mirror/ youki
1
0
Fork 0
mirror of https://github.com/containers/youki synced 2024-06-10 08:46:21 +02:00
Code Issues
youki/src/container/tenant_builder.rs

362 lines
11 KiB
Rust
Raw Normal View History

Support calling exec multiple times
2021-07-15 22:12:21 +02:00
use anyhow::{bail, Context, Result};
Implement exec command
2021-07-15 01:09:04 +02:00
use caps::Capability;
add chdir back.
2021-07-21 00:41:12 +02:00
use nix::unistd;
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
use oci_spec::runtime::{
Define CapabilityExt with a functions to convert caps to oci_spec Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-08 13:24:37 +02:00
Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxCapabilities,
LinuxNamespace, LinuxNamespaceType, Process, Spec,
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
};
Bump procfs
2021-09-06 11:25:17 +02:00
use procfs::process::Namespace;
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
use std::{
collections::HashMap,
Implement exec command
2021-07-15 01:09:04 +02:00
convert::TryFrom,
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
fs,
Merge remote-tracking branch 'upstream/main' into upgrade-oci-spec-rs Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-07 04:32:41 +02:00
os::unix::prelude::RawFd,
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
path::{Path, PathBuf},
Implement exec command
2021-07-15 01:09:04 +02:00
str::FromStr,
};
Define CapabilityExt with a functions to convert caps to oci_spec Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-08 13:24:37 +02:00
use crate::capabilities::CapabilityExt;
Add validation for setgroup and refactor rootless
2021-08-28 19:37:52 +02:00
use crate::{notify_socket::NotifySocket, rootless::Rootless, tty, utils};
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Implement exec command
2021-07-15 01:09:04 +02:00
use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Implement exec command
2021-07-15 01:09:04 +02:00
const NAMESPACE_TYPES: &[&str] = &["ipc", "uts", "net", "pid", "mnt", "cgroup"];
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
const TENANT_NOTIFY: &str = "tenant-notify-";
const TENANT_TTY: &str = "tenant-tty-";
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Add documentation
2021-07-05 19:40:35 +02:00
/// Builder that can be used to configure the properties of a process
/// that will join an existing container sandbox
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
pub struct TenantContainerBuilder {
base: ContainerBuilder,
env: HashMap<String, String>,
cwd: Option<PathBuf>,
Implement exec command
2021-07-15 01:09:04 +02:00
args: Vec<String>,
no_new_privs: Option<bool>,
capabilities: Vec<String>,
process: Option<PathBuf>,
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
}
impl TenantContainerBuilder {
Add documentation
2021-07-05 19:40:35 +02:00
/// Generates the base configuration for a process that will join
/// an existing container sandbox from which configuration methods
/// can be chained
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
pub(super) fn new(builder: ContainerBuilder) -> Self {
Self {
base: builder,
env: HashMap::new(),
cwd: None,
Implement exec command
2021-07-15 01:09:04 +02:00
args: Vec::new(),
no_new_privs: None,
capabilities: Vec::new(),
process: None,
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
}
}
Add documentation
2021-07-05 19:40:35 +02:00
/// Sets environment variables for the container
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
pub fn with_env(mut self, env: HashMap<String, String>) -> Self {
self.env = env;
self
}
Add documentation
2021-07-05 19:40:35 +02:00
/// Sets the working directory of the container
make the builder pattern more flowing and code readable.
2021-07-29 15:26:14 +02:00
pub fn with_cwd<P: Into<PathBuf>>(mut self, path: Option<P>) -> Self {
self.cwd = path.map(|p| p.into());
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
self
}
Add documentation
2021-07-05 19:40:35 +02:00
/// Sets the command the container will be started with
Implement exec command
2021-07-15 01:09:04 +02:00
pub fn with_container_args(mut self, args: Vec<String>) -> Self {
self.args = args;
self
}
pub fn with_no_new_privs(mut self, no_new_privs: bool) -> Self {
self.no_new_privs = Some(no_new_privs);
self
}
pub fn with_capabilities(mut self, capabilities: Vec<String>) -> Self {
self.capabilities = capabilities;
self
}
make the builder pattern more flowing and code readable.
2021-07-29 15:26:14 +02:00
pub fn with_process<P: Into<PathBuf>>(mut self, path: Option<P>) -> Self {
self.process = path.map(|p| p.into());
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
self
}
Add documentation
2021-07-05 19:40:35 +02:00
/// Joins an existing container
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
pub fn build(self) -> Result<()> {
let container_dir = self.lookup_container_dir()?;
Implement exec command
2021-07-15 01:09:04 +02:00
let container = self.load_container_state(container_dir.clone())?;
let mut spec = self.load_init_spec(&container_dir)?;
self.adapt_spec_for_tenant(&mut spec, &container)?;
log::debug!("{:#?}", spec);
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
add chdir back.
2021-07-21 00:41:12 +02:00
unistd::chdir(&*container_dir)?;
fix the notify listener
2021-07-19 08:22:47 +02:00
let notify_path = Self::setup_notify_listener(&container_dir)?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
// convert path of root file system of the container to absolute path
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
let rootfs = fs::canonicalize(&spec.root.as_ref().context("no root in spec")?.path)?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
// if socket file path is given in commandline options,
// get file descriptors of console socket
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
let csocketfd = self.setup_tty_socket(&container_dir)?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Implement exec command
2021-07-15 01:09:04 +02:00
let use_systemd = self.should_use_systemd(&container);
Add validation for setgroup and refactor rootless
2021-08-28 19:37:52 +02:00
let rootless = Rootless::new(&spec)?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
let mut builder_impl = ContainerBuilderImpl {
init: false,
syscall: self.base.syscall,
container_id: self.base.container_id,
pid_file: self.base.pid_file,
console_socket: csocketfd,
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
use_systemd,
reduce the number of clones by introducing lifetime to rootless.
2021-08-08 10:37:13 +02:00
spec: &spec,
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
rootfs,
rootless,
fix the notify listener
2021-07-19 08:22:47 +02:00
notify_path: notify_path.clone(),
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
container: None,
Implemented preserve_fds
2021-08-02 02:23:56 +02:00
preserve_fds: self.base.preserve_fds,
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
};
builder_impl.create()?;
Implement exec command
2021-07-15 01:09:04 +02:00
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
let mut notify_socket = NotifySocket::new(notify_path);
Implement exec command
2021-07-15 01:09:04 +02:00
notify_socket.notify_container_start()?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Ok(())
}
fn lookup_container_dir(&self) -> Result<PathBuf> {
let container_dir = self.base.root_path.join(&self.base.container_id);
if !container_dir.exists() {
bail!("container {} does not exist", self.base.container_id);
}
Ok(container_dir)
}
fn load_init_spec(&self, container_dir: &Path) -> Result<Spec> {
let spec_path = container_dir.join("config.json");
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
let spec = Spec::load(spec_path).context("failed to load spec")?;
Split container builder into dedicated init and tenant builders The current monolithic builder provides options that should only be called during init and not when creating a tenant and vice versa. This puts the burden on the user of the builder to know which methods are safe to call. Now the ContainerBuilder can be used to specify options that are common to both scenarios and afterwards as_init/as_tenant can be called to provide scenario specific options. This also simplifies the whole "if init then else" branching logic during container build.
2021-07-04 22:44:07 +02:00
Ok(spec)
}
Implement exec command
2021-07-15 01:09:04 +02:00
fn load_container_state(&self, container_dir: PathBuf) -> Result<Container> {
let container = Container::load(container_dir)?.refresh_status()?;
if !container.can_exec() {
bail!(
"Cannot exec as container is in state {}",
container.status()
);
}
Ok(container)
}
fn adapt_spec_for_tenant(&self, spec: &mut Spec, container: &Container) -> Result<()> {
if let Some(ref process) = self.process {
self.set_process(spec, process)?;
} else {
self.set_working_dir(spec)?;
self.set_args(spec)?;
self.set_environment(spec)?;
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
self.set_no_new_privileges(spec)?;
Implement exec command
2021-07-15 01:09:04 +02:00
self.set_capabilities(spec)?;
}
if container.pid().is_none() {
bail!("Could not retrieve container init pid");
}
let init_process = procfs::process::Process::new(container.pid().unwrap().as_raw())?;
self.set_namespaces(spec, init_process.namespaces()?)?;
Ok(())
}
fn set_process(&self, spec: &mut Spec, process: &Path) -> Result<()> {
if !process.exists() {
bail!(
"Process.json file does not exist at specified path {}",
process.display()
)
}
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
let process = utils::open(process)?;
Implement exec command
2021-07-15 01:09:04 +02:00
let process_spec: Process = serde_json::from_reader(process)?;
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
spec.process = Some(process_spec);
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
Ok(())
Implement exec command
2021-07-15 01:09:04 +02:00
}
fn set_working_dir(&self, spec: &mut Spec) -> Result<()> {
if let Some(ref cwd) = self.cwd {
if cwd.is_relative() {
bail!(
"Current working directory must be an absolute path, but is {}",
cwd.display()
);
}
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
spec.process.as_mut().context("no process in spec")?.cwd = cwd.to_path_buf();
Implement exec command
2021-07-15 01:09:04 +02:00
}
Ok(())
}
fn set_args(&self, spec: &mut Spec) -> Result<()> {
if self.args.is_empty() {
bail!("Container command was not specified")
}
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec.process.as_mut().context("no process in spec")?.args = self.args.clone().into();
Implement exec command
2021-07-15 01:09:04 +02:00
Ok(())
}
fn set_environment(&self, spec: &mut Spec) -> Result<()> {
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
spec.process
.as_mut()
.context("no process in spec")?
.env
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
.as_mut()
.context("no env in process spec")?
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
.append(
&mut self
.env
.iter()
.map(|(k, v)| format!("{}={}", k, v))
.collect(),
);
Implement exec command
2021-07-15 01:09:04 +02:00
Ok(())
}
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
fn set_no_new_privileges(&self, spec: &mut Spec) -> Result<()> {
Implement exec command
2021-07-15 01:09:04 +02:00
if let Some(no_new_privs) = self.no_new_privs {
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
spec.process
.as_mut()
.context("no process in spec")?
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
.no_new_privileges = no_new_privs.into();
Implement exec command
2021-07-15 01:09:04 +02:00
}
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
Ok(())
Implement exec command
2021-07-15 01:09:04 +02:00
}
fn set_capabilities(&self, spec: &mut Spec) -> Result<()> {
if !self.capabilities.is_empty() {
add serde_support to caps format cargo comments comment cargo files
2021-07-20 20:59:34 +02:00
let mut caps: Vec<Capability> = Vec::with_capacity(self.capabilities.len());
Implement exec command
2021-07-15 01:09:04 +02:00
for cap in &self.capabilities {
add serde_support to caps format cargo comments comment cargo files
2021-07-20 20:59:34 +02:00
caps.push(Capability::from_str(cap)?);
Implement exec command
2021-07-15 01:09:04 +02:00
}
Define CapabilityExt with a functions to convert caps to oci_spec Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-08 13:24:37 +02:00
let caps: SpecCapabilities =
caps.iter().map(|c| SpecCapability::from_cap(*c)).collect();
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
if let Some(ref mut spec_caps) = spec
.process
.as_mut()
.context("no process in spec")?
.capabilities
{
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec_caps
.ambient
.as_mut()
.context("no ambient caps in process spec")?
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
.extend(&caps);
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec_caps
.bounding
.as_mut()
.context("no bounding caps in process spec")?
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
.extend(&caps);
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec_caps
.effective
.as_mut()
.context("no effective caps in process spec")?
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
.extend(&caps);
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec_caps
.inheritable
.as_mut()
.context("no inheritable caps in process spec")?
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
.extend(&caps);
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
spec_caps
.permitted
.as_mut()
.context("no permitted caps in process spec")?
Upgrade oci-spec-rs to 0.4.0 for youki 1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2021-09-06 11:08:17 +02:00
.extend(&caps);
Implement exec command
2021-07-15 01:09:04 +02:00
} else {
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
spec.process
.as_mut()
.context("no process in spec")?
.capabilities = Some(LinuxCapabilities {
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
ambient: caps.clone().into(),
bounding: caps.clone().into(),
effective: caps.clone().into(),
inheritable: caps.clone().into(),
permitted: caps.into(),
Implement exec command
2021-07-15 01:09:04 +02:00
})
}
}
Ok(())
}
fn set_namespaces(&self, spec: &mut Spec, init_namespaces: Vec<Namespace>) -> Result<()> {
let mut tenant_namespaces = Vec::with_capacity(init_namespaces.len());
for ns_type in NAMESPACE_TYPES.iter().copied() {
if let Some(init_ns) = init_namespaces.iter().find(|n| n.ns_type.eq(ns_type)) {
let tenant_ns = LinuxNamespaceType::try_from(ns_type)?;
tenant_namespaces.push(LinuxNamespace {
typ: tenant_ns,
reduce the number of clones by introducing lifetime to namespaces.
2021-08-09 07:54:24 +02:00
path: Some(init_ns.path.clone()),
Implement exec command
2021-07-15 01:09:04 +02:00
})
}
}
Generalize OCI spec root We now generalize and document the OCI `Spec` root structure. This means that some fields have been added and other are now optional. All corresponding usages of the new spec format have been changed and tests have been adapted. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-07-30 12:40:45 +02:00
let mut linux = &mut spec.linux.as_mut().context("no linux in spec")?;
Make optional types optional This adds a few missing types and synchronizes them with the implementation in containrs. Optional types are now not required any more which means that all necessary code paths in youki needs to be adapted as well. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-08-04 13:41:00 +02:00
linux.namespaces = tenant_namespaces.into();
Implement exec command
2021-07-15 01:09:04 +02:00
Ok(())
}
fn should_use_systemd(&self, container: &Container) -> bool {
if let Some(use_systemd) = container.systemd() {
return use_systemd;
}
false
}
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
fix the notify listener
2021-07-19 08:22:47 +02:00
fn setup_notify_listener(container_dir: &Path) -> Result<PathBuf> {
fix the warnings found by cargo clippy.
2021-08-01 12:12:49 +02:00
let notify_name = Self::generate_name(container_dir, TENANT_NOTIFY);
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
let socket_path = container_dir.join(&notify_name);
fix the notify listener
2021-07-19 08:22:47 +02:00
Ok(socket_path)
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
}
delete the original FileDescriptor. I was going to develop it a bit more, but there was no point in being particularly original, I deleted it.
2021-08-09 08:05:31 +02:00
fn setup_tty_socket(&self, container_dir: &Path) -> Result<Option<RawFd>> {
fix the warnings found by cargo clippy.
2021-08-01 12:12:49 +02:00
let tty_name = Self::generate_name(container_dir, TENANT_TTY);
Support calling exec multiple times
2021-07-15 22:12:21 +02:00
let csocketfd = if let Some(console_socket) = &self.base.console_socket {
Some(tty::setup_console_socket(
container_dir,
console_socket,
&tty_name,
)?)
} else {
None
};
Ok(csocketfd)
}
fn generate_name(dir: &Path, prefix: &str) -> String {
loop {
let rand = fastrand::i32(..);
let name = format!("{}{:x}.sock", prefix, rand);
if !dir.join(&name).exists() {
return name;
}
}
}
Implement exec command
2021-07-15 01:09:04 +02:00
}