
Commit dcf3c74

committed
Split up create config handling of namespaces and security
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unwieldy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <[email protected]>
1 parent 3463a71 commit dcf3c74

12 files changed

+907
-710
lines changed

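--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -26,7 +26,6 @@ import (
 "github.com/docker/docker/pkg/signal"
 "github.com/docker/go-connections/nat"
 "github.com/docker/go-units"
-"github.com/opencontainers/selinux/go-selinux/label"
 "github.com/opentracing/opentracing-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -195,72 +194,6 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 return ctr, createConfig, nil
 }
 
-func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
-var (
-labelOpts []string
-)
-
-if config.PidMode.IsHost() {
-labelOpts = append(labelOpts, label.DisableSecOpt()...)
-} else if config.PidMode.IsContainer() {
-ctr, err := runtime.LookupContainer(config.PidMode.Container())
-if err != nil {
-return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
-}
-secopts, err := label.DupSecOpt(ctr.ProcessLabel())
-if err != nil {
-return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
-}
-labelOpts = append(labelOpts, secopts...)
-}
-
-if config.IpcMode.IsHost() {
-labelOpts = append(labelOpts, label.DisableSecOpt()...)
-} else if config.IpcMode.IsContainer() {
-ctr, err := runtime.LookupContainer(config.IpcMode.Container())
-if err != nil {
-return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
-}
-secopts, err := label.DupSecOpt(ctr.ProcessLabel())
-if err != nil {
-return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
-}
-labelOpts = append(labelOpts, secopts...)
-}
-
-for _, opt := range securityOpts {
-if opt == "no-new-privileges" {
-config.NoNewPrivs = true
-} else {
-con := strings.SplitN(opt, "=", 2)
-if len(con) != 2 {
-return fmt.Errorf("invalid --security-opt 1: %q", opt)
-}
-
-switch con[0] {
-case "label":
-labelOpts = append(labelOpts, con[1])
-case "apparmor":
-config.ApparmorProfile = con[1]
-case "seccomp":
-config.SeccompProfilePath = con[1]
-default:
-return fmt.Errorf("invalid --security-opt 2: %q", opt)
-}
-}
-}
-
-if config.SeccompProfilePath == "" {
-var err error
-config.SeccompProfilePath, err = libpod.DefaultSeccompPath()
-if err != nil {
-return err
-}
-}
-config.LabelOpts = labelOpts
-return nil
-}
-
 func configureEntrypoint(c *GenericCLIResults, data *inspect.ImageData) []string {
 entrypoint := []string{}
 if c.IsSet("entrypoint") {
@@ -348,11 +281,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 rootfs = c.InputArgs[0]
 }
 
-sysctl, err := validateSysctl(c.StringSlice("sysctl"))
-if err != nil {
-return nil, errors.Wrapf(err, "invalid value for sysctl")
-}
-
 if c.String("memory") != "" {
 memoryLimit, err = units.RAMInBytes(c.String("memory"))
 if err != nil {
@@ -691,61 +619,96 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 pidsLimit = 0
 }
 
+pid := &cc.PidConfig{
+PidMode: pidMode,
+}
+ipc := &cc.IpcConfig{
+IpcMode: ipcMode,
+}
+
+cgroup := &cc.CgroupConfig{
+Cgroups: c.String("cgroups"),
+Cgroupns: c.String("cgroupns"),
+CgroupParent: c.String("cgroup-parent"),
+CgroupMode: cgroupMode,
+}
+
+userns := &cc.UserConfig{
+GroupAdd: c.StringSlice("group-add"),
+IDMappings: idmappings,
+UsernsMode: usernsMode,
+User: user,
+}
+
+uts := &cc.UtsConfig{
+UtsMode: utsMode,
+NoHosts: c.Bool("no-hosts"),
+HostAdd: c.StringSlice("add-host"),
+Hostname: c.String("hostname"),
+}
+
+net := &cc.NetworkConfig{
+DNSOpt: c.StringSlice("dns-opt"),
+DNSSearch: c.StringSlice("dns-search"),
+DNSServers: c.StringSlice("dns"),
+HTTPProxy: c.Bool("http-proxy"),
+MacAddress: c.String("mac-address"),
+Network: network,
+NetMode: netMode,
+IPAddress: c.String("ip"),
+Publish: c.StringSlice("publish"),
+PublishAll: c.Bool("publish-all"),
+PortBindings: portBindings,
+}
+
+sysctl, err := validateSysctl(c.StringSlice("sysctl"))
+if err != nil {
+return nil, errors.Wrapf(err, "invalid value for sysctl")
+}
+
+secConfig := &cc.SecurityConfig{
+CapAdd: c.StringSlice("cap-add"),
+CapDrop: c.StringSlice("cap-drop"),
+Privileged: c.Bool("privileged"),
+ReadOnlyRootfs: c.Bool("read-only"),
+ReadOnlyTmpfs: c.Bool("read-only-tmpfs"),
+Sysctl: sysctl,
+}
+
+if err := secConfig.SetLabelOpts(runtime, pid, ipc); err != nil {
+return nil, err
+}
+if err := secConfig.SetSecurityOpts(runtime, c.StringArray("security-opt")); err != nil {
+return nil, err
+}
+
 config := &cc.CreateConfig{
 Annotations: annotations,
 BuiltinImgVolumes: ImageVolumes,
 ConmonPidFile: c.String("conmon-pidfile"),
 ImageVolumeType: c.String("image-volume"),
-CapAdd: c.StringSlice("cap-add"),
-CapDrop: c.StringSlice("cap-drop"),
 CidFile: c.String("cidfile"),
-Cgroupns: c.String("cgroupns"),
-Cgroups: c.String("cgroups"),
-CgroupParent: c.String("cgroup-parent"),
 Command: command,
 UserCommand: userCommand,
 Detach: c.Bool("detach"),
 Devices: c.StringSlice("device"),
-DNSOpt: c.StringSlice("dns-opt"),
-DNSSearch: c.StringSlice("dns-search"),
-DNSServers: c.StringSlice("dns"),
 Entrypoint: entrypoint,
 Env: env,
 // ExposedPorts: ports,
-GroupAdd: c.StringSlice("group-add"),
-Hostname: c.String("hostname"),
-HostAdd: c.StringSlice("add-host"),
-HTTPProxy: c.Bool("http-proxy"),
-NoHosts: c.Bool("no-hosts"),
-IDMappings: idmappings,
 Init: c.Bool("init"),
 InitPath: c.String("init-path"),
 Image: imageName,
 ImageID: imageID,
 Interactive: c.Bool("interactive"),
 // IP6Address: c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
-IPAddress: c.String("ip"),
-Labels: labels,
+Labels: labels,
 // LinkLocalIP: c.StringSlice("link-local-ip"), // Not implemented yet
 LogDriver: logDriver,
 LogDriverOpt: c.StringSlice("log-opt"),
-MacAddress: c.String("mac-address"),
 Name: c.String("name"),
-Network: network,
 // NetworkAlias: c.StringSlice("network-alias"), // Not implemented - does this make sense in Podman?
-IpcMode: ipcMode,
-NetMode: netMode,
-UtsMode: utsMode,
-PidMode: pidMode,
-CgroupMode: cgroupMode,
-Pod: podName,
-Privileged: c.Bool("privileged"),
-Publish: c.StringSlice("publish"),
-PublishAll: c.Bool("publish-all"),
-PortBindings: portBindings,
-Quiet: c.Bool("quiet"),
-ReadOnlyRootfs: c.Bool("read-only"),
-ReadOnlyTmpfs: c.Bool("read-only-tmpfs"),
+Pod: podName,
+Quiet: c.Bool("quiet"),
 Resources: cc.CreateResourceConfig{
 BlkioWeight: blkioWeight,
 BlkioWeightDevice: c.StringSlice("blkio-weight-device"),
@@ -774,30 +737,27 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 },
 RestartPolicy: c.String("restart"),
 Rm: c.Bool("rm"),
+Security: *secConfig,
 StopSignal: stopSignal,
 StopTimeout: c.Uint("stop-timeout"),
-Sysctl: sysctl,
 Systemd: systemd,
 Tmpfs: c.StringArray("tmpfs"),
 Tty: tty,
-User: user,
-UsernsMode: usernsMode,
 MountsFlag: c.StringArray("mount"),
 Volumes: c.StringArray("volume"),
 WorkDir: workDir,
 Rootfs: rootfs,
 VolumesFrom: c.StringSlice("volumes-from"),
 Syslog: c.Bool("syslog"),
-}
 
-if config.Privileged {
-config.LabelOpts = label.DisableSecOpt()
-} else {
-if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
-return nil, err
-}
+Pid: *pid,
+Ipc: *ipc,
+Cgroup: *cgroup,
+User: *userns,
+Uts: *uts,
+Network: *net,
 }
-config.SecurityOpts = c.StringArray("security-opt")
+
 warnings, err := verifyContainerResources(config, false)
 if err != nil {
 return nil, err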
