Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/secrets/secrets.go | 81 | ||||
-rw-r--r-- | pkg/varlinkapi/config.go | 14 | ||||
-rw-r--r-- | pkg/varlinkapi/containers.go | 111 | ||||
-rw-r--r-- | pkg/varlinkapi/images.go | 75 | ||||
-rw-r--r-- | pkg/varlinkapi/system.go | 30 |
5 files changed, 304 insertions, 7 deletions
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index be825d906..9b328575b 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -2,7 +2,6 @@ package secrets
 
 import (
 "bufio"
- "fmt"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -127,9 +126,35 @@ func getMountsMap(path string) (string, string, error) {
 return "", "", errors.Errorf("unable to get host and container dir")
 }
 
-// SecretMounts copies the contents of host directory to container directory
+// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+func SecretMounts(mountLabel, containerWorkingDir string) []rspec.Mount {
+ var secretMounts []rspec.Mount
+ // Add secrets from paths given in the mounts.conf files
+ for _, file := range []string{OverrideMountsFile, DefaultMountsFile} {
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir)
+ if err != nil {
+ logrus.Warnf("error mounting secrets, skipping: %v", err)
+ }
+ secretMounts = append(secretMounts, mounts...)
+ }
+
+ // Add FIPS mode secret if /etc/system-fips exists on the host
+ _, err := os.Stat("/etc/system-fips")
+ if err == nil {
+ if err := addFIPSsModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ logrus.Warnf("error adding FIPS mode secret to container: %v", err)
+ }
+ } else if os.IsNotExist(err) {
+ logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
+ } else {
+ logrus.Errorf("error stating /etc/system-fips for FIPS mode secret: %v", err)
+ }
+ return secretMounts
+}
+
+// addSecretsFromMountsFile copies the contents of host directory to container directory
 // and returns a list of mounts
-func SecretMounts(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mount, error) {
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mount, error) {
 var mounts []rspec.Mount
 defaultMountsPaths := getMounts(filePath)
 for _, path := range defaultMountsPaths {
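Review bot: The new `SecretMounts` turns every failure from `addSecretsFromMountsFile` into `logrus.Warnf("error mounting secrets, skipping: %v", err)` and returns a plain slice, so a mounts.conf entry whose host directory cannot be read or copied now yields a container that starts without the secrets it was configured with, where the previous `([]rspec.Mount, error)` signature let the caller abort. If best-effort is the intended contract, state it on the exported function — `// SecretMounts ... Errors from an individual mounts file are logged and that file is skipped; the result may be empty.` — so callers that depend on the secrets know to verify the returned mounts. The call site spells the helper `addFIPSsModeSecret` (extra `s`) while its doc comment in the later hunk of this file reads `addFIPSModeSecret`; renaming the function to `addFIPSModeSecret` at both places fixes the typo and the comment/name mismatch.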
@@ -144,15 +169,12 @@ func SecretMounts(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mou
 }
 ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
- if err = os.RemoveAll(ctrDirOnHost); err != nil {
- return nil, fmt.Errorf("remove container directory failed: %v", err)
- }
 // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
 _, err = os.Stat(ctrDirOnHost)
 if os.IsNotExist(err) {
 if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
- return nil, fmt.Errorf("making container directory failed: %v", err)
+ return nil, errors.Wrapf(err, "making container directory failed")
 }
 hostDir, err = resolveSymbolicLink(hostDir)
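Review bot: With `os.RemoveAll(ctrDirOnHost)` gone, `_, err = os.Stat(ctrDirOnHost)` is what decides whether secrets get copied, but only `os.IsNotExist(err)` is examined: a stat failure for any other reason (for example a permission error under `containerWorkingDir`) silently skips the copy, and from the visible lines it appears the function carries on as if the secrets were already in place. Guarding before the branch, `if err != nil && !os.IsNotExist(err) { return nil, errors.Wrapf(err, "stating container directory %s", ctrDirOnHost) }`, keeps that failure visible to the caller. Dropping the wipe also means a secret rotated or removed on the host after the directory was first populated is never refreshed for that container; that matches the restart comment, but it is worth stating there explicitly, e.g. `// ... existing contents are reused as-is and are not re-synced from the host`. The enclosing function (`addSecretsFromMountsFile` after this commit) starts and ends outside the hunk.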
@@ -190,6 +212,51 @@ func SecretMounts(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mou
 return mounts, nil
 }
 
+// addFIPSModeSecret creates /run/secrets/system-fips in the container
+// root filesystem if /etc/system-fips exists on hosts.
+// This enables the container to be FIPS compliant and run openssl in
+// FIPS mode as the host is also in FIPS mode.
+func addFIPSsModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+ secretsDir := "/run/secrets"
+ ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ return errors.Wrapf(err, "making container directory on host failed")
+ }
+ }
+ fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+ // In the event of restart, it is possible for the FIPS mode file to already exist
+ if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
+ file, err := os.Create(fipsFile)
+ if err != nil {
+ return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
+ }
+ defer file.Close()
+ }
+
+ if !mountExists(*mounts, secretsDir) {
+ m := rspec.Mount{
+ Source: ctrDirOnHost,
+ Destination: secretsDir,
+ Type: "bind",
+ Options: []string{"bind"},
+ }
+ *mounts = append(*mounts, m)
+ }
+
+ return nil
+}
+
+// mountExists checks if a mount already exists in the spec
+func mountExists(mounts []rspec.Mount, dest string) bool {
+ for _, mount := range mounts {
+ if mount.Destination == dest {
+ return true
+ }
+ }
+ return false
+}
+
 // resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
 // path; if not, returns the original path.
 func resolveSymbolicLink(path string) (string, error) {
diff --git a/pkg/varlinkapi/config.go b/pkg/varlinkapi/config.go
new file mode 100644
index 000000000..167270f09
--- /dev/null
+++ b/pkg/varlinkapi/config.go
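Review bot: In `addFIPSsModeSecret` both `os.Stat` checks treat every error other than ENOENT as "already exists", so a permission or I/O failure on `ctrDirOnHost` or `fipsFile` skips the `MkdirAll`/`Create` and the bind mount is still appended with a source that was never verified; checking `err != nil && !os.IsNotExist(err)` first and returning it would surface the problem instead. The marker file is empty, so `defer file.Close()` (whose result is discarded and which only runs at function return) can become an immediate, checked close: `if err := file.Close(); err != nil { return errors.Wrapf(err, "closing system-fips file") }`. The doc comment names `addFIPSModeSecret` while the function is `addFIPSsModeSecret`; make them agree so the comment is attached to the right name. The mount is added with only `Options: []string{"bind"}`; unless something in the container must write under `/run/secrets`, which this hunk does not show, adding `"ro"` would keep the copied secrets from being altered from inside the container.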
@@ -0,0 +1,14 @@
+package varlinkapi
+
+import "github.com/projectatomic/libpod/cmd/podman/ioprojectatomicpodman"
+
+// LibpodAPI is the basic varlink struct for libpod
+type LibpodAPI struct {
+ ioprojectatomicpodman.VarlinkInterface
+}
+
+var (
+ lp = LibpodAPI{}
+ // VarlinkLibpod instantiation
+ VarlinkLibpod = ioprojectatomicpodman.VarlinkNew(&lp)
+)
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
new file mode 100644
index 000000000..e58cab497
--- /dev/null
+++ b/pkg/varlinkapi/containers.go
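Review bot: The comment on the exported `VarlinkLibpod` does not start with its name, so godoc and golint will not attach it; `// VarlinkLibpod is the varlink service instance that serves LibpodAPI.` reads better. `lp` and `VarlinkLibpod` are package-level state constructed at import time via `ioprojectatomicpodman.VarlinkNew(&lp)`; if the generated code allows it, a small constructor returning the service would let callers and tests own the instance rather than sharing one global.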
@@ -0,0 +1,111 @@
+package varlinkapi
+
+import (
+ "github.com/projectatomic/libpod/cmd/podman/ioprojectatomicpodman"
+)
+
+// ListContainers ...
+func (i *LibpodAPI) ListContainers(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ListContainers")
+}
+
+// CreateContainer ...
+func (i *LibpodAPI) CreateContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("CreateContainer")
+}
+
+// InspectContainer ...
+func (i *LibpodAPI) InspectContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("InspectContainer")
+}
+
+// ListContainerProcesses ...
+func (i *LibpodAPI) ListContainerProcesses(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ListContainerProcesses")
+}
+
+// GetContainerLogs ...
+func (i *LibpodAPI) GetContainerLogs(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("GetContainerLogs")
+}
+
+// ListContainerChanges ...
+func (i *LibpodAPI) ListContainerChanges(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ListContianerChanges")
+}
+
+// ExportContainer ...
+func (i *LibpodAPI) ExportContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ExportContainer")
+}
+
+// GetContainerStats ...
+func (i *LibpodAPI) GetContainerStats(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("GetContainerStates")
+}
+
+// ResizeContainerTty ...
+func (i *LibpodAPI) ResizeContainerTty(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ResizeContainerTty")
+}
+
+// StartContainer ...
+func (i *LibpodAPI) StartContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("StartContainer")
+}
+
+// StopContainer ...
+func (i *LibpodAPI) StopContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("StopContainer")
+}
+
+// RestartContainer ...
+func (i *LibpodAPI) RestartContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("RestartContainer")
+}
+
+// KillContainer ...
+func (i *LibpodAPI) KillContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("KillContainer")
+}
+
+// UpdateContainer ...
+func (i *LibpodAPI) UpdateContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("UpdateContainer")
+}
+
+// RenameContainer ...
+func (i *LibpodAPI) RenameContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("RenameContainer")
+}
+
+// PauseContainer ...
+func (i *LibpodAPI) PauseContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("PauseContainer")
+}
+
+// UnpauseContainer ...
+func (i *LibpodAPI) UnpauseContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("UnpauseContainer")
+}
+
+// AttachToContainer ...
+// TODO: DO we also want a different one for websocket?
+func (i *LibpodAPI) AttachToContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("AttachToContainer")
+}
+
+// WaitContainer ...
+func (i *LibpodAPI) WaitContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("WaitContainer")
+}
+
+// RemoveContainer ...
+func (i *LibpodAPI) RemoveContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("RemoveContainer")
+}
+
+// DeleteStoppedContainers ...
+func (i *LibpodAPI) DeleteStoppedContainers(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("DeleteContainer")
+}
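Review bot: Three stubs reply with a method name different from the one the client invoked: `ListContainerChanges` returns `ReplyMethodNotImplemented("ListContianerChanges")`, `GetContainerStats` returns `("GetContainerStates")`, and `DeleteStoppedContainers` returns `("DeleteContainer")`, which gives callers a misleading error to act on. Each should pass its own name: `return call.ReplyMethodNotImplemented("ListContainerChanges")`, `return call.ReplyMethodNotImplemented("GetContainerStats")`, `return call.ReplyMethodNotImplemented("DeleteStoppedContainers")`. The `// Name ...` doc comments here and throughout `pkg/varlinkapi/images.go` say nothing beyond the name; a one-line description of the intended call, or a note that the method is a placeholder, would make the generated docs useful.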
diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go
new file mode 100644
index 000000000..1de54e43b
--- /dev/null
+++ b/pkg/varlinkapi/images.go
@@ -0,0 +1,75 @@
+package varlinkapi
+
+import (
+ "github.com/projectatomic/libpod/cmd/podman/ioprojectatomicpodman"
+)
+
+// ListImages ...
+func (i *LibpodAPI) ListImages(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ListImages")
+}
+
+// BuildImage ...
+func (i *LibpodAPI) BuildImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("BuildImage")
+}
+
+// CreateImage ...
+func (i *LibpodAPI) CreateImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("CreateImage")
+}
+
+// InspectImage ...
+func (i *LibpodAPI) InspectImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("InspectImage")
+}
+
+// HistoryImage ...
+func (i *LibpodAPI) HistoryImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("HistoryImage")
+}
+
+// PushImage ...
+func (i *LibpodAPI) PushImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("PushImage")
+}
+
+// TagImage ...
+func (i *LibpodAPI) TagImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("TagImage")
+}
+
+// RemoveImage ...
+func (i *LibpodAPI) RemoveImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("RemoveImage")
+}
+
+// SearchImage ...
+func (i *LibpodAPI) SearchImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("SearchImage")
+}
+
+// DeleteUnusedImages ...
+func (i *LibpodAPI) DeleteUnusedImages(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("DeleteUnusedImages")
+}
+
+// CreateFromContainer ...
+func (i *LibpodAPI) CreateFromContainer(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("CreateFromContainer")
+}
+
+// ImportImage ...
+func (i *LibpodAPI) ImportImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ImportImage")
+}
+
+// ExportImage ...
+func (i *LibpodAPI) ExportImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("ExportImage")
+}
+
+// PullImage ...
+func (i *LibpodAPI) PullImage(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyMethodNotImplemented("PullImage")
+}
diff --git a/pkg/varlinkapi/system.go b/pkg/varlinkapi/system.go
new file mode 100644
index 000000000..c343f1245
--- /dev/null
+++ b/pkg/varlinkapi/system.go
@@ -0,0 +1,30 @@
+package varlinkapi
+
+import (
+ "github.com/projectatomic/libpod/cmd/podman/ioprojectatomicpodman"
+ "github.com/projectatomic/libpod/libpod"
+)
+
+// GetVersion ...
+func (i *LibpodAPI) GetVersion(call ioprojectatomicpodman.VarlinkCall) error {
+ versionInfo, err := libpod.GetVersion()
+ if err != nil {
+ return err
+ }
+
+ return call.ReplyGetVersion(ioprojectatomicpodman.Version{
+ Version: versionInfo.Version,
+ Go_version: versionInfo.GoVersion,
+ Git_commit: versionInfo.GitCommit,
+ Built: versionInfo.Built,
+ Os_arch: versionInfo.OsArch,
+ })
+}
+
+// Ping returns a simple string "OK" response for clients to make sure
+// the service is working.
+func (i *LibpodAPI) Ping(call ioprojectatomicpodman.VarlinkCall) error {
+ return call.ReplyPing(ioprojectatomicpodman.StringResponse{
+ Message: "OK",
+ })
+} |
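Review bot: `GetVersion` hands the raw error from `libpod.GetVersion()` back to the varlink dispatcher instead of answering the call, so a client sees the request fail without a structured reply and the operator gets an error with no context about which call produced it. If the generated `VarlinkCall` offers an error reply method, return that here; at minimum wrap the error, `return errors.Wrapf(err, "getting libpod version")`, noting that this file's import block does not yet bring `errors` in. `Ping` is fine as written.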