Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/api/handlers/libpod/containers_create.go | 17 | ||||
-rw-r--r-- | pkg/specgen/generate/container.go | 7 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 11 | ||||
-rw-r--r-- | pkg/specgen/generate/security.go | 2 | ||||
-rw-r--r-- | pkg/specgenutil/specgen.go | 22 |
5 files changed, 46 insertions, 13 deletions
diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go
index 4f9dc008d..1043dec4d 100644
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"strconv"
 
 	"github.com/containers/podman/v4/libpod"
 	"github.com/containers/podman/v4/pkg/api/handlers/utils"
@@ -11,6 +12,7 @@ import (
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/pkg/specgen/generate"
+	"github.com/containers/podman/v4/pkg/specgenutil"
 	"github.com/pkg/errors"
 )
 
@@ -39,6 +41,20 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		t := true
 		sg.Passwd = &t
 	}
+
+	// need to check for memory limit to adjust swap
+	if sg.ResourceLimits != nil && sg.ResourceLimits.Memory != nil {
+		s := ""
+		var l int64 = 0
+		if sg.ResourceLimits.Memory.Swap != nil {
+			s = strconv.Itoa(int(*sg.ResourceLimits.Memory.Swap))
+		}
+		if sg.ResourceLimits.Memory.Limit != nil {
+			l = *sg.ResourceLimits.Memory.Limit
+		}
+		specgenutil.LimitToSwap(sg.ResourceLimits.Memory, s, l)
+	}
+
 	warn, err := generate.CompleteSpec(r.Context(), runtime, &sg)
 	if err != nil {
 		utils.InternalServerError(w, err)
@@ -54,6 +70,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		utils.InternalServerError(w, err)
 		return
 	}
+
 	response := entities.ContainerCreateResponse{ID: ctr.ID(), Warnings: warn}
 	utils.WriteJSON(w, http.StatusCreated, response)
 }
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index b38b0e695..f7ea2edfa 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
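Review bot: `s = strconv.Itoa(int(*sg.ResourceLimits.Memory.Swap))` narrows the int64 swap value to int before formatting, which truncates on 32-bit builds; since LimitToSwap only tests the string for emptiness, the conversion serves purely as a presence flag, so `strconv.FormatInt(*sg.ResourceLimits.Memory.Swap, 10)` keeps it lossless, or better, the helper could accept a bool. The comment `// need to check for memory limit to adjust swap` would state the intent more precisely as `// default Swap to 2x Limit when the API caller set a memory limit but no swap, matching the CLI path in specgenutil`. Note that this defaulting now runs on client-supplied ResourceLimits in the handler, ahead of CompleteSpec, so it is worth a line saying that is deliberate. CreateContainer's body starts and ends outside this hunk.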
@@ -428,9 +428,12 @@ func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, contaierID s
 		case "cgroup":
 			specg.CgroupNS = specgen.Namespace{NSMode: specgen.Default} //default
 		case "ipc":
-			if conf.ShmDir == "/dev/shm" {
+			switch conf.ShmDir {
+			case "/dev/shm":
 				specg.IpcNS = specgen.Namespace{NSMode: specgen.Host}
-			} else {
+			case "":
+				specg.IpcNS = specgen.Namespace{NSMode: specgen.None}
+			default:
 				specg.IpcNS = specgen.Namespace{NSMode: specgen.Default} //default
 			}
 		case "uts":
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 9ce45aaf0..05c2d1741 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -134,8 +134,17 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		if err != nil {
 			return nil, errors.Wrapf(err, "error looking up container to share ipc namespace with")
 		}
+		if ipcCtr.ConfigNoCopy().NoShmShare {
+			return nil, errors.Errorf("joining IPC of container %s is not allowed: non-shareable IPC (hint: use IpcMode:shareable for the donor container)", ipcCtr.ID())
+		}
 		toReturn = append(toReturn, libpod.WithIPCNSFrom(ipcCtr))
-		toReturn = append(toReturn, libpod.WithShmDir(ipcCtr.ShmDir()))
+		if !ipcCtr.ConfigNoCopy().NoShm {
+			toReturn = append(toReturn, libpod.WithShmDir(ipcCtr.ShmDir()))
+		}
+	case specgen.None:
+		toReturn = append(toReturn, libpod.WithNoShm(true))
+	case specgen.Private:
+		toReturn = append(toReturn, libpod.WithNoShmShare(true))
 	}
 
 	// UTS
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 988c29832..ec52164ab 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
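Review bot: The new `case "":` infers the no-shm state from an empty ShmDir, but nothing in this hunk maps the NoShmShare flag (which the `specgen.Private` case in the namespaces.go hunk sets) back to `specgen.Private`, so a container created with private IPC appears to round-trip through ConfigToSpec as Default. If `conf` here is the same ContainerConfig that exposes `NoShm`/`NoShmShare` via ConfigNoCopy(), testing those fields directly, e.g. `if conf.NoShmShare { specg.IpcNS = specgen.Namespace{NSMode: specgen.Private} }` ahead of the ShmDir switch, would be more explicit than inferring the mode from a directory string. The switch on the namespace kind starts and ends outside the hunk.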
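Review bot: `ipcCtr.ConfigNoCopy()` is called twice in the FromContainer branch, once for NoShmShare and once for NoShm; hoisting it as `ipcCfg := ipcCtr.ConfigNoCopy()` before the first check reads cleaner and makes it obvious both flags come from the same snapshot. Refusing to join a donor marked NoShmShare before any option is appended is the right default-deny ordering, and it is worth a one-line comment above the check saying so, e.g. `// a donor created with --ipc=private must not be joined`. The enclosing switch on s.IpcNS.NSMode starts before the hunk.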
@@ -222,7 +222,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	for sysctlKey, sysctlVal := range defaultSysctls {
 		// Ignore mqueue sysctls if --ipc=host
 		if noUseIPC && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
-			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to %q", sysctlKey, sysctlVal, s.IpcNS.NSMode)
 			continue
 		}
 
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 42b66d909..00de99817 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -126,6 +126,16 @@ func getIOLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) (
 	return io, nil
 }
 
+func LimitToSwap(memory *specs.LinuxMemory, swap string, ml int64) {
+	if ml > 0 {
+		memory.Limit = &ml
+		if swap == "" {
+			limit := 2 * ml
+			memory.Swap = &(limit)
+		}
+	}
+}
+
 func getMemoryLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) (*specs.LinuxMemory, error) {
 	var err error
 	memory := &specs.LinuxMemory{}
@@ -135,14 +145,8 @@ func getMemoryLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOption
 		if err != nil {
 			return nil, errors.Wrapf(err, "invalid value for memory")
 		}
-		if ml > 0 {
-			memory.Limit = &ml
-			if c.MemorySwap == "" {
-				limit := 2 * ml
-				memory.Swap = &(limit)
-			}
-			hasLimits = true
-		}
+		LimitToSwap(memory, c.MemorySwap, ml)
+		hasLimits = true
 	}
 	if m := c.MemoryReservation; len(m) > 0 {
 		mr, err := units.RAMInBytes(m)
@@ -190,7 +194,7 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 		}
 	}
 	if c.IPC != "" {
-		s.IpcNS, err = specgen.ParseNamespace(c.IPC)
+		s.IpcNS, err = specgen.ParseIPCNamespace(c.IPC)
 		if err != nil {
 			return err
 		}
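Review bot: The log line now reports whatever mode `s.IpcNS.NSMode` holds, but the comment above it still says `// Ignore mqueue sysctls if --ipc=host`, which is stale if `noUseIPC` (defined outside the hunk) is now true for more than the host mode. Suggest `// Ignore mqueue sysctls when the container does not get its own IPC namespace (noUseIPC); the mode is logged below` so the comment and the message agree. The loop and securityConfigureGenerator continue outside the hunk.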
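Review bot: In getMemoryLimits, `hasLimits = true` was previously inside the `ml > 0` guard and is now unconditional, so a `--memory=0` (or any value RAMInBytes parses to 0) marks limits as present even though LimitToSwap sets nothing; if hasLimits decides whether the memory block is emitted, that is a behaviour change the commit does not mention. Restoring the guard keeps the old semantics: `if ml > 0 { LimitToSwap(memory, c.MemorySwap, ml); hasLimits = true }`, or LimitToSwap could return a bool. LimitToSwap is exported without a doc comment; suggest `// LimitToSwap sets memory.Limit to ml and, when swap is empty, defaults memory.Swap to twice the limit; it is a no-op when ml <= 0.` It also dereferences memory without a nil check, which the handler caller guards but the doc comment should state. getMemoryLimits begins and ends outside the hunk.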