package entities import ( "context" "fmt" "io" "os" "github.com/containers/buildah/pkg/parse" "github.com/containers/common/pkg/config" "github.com/containers/common/pkg/sysinfo" "github.com/containers/libpod/pkg/apparmor" "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" "github.com/opencontainers/selinux/go-selinux" "github.com/opentracing/opentracing-go" "github.com/spf13/pflag" ) // EngineMode is the connection type podman is using to access libpod type EngineMode string const ( ABIMode = EngineMode("abi") TunnelMode = EngineMode("tunnel") ) // Convert EngineMode to String func (m EngineMode) String() string { return string(m) } // PodmanConfig combines the defaults and settings from the file system with the // flags given in os.Args. Some runtime state is also stored here. type PodmanConfig struct { *config.Config *pflag.FlagSet CGroupUsage string // rootless code determines Usage message ConmonPath string // --conmon flag will set Engine.ConmonPath CpuProfile string // Hidden: Should CPU profile be taken EngineMode EngineMode // ABI or Tunneling mode Identities []string // ssh identities for connecting to server MaxWorks int // maximum number of parallel threads RuntimePath string // --runtime flag will set Engine.RuntimePath SpanCloser io.Closer // Close() for tracing object SpanCtx context.Context // context to use when tracing Span opentracing.Span // tracing object Syslog bool // write to StdOut and Syslog, not supported when tunneling Trace bool // Hidden: Trace execution Uri string // URI to API Service Runroot string StorageDriver string StorageOpts []string } // DefaultSecurityOptions: getter for security options from configuration func (c PodmanConfig) DefaultSecurityOptions() []string { securityOpts := []string{} if c.Containers.SeccompProfile != "" && c.Containers.SeccompProfile != parse.SeccompDefaultPath { securityOpts = append(securityOpts, fmt.Sprintf("seccomp=%s", c.Containers.SeccompProfile)) } if apparmor.IsEnabled() && c.Containers.ApparmorProfile != "" { securityOpts = append(securityOpts, fmt.Sprintf("apparmor=%s", c.Containers.ApparmorProfile)) } if selinux.GetEnabled() && !c.Containers.EnableLabeling { securityOpts = append(securityOpts, fmt.Sprintf("label=%s", selinux.DisableSecOpt()[0])) } return securityOpts } // DefaultSysctls func (c PodmanConfig) DefaultSysctls() []string { return c.Containers.DefaultSysctls } func (c PodmanConfig) DefaultVolumes() []string { return c.Containers.Volumes } func (c PodmanConfig) DefaultDevices() []string { return c.Containers.Devices } func (c PodmanConfig) DefaultDNSServers() []string { return c.Containers.DNSServers } func (c PodmanConfig) DefaultDNSSearches() []string { return c.Containers.DNSSearches } func (c PodmanConfig) DefaultDNSOptions() []string { return c.Containers.DNSOptions } func (c PodmanConfig) DefaultEnv() []string { return c.Containers.Env } func (c PodmanConfig) DefaultInitPath() string { return c.Containers.InitPath } func (c PodmanConfig) DefaultIPCNS() string { return c.Containers.IPCNS } func (c PodmanConfig) DefaultPidNS() string { return c.Containers.PidNS } func (c PodmanConfig) DefaultNetNS() string { if c.Containers.NetNS == "private" && rootless.IsRootless() { return "slirp4netns" } return c.Containers.NetNS } func (c PodmanConfig) DefaultCgroupNS() string { return c.Containers.CgroupNS } func (c PodmanConfig) DefaultUTSNS() string { return c.Containers.UTSNS } func (c PodmanConfig) DefaultShmSize() string { return c.Containers.ShmSize } func (c PodmanConfig) DefaultUlimits() []string { return c.Containers.DefaultUlimits } func (c PodmanConfig) DefaultUserNS() string { if v, found := os.LookupEnv("PODMAN_USERNS"); found { return v } return c.Containers.UserNS } func (c PodmanConfig) DefaultPidsLimit() int64 { if rootless.IsRootless() { cgroup2, _ := cgroups.IsCgroup2UnifiedMode() if cgroup2 { return c.Containers.PidsLimit } } return sysinfo.GetDefaultPidsLimit() } func (c PodmanConfig) DefaultPidsDescription() string { return "Tune container pids limit (set 0 for unlimited)" } func (c PodmanConfig) DefaultDetachKeys() string { return c.Engine.DetachKeys } // TODO: Remove in rootless support PR // // EngineOptions holds the environment for running the engines // type EngineOptions struct { // // Introduced with V2 // Uri string // Identities []string // FlagSet *pflag.FlagSet // EngineMode EngineMode // CGroupUsage string // // // Introduced with V1 // CGroupManager string // config.EngineConfig // CniConfigDir string // config.NetworkConfig.NetworkConfigDir // ConmonPath string // config.EngineConfig // DefaultMountsFile string // config.ContainersConfig // EventsBackend string // config.EngineConfig.EventsLogger // HooksDir []string // config.EngineConfig // MaxWorks int // Namespace string // config.EngineConfig // Root string // // Runroot string // config.EngineConfig.StorageConfigRunRootSet?? // Runtime string // config.EngineConfig.OCIRuntime // StorageDriver string // config.EngineConfig.StorageConfigGraphDriverNameSet?? // StorageOpts []string // Syslog bool // Trace bool // NetworkCmdPath string // config.EngineConfig // // Config string // CpuProfile string // LogLevel string // TmpDir string // config.EngineConfig // // RemoteUserName string // deprecated // RemoteHost string // deprecated // VarlinkAddress string // deprecated // ConnectionName string // RemoteConfigFilePath string // Port int // deprecated // IdentityFile string // deprecated // IgnoreHosts bool // } // // func NewEngineOptions(opts EngineOptions) (EngineOptions, error) { // ctnrCfg, err := config.Default() // if err != nil { // logrus.Error(err) // os.Exit(1) // } // // cgroupManager := ctnrCfg.Engine.CgroupManager // cgroupUsage := `Cgroup manager to use ("cgroupfs"|"systemd")` // cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() // cniPluginDir := ctnrCfg.Network.CNIPluginDirs[0] // // cfg, err := config.NewConfig("") // if err != nil { // logrus.Errorf("Error loading container config %v\n", err) // os.Exit(1) // } // cfg.CheckCgroupsAndAdjustConfig() // // if rootless.IsRootless() { // if !cgroupv2 { // cgroupManager = "" // cgroupUsage = "Cgroup manager is not supported in rootless mode" // } // cniPluginDir = "" // } // // return EngineOptions{ // CGroupManager: cgroupManager, // CGroupUsage: cgroupUsage, // CniConfigDir: cniPluginDir, // Config: opts.Config, // TODO: deprecate // ConmonPath: opts.ConmonPath, // ConnectionName: opts.ConnectionName, // CpuProfile: opts.CpuProfile, // DefaultMountsFile: ctnrCfg.Containers.DefaultMountsFile, // EngineMode: opts.EngineMode, // EventsBackend: ctnrCfg.Engine.EventsLogger, // FlagSet: opts.FlagSet, // TODO: deprecate // HooksDir: append(ctnrCfg.Engine.HooksDir[:0:0], ctnrCfg.Engine.HooksDir...), // Identities: append(opts.Identities[:0:0], opts.Identities...), // IdentityFile: opts.IdentityFile, // TODO: deprecate // IgnoreHosts: opts.IgnoreHosts, // LogLevel: opts.LogLevel, // MaxWorks: opts.MaxWorks, // Namespace: ctnrCfg.Engine.Namespace, // NetworkCmdPath: ctnrCfg.Engine.NetworkCmdPath, // Port: opts.Port, // RemoteConfigFilePath: opts.RemoteConfigFilePath, // RemoteHost: opts.RemoteHost, // TODO: deprecate // RemoteUserName: opts.RemoteUserName, // TODO: deprecate // Root: opts.Root, // Runroot: opts.Runroot, // Runtime: opts.Runtime, // StorageDriver: opts.StorageDriver, // StorageOpts: append(opts.StorageOpts[:0:0], opts.StorageOpts...), // Syslog: opts.Syslog, // TmpDir: opts.TmpDir, // Trace: opts.Trace, // Uri: opts.Uri, // VarlinkAddress: opts.VarlinkAddress, // }, nil // }