opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-05 19:02:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add support for containers.conf

Browse Source 
vendor in c/common config pkg for containers.conf

Signed-off-by: Qi Wang qiwan@redhat.com
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2020-03-27 10:13:51 -04:00
parent 2c5c198020
commit 4352d58549
91 changed files with 1343 additions and 1407 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
pkg/spec/spec.go
View File

@ -4,9 +4,8 @@ import (
"strings"
"github.com/containers/common/pkg/capabilities"
cconfig "github.com/containers/common/pkg/config"
"github.com/containers/libpod/libpod"
libpodconfig "github.com/containers/libpod/libpod/config"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/env"
"github.com/containers/libpod/pkg/rootless"
@ -81,6 +80,37 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
g.AddLinuxMaskedPaths("/sys/kernel")
}
}
var runtimeConfig *cconfig.Config
if runtime != nil {
runtimeConfig, err = runtime.GetConfig()
if err != nil {
return nil, err
}
g.Config.Process.Capabilities.Bounding = runtimeConfig.Containers.DefaultCapabilities
sysctls, err := util.ValidateSysctls(runtimeConfig.Containers.DefaultSysctls)
if err != nil {
return nil, err
}
for name, val := range config.Security.Sysctl {
sysctls[name] = val
}
config.Security.Sysctl = sysctls
if !util.StringInSlice("host", config.Resources.Ulimit) {
config.Resources.Ulimit = append(runtimeConfig.Containers.DefaultUlimits, config.Resources.Ulimit...)
}
if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() {
config.Resources.PidsLimit = runtimeConfig.Containers.PidsLimit
}
} else {
g.Config.Process.Capabilities.Bounding = cconfig.DefaultCapabilities
if config.Resources.PidsLimit < 0 && !config.cgroupDisabled() {
config.Resources.PidsLimit = cconfig.DefaultPidsLimit
}
}
gid5Available := true
if isRootless {
nGids, err := GetAvailableGids()
@ -242,16 +272,6 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
}
}
// SECURITY OPTS
var runtimeConfig *libpodconfig.Config
if runtime != nil {
runtimeConfig, err = runtime.GetConfig()
if err != nil {
return nil, err
}
}
g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
if !config.Security.Privileged {
@ -261,7 +281,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
// Unless already set via the CLI, check if we need to disable process
// labels or set the defaults.
if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
if !runtimeConfig.EnableLabeling {
if !runtimeConfig.Containers.EnableLabeling {
// Disabled in the config.
config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
} else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
@ -284,7 +304,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
if err != nil {
return nil, err
}
if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.CgroupManager != define.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
if (!cgroup2 || (runtimeConfig != nil && runtimeConfig.Engine.CgroupManager != cconfig.SystemdCgroupsManager)) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
setPidLimit = false
}
}
@ -376,7 +396,7 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
configSpec.Linux.Resources = &spec.LinuxResources{}
}
canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.CgroupManager == define.SystemdCgroupsManager)
canUseResources := cgroup2 && runtimeConfig != nil && (runtimeConfig.Engine.CgroupManager == cconfig.SystemdCgroupsManager)
if addedResources && !canUseResources {
return nil, errors.New("invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd")
@ -433,6 +453,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
return configSpec, nil
}
func (config *CreateConfig) cgroupDisabled() bool {
return config.Cgroup.Cgroups == "disabled"
}
func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.Generator) {
if !privileged {
for _, mp := range []string{