Merge pull request #4698 from rhatdan/containers.conf

Add support for containers.conf
containers · Mar 27, 2020 · 3336b10 · 3336b10
2 parents 1fe2fbb + 4352d58
commit 3336b10
Show file tree

Hide file tree

Showing 91 changed files with 1,343 additions and 1,407 deletions.
diff --git a/API.md b/API.md
@@ -1296,6 +1296,10 @@ password [string](https://godoc.org/builtin#string)
 
 BuildInfo is used to describe user input for building images
 
+architecture [string](https://godoc.org/builtin#string)
+
+addCapabilities [[]string](#[]string)
+
 additionalTags [[]string](#[]string)
 
 annotations [[]string](#[]string)
@@ -1314,8 +1318,12 @@ contextDir [string](https://godoc.org/builtin#string)
 
 defaultsMountFilePath [string](https://godoc.org/builtin#string)
 
+devices [[]string](#[]string)
+
 dockerfiles [[]string](#[]string)
 
+dropCapabilities [[]string](#[]string)
+
 err [string](https://godoc.org/builtin#string)
 
 forceRmIntermediateCtrs [bool](https://godoc.org/builtin#bool)
@@ -1328,6 +1336,8 @@ layers [bool](https://godoc.org/builtin#bool)
 
 nocache [bool](https://godoc.org/builtin#bool)
 
+os [string](https://godoc.org/builtin#string)
+
 out [string](https://godoc.org/builtin#string)
 
 output [string](https://godoc.org/builtin#string)
@@ -1344,7 +1354,13 @@ reportWriter [string](https://godoc.org/builtin#string)
 
 runtimeArgs [[]string](#[]string)
 
+signBy [string](https://godoc.org/builtin#string)
+
 squash [bool](https://godoc.org/builtin#bool)
+
+target [string](https://godoc.org/builtin#string)
+
+transientMounts [[]string](#[]string)
 ### <a name="BuildOptions"></a>type BuildOptions
 
 BuildOptions are are used to describe describe physical attributes of the build

diff --git a/cmd/podman/attach.go b/cmd/podman/attach.go
@@ -2,7 +2,6 @@ package main
 
 import (
 	"github.com/containers/libpod/cmd/podman/cliconfig"
-	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/adapter"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -32,10 +31,7 @@ func init() {
 	attachCommand.SetHelpTemplate(HelpTemplate())
 	attachCommand.SetUsageTemplate(UsageTemplate())
 	flags := attachCommand.Flags()
-	flags.StringVar(&attachCommand.DetachKeys, "detach-keys", define.DefaultDetachKeys, "Select the key sequence for detaching a container. Format is a single character `[a-Z]` or a comma separated sequence of `ctrl-<value>`, where `<value>` is one of: `a-z`, `@`, `^`, `[`, `\\`, `]`, `^` or `_`")
-	// Clear the default, the value specified in the config file should have the
-	// priority
-	attachCommand.DetachKeys = ""
+	flags.StringVar(&attachCommand.DetachKeys, "detach-keys", getDefaultDetachKeys(), "Select the key sequence for detaching a container. Format is a single character `[a-Z]` or a comma separated sequence of `ctrl-<value>`, where `<value>` is one of: `a-z`, `@`, `^`, `[`, `\\`, `]`, `^` or `_`")
 	flags.BoolVar(&attachCommand.NoStdin, "no-stdin", false, "Do not attach STDIN. The default is false")
 	flags.BoolVar(&attachCommand.SigProxy, "sig-proxy", true, "Proxy received signals to the process")
 	flags.BoolVarP(&attachCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of")

diff --git a/cmd/podman/build.go b/cmd/podman/build.go
@@ -9,9 +9,9 @@ import (
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/imagebuildah"
 	buildahcli "github.com/containers/buildah/pkg/cli"
-	"github.com/containers/image/v5/types"
+	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/libpod/cmd/podman/cliconfig"
-	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/adapter"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -86,6 +86,7 @@ func initBuild() {
 	fromAndBugFlags, err := buildahcli.GetFromAndBudFlags(&fromAndBudValues, &userNSValues, &namespaceValues)
 	if err != nil {
 		logrus.Errorf("failed to setup podman build flags: %v", err)
+		os.Exit(1)
 	}
 
 	flags.AddFlagSet(&budFlags)
@@ -267,14 +268,15 @@ func buildCmd(c *cliconfig.BuildValues) error {
 	if err != nil {
 		return err
 	}
-	if conf != nil && conf.CgroupManager == define.SystemdCgroupsManager {
+	if conf != nil && conf.Engine.CgroupManager == config.SystemdCgroupsManager {
 		runtimeFlags = append(runtimeFlags, "--systemd-cgroup")
 	}
 	// end from buildah
 
 	defer runtime.DeferredShutdown(false)
 
-	var stdout, stderr, reporter *os.File
+	var stdin, stdout, stderr, reporter *os.File
+	stdin = os.Stdin
 	stdout = os.Stdout
 	stderr = os.Stderr
 	reporter = os.Stderr
@@ -310,6 +312,17 @@ func buildCmd(c *cliconfig.BuildValues) error {
 		return err
 	}
 
+	networkPolicy := buildah.NetworkDefault
+	for _, ns := range nsValues {
+		if ns.Name == "none" {
+			networkPolicy = buildah.NetworkDisabled
+			break
+		} else if !filepath.IsAbs(ns.Path) {
+			networkPolicy = buildah.NetworkEnabled
+			break
+		}
+	}
+
 	buildOpts := buildah.CommonBuildOptions{
 		AddHost:      c.AddHost,
 		CgroupParent: c.CgroupParent,
@@ -341,21 +354,49 @@ func buildCmd(c *cliconfig.BuildValues) error {
 		layers = false
 	}
 
+	compression := imagebuildah.Gzip
+	if c.DisableCompression {
+		compression = imagebuildah.Uncompressed
+	}
+
+	isolation, err := parse.IsolationOption(c.Isolation)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing ID mapping options")
+	}
+
+	usernsOption, idmappingOptions, err := parse.IDMappingOptions(c.PodmanCommand.Command, isolation)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing ID mapping options")
+	}
+	nsValues = append(nsValues, usernsOption...)
+
+	systemContext, err := parse.SystemContextFromOptions(c.PodmanCommand.Command)
+	if err != nil {
+		return errors.Wrapf(err, "error building system context")
+	}
+
 	options := imagebuildah.BuildOptions{
-		Architecture:            c.Arch,
-		CommonBuildOpts:         &buildOpts,
+		AddCapabilities:         c.CapAdd,
 		AdditionalTags:          tags,
 		Annotations:             c.Annotation,
+		Architecture:            c.Arch,
 		Args:                    args,
+		BlobDirectory:           c.BlobCache,
 		CNIConfigDir:            c.CNIConfigDir,
 		CNIPluginPath:           c.CNIPlugInPath,
-		Compression:             imagebuildah.Gzip,
+		CommonBuildOpts:         &buildOpts,
+		Compression:             compression,
+		ConfigureNetwork:        networkPolicy,
 		ContextDirectory:        contextDir,
 		DefaultMountsFilePath:   c.GlobalFlags.DefaultMountsFile,
+		Devices:                 c.Devices,
+		DropCapabilities:        c.CapDrop,
 		Err:                     stderr,
-		In:                      os.Stdin,
 		ForceRmIntermediateCtrs: c.ForceRm,
+		IDMappingOptions:        idmappingOptions,
 		IIDFile:                 c.Iidfile,
+		In:                      stdin,
+		Isolation:               isolation,
 		Labels:                  c.Label,
 		Layers:                  layers,
 		NamespaceOptions:        nsValues,
@@ -369,13 +410,12 @@ func buildCmd(c *cliconfig.BuildValues) error {
 		RemoveIntermediateCtrs:  c.Rm,
 		ReportWriter:            reporter,
 		RuntimeArgs:             runtimeFlags,
+		SignBy:                  c.SignBy,
 		SignaturePolicyPath:     c.SignaturePolicy,
 		Squash:                  c.Squash,
-		SystemContext: &types.SystemContext{
-			OSChoice:           c.OverrideOS,
-			ArchitectureChoice: c.OverrideArch,
-		},
-		Target: c.Target,
+		SystemContext:           systemContext,
+		Target:                  c.Target,
+		TransientMounts:         c.Volumes,
 	}
 	_, _, err = runtime.Build(getContext(), c, options, containerfiles)
 	return err

diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
@@ -2,7 +2,10 @@ package cliconfig
 
 import (
 	"net"
+	"os"
 
+	"github.com/containers/common/pkg/config"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 
@@ -700,3 +703,14 @@ type SystemDfValues struct {
 type UntagValues struct {
 	PodmanCommand
 }
+
+func GetDefaultConfig() *config.Config {
+	var err error
+	conf, err := config.NewConfig("")
+	conf.CheckCgroupsAndAdjustConfig()
+	if err != nil {
+		logrus.Errorf("Error loading container config %v\n", err)
+		os.Exit(1)
+	}
+	return conf
+}
diff --git a/cmd/podman/cliconfig/defaults.go b/cmd/podman/cliconfig/defaults.go
@@ -11,6 +11,4 @@ var (
 	DefaultHealthCheckTimeout = "30s"
 	// DefaultImageVolume default value
 	DefaultImageVolume = "bind"
-	// DefaultShmSize default value
-	DefaultShmSize = "65536k"
 )
diff --git a/cmd/podman/commands.go b/cmd/podman/commands.go
@@ -3,6 +3,15 @@
 package main
 
 import (
+	"fmt"
+	"os"
+
+	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/libpod/pkg/apparmor"
+	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/sysinfo"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/spf13/cobra"
 )
 
@@ -81,3 +90,107 @@ func getSystemSubCommands() []*cobra.Command {
 
 	return systemCommands
 }
+
+func getDefaultSecurityOptions() []string {
+	securityOpts := []string{}
+	if defaultContainerConfig.Containers.SeccompProfile != "" && defaultContainerConfig.Containers.SeccompProfile != parse.SeccompDefaultPath {
+		securityOpts = append(securityOpts, fmt.Sprintf("seccomp=%s", defaultContainerConfig.Containers.SeccompProfile))
+	}
+	if apparmor.IsEnabled() && defaultContainerConfig.Containers.ApparmorProfile != "" {
+		securityOpts = append(securityOpts, fmt.Sprintf("apparmor=%s", defaultContainerConfig.Containers.ApparmorProfile))
+	}
+	if selinux.GetEnabled() && !defaultContainerConfig.Containers.EnableLabeling {
+		securityOpts = append(securityOpts, fmt.Sprintf("label=%s", selinux.DisableSecOpt()[0]))
+	}
+	return securityOpts
+}
+
+// getDefaultSysctls
+func getDefaultSysctls() []string {
+	return defaultContainerConfig.Containers.DefaultSysctls
+}
+
+func getDefaultVolumes() []string {
+	return defaultContainerConfig.Containers.Volumes
+}
+
+func getDefaultDevices() []string {
+	return defaultContainerConfig.Containers.Devices
+}
+
+func getDefaultDNSServers() []string {
+	return defaultContainerConfig.Containers.DNSServers
+}
+
+func getDefaultDNSSearches() []string {
+	return defaultContainerConfig.Containers.DNSSearches
+}
+
+func getDefaultDNSOptions() []string {
+	return defaultContainerConfig.Containers.DNSOptions
+}
+
+func getDefaultEnv() []string {
+	return defaultContainerConfig.Containers.Env
+}
+
+func getDefaultInitPath() string {
+	return defaultContainerConfig.Containers.InitPath
+}
+
+func getDefaultIPCNS() string {
+	return defaultContainerConfig.Containers.IPCNS
+}
+
+func getDefaultPidNS() string {
+	return defaultContainerConfig.Containers.PidNS
+}
+
+func getDefaultNetNS() string {
+	if defaultContainerConfig.Containers.NetNS == "private" && rootless.IsRootless() {
+		return "slirp4netns"
+	}
+	return defaultContainerConfig.Containers.NetNS
+}
+
+func getDefaultCgroupNS() string {
+	return defaultContainerConfig.Containers.CgroupNS
+}
+
+func getDefaultUTSNS() string {
+	return defaultContainerConfig.Containers.UTSNS
+}
+
+func getDefaultShmSize() string {
+	return defaultContainerConfig.Containers.ShmSize
+}
+
+func getDefaultUlimits() []string {
+	return defaultContainerConfig.Containers.DefaultUlimits
+}
+
+func getDefaultUserNS() string {
+	userns := os.Getenv("PODMAN_USERNS")
+	if userns != "" {
+		return userns
+	}
+	return defaultContainerConfig.Containers.UserNS
+}
+
+func getDefaultPidsLimit() int64 {
+	if rootless.IsRootless() {
+		cgroup2, _ := cgroups.IsCgroup2UnifiedMode()
+		if cgroup2 {
+			return defaultContainerConfig.Containers.PidsLimit
+		}
+	}
+	return sysinfo.GetDefaultPidsLimit()
+}
+
+func getDefaultPidsDescription() string {
+	return "Tune container pids limit (set 0 for unlimited)"
+}
+
+func getDefaultDetachKeys() string {
+	return defaultContainerConfig.Engine.DetachKeys
+}