From b0a738ce797bd2b91f5c8092ee9ff10e8e3fc7fa Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 22 Dec 2020 13:06:31 -0500
Subject: Pass down EnableKeyring from containers.conf to conmon

We have a new field in containers.conf that tells whether or not we want to generate a new keyring in a container. This field was being ignored. It now will be followed and passed down to conmon.

Fixes: https://github.com/containers/podman/issues/8384

Signed-off-by: Daniel J Walsh
---
 libpod/oci_conmon_linux.go | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libpod')

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 7e0a1d457..79af4fa81 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -69,6 +69,7 @@ type ConmonOCIRuntime struct {
 supportsKVM bool
 supportsNoCgroups bool
 sdNotify bool
+ enableKeyring bool
 }
 // Make a new Conmon-based OCI runtime with the given options.
@@ -107,6 +108,7 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime
 runtime.noPivot = runtimeCfg.Engine.NoPivotRoot
 runtime.reservePorts = runtimeCfg.Engine.EnablePortReservation
 runtime.sdNotify = runtimeCfg.Engine.SDNotify
+ runtime.enableKeyring = runtimeCfg.Containers.EnableKeyring
 // TODO: probe OCI runtime for feature and enable automatically if
 // available.
@@ -1021,6 +1023,9 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 args = append(args, "-i")
 }
+ if !r.enableKeyring {
+ args = append(args, "--no-new-keyring")
+ }
 if ctr.config.ConmonPidFile != "" {
 args = append(args, "--conmon-pidfile", ctr.config.ConmonPidFile)
 }
-- 
cgit v1.2.3-54-g00ecf
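Review bot: The new `enableKeyring` field in the `ConmonOCIRuntime` struct is undocumented, and because it gates a security boundary (whether the container gets its own kernel session keyring or not) it deserves a comment so the next reader does not treat it as a cosmetic toggle. Suggest `// enableKeyring controls whether conmon creates a new session keyring for the container; when false, --no-new-keyring is passed and the container presumably inherits the keyring of the process that spawned conmon.` The "presumably" reflects that the inheritance behaviour is conmon's, not visible in this hunk. The struct definition starts before the hunk.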
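Review bot: The `--no-new-keyring` argument is only added in createOCIContainer, so if conmon is also spawned for exec sessions elsewhere in this file (not visible in the hunk), those processes will still get a fresh session keyring regardless of EnableKeyring, leaving the container's init and its execs with different keyring visibility. Worth a comment at the new branch stating the security meaning, since sharing a session keyring with the host side can expose key material (for example, kernel-held credentials added by the invoking user) to container processes: `// EnableKeyring=false shares the caller's session keyring with the container; keep the default unless the keyring is needed inside.` The flag is also a conmon-version dependency: a conmon that predates `--no-new-keyring` would reject the argument at container start, so if the file's conmon version probe does not already enforce a minimum that includes this flag, that check should be extended. The createOCIContainer body starts and ends outside the hunk.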