diff options
Diffstat (limited to 'pkg/specgen')
| -rw-r--r-- | pkg/specgen/generate/config_linux.go | 23 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/kube.go | 5 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/volume.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/ports.go | 12 | ||||
| -rw-r--r-- | pkg/specgen/generate/security.go | 2 |
5 files changed, 27 insertions, 17 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 1808f99b8..e0b039fb7 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask g.AddLinuxMaskedPaths(mp) } } + for _, rp := range []string{ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + } { + if !util.StringInSlice(rp, unmask) { + g.AddLinuxReadonlyPaths(rp) + } + } } if pidModeIsHost && rootless.IsRootless() { return } - - for _, rp := range []string{ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - } { - g.AddLinuxReadonlyPaths(rp) - } } // mask the paths provided by the user diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index 5f72d28bb..5cc7891ac 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -148,6 +148,11 @@ func ToSpecGen(ctx context.Context, containerYAML v1.Container, iid string, newI // Environment Variables envs := map[string]string{} + for _, env := range imageData.Config.Env { + keyval := strings.Split(env, "=") + envs[keyval[0]] = keyval[1] + } + for _, env := range containerYAML.Env { value := envVarValue(env, configMaps) diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go index 2ef0f4c23..bb8edabb7 100644 --- a/pkg/specgen/generate/kube/volume.go +++ b/pkg/specgen/generate/kube/volume.go @@ -103,7 +103,7 @@ func VolumeFromSource(volumeSource v1.VolumeSource) (*KubeVolume, error) { } else if volumeSource.PersistentVolumeClaim != nil { return VolumeFromPersistentVolumeClaim(volumeSource.PersistentVolumeClaim) } else { - return nil, errors.Errorf("HostPath and PersistentVolumeClaim are currently the conly supported VolumeSource") + return nil, errors.Errorf("HostPath and PersistentVolumeClaim are currently the only supported VolumeSource") } } diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go index 5c13c95b2..83ded059f 100644 --- a/pkg/specgen/generate/ports.go +++ b/pkg/specgen/generate/ports.go @@ -107,7 +107,11 @@ func parsePortMapping(portMappings []specgen.PortMapping) ([]ocicni.PortMapping, var index uint16 for index = 0; index < len; index++ { cPort := containerPort + index - hPort := hostPort + index + hPort := hostPort + // Only increment host port if it's not 0. + if hostPort != 0 { + hPort += index + } if cPort == 0 { return nil, nil, nil, errors.Errorf("container port cannot be 0") @@ -162,8 +166,8 @@ func parsePortMapping(portMappings []specgen.PortMapping) ([]ocicni.PortMapping, tempMappings, tempMapping{ mapping: cniPort, - startOfRange: port.Range > 0 && index == 0, - isInRange: port.Range > 0, + startOfRange: port.Range > 1 && index == 0, + isInRange: port.Range > 1, }, ) } @@ -183,7 +187,7 @@ func parsePortMapping(portMappings []specgen.PortMapping) ([]ocicni.PortMapping, for _, tmp := range tempMappings { p := tmp.mapping - if p.HostPort != 0 && !tmp.isInRange { + if p.HostPort != 0 { remadeMappings = append(remadeMappings, p) continue } diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index dee140282..56947ff24 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -141,7 +141,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec.Process.Capabilities.Effective = caplist configSpec.Process.Capabilities.Permitted = caplist } else { - userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd) + userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) if err != nil { return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) } |