diff options
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/generate/config_linux.go | 56 | ||||
-rw-r--r-- | pkg/specgen/generate/config_linux_test.go | 28 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 3 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 3 |
4 files changed, 67 insertions, 23 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 5c945cff3..6b9e9c4bf 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -10,7 +10,6 @@ import ( "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/rootless" - "github.com/containers/podman/v3/pkg/util" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -151,30 +150,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask "/sys/dev/block", } - unmaskAll := false - if unmask != nil && unmask[0] == "ALL" { - unmaskAll = true - } - if !privileged { - if !unmaskAll { - for _, mp := range defaultMaskPaths { - // check that the path to mask is not in the list of paths to unmask - if !util.StringInSlice(mp, unmask) { - g.AddLinuxMaskedPaths(mp) - } + for _, mp := range defaultMaskPaths { + // check that the path to mask is not in the list of paths to unmask + if shouldMask(mp, unmask) { + g.AddLinuxMaskedPaths(mp) } - for _, rp := range []string{ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - } { - if !util.StringInSlice(rp, unmask) { - g.AddLinuxReadonlyPaths(rp) - } + } + for _, rp := range []string{ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + } { + if shouldMask(rp, unmask) { + g.AddLinuxReadonlyPaths(rp) } } @@ -376,3 +368,21 @@ func supportAmbientCapabilities() bool { err := unix.Prctl(unix.PR_CAP_AMBIENT, unix.PR_CAP_AMBIENT_IS_SET, 0, 0, 0) return err == nil } + +func shouldMask(mask string, unmask []string) bool { + for _, m := range unmask { + if strings.ToLower(m) == "all" { + return false + } + for _, m1 := range strings.Split(m, ":") { + match, err := filepath.Match(m1, mask) + if err != nil { + logrus.Errorf(err.Error()) + } + if match { + return false + } + } + } + return true +} diff --git a/pkg/specgen/generate/config_linux_test.go b/pkg/specgen/generate/config_linux_test.go new file mode 100644 index 000000000..39973324b --- /dev/null +++ b/pkg/specgen/generate/config_linux_test.go @@ -0,0 +1,28 @@ +package generate + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestShouldMask(t *testing.T) { + tests := []struct { + mask string + unmask []string + shouldMask bool + }{ + {"/proc/foo", []string{"all"}, false}, + {"/proc/foo", []string{"ALL"}, false}, + {"/proc/foo", []string{"/proc/foo"}, false}, + {"/proc/foo", []string{"/proc/*"}, false}, + {"/proc/foo", []string{"/proc/bar", "all"}, false}, + {"/proc/foo", []string{"/proc/f*"}, false}, + {"/proc/foo", []string{"/proc/b*"}, true}, + {"/proc/foo", []string{}, true}, + } + for _, test := range tests { + val := shouldMask(test.mask, test.unmask) + assert.Equal(t, val, test.shouldMask) + } +} diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 01f939022..0090156c9 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -200,6 +200,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. if s.Umask != "" { options = append(options, libpod.WithUmask(s.Umask)) } + if s.Volatile { + options = append(options, libpod.WithVolatile()) + } useSystemd := false switch s.Systemd { diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index fdcb7a0e0..5ef2b0653 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -256,6 +256,9 @@ type ContainerStorageConfig struct { // Secrets are the secrets that will be added to the container // Optional. Secrets []string `json:"secrets,omitempty"` + // Volatile specifies whether the container storage can be optimized + // at the cost of not syncing all the dirty files in memory. + Volatile bool `json:"volatile,omitempty"` } // ContainerSecurityConfig is a container's security features, including |