summaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/container_validate.go8
-rw-r--r--pkg/specgen/generate/kube/kube.go3
-rw-r--r--pkg/specgen/generate/namespaces.go12
-rw-r--r--pkg/specgen/generate/pod_create.go9
-rw-r--r--pkg/specgen/generate/ports.go2
-rw-r--r--pkg/specgen/generate/security.go5
-rw-r--r--pkg/specgen/generate/validate.go9
-rw-r--r--pkg/specgen/namespaces.go68
-rw-r--r--pkg/specgen/namespaces_test.go25
-rw-r--r--pkg/specgen/podspecgen.go5
10 files changed, 48 insertions, 98 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 355fbc368..5616a4511 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -4,9 +4,9 @@ import (
"strconv"
"strings"
+ "github.com/containers/common/pkg/util"
"github.com/containers/podman/v4/libpod/define"
"github.com/containers/podman/v4/pkg/rootless"
- "github.com/containers/podman/v4/pkg/util"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -183,10 +183,12 @@ func (s *SpecGenerator) Validate() error {
}
// Set defaults if network info is not provided
- if s.NetNS.NSMode == "" {
- s.NetNS.NSMode = Bridge
+ // when we are rootless we default to slirp4netns
+ if s.NetNS.IsPrivate() || s.NetNS.IsDefault() {
if rootless.IsRootless() {
s.NetNS.NSMode = Slirp
+ } else {
+ s.NetNS.NSMode = Bridge
}
}
if err := validateNetNS(&s.NetNS); err != nil {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index f37d79798..689c740f0 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -16,6 +16,7 @@ import (
"github.com/containers/common/libnetwork/types"
"github.com/containers/common/pkg/parse"
"github.com/containers/common/pkg/secrets"
+ cutil "github.com/containers/common/pkg/util"
"github.com/containers/image/v5/manifest"
"github.com/containers/podman/v4/libpod/define"
ann "github.com/containers/podman/v4/pkg/annotations"
@@ -356,7 +357,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
// a selinux mount option exists for it
for k, v := range opts.Annotations {
// Make sure the z/Z option is not already there (from editing the YAML)
- if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) {
+ if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !cutil.StringInSlice("z", options) && !cutil.StringInSlice("Z", options) {
options = append(options, v)
}
}
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 37d561ec2..4dd6b3eaf 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -236,10 +236,12 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
toReturn = append(toReturn, libpod.WithCgroupsMode(s.CgroupsMode))
}
- // Net
- // TODO validate CNINetworks, StaticIP, StaticIPv6 are only set if we
- // are in bridge mode.
postConfigureNetNS := !s.UserNS.IsHost()
+ // when we are rootless we default to slirp4netns
+ if rootless.IsRootless() && (s.NetNS.IsPrivate() || s.NetNS.IsDefault()) {
+ s.NetNS.NSMode = specgen.Slirp
+ }
+
switch s.NetNS.NSMode {
case specgen.FromPod:
if pod == nil || infraCtr == nil {
@@ -262,9 +264,7 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
}
toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, val, nil))
- case specgen.Private:
- fallthrough
- case specgen.Bridge:
+ case specgen.Bridge, specgen.Private, specgen.Default:
portMappings, expose, err := createPortMappings(s, imageData)
if err != nil {
return nil, err
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 5b7bb2b57..d4f281a11 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -141,6 +141,9 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
case specgen.Bridge:
p.InfraContainerSpec.NetNS.NSMode = specgen.Bridge
logrus.Debugf("Pod using bridge network mode")
+ case specgen.Private:
+ p.InfraContainerSpec.NetNS.NSMode = specgen.Private
+ logrus.Debugf("Pod will use default network mode")
case specgen.Host:
logrus.Debugf("Pod will use host networking")
if len(p.InfraContainerSpec.PortMappings) > 0 ||
@@ -151,15 +154,15 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
p.InfraContainerSpec.NetNS.NSMode = specgen.Host
case specgen.Slirp:
logrus.Debugf("Pod will use slirp4netns")
- if p.InfraContainerSpec.NetNS.NSMode != "host" {
+ if p.InfraContainerSpec.NetNS.NSMode != specgen.Host {
p.InfraContainerSpec.NetworkOptions = p.NetworkOptions
- p.InfraContainerSpec.NetNS.NSMode = specgen.NamespaceMode("slirp4netns")
+ p.InfraContainerSpec.NetNS.NSMode = specgen.Slirp
}
case specgen.NoNetwork:
logrus.Debugf("Pod will not use networking")
if len(p.InfraContainerSpec.PortMappings) > 0 ||
len(p.InfraContainerSpec.Networks) > 0 ||
- p.InfraContainerSpec.NetNS.NSMode == "host" {
+ p.InfraContainerSpec.NetNS.NSMode == specgen.Host {
return nil, errors.Wrapf(define.ErrInvalidArg, "cannot disable pod network if network-related configuration is specified")
}
p.InfraContainerSpec.NetNS.NSMode = specgen.NoNetwork
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index bec548d3b..4243630e2 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -10,9 +10,9 @@ import (
"github.com/containers/common/libnetwork/types"
"github.com/containers/podman/v4/utils"
+ "github.com/containers/common/pkg/util"
"github.com/containers/podman/v4/pkg/specgen"
"github.com/containers/podman/v4/pkg/specgenutil"
- "github.com/containers/podman/v4/pkg/util"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index ec52164ab..7268ec318 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -7,6 +7,7 @@ import (
"github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/capabilities"
"github.com/containers/common/pkg/config"
+ cutil "github.com/containers/common/pkg/util"
"github.com/containers/podman/v4/libpod"
"github.com/containers/podman/v4/libpod/define"
"github.com/containers/podman/v4/pkg/specgen"
@@ -120,7 +121,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// capabilities, required to run the container.
var capsRequiredRequested []string
for key, val := range s.Labels {
- if util.StringInSlice(key, capabilities.ContainerImageLabels) {
+ if cutil.StringInSlice(key, capabilities.ContainerImageLabels) {
capsRequiredRequested = strings.Split(val, ",")
}
}
@@ -132,7 +133,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
// Verify all capRequired are in the capList
for _, cap := range capsRequired {
- if !util.StringInSlice(cap, caplist) {
+ if !cutil.StringInSlice(cap, caplist) {
privCapsRequired = append(privCapsRequired, cap)
}
}
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index 44c7818e7..a1affef31 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -1,6 +1,7 @@
package generate
import (
+ "io/ioutil"
"os"
"path/filepath"
@@ -166,6 +167,14 @@ func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error
if err != nil {
return warnings, err
}
+
+ if own == "/" {
+ // If running under the root cgroup try to create or reuse a "probe" cgroup to read memory values
+ own = "podman_probe"
+ _ = os.MkdirAll(filepath.Join("/sys/fs/cgroup", own), 0o755)
+ _ = ioutil.WriteFile("/sys/fs/cgroup/cgroup.subtree_control", []byte("+memory"), 0o644)
+ }
+
memoryMax := filepath.Join("/sys/fs/cgroup", own, "memory.max")
memorySwapMax := filepath.Join("/sys/fs/cgroup", own, "memory.swap.max")
_, errMemoryMax := os.Stat(memoryMax)
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 7a7ca2706..f1343f6e2 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -8,8 +8,8 @@ import (
"github.com/containers/common/libnetwork/types"
"github.com/containers/common/pkg/cgroups"
+ cutil "github.com/containers/common/pkg/util"
"github.com/containers/podman/v4/libpod/define"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/pkg/util"
"github.com/containers/storage"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -318,62 +318,6 @@ func ParseUserNamespace(ns string) (Namespace, error) {
return ParseNamespace(ns)
}
-// ParseNetworkNamespace parses a network namespace specification in string
-// form.
-// Returns a namespace and (optionally) a list of CNI networks to join.
-func ParseNetworkNamespace(ns string, rootlessDefaultCNI bool) (Namespace, map[string]types.PerNetworkOptions, error) {
- toReturn := Namespace{}
- networks := make(map[string]types.PerNetworkOptions)
- // Net defaults to Slirp on rootless
- switch {
- case ns == string(Slirp), strings.HasPrefix(ns, string(Slirp)+":"):
- toReturn.NSMode = Slirp
- case ns == string(FromPod):
- toReturn.NSMode = FromPod
- case ns == "" || ns == string(Default) || ns == string(Private):
- if rootless.IsRootless() {
- if rootlessDefaultCNI {
- toReturn.NSMode = Bridge
- } else {
- toReturn.NSMode = Slirp
- }
- } else {
- toReturn.NSMode = Bridge
- }
- case ns == string(Bridge):
- toReturn.NSMode = Bridge
- case ns == string(NoNetwork):
- toReturn.NSMode = NoNetwork
- case ns == string(Host):
- toReturn.NSMode = Host
- case strings.HasPrefix(ns, "ns:"):
- split := strings.SplitN(ns, ":", 2)
- if len(split) != 2 {
- return toReturn, nil, errors.Errorf("must provide a path to a namespace when specifying \"ns:\"")
- }
- toReturn.NSMode = Path
- toReturn.Value = split[1]
- case strings.HasPrefix(ns, string(FromContainer)+":"):
- split := strings.SplitN(ns, ":", 2)
- if len(split) != 2 {
- return toReturn, nil, errors.Errorf("must provide name or ID or a container when specifying \"container:\"")
- }
- toReturn.NSMode = FromContainer
- toReturn.Value = split[1]
- default:
- // Assume we have been given a list of CNI networks.
- // Which only works in bridge mode, so set that.
- networkList := strings.Split(ns, ",")
- for _, net := range networkList {
- networks[net] = types.PerNetworkOptions{}
- }
-
- toReturn.NSMode = Bridge
- }
-
- return toReturn, networks, nil
-}
-
// ParseNetworkFlag parses a network string slice into the network options
// If the input is nil or empty it will use the default setting from containers.conf
func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetworkOptions, map[string][]string, error) {
@@ -399,13 +343,7 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork
case ns == string(FromPod):
toReturn.NSMode = FromPod
case ns == "" || ns == string(Default) || ns == string(Private):
- // Net defaults to Slirp on rootless
- if rootless.IsRootless() {
- toReturn.NSMode = Slirp
- break
- }
- // if root we use bridge
- fallthrough
+ toReturn.NSMode = Private
case ns == string(Bridge), strings.HasPrefix(ns, string(Bridge)+":"):
toReturn.NSMode = Bridge
parts := strings.SplitN(ns, ":", 2)
@@ -472,7 +410,7 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork
if parts[0] == "" {
return toReturn, nil, nil, errors.Wrapf(define.ErrInvalidArg, "network name cannot be empty")
}
- if util.StringInSlice(parts[0], []string{string(Bridge), string(Slirp), string(FromPod), string(NoNetwork),
+ if cutil.StringInSlice(parts[0], []string{string(Bridge), string(Slirp), string(FromPod), string(NoNetwork),
string(Default), string(Private), string(Path), string(FromContainer), string(Host)}) {
return toReturn, nil, nil, errors.Wrapf(define.ErrInvalidArg, "can only set extra network names, selected mode %s conflicts with bridge", parts[0])
}
diff --git a/pkg/specgen/namespaces_test.go b/pkg/specgen/namespaces_test.go
index 368c92bd5..d03a6d032 100644
--- a/pkg/specgen/namespaces_test.go
+++ b/pkg/specgen/namespaces_test.go
@@ -5,7 +5,6 @@ import (
"testing"
"github.com/containers/common/libnetwork/types"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/stretchr/testify/assert"
)
@@ -17,14 +16,6 @@ func parsMacNoErr(mac string) types.HardwareAddr {
func TestParseNetworkFlag(t *testing.T) {
// root and rootless have different defaults
defaultNetName := "default"
- defaultNetworks := map[string]types.PerNetworkOptions{
- defaultNetName: {},
- }
- defaultNsMode := Namespace{NSMode: Bridge}
- if rootless.IsRootless() {
- defaultNsMode = Namespace{NSMode: Slirp}
- defaultNetworks = map[string]types.PerNetworkOptions{}
- }
tests := []struct {
name string
@@ -37,26 +28,26 @@ func TestParseNetworkFlag(t *testing.T) {
{
name: "empty input",
args: nil,
- nsmode: defaultNsMode,
- networks: defaultNetworks,
+ nsmode: Namespace{NSMode: Private},
+ networks: map[string]types.PerNetworkOptions{},
},
{
name: "empty string as input",
args: []string{},
- nsmode: defaultNsMode,
- networks: defaultNetworks,
+ nsmode: Namespace{NSMode: Private},
+ networks: map[string]types.PerNetworkOptions{},
},
{
name: "default mode",
args: []string{"default"},
- nsmode: defaultNsMode,
- networks: defaultNetworks,
+ nsmode: Namespace{NSMode: Private},
+ networks: map[string]types.PerNetworkOptions{},
},
{
name: "private mode",
args: []string{"private"},
- nsmode: defaultNsMode,
- networks: defaultNetworks,
+ nsmode: Namespace{NSMode: Private},
+ networks: map[string]types.PerNetworkOptions{},
},
{
name: "bridge mode",
diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go
index 603506241..777097ac5 100644
--- a/pkg/specgen/podspecgen.go
+++ b/pkg/specgen/podspecgen.go
@@ -4,6 +4,7 @@ import (
"net"
"github.com/containers/common/libnetwork/types"
+ storageTypes "github.com/containers/storage/types"
spec "github.com/opencontainers/runtime-spec/specs-go"
)
@@ -222,6 +223,10 @@ type PodResourceConfig struct {
type PodSecurityConfig struct {
SecurityOpt []string `json:"security_opt,omitempty"`
+ // IDMappings are UID and GID mappings that will be used by user
+ // namespaces.
+ // Required if UserNS is private.
+ IDMappings *storageTypes.IDMappingOptions `json:"idmappings,omitempty"`
}
// NewPodSpecGenerator creates a new pod spec
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-14 07:21:55 +0000