path: root/pkg/spec/spec.go
Commit message (Author, Age)
* Set up ulimits for rootless containers. (Daniel J Walsh, 2020-05-06)
|   Currently we are setting the maximum limits for rootful podman containers, no reason not to set them by default for rootless users as well
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* User specified environment after other environments are set (Daniel J Walsh, 2020-04-29)
|   Users can not currently override the environment variables set by --http-proxy
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #5676 from kolyshkin/volume-flags-alt (OpenShift Merge Robot, 2020-04-03)
|\
| |   Fix/improve pkg/storage.InitFSMounts
| * pkg/spec.InitFSMounts: fix mount opts in place (Kir Kolyshkin, 2020-04-01)
| |   ... rather than create a new slice and then make the caller replace the original with the new one.
| |   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | Fix environment handling from containers.conf (Daniel J Walsh, 2020-04-02)
|/
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for containers.conf (Daniel J Walsh, 2020-03-27)
|   vendor in c/common config pkg for containers.conf
|   Signed-off-by: Qi Wang qiwan@redhat.com
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #5206 from rhatdan/capabilities (OpenShift Merge Robot, 2020-03-03)
|\
| |   Allow devs to set labels in container images for default capabilities.
| * Allow devs to set labels in container images for default capabilities. (Daniel J Walsh, 2020-03-02)
| |   This patch allows users to specify the list of capabilities required to run their container image. Setting an image/container label "io.containers.capabilities=setuid,setgid" tells podman that the contained image should work fine with just these two capabilities, instead of running with the default capabilities, podman will launch the container with just these capabilities. If the user or image specified capabilities that are not in the default set, the container will print an error message and will continue to run with the default capabilities.
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | consolidate env handling into pkg/env (Valentin Rothberg, 2020-03-03)
|/
|   Env-variable related code is scattered across several packages making it hard to maintain and extend. Consolidate the code into a new pkg/env package.
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* apiv2 container create using specgen (Brent Baude, 2020-02-19)
|   this uses the specgen structure to create containers rather than the outdated createconfig. right now, only the apiv2 create is wired up. eventually the cli will also have to be done.
|   Signed-off-by: Brent Baude <bbaude@redhat.com>
* set process labels in pkg/spec (Valentin Rothberg, 2020-02-19)
|   Set the (default) process labels in `pkg/spec`. This way, we can also query libpod.conf and disable labeling if needed.
|   Fixes: #5087
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* support device-cgroup-rule (Qi Wang, 2020-02-12)
|   fix #4876
|   Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created.
|   Signed-off-by: Qi Wang <qiwan@redhat.com>
* podman: add new option --cgroups=no-conmon (Giuseppe Scrivano, 2020-01-16)
|   it allows to disable cgroups creation only for the conmon process. A new cgroup is created for the container payload.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Split up create config handling of namespaces and security (Peter Hunt, 2019-11-07)
|   As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unwieldy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers.
|   Signed-off-by: Peter Hunt <pehunt@redhat.com>
* namespaces: by default create cgroupns on cgroups v2 (Giuseppe Scrivano, 2019-11-05)
|   change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default.
|   Closes: https://github.com/containers/libpod/issues/4363
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* add libpod/config (Valentin Rothberg, 2019-10-31)
|   Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies.
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless: detect no system session with --cgroup-manager=systemd (Giuseppe Scrivano, 2019-10-23)
|   if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not set PIDs limit if --cgroup-manager=cgroupfs (Giuseppe Scrivano, 2019-10-11)
|   even if the system is using cgroups v2, rootless is not able to setup limits when the cgroup-manager is not systemd.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Setup a reasonable default for pids-limit 4096 (Daniel J Walsh, 2019-10-04)
|   CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: allow cgroupfs manager on cgroups v2 (Giuseppe Scrivano, 2019-10-02)
|   if there are no resources specified, make sure the OCI resources block is empty so that the OCI runtime won't complain.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add support for launching containers without CGroups (Matthew Heon, 2019-09-10)
|   This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file.
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Set base mount options for bind mounts from base system (Matthew Heon, 2019-08-28)
|   If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing.
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for 'exec', 'suid', 'dev' mount flags (Matthew Heon, 2019-08-28)
|   Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified.
|   Fixes: #3819
|   Fixes: #3803
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* refer to container whose namespace we share (Peter Hunt, 2019-08-07)
|   Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Properly share UTS namespaces in a pod (Peter Hunt, 2019-08-07)
|   Sharing a UTS namespace means sharing the hostname. Fix situations where a container in a pod didn't properly share the hostname of the pod.
|   Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Vendor in buildah 1.9.2 (Daniel J Walsh, 2019-07-30)
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman: support --userns=ns|container (Giuseppe Scrivano, 2019-07-25)
|   allow to join the user namespace of another container.
|   Closes: https://github.com/containers/libpod/issues/3629
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3593 from giuseppe/rootless-privileged-devices (OpenShift Merge Robot, 2019-07-18)
|\
| |   rootless: add host devices with --privileged
| * rootless: add rw devices with --privileged (Giuseppe Scrivano, 2019-07-18)
| |   when --privileged is specified, add all the devices that are usable by the user.
| |   Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: support for cgroup namespace (Giuseppe Scrivano, 2019-07-18)
|/
|   allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree. By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Populate inspect with security-opt settings (Matthew Heon, 2019-07-17)
|   We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not).
|   Signed-off-by: Matthew Heon <mheon@redhat.com>
* Move the HostConfig portion of Inspect inside libpod (Matthew Heon, 2019-07-17)
|   When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct. Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info. Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact. This improves libpod's compatibility with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect.
|   Fixes: #3500
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* spec: rework --ulimit host (Giuseppe Scrivano, 2019-07-17)
|   it seems enough to not specify any ulimit block to maintain the host limits.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3563 from giuseppe/fix-single-mapping-rootless (OpenShift Merge Robot, 2019-07-12)
|\
| |   spec: fix userns with less than 5 gids
| * spec: fix userns with less than 5 gids (Giuseppe Scrivano, 2019-07-12)
| |   when the container is running in a user namespace, check if gid=5 is available, otherwise drop the option gid=5 for /dev/pts.
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3491 from giuseppe/rlimit-host (OpenShift Merge Robot, 2019-07-11)
|\ \
| |/
|/|
| |   podman: add --ulimit host
| * podman: add --ulimit host (Giuseppe Scrivano, 2019-07-08)
| |   add a simple way to copy ulimit values from the host. if --ulimit host is used then the current ulimits in place are copied to the container.
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | first pass of corrections for golangci-lint (baude, 2019-07-10)
|/
|   Signed-off-by: baude <bbaude@redhat.com>
* util: drop IsCgroup2UnifiedMode and use it from cgroups (Giuseppe Scrivano, 2019-06-26)
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: force resources to be nil on cgroup v1 (Giuseppe Scrivano, 2019-05-20)
|   force the resources block to be empty instead of having default values. Regression introduced by 8e88461511e81d2327e4c1a1315bb58fda1827ca
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't set apparmor if --privileged (Daniel J Walsh, 2019-05-20)
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless, spec: allow resources with cgroup v2 (Giuseppe Scrivano, 2019-05-13)
|   We were always raising an error when the rootless user attempted to setup resources, but this is not the case anymore with cgroup v2.
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move handling of ReadOnlyTmpfs into new mounts code (Matthew Heon, 2019-05-01)
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Migrate to unified volume handling code (Matthew Heon, 2019-05-01)
|   Unify handling for the --volume, --mount, --volumes-from, --tmpfs and --init flags into a single file and set of functions. This will greatly improve readability and maintainability. Further, properly handle superseding and conflicting mounts. Our current patchwork has serious issues when mounts conflict, or when a mount from --volumes-from or an image volume should be overwritten by a user volume or named volume.
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Remove non-config fields from CreateConfig (Matthew Heon, 2019-05-01)
|   The goal here is to keep only the configuration directly used to build the container in CreateConfig, and scrub temporary state and helpers that we need to generate. We'll keep those internally in MakeContainerConfig.
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add a new function for converting a CreateConfig (Matthew Heon, 2019-05-01)
|   Right now, there are two major API calls necessary to turn a filled-in CreateConfig into the options and OCI spec necessary to make a libpod Container. I'm intending on refactoring both of these extensively to unify a few things, so make a common frontend to both that will prevent API changes from leaking out of the package.
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* auto pass http_proxy into container (James Cassell, 2019-04-30)
|   Signed-off-by: James Cassell <code@james.cassell.me>
* Add --read-only-tmpfs options (Daniel J Walsh, 2019-04-26)
|   The --read-only-tmpfs option caused podman to mount tmpfs on /run, /tmp, /var/tmp if the container is running in read-only mode. The default is true, so you would need to execute a command like --read-only --read-only-tmpfs=false to turn off this behaviour.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* spec: mask /sys/kernel when bind mounting /sys (Giuseppe Scrivano, 2019-04-11)
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: add /sys/kernel to the masked paths (Giuseppe Scrivano, 2019-04-11)
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>