summaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/container_validate.go9
-rw-r--r--pkg/specgen/generate/config_linux.go1
-rw-r--r--pkg/specgen/generate/container_create.go16
-rw-r--r--pkg/specgen/generate/oci.go8
-rw-r--r--pkg/specgen/generate/ports.go1
-rw-r--r--pkg/specgen/pod_validate.go11
-rw-r--r--pkg/specgen/specgen.go10
7 files changed, 44 insertions, 12 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index bf03ff0e7..622313a04 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -28,6 +28,15 @@ func exclusiveOptions(opt1, opt2 string) error {
// input for creating a container.
func (s *SpecGenerator) Validate() error {
+ if rootless.IsRootless() {
+ if s.StaticIP != nil || s.StaticIPv6 != nil {
+ return ErrNoStaticIPRootless
+ }
+ if s.StaticMAC != nil {
+ return ErrNoStaticMACRootless
+ }
+ }
+
//
// ContainerBasicConfig
//
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index b2d79f01b..9b6bd2827 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -150,6 +150,7 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
+ "/sys/dev",
} {
g.AddLinuxMaskedPaths(mp)
}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 1bcd33672..c1ceac69e 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -106,11 +106,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
return nil, err
}
- if s.PreserveFDs > 0 {
- options = append(options, libpod.WithPreserveFDs(s.PreserveFDs))
+ command, err := makeCommand(ctx, s, newImage, rtc)
+ if err != nil {
+ return nil, err
}
- opts, err := createContainerOptions(ctx, rt, s, pod, finalVolumes, newImage)
+ opts, err := createContainerOptions(ctx, rt, s, pod, finalVolumes, newImage, command)
if err != nil {
return nil, err
}
@@ -122,17 +123,21 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
}
options = append(options, libpod.WithExitCommand(exitCommandArgs))
- runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod)
+ runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod, command)
if err != nil {
return nil, err
}
return rt.NewContainer(ctx, runtimeSpec, options...)
}
-func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, img *image.Image) ([]libpod.CtrCreateOption, error) {
+func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, img *image.Image, command []string) ([]libpod.CtrCreateOption, error) {
var options []libpod.CtrCreateOption
var err error
+ if s.PreserveFDs > 0 {
+ options = append(options, libpod.WithPreserveFDs(s.PreserveFDs))
+ }
+
if s.Stdin {
options = append(options, libpod.WithStdin())
}
@@ -148,7 +153,6 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
case "false":
break
case "", "true":
- command := s.Command
if len(command) == 0 {
command, err = img.Cmd(ctx)
if err != nil {
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 0a485e7cd..140dc5092 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -87,7 +87,7 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image
finalCommand := []string{}
entrypoint := s.Entrypoint
- if len(entrypoint) == 0 && img != nil {
+ if entrypoint == nil && img != nil {
newEntry, err := img.Entrypoint(ctx)
if err != nil {
return nil, err
@@ -126,7 +126,7 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image
return finalCommand, nil
}
-func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod) (*spec.Spec, error) {
+func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) {
var (
inUserNS bool
)
@@ -252,10 +252,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
g.SetProcessCwd(s.WorkDir)
- finalCmd, err := makeCommand(ctx, s, newImage, rtc)
- if err != nil {
- return nil, err
- }
g.SetProcessArgs(finalCmd)
g.SetProcessTerminal(s.Terminal)
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index 9412ecfbf..c8d1c27c5 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -356,6 +356,7 @@ func checkProtocol(protocol string, allowSCTP bool) ([]string, error) {
splitProto := strings.Split(protocol, ",")
// Don't error on duplicates - just deduplicate
for _, p := range splitProto {
+ p = strings.ToLower(p)
switch p {
case protoTCP, "":
protocols[protoTCP] = struct{}{}
diff --git a/pkg/specgen/pod_validate.go b/pkg/specgen/pod_validate.go
index 070bb1e41..69c3b58ed 100644
--- a/pkg/specgen/pod_validate.go
+++ b/pkg/specgen/pod_validate.go
@@ -1,6 +1,7 @@
package specgen
import (
+ "github.com/containers/libpod/v2/pkg/rootless"
"github.com/containers/libpod/v2/pkg/util"
"github.com/pkg/errors"
)
@@ -18,6 +19,16 @@ func exclusivePodOptions(opt1, opt2 string) error {
// Validate verifies the input is valid
func (p *PodSpecGenerator) Validate() error {
+
+ if rootless.IsRootless() {
+ if p.StaticIP != nil {
+ return ErrNoStaticIPRootless
+ }
+ if p.StaticMAC != nil {
+ return ErrNoStaticMACRootless
+ }
+ }
+
// PodBasicConfig
if p.NoInfra {
if len(p.InfraCommand) > 0 {
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 16d4b7c8c..17583d82a 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -1,6 +1,7 @@
package specgen
import (
+ "errors"
"net"
"syscall"
@@ -469,6 +470,15 @@ type PortMapping struct {
Protocol string `json:"protocol,omitempty"`
}
+var (
+ // ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
+ // to a pod or container
+ ErrNoStaticIPRootless error = errors.New("rootless containers and pods cannot be assigned static IP addresses")
+ // ErrNoStaticMACRootless is used when a rootless user requests to assign a static MAC address
+ // to a pod or container
+ ErrNoStaticMACRootless error = errors.New("rootless containers and pods cannot be assigned static MAC addresses")
+)
+
// NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs
func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator {
csc := ContainerStorageConfig{}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-18 17:21:15 +0000