"github.com/containers/common/libimage"
"github.com/containers/common/pkg/config"
"github.com/containers/podman/v5/libpod"
"github.com/containers/podman/v5/libpod/define"
"github.com/containers/podman/v5/pkg/specgen"
"github.com/opencontainers/runtime-spec/specs-go"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
// SpecGenToOCI returns the base configuration for the container.
func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) {
inspectData, err := newImage.Inspect(ctx, nil)
imageOs = inspectData.Os
if imageOs != "freebsd" && imageOs != "linux" {
return nil, fmt.Errorf("unsupported image OS: %s", imageOs)
g, err := generate.New(imageOs)
g.SetProcessCwd(s.WorkDir)
g.SetProcessArgs(finalCmd)
if s.Terminal != nil {
g.SetProcessTerminal(*s.Terminal)
for key, val := range s.Annotations {
g.AddAnnotation(key, val)
var userDevices []spec.LinuxDevice
if !s.IsPrivileged() {
// add default devices from containers.conf
for _, device := range rtc.Containers.Devices.Get() {
if err = DevicesFromPath(&g, device); err != nil {
if len(compatibleOptions.HostDeviceList) > 0 && len(s.Devices) == 0 {
userDevices = compatibleOptions.HostDeviceList
userDevices = s.Devices
// add default devices specified by caller
for _, device := range userDevices {
if err = DevicesFromPath(&g, device.Path); err != nil {
for name, val := range s.Env {
g.AddProcessEnv(name, val)
if err := specConfigureNamespaces(s, &g, rt, pod); err != nil {
configSpec := g.Config
if err := securityConfigureGenerator(s, &g, newImage, rtc); err != nil {
if imageOs == "linux" {
var mounts []spec.Mount
for _, m := range configSpec.Mounts {
switch m.Destination {
m.Options = []string{"nodev"}
mounts = append(mounts, m)
m.Options = []string{"nodev"}
mounts = append(mounts, m)
case "/dev", "/dev/pts", "/dev/shm", "/dev/mqueue":
mounts = append(mounts,
"rule=path shm unhide mode 1777",
Destination: "/dev/fd",
Destination: "/dev/shm",
Type: define.TypeTmpfs,
Options: []string{"notmpcopyup"},
configSpec.Mounts = mounts
configSpec.Mounts = SupersedeUserMounts(mounts, configSpec.Mounts)
// Process mounts to ensure correct options
if err := InitFSMounts(configSpec.Mounts); err != nil {
if configSpec.Annotations == nil {
configSpec.Annotations = make(map[string]string)
if s.Remove != nil && *s.Remove {
configSpec.Annotations[define.InspectAnnotationAutoremove] = define.InspectResponseTrue
if len(s.VolumesFrom) > 0 {
configSpec.Annotations[define.VolumesFromAnnotation] = strings.Join(s.VolumesFrom, ";")
if s.IsPrivileged() {
configSpec.Annotations[define.InspectAnnotationPrivileged] = define.InspectResponseTrue
if s.Init != nil && *s.Init {
configSpec.Annotations[define.InspectAnnotationInit] = define.InspectResponseTrue
if s.OOMScoreAdj != nil {
g.SetProcessOOMScoreAdj(*s.OOMScoreAdj)
return configSpec, nil
func WeightDevices(wtDevices map[string]spec.LinuxWeightDevice) ([]spec.LinuxWeightDevice, error) {
devs := []spec.LinuxWeightDevice{}
func subNegativeOne(u specs.POSIXRlimit) specs.POSIXRlimit {