diff options
Diffstat (limited to 'pkg/specgen')
| -rw-r--r-- | pkg/specgen/config_unsupported.go | 1 | ||||
| -rw-r--r-- | pkg/specgen/generate/config_linux.go | 4 | ||||
| -rw-r--r-- | pkg/specgen/generate/config_linux_cgo.go | 1 | ||||
| -rw-r--r-- | pkg/specgen/generate/config_linux_nocgo.go | 1 | ||||
| -rw-r--r-- | pkg/specgen/generate/container_create.go | 4 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/kube.go | 10 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/kube_test.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/play_test.go | 6 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/seccomp.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/volume.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/oci.go | 6 | ||||
| -rw-r--r-- | pkg/specgen/generate/pod_create.go | 1 | ||||
| -rw-r--r-- | pkg/specgen/generate/ports_bench_test.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/specgen.go | 4 |
14 files changed, 34 insertions, 12 deletions
diff --git a/pkg/specgen/config_unsupported.go b/pkg/specgen/config_unsupported.go index 70a60ac47..a6bf77277 100644 --- a/pkg/specgen/config_unsupported.go +++ b/pkg/specgen/config_unsupported.go @@ -1,3 +1,4 @@ +//go:build !linux // +build !linux package specgen diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index a5772bc6a..35d7f0252 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -262,8 +262,8 @@ func addDevice(g *generate.Generator, device string) error { // ParseDevice parses device mapping string to a src, dest & permissions string func ParseDevice(device string) (string, string, string, error) { //nolint - src := "" - dst := "" + var src string + var dst string permissions := "rwm" arr := strings.Split(device, ":") switch len(arr) { diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go index 239655c72..efab6679a 100644 --- a/pkg/specgen/generate/config_linux_cgo.go +++ b/pkg/specgen/generate/config_linux_cgo.go @@ -1,3 +1,4 @@ +//go:build linux && cgo // +build linux,cgo package generate diff --git a/pkg/specgen/generate/config_linux_nocgo.go b/pkg/specgen/generate/config_linux_nocgo.go index 9ead739a7..99b0c4eb2 100644 --- a/pkg/specgen/generate/config_linux_nocgo.go +++ b/pkg/specgen/generate/config_linux_nocgo.go @@ -1,3 +1,4 @@ +//go:build linux && !cgo // +build linux,!cgo package generate diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index c0b23953f..8ab0eae5a 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -526,6 +526,10 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. options = append(options, libpod.WithPidFile(s.PidFile)) } + if len(s.ChrootDirs) != 0 { + options = append(options, libpod.WithChrootDirs(s.ChrootDirs)) + } + options = append(options, libpod.WithSelectedPasswordManagement(s.Passwd)) return options, nil diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index 5e6671231..df751a780 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -20,6 +20,8 @@ import ( "github.com/containers/podman/v4/libpod/define" ann "github.com/containers/podman/v4/pkg/annotations" "github.com/containers/podman/v4/pkg/domain/entities" + v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" + "github.com/containers/podman/v4/pkg/k8s.io/apimachinery/pkg/api/resource" "github.com/containers/podman/v4/pkg/specgen" "github.com/containers/podman/v4/pkg/specgen/generate" "github.com/containers/podman/v4/pkg/util" @@ -27,8 +29,6 @@ import ( "github.com/docker/go-units" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" - v1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/resource" ) func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, podYAML *v1.PodTemplateSpec) (entities.PodCreateOptions, error) { @@ -277,7 +277,13 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener } annotations := make(map[string]string) + if opts.Annotations != nil { + annotations = opts.Annotations + } if opts.PodInfraID != "" { + if annotations == nil { + + } annotations[ann.SandboxID] = opts.PodInfraID annotations[ann.ContainerType] = ann.ContainerTypeContainer } diff --git a/pkg/specgen/generate/kube/kube_test.go b/pkg/specgen/generate/kube/kube_test.go index 62793ebb6..0898d427d 100644 --- a/pkg/specgen/generate/kube/kube_test.go +++ b/pkg/specgen/generate/kube/kube_test.go @@ -3,8 +3,8 @@ package kube import ( "testing" + v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" "github.com/stretchr/testify/assert" - v1 "k8s.io/api/core/v1" //"github.com/stretchr/testify/require" ) diff --git a/pkg/specgen/generate/kube/play_test.go b/pkg/specgen/generate/kube/play_test.go index 6798fdb1b..448522c2a 100644 --- a/pkg/specgen/generate/kube/play_test.go +++ b/pkg/specgen/generate/kube/play_test.go @@ -11,11 +11,11 @@ import ( "testing" "github.com/containers/common/pkg/secrets" + v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" + "github.com/containers/podman/v4/pkg/k8s.io/apimachinery/pkg/api/resource" + v12 "github.com/containers/podman/v4/pkg/k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/docker/docker/pkg/system" "github.com/stretchr/testify/assert" - v1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/resource" - v12 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func createSecrets(t *testing.T, d string) *secrets.SecretsManager { diff --git a/pkg/specgen/generate/kube/seccomp.go b/pkg/specgen/generate/kube/seccomp.go index b977b6f50..1e681e977 100644 --- a/pkg/specgen/generate/kube/seccomp.go +++ b/pkg/specgen/generate/kube/seccomp.go @@ -5,8 +5,8 @@ import ( "strings" "github.com/containers/podman/v4/libpod" + v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" "github.com/pkg/errors" - v1 "k8s.io/api/core/v1" ) // KubeSeccompPaths holds information about a pod YAML's seccomp configuration diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go index 01f731b60..d57cb5685 100644 --- a/pkg/specgen/generate/kube/volume.go +++ b/pkg/specgen/generate/kube/volume.go @@ -5,9 +5,9 @@ import ( "github.com/containers/common/pkg/parse" "github.com/containers/podman/v4/libpod" + v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" "github.com/pkg/errors" "github.com/sirupsen/logrus" - v1 "k8s.io/api/core/v1" ) const ( diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 8b3550e36..1cc3a463f 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -332,6 +332,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt } // Devices + // set the default rule at the beginning of device configuration + if !inUserNS && !s.Privileged { + g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm") + } + var userDevices []spec.LinuxDevice if s.Privileged { // If privileged, we need to add all the host devices to the @@ -363,7 +368,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt // set the devices cgroup when not running in a user namespace if !inUserNS && !s.Privileged { - g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm") for _, dev := range s.DeviceCgroupRule { g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access) } diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go index 8450fe7ce..ba823f3a8 100644 --- a/pkg/specgen/generate/pod_create.go +++ b/pkg/specgen/generate/pod_create.go @@ -56,6 +56,7 @@ ENTRYPOINT ["/catatonit", "-P"]`, catatonitPath) CommonBuildOpts: &buildahDefine.CommonBuildOptions{}, Output: imageName, Quiet: true, + IgnoreFile: "/dev/null", // makes sure to not read a local .ignorefile (see #13529) IIDFile: "/dev/null", // prevents Buildah from writing the ID on stdout } if _, _, err := rt.Build(context.Background(), buildOptions, tmpF.Name()); err != nil { diff --git a/pkg/specgen/generate/ports_bench_test.go b/pkg/specgen/generate/ports_bench_test.go index f208a34c5..f65cd2f15 100644 --- a/pkg/specgen/generate/ports_bench_test.go +++ b/pkg/specgen/generate/ports_bench_test.go @@ -9,7 +9,7 @@ import ( func benchmarkParsePortMapping(b *testing.B, ports []types.PortMapping) { for n := 0; n < b.N; n++ { - ParsePortMapping(ports, nil) + _, _ = ParsePortMapping(ports, nil) } } diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 7f6f79b87..27d77af9f 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -301,6 +301,10 @@ type ContainerStorageConfig struct { // Volatile specifies whether the container storage can be optimized // at the cost of not syncing all the dirty files in memory. Volatile bool `json:"volatile,omitempty"` + // ChrootDirs is an additional set of directories that need to be + // treated as root directories. Standard bind mounts will be mounted + // into paths relative to these directories. + ChrootDirs []string `json:"chroot_directories,omitempty"` } // ContainerSecurityConfig is a container's security features, including |