.Systemd {
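Review bot: `s.Umask` is passed straight to `libpod.WithUmask` with no check in this package, and the Validate hunk in pkg/specgen/container_validate.go does not cover the new field either, so a malformed value is only rejected when the option is applied, if WithUmask validates at all (its body is not in this diff). A syntax check in SpecGenerator.Validate next to the other spec checks would fail fast with a spec error; at minimum the field's doc comment in pkg/specgen/specgen.go should state the expected form (presumably octal digits) and that it is optional. createContainerOptions starts and ends outside the hunk.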
@@ -201,6 +204,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 for _, volume := range volumes {
 destinations = append(destinations, volume.Dest)
 }
+ for _, overlayVolume := range s.OverlayVolumes {
+ destinations = append(destinations, overlayVolume.Destination)
+ }
 options = append(options, libpod.WithUserVolumes(destinations))
 if len(volumes) != 0 {
@@ -215,6 +221,17 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 options = append(options, libpod.WithNamedVolumes(vols))
 }
+ if len(s.OverlayVolumes) != 0 {
+ var vols []*libpod.ContainerOverlayVolume
+ for _, v := range s.OverlayVolumes {
+ vols = append(vols, &libpod.ContainerOverlayVolume{
+ Dest: v.Destination,
+ Source: v.Source,
+ })
+ }
+ options = append(options, libpod.WithOverlayVolumes(vols))
+ }
+
 if s.Command != nil {
 options = append(options, libpod.WithCommand(s.Command))
 }
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 09d6ba445..b8ab1399e 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -2,16 +2,17 @@ package generate
 import (
 "context"
+ "fmt"
 "os"
 "strings"
 "github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/pkg/errors"
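Review bot: The loop building `vols` dereferences every `*OverlayVolume` element (`v.Destination`, `v.Source`) without a nil check, and nothing in this diff verifies that Destination is the absolute path its doc comment in pkg/specgen/specgen.go promises, so a spec arriving over the API with a nil entry or an empty/relative destination is only caught downstream, if at all; the destinations loop in the hunk just above (@@ -201) has the same exposure. Validating the entries in SpecGenerator.Validate, beside the new rootless checks, would keep that in one place. Minor: the slice can be presized, `vols := make([]*libpod.ContainerOverlayVolume, 0, len(s.OverlayVolumes))`. createContainerOptions starts and ends outside the hunk.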
@@ -226,7 +227,11 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 if err != nil {
 return nil, err
 }
- toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, "slirp4netns", nil))
+ val := "slirp4netns"
+ if s.NetNS.Value != "" {
+ val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
+ }
+ toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
 case specgen.Bridge:
 portMappings, err := createPortMappings(ctx, s, img)
 if err != nil {
@@ -261,6 +266,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 if s.StaticMAC != nil {
 toReturn = append(toReturn, libpod.WithStaticMAC(*s.StaticMAC))
 }
+ if s.NetworkOptions != nil {
+ toReturn = append(toReturn, libpod.WithNetworkOptions(s.NetworkOptions))
+ }
 return toReturn, nil
 }
@@ -465,7 +473,7 @@ func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
 case "pid":
 options = append(options, libpod.WithPodPID())
 case "user":
- return erroredOptions, errors.Errorf("User sharing functionality not supported on pod level")
+ continue
 case "ipc":
 options = append(options, libpod.WithPodIPC())
 case "uts":
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 140dc5092..78cd32253 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
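Review bot: `s.NetNS.Value` is interpolated into the `slirp4netns:%s` option string without any validation; the validateNetNS change in pkg/specgen/namespaces.go only exempts Slirp from the "must not carry a value" rule and adds no positive check, so whatever follows `slirp4netns:` on the command line reaches libpod's option parsing (not in this diff) verbatim. A syntax check on the value in validateNetNS, and a comment on this branch naming the accepted form, would make the contract explicit, e.g. `// NetNS.Value carries user-supplied slirp4netns options; they are validated in specgen.validateNetNS`. namespaceOptions starts and ends outside the hunk.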
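Review bot: Replacing the error with `continue` in the `user` case silently accepts a user-namespace entry in the pod share list while doing nothing with it, so the caller gets no signal that the request was ignored. If this is deliberate, a comment should say so, e.g. `// "user" is accepted but has no effect: user namespaces are not shared at the pod level`; if it is meant to be visible, a warning log is the alternative, though no logger is among the imports shown for this file. GetNamespaceOptions starts and ends outside the hunk.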
@@ -5,11 +5,11 @@ import (
 "strings"
 "github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/specgen"
 "github.com/opencontainers/runc/libcontainer/user"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
@@ -20,10 +20,9 @@ import (
 func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
 )
 if s.Rlimits == nil {
@@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 // files and number of processes to the maximum they can be set to
 // (without overriding a sysctl)
 if !nofileSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
 if isRootless {
 var rlimit unix.Rlimit
 if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
 }
 if !nprocSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
 if isRootless {
 var rlimit unix.Rlimit
 if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
@@ -286,13 +285,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 }
 }
- // SECURITY OPTS
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if !s.Privileged {
- g.SetProcessApparmorProfile(s.ApparmorProfile)
- }
-
 BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
 for name, val := range s.Env {
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 4fe1b6435..0cbfca2db 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -3,8 +3,8 @@ package generate
 import (
 "context"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/pkg/specgen"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 )
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index c8d1c27c5..1ad7e6f4d 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -6,8 +6,8 @@ import (
 "strconv"
 "strings"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
 "github.com/cri-o/ocicni/pkg/ocicni"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 70493cd5f..4352ef718 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
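Review bot: With the SECURITY OPTS block gone from SpecGenToOCI, `g.SetProcessNoNewPrivileges` is now applied only inside securityConfigureGenerator (pkg/specgen/generate/security.go), so the no_new_privs setting depends on that function being reached on every path through SpecGenToOCI; its call site is not in this diff, so that is worth confirming. A one-line comment where the block used to be, `// NoNewPrivileges and AppArmor are applied in securityConfigureGenerator`, would stop the next reader from re-adding it here. SpecGenToOCI starts and ends outside the hunk.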
@@ -3,12 +3,13 @@ package generate
 import (
 "strings"
+ "github.com/containers/common/pkg/apparmor"
 "github.com/containers/common/pkg/capabilities"
 "github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
@@ -56,6 +57,28 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s
 return nil
 }
+func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error {
+ hasProfile := len(s.ApparmorProfile) > 0
+ if !apparmor.IsEnabled() {
+ if hasProfile {
+ return errors.Errorf("Apparmor profile %q specified, but Apparmor is not enabled on this system", s.ApparmorProfile)
+ }
+ return nil
+ }
+ // If privileged and caller did not specify apparmor profiles return
+ if s.Privileged && !hasProfile {
+ return nil
+ }
+ if !hasProfile {
+ s.ApparmorProfile = rtc.Containers.ApparmorProfile
+ }
+ if len(s.ApparmorProfile) > 0 {
+ g.SetProcessApparmorProfile(s.ApparmorProfile)
+ }
+
+ return nil
+}
+
 func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *image.Image, rtc *config.Config) error {
 var (
 caplist []string
@@ -105,6 +128,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 }
 }
 }
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
 configSpec := g.Config
 configSpec.Process.Capabilities.Bounding = caplist
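Review bot: setupApparmor writes the runtime default back into `s.ApparmorProfile`, so the caller's SpecGenerator no longer records what was actually requested and a repeated call sees a profile the user never set; if downstream code relies on `s` carrying the effective profile, that deserves a comment on the function, otherwise keep the choice in a local as below. Two smaller points in the same hunk: the error string begins with a capital letter, unlike the other errors in this diff, and the early return for privileged-without-profile yields an unconfined privileged container, which the comment above it should say outright, e.g. `// Privileged containers get no profile unless the caller set one explicitly`. The function is complete within the hunk.
```go
func setupApparmor(s *specgen.SpecGenerator, rtc *config.Config, g *generate.Generator) error {
	// … unchanged: apparmor.IsEnabled() and privileged checks …
	profile := s.ApparmorProfile
	if !hasProfile {
		profile = rtc.Containers.ApparmorProfile
	}
	if profile != "" {
		g.SetProcessApparmorProfile(profile)
	}
	return nil
}
```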
diff --git a/pkg/specgen/generate/storage.go b/pkg/specgen/generate/storage.go
index f3b1a4e3d..182ae74a7 100644
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@@ -9,10 +9,10 @@ import (
 "strings"
 "github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/specgen"
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/util"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index cd2f9ec22..dca45cc0e 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -2,8 +2,8 @@ package generate
 import (
 "github.com/containers/common/pkg/sysinfo"
- "github.com/containers/libpod/v2/pkg/cgroups"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/pkg/cgroups"
+ "github.com/containers/podman/v2/pkg/specgen"
 "github.com/pkg/errors"
 )
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 5f56b242b..90c56d366 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -3,8 +3,8 @@ package specgen
 import (
 "strings"
- "github.com/containers/libpod/v2/pkg/cgroups"
- "github.com/containers/libpod/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/cgroups"
+ "github.com/containers/podman/v2/pkg/rootless"
 "github.com/pkg/errors"
 )
@@ -108,7 +108,9 @@ func validateNetNS(n *Namespace) error {
 return nil
 }
 switch n.NSMode {
- case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge, Slirp:
+ case Slirp:
+ break
+ case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge:
 break
 default:
 return errors.Errorf("invalid network %q", n.NSMode)
@@ -119,8 +121,8 @@ func validateNetNS(n *Namespace) error {
 if len(n.Value) < 1 {
 return errors.Errorf("namespace mode %s requires a value", n.NSMode)
 }
- } else {
- // All others must NOT set a string value
+ } else if n.NSMode != Slirp {
+ // All others except must NOT set a string value
 if len(n.Value) > 0 {
 return errors.Errorf("namespace value %s cannot be provided with namespace mode %s", n.Value, n.NSMode)
 }
@@ -250,7 +252,7 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 var cniNetworks []string
 // Net defaults to Slirp on rootless
 switch {
- case ns == "slirp4netns":
+ case ns == "slirp4netns", strings.HasPrefix(ns, "slirp4netns:"):
 toReturn.NSMode = Slirp
 case ns == "pod":
 toReturn.NSMode = FromPod
diff --git a/pkg/specgen/pod_validate.go b/pkg/specgen/pod_validate.go
index 070bb1e41..d5e0aecf2 100644
--- a/pkg/specgen/pod_validate.go
+++ b/pkg/specgen/pod_validate.go
@@ -1,7 +1,8 @@
 package specgen
 import (
- "github.com/containers/libpod/v2/pkg/util"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/util"
 "github.com/pkg/errors"
 )
@@ -18,6 +19,16 @@ func exclusivePodOptions(opt1, opt2 string) error {
 // Validate verifies the input is valid
 func (p *PodSpecGenerator) Validate() error {
+
+ if rootless.IsRootless() {
+ if p.StaticIP != nil {
+ return ErrNoStaticIPRootless
+ }
+ if p.StaticMAC != nil {
+ return ErrNoStaticMACRootless
+ }
+ }
+
 // PodBasicConfig
 if p.NoInfra {
 if len(p.InfraCommand) > 0 {
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 16d4b7c8c..84a6c36a0 100644
--- a/pkg/specgen/specgen.go
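Review bot: The comment added with `} else if n.NSMode != Slirp {` in the second validateNetNS hunk (@@ -119) is missing a word: `// All others except must NOT set a string value` should read `// All others except Slirp must NOT set a string value`. In the switch in this hunk, `case Slirp: break` now behaves exactly like the case after it, so either fold Slirp back into that list or give the separate case a comment explaining that Slirp alone may carry a value, which is what the else-if below implements. Note that no branch checks the Slirp value itself, so the accepted syntax is whatever the generate side later parses. validateNetNS starts and ends outside the hunk.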
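Review bot: The new `strings.HasPrefix(ns, "slirp4netns:")` arm in ParseNetworkNamespace only sets NSMode; whether the text after the colon ends up in `toReturn.Value`, which pkg/specgen/generate/namespaces.go now reads, happens outside this hunk and is worth confirming. A comment on the case would document the accepted form, e.g. `// "slirp4netns" may be followed by ":" and an option string, which is kept in Value`. ParseNetworkNamespace starts and ends outside the hunk.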
+++ b/pkg/specgen/specgen.go
@@ -1,6 +1,7 @@
 package specgen
 import (
+ "errors"
 "net"
 "syscall"
@@ -197,6 +198,9 @@ type ContainerStorageConfig struct {
 // there are conflicts.
 // Optional.
 Volumes []*NamedVolume `json:"volumes,omitempty"`
+ // Overlay volumes are named volumes that will be added to the container.
+ // Optional.
+ OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"`
 // Devices are devices that will be added to the container.
 // Optional.
 Devices []spec.LinuxDevice `json:"devices,omitempty"`
@@ -283,6 +287,8 @@ type ContainerSecurityConfig struct {
 // ReadOnlyFilesystem indicates that everything will be mounted
 // as read-only
 ReadOnlyFilesystem bool `json:"read_only_filesystem,omittempty"`
+ // Umask is the umask the init process of the container will be run with.
+ Umask string `json:"umask,omitempty"`
 }
 // ContainerCgroupConfig contains configuration information about a container's
@@ -378,6 +384,9 @@ type ContainerNetworkConfig struct {
 // Conflicts with UseImageHosts.
 // Optional.
 HostAdd []string `json:"hostadd,omitempty"`
+ // NetworkOptions are additional options for each network
+ // Optional.
+ NetworkOptions map[string][]string `json:"network_options,omitempty"`
 }
 // ContainerResourceConfig contains information on container resource limits.
@@ -439,6 +448,15 @@ type NamedVolume struct {
 Options []string
 }
+// OverlayVolume holds information about a overlay volume that will be mounted into
+// the container.
+type OverlayVolume struct {
+ // Destination is the absolute path where the mount will be placed in the container.
+ Destination string `json:"destination"`
+ // Source specifies the source path of the mount.
+ Source string `json:"source,omitempty"`
+}
+
 // PortMapping is one or more ports that will be mapped into the container.
 type PortMapping struct {
 // HostIP is the IP that we will bind to on the host.
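Review bot: The doc comment on the new OverlayVolumes field does not start with the field name and describes the entries as "named volumes", yet the OverlayVolume type added further down in this file (hunk @@ -439) carries a Source path and no name, so the comment contradicts the type; `// OverlayVolumes are overlay mounts of a source path that will be added to the container.` matches what the struct holds. In that later hunk, "a overlay volume" should be "an overlay volume". ContainerStorageConfig starts and ends outside the hunk.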
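Review bot: The Umask field's doc comment (hunk @@ -283) gives neither the expected form of the value nor whether it is optional, while the neighbouring fields carry "Optional."; since nothing in this diff validates the string before it reaches libpod.WithUmask, the comment is the only contract a caller has, e.g. `// Umask is the umask the init process of the container will be run with, as octal digits. Optional.` (confirm the parsing format against WithUmask, which is not in this diff). The adjacent context line's tag `json:"read_only_filesystem,omittempty"` misspells omitempty and therefore never omits the field; that is pre-existing, but worth a follow-up. ContainerSecurityConfig starts outside the hunk.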
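Review bot: The NetworkOptions doc comment (hunk @@ -378) does not say what the map is keyed by or what the option strings look like, which matters because the value is passed through unchanged to libpod.WithNetworkOptions in pkg/specgen/generate/namespaces.go; presumably the key is a network name, in which case `// NetworkOptions are additional options for each network, keyed by network name.` would say so, and the accepted option syntax should be named or referenced. ContainerNetworkConfig starts outside the hunk.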
@@ -469,6 +487,15 @@ type PortMapping struct {
 Protocol string `json:"protocol,omitempty"`
 }
+var (
+ // ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
+ // to a pod or container
+ ErrNoStaticIPRootless error = errors.New("rootless containers and pods cannot be assigned static IP addresses")
+ // ErrNoStaticMACRootless is used when a rootless user requests to assign a static MAC address
+ // to a pod or container
+ ErrNoStaticMACRootless error = errors.New("rootless containers and pods cannot be assigned static MAC addresses")
+)
+
 // NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs
 func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator {
 csc := ContainerStorageConfig{} |
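Review bot: `ErrNoStaticIPRootless error = errors.New(...)` spells out the `error` type that errors.New already yields; the usual form is `ErrNoStaticIPRootless = errors.New("rootless containers and pods cannot be assigned static IP addresses")`, and likewise for ErrNoStaticMACRootless. The doc comments would serve callers better if they named where the errors come from, which this diff shows: `// ErrNoStaticIPRootless is returned by SpecGenerator.Validate and PodSpecGenerator.Validate when a rootless user requests a static IP address for a container or pod.` Note that this file now imports the standard library errors package while the other files in the diff use github.com/pkg/errors; that is fine as long as nothing in this file expects the pkg/errors API.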