mirror of
https://github.com/containers/podman.git
synced 2025-05-21 00:56:36 +08:00
0f7d54b026
Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
66 lines
2.0 KiB
Go
66 lines
2.0 KiB
Go
// +build linux,cgo
|
|
|
|
package generate
|
|
|
|
import (
|
|
"context"
|
|
"io/ioutil"
|
|
|
|
"github.com/containers/common/libimage"
|
|
goSeccomp "github.com/containers/common/pkg/seccomp"
|
|
"github.com/containers/podman/v3/pkg/seccomp"
|
|
"github.com/containers/podman/v3/pkg/specgen"
|
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *libimage.Image) (*spec.LinuxSeccomp, error) {
|
|
var seccompConfig *spec.LinuxSeccomp
|
|
var err error
|
|
scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if scp == seccomp.PolicyImage {
|
|
if img == nil {
|
|
return nil, errors.New("cannot read seccomp profile without a valid image")
|
|
}
|
|
labels, err := img.Labels(context.Background())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
imagePolicy := labels[seccomp.ContainerImageLabel]
|
|
if len(imagePolicy) < 1 {
|
|
return nil, errors.New("no seccomp policy defined by image")
|
|
}
|
|
logrus.Debug("Loading seccomp profile from the security config")
|
|
seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "loading seccomp profile failed")
|
|
}
|
|
return seccompConfig, nil
|
|
}
|
|
|
|
if s.SeccompProfilePath != "" {
|
|
logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
|
|
seccompProfile, err := ioutil.ReadFile(s.SeccompProfilePath)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "opening seccomp profile failed")
|
|
}
|
|
seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
|
|
}
|
|
} else {
|
|
logrus.Debug("Loading default seccomp profile")
|
|
seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
|
|
}
|
|
}
|
|
|
|
return seccompConfig, nil
|
|
}
|