github.com/containers/podman/v4@v4.9.4/pkg/specgen/generate/oci_freebsd.go (about)

     1  //go:build !remote
     2  // +build !remote
     3  
     4  package generate
     5  
     6  import (
     7  	"context"
     8  	"fmt"
     9  	"strings"
    10  
    11  	"github.com/containers/common/libimage"
    12  	"github.com/containers/common/pkg/config"
    13  	"github.com/containers/podman/v4/libpod"
    14  	"github.com/containers/podman/v4/libpod/define"
    15  	"github.com/containers/podman/v4/pkg/specgen"
    16  	"github.com/opencontainers/runtime-spec/specs-go"
    17  	spec "github.com/opencontainers/runtime-spec/specs-go"
    18  	"github.com/opencontainers/runtime-tools/generate"
    19  )
    20  
    21  // SpecGenToOCI returns the base configuration for the container.
    22  func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) {
    23  	var imageOs string
    24  	if newImage != nil {
    25  		inspectData, err := newImage.Inspect(ctx, nil)
    26  		if err != nil {
    27  			return nil, err
    28  		}
    29  		imageOs = inspectData.Os
    30  	} else {
    31  		imageOs = "freebsd"
    32  	}
    33  
    34  	if imageOs != "freebsd" && imageOs != "linux" {
    35  		return nil, fmt.Errorf("unsupported image OS: %s", imageOs)
    36  	}
    37  
    38  	g, err := generate.New(imageOs)
    39  	if err != nil {
    40  		return nil, err
    41  	}
    42  
    43  	g.SetProcessCwd(s.WorkDir)
    44  
    45  	g.SetProcessArgs(finalCmd)
    46  
    47  	g.SetProcessTerminal(s.Terminal)
    48  
    49  	for key, val := range s.Annotations {
    50  		g.AddAnnotation(key, val)
    51  	}
    52  
    53  	// Devices
    54  	var userDevices []spec.LinuxDevice
    55  	if !s.Privileged {
    56  		// add default devices from containers.conf
    57  		for _, device := range rtc.Containers.Devices.Get() {
    58  			if err = DevicesFromPath(&g, device); err != nil {
    59  				return nil, err
    60  			}
    61  		}
    62  		if len(compatibleOptions.HostDeviceList) > 0 && len(s.Devices) == 0 {
    63  			userDevices = compatibleOptions.HostDeviceList
    64  		} else {
    65  			userDevices = s.Devices
    66  		}
    67  		// add default devices specified by caller
    68  		for _, device := range userDevices {
    69  			if err = DevicesFromPath(&g, device.Path); err != nil {
    70  				return nil, err
    71  			}
    72  		}
    73  	}
    74  
    75  	g.ClearProcessEnv()
    76  	for name, val := range s.Env {
    77  		g.AddProcessEnv(name, val)
    78  	}
    79  
    80  	addRlimits(s, &g)
    81  
    82  	// NAMESPACES
    83  	if err := specConfigureNamespaces(s, &g, rt, pod); err != nil {
    84  		return nil, err
    85  	}
    86  	configSpec := g.Config
    87  
    88  	if err := securityConfigureGenerator(s, &g, newImage, rtc); err != nil {
    89  		return nil, err
    90  	}
    91  
    92  	// Linux emulatioon
    93  	if imageOs == "linux" {
    94  		var mounts []spec.Mount
    95  		for _, m := range configSpec.Mounts {
    96  			switch m.Destination {
    97  			case "/proc":
    98  				m.Type = "linprocfs"
    99  				m.Options = []string{"nodev"}
   100  				mounts = append(mounts, m)
   101  				continue
   102  			case "/sys":
   103  				m.Type = "linsysfs"
   104  				m.Options = []string{"nodev"}
   105  				mounts = append(mounts, m)
   106  				continue
   107  			case "/dev", "/dev/pts", "/dev/shm", "/dev/mqueue":
   108  				continue
   109  			}
   110  		}
   111  		mounts = append(mounts,
   112  			spec.Mount{
   113  				Destination: "/dev",
   114  				Type:        "devfs",
   115  				Source:      "devfs",
   116  				Options: []string{
   117  					"ruleset=4",
   118  					"rule=path shm unhide mode 1777",
   119  				},
   120  			},
   121  			spec.Mount{
   122  				Destination: "/dev/fd",
   123  				Type:        "fdescfs",
   124  				Source:      "fdesc",
   125  				Options:     []string{},
   126  			},
   127  			spec.Mount{
   128  				Destination: "/dev/shm",
   129  				Type:        define.TypeTmpfs,
   130  				Source:      "shm",
   131  				Options:     []string{"notmpcopyup"},
   132  			},
   133  		)
   134  		configSpec.Mounts = mounts
   135  	}
   136  
   137  	// BIND MOUNTS
   138  	configSpec.Mounts = SupersedeUserMounts(mounts, configSpec.Mounts)
   139  	// Process mounts to ensure correct options
   140  	if err := InitFSMounts(configSpec.Mounts); err != nil {
   141  		return nil, err
   142  	}
   143  
   144  	// Add annotations
   145  	if configSpec.Annotations == nil {
   146  		configSpec.Annotations = make(map[string]string)
   147  	}
   148  
   149  	if s.Remove {
   150  		configSpec.Annotations[define.InspectAnnotationAutoremove] = define.InspectResponseTrue
   151  	}
   152  
   153  	if len(s.VolumesFrom) > 0 {
   154  		configSpec.Annotations[define.InspectAnnotationVolumesFrom] = strings.Join(s.VolumesFrom, ",")
   155  	}
   156  
   157  	if s.Privileged {
   158  		configSpec.Annotations[define.InspectAnnotationPrivileged] = define.InspectResponseTrue
   159  	}
   160  
   161  	if s.Init {
   162  		configSpec.Annotations[define.InspectAnnotationInit] = define.InspectResponseTrue
   163  	}
   164  
   165  	if s.OOMScoreAdj != nil {
   166  		g.SetProcessOOMScoreAdj(*s.OOMScoreAdj)
   167  	}
   168  
   169  	return configSpec, nil
   170  }
   171  
   172  func WeightDevices(wtDevices map[string]spec.LinuxWeightDevice) ([]spec.LinuxWeightDevice, error) {
   173  	devs := []spec.LinuxWeightDevice{}
   174  	return devs, nil
   175  }
   176  
   177  func subNegativeOne(u specs.POSIXRlimit) specs.POSIXRlimit {
   178  	return u
   179  }