220 Commits

Author SHA1 Message Date
29273cda10 lint: fix warnings found by perfsprint
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-10-20 16:27:46 +02:00
b72bb11629 Add TERM iff TERM not defined in container when podman exec -t
Fixes: https://github.com/containers/podman/issues/20334

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-10-18 15:40:52 -04:00
0443c5166e inspect: ignore ENOENT during device lookup
When we walk the /dev tree we need to lookup all device paths. Now in
order to get the major and minor version we have to actually stat each
device. This can again fail of course. There is at least a race between
the readdir at stat call so it must ignore ENOENT errors to avoid
the race condition as this is not a user problem. Second, we should
also not return other errors and just log them instead, returning an
error means stopping the walk and returning early which means inspect
fails with an error which would be bad.

Also there seems to be cases were ENOENT will be returned all the time,
e.g. when a device is forcefully removed. In the reported bug this is
triggered with iSCSI devices.

Because the caller does already lookup the device from the created map
it reports a warning there if the device is missing on the host so it
is not a problem to ignore a error during lookup here.

[NO NEW TESTS NEEDED] Requires special device setup to trigger
consistentlyand we cannot do that in CI.

Fixes https://issues.redhat.com/browse/RHEL-11158

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-10-04 13:26:21 +02:00
91b8bc7f13 uid/gid mapping flags
Motivation
===========

This feature aims to make --uidmap and --gidmap easier to use, especially in rootless podman setups.

(I will focus here on the --gidmap option, although the same applies for --uidmap.)

In rootless podman, the user namespace mapping happens in two steps, through an intermediate mapping.

See https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount
for further detail, here is a summary:

First the user GID is mapped to 0 (root), and all subordinate GIDs (defined at /etc/subgid, and
usually >100000) are mapped starting at 1.

One way to customize the mapping is through the `--gidmap` option, that maps that intermediate mapping
to the final mapping that will be seen by the container.

As an example, let's say we have as main GID the group 1000, and we also belong to the additional GID 2000,
that we want to make accessible inside the container.

We first ask the sysadmin to subordinate the group to us, by adding "$user:2000:1" to /etc/subgid.

Then we need to use --gidmap to specify that we want to map GID 2000 into some GID inside the container.

And here is the first trouble:

Since the --gidmap option operates on the intermediate mapping, we first need to figure out where has
podman placed our GID 2000 in that intermediate mapping using:

    podman unshare cat /proc/self/gid_map

Then, we may see that GID 2000 was mapped to intermediate GID 5. So our --gidmap option should include:

    --gidmap 20000:5:1

This intermediate mapping may change in the future if further groups are subordinated to us (or we stop
having its subordination), so we are forced to verify the mapping with
`podman unshare cat /proc/self/gid_map` every time, and parse it if we want to script it.

**The first usability improvement** we agreed on #18333 is to be able to use:

    --gidmap 20000:@2000:1

so podman does this lookup in the parent user namespace for us.

But this is only part of the problem. We must specify a **full** gidmap and not only what we want:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1

This is becoming complicated. We had to break the gidmap at 5, because the intermediate 5 had to
be mapped to another value (20000), and then we had to keep mapping all other subordinate ids... up to
close to the maximum number of subordinate ids that we have (or some reasonable value). This is hard
to explain to someone who does not understand how the mappings work internally.

To simplify this, **the second usability improvement** is to be able to use:

   --gidmap "+20000:@2000:1"

where the plus flag (`+`) states that the given mapping should extend any previous/default mapping,
overriding any previous conflicting assignment.

Podman will set that mapping and fill the rest of mapped gids with all other subordinated gids, leading
to the same (or an equivalent) full gidmap that we were specifying before.

One final usability improvement related to this is the following:

By default, when podman  gets a --gidmap argument but not a --uidmap argument, it copies the mapping.
This is convenient in many scenarios, since usually subordinated uids and gids are assigned in chunks
simultaneously, and the subordinated IDs in /etc/subuid and /etc/subgid for a given user match.

For scenarios with additional subordinated GIDs, this map copying is annoying, since it forces the user
to provide a --uidmap, to prevent the copy from being made. This means, that when the user wants:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1

The user has to include a uidmap as well:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 --uidmap 0:0:65000

making everything even harder to understand without proper context.

For this reason, besides the "+" flag, we introduce the "u" and "g" flags. Those flags applied to a
mapping tell podman that the mapping should only apply to users or groups, and ignored otherwise.

Therefore we can use:

   --gidmap "+g20000:@2000:1"

So the mapping only applies to groups and is ignored for uidmaps. If no "u" nor "g" flag is assigned
podman assumes the mapping applies to both users and groups as before, so we preserve backwards compatibility.

Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sergio Oller <sergioller@gmail.com>
2023-08-28 20:21:04 +02:00
45ce4834af Add support for ramfs as well as tmpfs in volume mounts
Users want to mount a tmpfs file system with secrets, and make
sure the secret is never saved into swap. They can do this either
by using a ramfs tmpfs mount or by passing `noswap` option to
a tmpfs mount.

Fixes: https://github.com/containers/podman/issues/19659

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-08-21 07:14:57 -04:00
bcebcad1fd Update system connection add & remove
Add new --farm flag to podman system connection add so that
a user can add a new connection to a farm immediately.
Update system connection remove such that when a connection is
removed, the connection is also removed from any farms that have it.
Add docs and tests for these changes.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2023-08-09 13:37:37 -04:00
1e54539432 Add support for passing container stop timeout as -1 (infinite)
Compat api for containers/stop should take -1 value

Add support for `podman stop --time -1`
Add support for `podman restart --time -1`
Add support for `podman rm --time -1`
Add support for `podman pod stop --time -1`
Add support for `podman pod rm --time -1`
Add support for `podman volume rm --time -1`
Add support for `podman network rm --time -1`

Fixes: https://github.com/containers/podman/issues/17542

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-08-04 08:36:45 -04:00
f256f4f954 Use constants for mount types
Inspired by https://github.com/containers/podman/pull/19238

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-07-14 07:17:21 -04:00
94e59bd2ff Use /proc/self/gid_map as intended, not uid_map
GetKeepIDMapping never read the gid (as it intended) but reused the uid.
Most likely a typo that never bothered anybody as uid and gid usually
match.

Signed-off-by: Simon Brakhane <simon@brakhane.net>
2023-06-30 12:57:55 +02:00
05eb3e6f13 Make Podman/Buildah use same DecryptConfig/EncryptConfig funcs
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-06-27 18:04:42 +02:00
8a90765b90 filters: use new FilterID function from c/common
Remove code duplication and use the new FilterID function from
c/common. Also remove the duplicated ComputeUntilTimestamp in podman use
the one from c/common as well.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-06-13 17:49:41 +02:00
c7a8d29f12 refactor: improve get ssh path duplicate code
Signed-off-by: Black-Hole1 <bh@bugs.cc>
2023-06-07 09:03:35 +08:00
4108b37118 Support podman --remote when Containerfile is not in context directory
Fixes: https://github.com/containers/podman/issues/18239

[NO NEW TESTS NEEDED]

@test "podman build -f test" in test/system/070-build.bats

Will test this.  This was passing when run on a local system since
the remote end was using the clients path to read the Containerfile
The issue is it would not work in a podman machine since the
Containerfile would/should be a different path.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-05-22 11:58:36 -04:00
685c736185 source code comments and docs: fix typos, language, Markdown layout
- fix a/an before noun
- fix loose -> lose
- fix "the the"
- fix lets -> let's
- fix Markdown layout
- fix a few typos
- remove unnecessary text in troubleshooting.md

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-05-22 07:52:16 +02:00
c400cc7ead libpod/Container.rootFsSize(): use recorded image sizes
In rootFsSize(), instead of calculating the size of the diff for every
layer of the container's base image, ask the storage library for the sum
of the values it recorded when it first wrote those layers.

In a similar fashion, teach rwSize() to use the library's
ContainerSize() method instead of trying to roll its own.

Replace calls to pkg/util.SizeOfPath() with calls to
github.com/containers/storage/pkg/directory.Size(), which does the same
thing.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-05-09 09:33:37 -04:00
edbeee5238 Add --restart flag to pod create
Add --restart flag to pod create to allow users to set the
restart policy for the pod, which applies to all the containers
in the pod. This reuses the restart policy already there for
containers and has the same restart policy options.
Add "never" to the restart policy options to match k8s syntax.
It is a synonym for "no" and does the exact same thing where the
containers are not restarted once exited.
Only the containers that have exited will be restarted based on the
restart policy, running containers will not be restarted when an exited
container is restarted in the same pod (same as is done in k8s).

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2023-05-02 10:29:58 -04:00
bab95de9a2 rootless: make sure we only use a single pause process
Currently --tmpdir changes the location of the pause.pid file. this
causes issues because the c code in pkg/rootless does not know about
that. I tried to fix this[1] by fixing the c code to not use the
shortcut. While this fix worked it will result in many pause processes
leaking in the integrration tests.

Commit ab88632 added this behavior but following the disccusion it was
never the intention that we end up having more than one pause process.
The issues that was trying to fix was caused by somthing else AFAICT,
the main problem seems to be that the pause.pid file parent directory
may not be created when we try to create the pid file so it failed with
ENOENT. This patch fixes it by creating this directory always and revert
the change to no longer depend on the tmpdir value.

With this commit we now always use XDG_RUNTIME_DIR/libpod/tmp/pause.pid
for all podman processes. This allows the c shortcut to work reliably
and should therefore improve perfomance over my other approach.

A system test is added to ensure we see the right behavior and that
podman system migrate actually stops the pause process. Thanks to Ed
Santiago for the improved test to make it work for both `catatonit` and
`podman pause`.

This should fix the issues with namespace missmatches that we can see in
CI as flakes.

[1] https://github.com/containers/podman/pull/18057

Fixes #18057

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-04-11 10:57:46 +02:00
4d56292e7a libpod: mount safely subpaths
add a function to securely mount a subpath inside a volume.  We cannot
trust that the subpath is safe since it is beneath a volume that could
be controlled by a separate container.  To avoid TOCTOU races between
when we check the subpath and when the OCI runtime mounts it, we open
the subpath, validate it, bind mount to a temporary directory and use
it instead of the original path.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-03-31 19:48:03 +02:00
c8eeab21cf Merge pull request #16315 from flouthoc/remote-ignore-symlink
remote,build: ignore if `.containerignore` or `.dockerignore` is a symlink outside of buildContext
2023-03-28 23:23:07 +02:00
a5ca732256 Fix typos
Software version used
https://github.com/crate-ci/typos/releases/tag/v1.13.10

The binary was downloaded from
https://github.com/crate-ci/typos/releases/download/v1.13.10/typos-v1.13.10-x86_64-unknown-linux-musl.tar.gz

Command that was run:

typos --write-changes docs cmd cni contrib dependencies docs hack libpod pkg utils

False positives were manually removed.
A few marshaling/existant typos were manually fixed.

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-02-11 18:23:24 +01:00
de63ad7044 libpod: allow userns=keep-id for root
copy the current mapping into a new user namespace, and run into a
separate user namespace.

Closes: https://github.com/containers/podman/issues/17337

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-02-03 12:44:30 +01:00
cbb45a6d42 utils: new conversion method
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-02-01 09:26:50 +01:00
d10860a323 Do not mount /dev/tty into rootless containers
[NO NEW TESTS NEEDED]

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2165875
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
2023-01-31 22:10:26 +02:00
b0b166b5bb Match VT device paths to be blocked from mounting exactly
As @mheon pointed out in PR #17055[^1], isVirtualConsoleDevice() does
not only matches VT device paths but also devices named like
/dev/tty0abcd.
This causes that non VT device paths named /dev/tty[0-9]+[A-Za-z]+ are
not mounted into privileged container and systemd containers accidentally.

This is an unlikely issue because the Linux kernel does not use device
paths like that.
To make it failproof and prevent issues in unlikely scenarios, change
isVirtualConsoleDevice() to exactly match ^/dev/tty[0-9]+$ paths.

Because it is not possible to match this path exactly with Glob syntax,
the path is now checked with strings.TrimPrefix() and
strconv.ParseUint().
ParseUint uses a bitsize of 16, this is sufficient because the max
number of TTY devices is 512 in Linux 6.1.5.
(Checked via 'git grep -e '#define' --and -e 'TTY_MINORS').

The commit also adds a unit-test for isVirtualConsoleDevice().

Fixes: f4c81b0aa5fd ("Only prevent VTs to be mounted inside...")

[^1]: https://github.com/containers/podman/pull/17055#issuecomment-1378904068

Signed-off-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-01-28 05:18:40 -05:00
70e8f6243a remote,build: error if containerignore is symlink
Drop support for remote use-cases when `.containerignore` or
`.dockerignore` is a symlink pointing to arbitrary location on host.

Signed-off-by: Aditya R <arajan@redhat.com>
2023-01-26 16:11:51 +05:30
7093d1fe5c Merge pull request #17130 from Luap99/remove-dup-code
commit: use libimage code to parse changes
2023-01-17 05:10:22 -05:00
79865c2903 commit: use libimage code to parse changes
This code is duplicated in podman and c/common, we should only use one
version.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-01-16 16:28:11 +01:00
70057c8b47 Make rootless privileged containers share the same tty devices as rootfull ones
Until Podman v4.3, privileged rootfull containers would expose all the
host devices to the container while rootless ones would exclude
`/dev/ptmx` and `/dev/tty*`.

When 5a2405ae1b3a ("Don't mount /dev/tty* inside privileged containers
running systemd") landed, rootfull containers started excluding all the
`/dev/tty*` devices when the container would be running in systemd
mode, reducing the disparity between rootless and rootfull containers
when running in this mode.

However, this commit regressed some legitimate use cases: exposing
non-virtual-terminal tty devices (modems, arduinos, serial
consoles, ...) to the container, and the regression was addressed in
f4c81b0aa5fd ("Only prevent VTs to be mounted inside privileged
systemd containers").

This now calls into question why all tty devices were historically
prevented from being shared to the rootless non-privileged containers.
A look at the podman git history reveals that the code was introduced
as part of ba430bfe5ef6 ("podman v2 remove bloat v2"), and obviously
was copy-pasted from some other code I couldn't find.

In any case, we can easily guess that this check was put for the same
reason 5a2405ae1b3a was introduced: to prevent breaking the host
environment's consoles. This also means that excluding *all* tty
devices is overbearing, and should instead be limited to just virtual
terminals like we do on the rootfull path.

This is what this commit does, thus making the rootless codepath behave
like the rootfull one when in systemd mode.

This leaves `/dev/ptmx` as the main difference between the two
codepath. Based on the blog post from the then-runC maintainer[1] and
this Red Hat bug[2], I believe that this is intentional and a needed
difference for the rootless path.

Closes: #16925
Suggested-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>

[1]: https://www.cyphar.com/blog/post/20160627-rootless-containers-with-runc
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=501718
2023-01-16 16:23:53 +02:00
f4c81b0aa5 Only prevent VTs to be mounted inside privileged systemd containers
While mounting virtual console devices in a systemd container is a
recipe for disaster (I experienced it first hand), mounting serial
console devices, modems, and others should still be done by default
for privileged systemd-based containers.

v2, addressing the review from @fho:
 - use backticks in the regular expression to remove backslashes
 - pre-compile the regex at the package level
 - drop IsVirtualTerminalDevice (not needed for a one-liner)

v3, addressing the review from @fho and @rhatdan:
 - re-introduce a private function for matching the device names
 - use path.Match rather than a regex not to slow down startup time

Closes #16925.

Fixes: 5a2405ae1b3a ("Don't mount /dev/tty* inside privileged...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
2023-01-11 16:57:58 +02:00
c1db4f85ae Merge pull request #16329 from gupttaru/encryption-decryption-feature
Add encryption decryption feature
2022-11-28 06:33:59 -05:00
3bb9ed4f09 Adding encryption decryption feature
Signed-off-by: Tarun1 Gupta <gupttaru@deshaw.com>
2022-11-24 04:53:59 -05:00
72966a32cd [CI:DOCS] Fix spelling and typos
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-11-19 16:26:00 +01:00
71f0c9f33a Eval symlinks on XDG_RUNTIME_DIR
Partial Fix for https://github.com/containers/podman/issues/14606

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-10-28 14:32:39 -04:00
83313c547c rootless: support keep-id with one mapping
support using keep-id when only one mapping is available to the
rootless user.

When there is only one id available (e.g. there are no additional IDs
set in /etc/subuid and /etc/subgid for the unprivileged user), then
only add the identity mapping $ID -> $ID, leaving unmapped other IDs
in the user namespace.

[NO NEW TESTS NEEDED] it needs a configuration with only one ID
available.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-10-28 14:26:07 +02:00
5dad34212f rootless: add argument to GetConfiguredMappings
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-10-28 14:26:07 +02:00
1c9c321d3c Merge pull request #15979 from ygalblum/play_kube_volume_import
play kube: Allow the user to import the contents of a tar file into a volume
2022-10-25 10:05:45 -04:00
0ce234425a play kube: Allow the user to import the contents of a tar file into a volume
Add a new annotation to allow the user to point to a local tar file
If the annotation is present, import the file's content into the volume
Add a flag to PlayKubeOptions to note remote requests
Fail when trying to import volume content in remote requests
Add the annotation to the documentation
Add an E2E test to the new annotation

Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
2022-10-25 15:11:25 +03:00
221cfc6872 container/pod id file: truncate instead of throwing an error
Truncate the container and pod ID files instead of throwing an error.
The main motivation is to prevent redundant work when starting systemd
units.  Throwing an error when the file already exists is not preventing
races or file corruptions, so let's leave that to the user which in
almost all cases are generated (and tested) systemd units.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-10-25 09:37:35 +02:00
b82b27cc48 pkg/util: Add pid information descriptors for FreeBSD
[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-10-17 15:33:04 +01:00
44bac51fca bump golangci-lint to v1.49.0
Motivated to have a working `make lint` on Fedora 37 (beta).
Most changes come from the new `gofmt` standards.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-10-17 09:19:41 +02:00
5a2405ae1b Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.

Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode

This fixes https://github.com/containers/podman/issues/15878

Signed-off-by: Dan Čermák <dcermak@suse.com>
2022-09-22 16:44:26 +02:00
118546c6a7 refactor: use os.ReadDir for lightweight directory reading
`os.ReadDir` was added in Go 1.16 as part of the deprecation of `ioutil`
package. It is a more efficient implementation than `ioutil.ReadDir`.

Reference: https://pkg.go.dev/io/ioutil#ReadDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-09-11 15:58:31 +08:00
a5ee3cb790 pkg/util: Add no-op implementation of AddPrivilegedDevices on FreeBSD
[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-09-05 10:17:49 +01:00
e015c9e3f7 podman: add uid and gid options to keep-id
add two new options to the keep-id user namespace option:

- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.

For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:

$ podman run --userns=keep-id:uid=11 --rm -ti  fedora cat /proc/self/uid_map
         0          1         11
        11          0          1
        12         12      65525

Closes: https://github.com/containers/podman/issues/15294

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-08-30 14:39:27 +02:00
b806e9f360 pkg: Build pkg/util on FreeBSD
Remove freebsd from the unsupported list and add missing symbols.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-08-13 07:53:34 +01:00
4724a0000d prune filter handling
network and container prune could not handle the label!=... filter. vendor in c/common to fix this and
add some podman level handling to make everything run smoothly

resolves #14182

Signed-off-by: Charlie Doern <cdoern@redhat.com>
2022-07-25 09:28:26 -04:00
a46f798831 pkg: switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

[NO NEW TESTS NEEDED]

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-08 08:54:47 +02:00
aada13f244 volume: new options [no]copy
add two new options to the volume create command: copy and nocopy.

When nocopy is specified, the files from the container image are not
copied up to the volume.

Closes: https://github.com/containers/podman/issues/14722

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-06-27 20:22:20 +02:00
41528739ce golangci-lint: enable nolintlint
The nolintlint linter does not deny the use of `//nolint`
Instead it allows us to enforce a common nolint style:
- force that a linter name must be specified
- do not add a space between `//` and `nolint`
- make sure nolint is only used when there is actually a problem

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-06-14 16:29:42 +02:00
8533ea0004 Privileged containers can now restart if the host devices change
If a privileged container is running, stops, and the devices on the host
change, such as a USB device is unplugged, then a container would no
longer start. Previously, the devices from the host were only being
added to the container once: when the container was created. Now, this
happens every time the container starts.

I did this by adding a boolean to the container config that indicates
whether to mount all of the devices or not, which can be set via an option.

During spec generation, if the `MountAllDevices` option is set in the
container config, all host devices are added to the container.

Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go`
were moved into `pkg/util/utils_linux.go` as they were needed in
multiple packages.

Closes #13899

Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
2022-06-06 14:14:22 -04:00