containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rootless: fix --net host --privileged 

Closes: https://github.com/containers/libpod/issues/1313

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1323
Approved by: umohnani8
This commit is contained in:
Giuseppe Scrivano 2018-08-22 17:45:07 +02:00 committed by Atomic Bot
parent b4420e22fc
commit 77bcc89d52
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/spec/spec.go
View File

@ -25,7 +25,13 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
}
g.HostSpecific = true
addCgroup := true
if config.Privileged {
canMountSys := true
if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
canMountSys = false
}
if config.Privileged && canMountSys {
cgroupPerm = "rw"
g.RemoveMount("/sys")
sysMnt := spec.Mount{
@ -35,14 +41,18 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"nosuid", "noexec", "nodev", "rw"},
}
g.AddMount(sysMnt)
} else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
} else if !canMountSys {
addCgroup = false
g.RemoveMount("/sys")
r := "ro"
if config.Privileged {
r = "rw"
}
sysMnt := spec.Mount{
Destination: "/sys",
Type: "bind",
Source: "/sys",
Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
Options: []string{"nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
}