From 4352d585490f6c1eb7234ef4f92e0157083d69b3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 27 Mar 2020 10:13:51 -0400 Subject: Add support for containers.conf vendor in c/common config pkg for containers.conf Signed-off-by: Qi Wang qiwan@redhat.com Signed-off-by: Daniel J Walsh --- pkg/spec/createconfig.go | 23 +++++++++++---------- pkg/spec/spec.go | 54 ++++++++++++++++++++++++++++++++++-------------- pkg/spec/storage.go | 2 +- 3 files changed, 52 insertions(+), 27 deletions(-) (limited to 'pkg/spec') diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index 12dfed8c3..daa997104 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -196,6 +196,7 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err if err != nil { return nil, err } + storageConfig := runtime.StorageConfig() // We need a cleanup process for containers in the current model. // But we can't assume that the caller is Podman - it could be another @@ -208,23 +209,23 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err } command := []string{cmd, - "--root", config.StorageConfig.GraphRoot, - "--runroot", config.StorageConfig.RunRoot, + "--root", storageConfig.GraphRoot, + "--runroot", storageConfig.RunRoot, "--log-level", logrus.GetLevel().String(), - "--cgroup-manager", config.CgroupManager, - "--tmpdir", config.TmpDir, + "--cgroup-manager", config.Engine.CgroupManager, + "--tmpdir", config.Engine.TmpDir, } - if config.OCIRuntime != "" { - command = append(command, []string{"--runtime", config.OCIRuntime}...) + if config.Engine.OCIRuntime != "" { + command = append(command, []string{"--runtime", config.Engine.OCIRuntime}...) } - if config.StorageConfig.GraphDriverName != "" { - command = append(command, []string{"--storage-driver", config.StorageConfig.GraphDriverName}...) + if storageConfig.GraphDriverName != "" { + command = append(command, []string{"--storage-driver", storageConfig.GraphDriverName}...) } - for _, opt := range config.StorageConfig.GraphDriverOptions { + for _, opt := range storageConfig.GraphDriverOptions { command = append(command, []string{"--storage-opt", opt}...) } - if config.EventsLogger != "" { - command = append(command, []string{"--events-backend", config.EventsLogger}...) + if config.Engine.EventsLogger != "" { + command = append(command, []string{"--events-backend", config.Engine.EventsLogger}...) } if c.Syslog { diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 8f0630b85..d4fd5976f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -4,9 +4,8 @@ import ( "strings" "github.com/containers/common/pkg/capabilities" + cconfig "github.com/containers/common/pkg/config" "github.com/containers/libpod/libpod" - libpodconfig "github.com/containers/libpod/libpod/config" - "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/env" "github.com/containers/libpod/pkg/rootless" @@ -81,6 +80,37 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM g.AddLinuxMaskedPaths("/sys/kernel") } } + var runtimeConfig *cconfig.Config + + if runtime != nil { + runtimeConfig, err = runtime.GetConfig() + if err != nil { + return nil, err + } + g.Config.Process.Capabilities.Bounding = runtimeConfig.Containers.DefaultCapabilities + sysctls, err := util.ValidateSysctls(runtimeConfig.Containers.DefaultSysctls) + if err != nil { + return nil, err + } + + for name, val := range config.Security.Sysctl { + sysctls[name] = val + } + config.Security.Sysctl = sysctls + if !util.StringInSlice("host", config.Resources.Ulimit) { + config.Resources.Ulimit = append(runtimeConfig.Containers.DefaultUlimits, config.Resources.Ulimit...) + } + if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() { + config.Resources.PidsLimit = runtimeConfig.Containers.PidsLimit + } + + } else { + g.Config.Process.Capabilities.Bounding = cconfig.DefaultCapabilities + if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() { + config.Resources.PidsLimit = cconfig.DefaultPidsLimit + } + } + gid5Available := true if isRootless { nGids, err := GetAvailableGids() @@ -242,16 +272,6 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } } - // SECURITY OPTS - var runtimeConfig *libpodconfig.Config - - if runtime != nil { - runtimeConfig, err = runtime.GetConfig() - if err != nil { - return nil, err - } - } - g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs) if !config.Security.Privileged { @@ -261,7 +281,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM // Unless already set via the CLI, check if we need to disable process // labels or set the defaults. if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil { - if !runtimeConfig.EnableLabeling { + if !runtimeConfig.Containers.EnableLabeling { // Disabled in the config. config.Security.LabelOpts = append(config.Security.LabelOpts, "disable") } else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil { @@ -284,7 +304,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM if err != nil { return nil, err } - if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.CgroupManager != define.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() { + if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.Engine.CgroupManager != cconfig.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() { setPidLimit = false } } @@ -376,7 +396,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM configSpec.Linux.Resources = &spec.LinuxResources{} } - canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.CgroupManager == define.SystemdCgroupsManager) + canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.Engine.CgroupManager == cconfig.SystemdCgroupsManager) if addedResources && !canUseResources { return nil, errors.New("invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd") @@ -433,6 +453,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM return configSpec, nil } +func (config *CreateConfig) cgroupDisabled() bool { + return config.Cgroup.Cgroups == "disabled" +} + func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.Generator) { if !privileged { for _, mp := range []string{ diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go index c365701de..b0687b4c2 100644 --- a/pkg/spec/storage.go +++ b/pkg/spec/storage.go @@ -124,7 +124,7 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount, if err != nil { return nil, nil, err } - initPath = rtc.InitPath + initPath = rtc.Engine.InitPath } initMount, err := config.addContainerInitBinary(initPath) if err != nil { -- cgit v1.2.3-54-g00ecf