mirror of
https://github.com/containers/podman.git
synced 2025-12-02 11:08:36 +08:00
c1b6effac5
These files should never be included on the remote client. There only there to finalize the spec on the server side. This makes sure it will not get reimported by accident and bloat the remote client again. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
37 lines
982 B
Go
37 lines
982 B
Go
//go:build !remote
|
|
// +build !remote
|
|
|
|
package generate
|
|
|
|
import (
|
|
"github.com/containers/common/libimage"
|
|
"github.com/containers/common/pkg/config"
|
|
"github.com/containers/podman/v4/libpod"
|
|
"github.com/containers/podman/v4/pkg/specgen"
|
|
"github.com/opencontainers/runtime-tools/generate"
|
|
)
|
|
|
|
// setLabelOpts sets the label options of the SecurityConfig according to the
|
|
// input.
|
|
func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig specgen.Namespace, ipcConfig specgen.Namespace) error {
|
|
return nil
|
|
}
|
|
|
|
func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *libimage.Image, rtc *config.Config) error {
|
|
// If this is a privileged container, change the devfs ruleset to expose all devices.
|
|
if s.Privileged {
|
|
for k, m := range g.Config.Mounts {
|
|
if m.Type == "devfs" {
|
|
m.Options = []string{
|
|
"ruleset=0",
|
|
}
|
|
g.Config.Mounts[k] = m
|
|
}
|
|
}
|
|
}
|
|
|
|
g.SetRootReadonly(s.ReadOnlyFilesystem)
|
|
|
|
return nil
|
|
}
|