diff options
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/domain/entities/containers.go | 1 | ||||
| -rw-r--r-- | pkg/rootless/rootless_linux.go | 3 | ||||
| -rw-r--r-- | pkg/specgen/container_validate.go | 4 | ||||
| -rw-r--r-- | pkg/specgen/generate/container_create.go | 4 | ||||
| -rw-r--r-- | pkg/specgen/specgen.go | 6 |
5 files changed, 13 insertions, 5 deletions
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go index b4d8e6c29..9ea572293 100644 --- a/pkg/domain/entities/containers.go +++ b/pkg/domain/entities/containers.go @@ -294,6 +294,7 @@ type ContainerRunOptions struct { ErrorStream *os.File InputStream *os.File OutputStream *os.File + PreserveFDs uint Rm bool SigProxy bool Spec *specgen.SpecGenerator diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 3de136f12..01f5b1206 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -166,7 +166,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { } mappings, err := idtools.NewIDMappings(username, username) if err != nil { - logrus.Errorf("cannot find mappings for user %s: %v", username, err) + logrus.Errorf( + "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) } else { uids = mappings.UIDs() gids = mappings.GIDs() diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go index 45179343b..33bacecaf 100644 --- a/pkg/specgen/container_validate.go +++ b/pkg/specgen/container_validate.go @@ -61,10 +61,6 @@ func (s *SpecGenerator) Validate() error { // // ContainerSecurityConfig // - // groups and privileged are exclusive - if len(s.Groups) > 0 && s.Privileged { - return exclusiveOptions("Groups", "privileged") - } // capadd and privileged are exclusive if len(s.CapAdd) > 0 && s.Privileged { return exclusiveOptions("CapAdd", "privileged") diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 2f7100e7e..ea6f938a8 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -104,6 +104,10 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener return nil, err } + if s.PreserveFDs > 0 { + options = append(options, libpod.WithPreserveFDs(s.PreserveFDs)) + } + opts, err := createContainerOptions(ctx, rt, s, pod, finalVolumes, newImage) if err != nil { return nil, err diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index bb01a5d14..46ff8c716 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -130,6 +130,11 @@ type ContainerBasicConfig struct { // Remove indicates if the container should be removed once it has been started // and exits Remove bool `json:"remove"` + // PreserveFDs is a number of additional file descriptors (in addition + // to 0, 1, 2) that will be passed to the executed process. The total FDs + // passed will be 3 + PreserveFDs. + // set tags as `json:"-"` for not supported remote + PreserveFDs uint `json:"-"` } // ContainerStorageConfig contains information on the storage configuration of a @@ -207,6 +212,7 @@ type ContainerSecurityConfig struct { // - Adds all devices on the system to the container. // - Adds all capabilities to the container. // - Disables Seccomp, SELinux, and Apparmor confinement. + // (Though SELinux can be manually re-enabled). // TODO: this conflicts with things. // TODO: this does more. Privileged bool `json:"privileged,omitempty"` |