containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Handle image user and exposed ports in podman play kube 

Currently if a user runs an image with a user specified or
exposed ports with podman play kube, the fields are ignored.

Fixed: https://github.com/containers/podman/issues/9609

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2021-05-18 10:37:54 -04:00
parent 5b4ffc7ba7
commit de293c9802
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
3 changed files with 84 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/specgen/generate/kube/kube.go
View File

@ -12,6 +12,7 @@ import (
"github.com/containers/common/pkg/secrets" "github.com/containers/common/pkg/secrets"
ann "github.com/containers/podman/v3/pkg/annotations" ann "github.com/containers/podman/v3/pkg/annotations"
"github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/specgen/generate"
"github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -182,6 +183,19 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
if imageData.Config.WorkingDir != "" { if imageData.Config.WorkingDir != "" {
s.WorkDir = imageData.Config.WorkingDir s.WorkDir = imageData.Config.WorkingDir
} }
if s.User == "" {
s.User = imageData.Config.User
}
exposed, err := generate.GenExposedPorts(imageData.Config.ExposedPorts)
if err != nil {
return nil, err
}
for k, v := range s.Expose {
exposed[k] = v
}
s.Expose = exposed
// Pull entrypoint and cmd from image // Pull entrypoint and cmd from image
s.Entrypoint = imageData.Config.Entrypoint s.Entrypoint = imageData.Config.Entrypoint
s.Command = imageData.Config.Cmd s.Command = imageData.Config.Cmd

49
pkg/specgen/generate/ports.go
View File

@ -268,31 +268,18 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
logrus.Debugf("Adding exposed ports") logrus.Debugf("Adding exposed ports")
// We need to merge s.Expose into image exposed ports
expose := make(map[uint16]string) expose := make(map[uint16]string)
for k, v := range s.Expose {
expose[k] = v
}
if imageData != nil { if imageData != nil {
for imgExpose := range imageData.Config.ExposedPorts { expose, err = GenExposedPorts(imageData.Config.ExposedPorts)
// Expose format is portNumber[/protocol] if err != nil {
splitExpose := strings.SplitN(imgExpose, "/", 2) return nil, err
num, err := strconv.Atoi(splitExpose[0])
if err != nil {
return nil, errors.Wrapf(err, "unable to convert image EXPOSE statement %q to port number", imgExpose)
}
if num > 65535 || num < 1 {
return nil, errors.Errorf("%d from image EXPOSE statement %q is not a valid port number", num, imgExpose)
}
// No need to validate protocol, we'll do it below.
if len(splitExpose) == 1 {
expose[uint16(num)] = "tcp"
} else {
expose[uint16(num)] = splitExpose[1]
}
} }
} }
// We need to merge s.Expose into image exposed ports
for k, v := range s.Expose {
expose[k] = v
}
// There's been a request to expose some ports. Let's do that. // There's been a request to expose some ports. Let's do that.
// Start by figuring out what needs to be exposed. // Start by figuring out what needs to be exposed.
// This is a map of container port number to protocols to expose. // This is a map of container port number to protocols to expose.
@ -417,3 +404,25 @@ func checkProtocol(protocol string, allowSCTP bool) ([]string, error) {
return finalProto, nil return finalProto, nil
} }
func GenExposedPorts(exposedPorts map[string]struct{}) (map[uint16]string, error) {
expose := make(map[uint16]string)
for imgExpose := range exposedPorts {
// Expose format is portNumber[/protocol]
splitExpose := strings.SplitN(imgExpose, "/", 2)
num, err := strconv.Atoi(splitExpose[0])
if err != nil {
return nil, errors.Wrapf(err, "unable to convert image EXPOSE statement %q to port number", imgExpose)
}
if num > 65535 || num < 1 {
return nil, errors.Errorf("%d from image EXPOSE statement %q is not a valid port number", num, imgExpose)
}
// No need to validate protocol, we'll do it below.
if len(splitExpose) == 1 {
expose[uint16(num)] = "tcp"
} else {
expose[uint16(num)] = splitExpose[1]
}
}
return expose, nil
}

41
test/system/700-play.bats
View File

@ -88,3 +88,44 @@ RELABEL="system_u:object_r:container_file_t:s0"
fi fi
run_podman pod rm -f test_pod run_podman pod rm -f test_pod
} }
@test "podman play with user from image" {
TESTDIR=$PODMAN_TMPDIR/testdir
mkdir -p $TESTDIR
testUserYaml="
apiVersion: v1
kind: Pod
metadata:
labels:
app: test
name: test_pod
spec:
containers:
- command:
- id
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: TERM
value: xterm
- name: container
value: podman
image: userimage
name: test
resources: {}
status: {}
"
cat > $PODMAN_TMPDIR/Containerfile << _EOF
from $IMAGE
USER bin
_EOF
echo "$testUserYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
run_podman build -t userimage $PODMAN_TMPDIR
run_podman play kube --start=false $PODMAN_TMPDIR/test.yaml
run_podman inspect --format "{{ .Config.User }}" test_pod-test
is "$output" bin "expect container within pod to run as the bin user"
run_podman pod rm -f test_pod
}