Adopt some rootless code to podman 3.0.x

fix #92 parse rootless info correctly from podman 3.0.x struct fix #93 use slirp4netns as default network mode if running rootless Bump supported podman version in README to 3.0.x
hashicorp · Mar 21, 2021 · 9a30d88 · 9a30d88
1 parent 0502b79
commit 9a30d88
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 27 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@
 * config: Support for sysctl configuration [[GH-82](https://github.com/hashicorp/nomad-driver-podman/issues/82)]
 * config: Fixed a bug where we always pulled an image if image name has a transport prefix [[GH-88](https://github.com/hashicorp/nomad-driver-podman/pull/88)]
 
+BUG FIXES:
+* [[GH-93](https://github.com/hashicorp/nomad-driver-podman/issues/93)] use slirp4netns as default network mode if running rootless
+* [[GH-92](https://github.com/hashicorp/nomad-driver-podman/issues/92)] parse rootless info correctly from podman 3.0.x struct
+
 ## 0.2.0
 
 FEATURES:

diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ cd nomad-driver-podman
 - Linux host with `podman` installed
 - For rootless containers you need a system supporting cgroup V2 and a few other things, follow [this tutorial](https://github.com/containers/libpod/blob/master/docs/tutorials/rootless_tutorial.md)
 
-You need a 2.x podman binary and a system socket activation unit,
+You need a 3.0.x podman binary and a system socket activation unit,
 see https://www.redhat.com/sysadmin/podmans-new-rest-api
 
 Nomad agent, nomad-driver-podman and podman will reside on the same host, so you

diff --git a/api/structs.go b/api/structs.go
@@ -1405,31 +1405,40 @@ type Info struct {
 	Version    Version                `json:"version"`
 }
 
+//HostInfo describes the libpod host
+type SecurityInfo struct {
+	DefaultCapabilities string `json:"capabilities"`
+	AppArmorEnabled     bool   `json:"apparmorEnabled"`
+	Rootless            bool   `json:"rootless"`
+	SECCOMPEnabled      bool   `json:"seccompEnabled"`
+	SELinuxEnabled      bool   `json:"selinuxEnabled"`
+}
+
 //HostInfo describes the libpod host
 type HostInfo struct {
-	Arch           string           `json:"arch"`
-	BuildahVersion string           `json:"buildahVersion"`
-	CgroupManager  string           `json:"cgroupManager"`
-	CGroupsVersion string           `json:"cgroupVersion"`
-	Conmon         *ConmonInfo      `json:"conmon"`
-	CPUs           int              `json:"cpus"`
-	Distribution   DistributionInfo `json:"distribution"`
-	EventLogger    string           `json:"eventLogger"`
-	Hostname       string           `json:"hostname"`
-	// IDMappings     IDMappings             `json:"idMappings,omitempty"`
-	Kernel       string                 `json:"kernel"`
-	MemFree      int64                  `json:"memFree"`
-	MemTotal     int64                  `json:"memTotal"`
-	OCIRuntime   *OCIRuntimeInfo        `json:"ociRuntime"`
-	OS           string                 `json:"os"`
-	RemoteSocket *RemoteSocket          `json:"remoteSocket,omitempty"`
-	Rootless     bool                   `json:"rootless"`
-	RuntimeInfo  map[string]interface{} `json:"runtimeInfo,omitempty"`
-	Slirp4NetNS  SlirpInfo              `json:"slirp4netns,omitempty"`
-	SwapFree     int64                  `json:"swapFree"`
-	SwapTotal    int64                  `json:"swapTotal"`
-	Uptime       string                 `json:"uptime"`
-	Linkmode     string                 `json:"linkmode"`
+	Conmon       *ConmonInfo      `json:"conmon"`
+	Distribution DistributionInfo `json:"distribution"`
+	//IDMappings     IDMappings             `json:"idMappings,omitempty"`
+	OCIRuntime     *OCIRuntimeInfo        `json:"ociRuntime"`
+	RemoteSocket   *RemoteSocket          `json:"remoteSocket,omitempty"`
+	Security       SecurityInfo           `json:"security"`
+	Slirp4NetNS    SlirpInfo              `json:"slirp4netns,omitempty"`
+	RuntimeInfo    map[string]interface{} `json:"runtimeInfo,omitempty"`
+	Arch           string                 `json:"arch"`
+	BuildahVersion string                 `json:"buildahVersion"`
+	CgroupManager  string                 `json:"cgroupManager"`
+	CGroupsVersion string                 `json:"cgroupVersion"`
+	EventLogger    string                 `json:"eventLogger"`
+	Hostname       string                 `json:"hostname"`
+	Kernel         string                 `json:"kernel"`
+	OS             string                 `json:"os"`
+	Uptime         string                 `json:"uptime"`
+	Linkmode       string                 `json:"linkmode"`
+	MemFree        int64                  `json:"memFree"`
+	MemTotal       int64                  `json:"memTotal"`
+	SwapFree       int64                  `json:"swapFree"`
+	SwapTotal      int64                  `json:"swapTotal"`
+	CPUs           int                    `json:"cpus"`
 }
 
 // RemoteSocket describes information about the API socket

diff --git a/driver.go b/driver.go
@@ -222,7 +222,7 @@ func (d *Driver) buildFingerprint() *drivers.Fingerprint {
 		desc = "ready"
 		attrs["driver.podman"] = pstructs.NewBoolAttribute(true)
 		attrs["driver.podman.version"] = pstructs.NewStringAttribute(info.Version.Version)
-		attrs["driver.podman.rootless"] = pstructs.NewBoolAttribute(info.Host.Rootless)
+		attrs["driver.podman.rootless"] = pstructs.NewBoolAttribute(info.Host.Security.Rootless)
 		attrs["driver.podman.cgroupVersion"] = pstructs.NewStringAttribute(info.Host.CGroupsVersion)
 		if d.systemInfo.Version.Version == "" {
 			// keep first received systemInfo in driver struct
@@ -322,6 +322,8 @@ func BuildContainerName(cfg *drivers.TaskConfig) string {
 
 // StartTask creates and starts a new Container based on the given TaskConfig.
 func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drivers.DriverNetwork, error) {
+	rootless := d.systemInfo.Host.Security.Rootless
+
 	if _, ok := d.tasks.Get(cfg.ID); ok {
 		return nil, nil, fmt.Errorf("task with ID %q already started", cfg.ID)
 	}
@@ -406,7 +408,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	}
 	// FIXME: can fail for nonRoot due to missing cpu limit delegation permissions,
 	//        see https://github.com/containers/podman/blob/master/troubleshooting.md
-	if !d.systemInfo.Host.Rootless {
+	if !rootless {
 		cpuShares := uint64(cfg.Resources.LinuxResources.CPUShares)
 		createOpts.ContainerResourceConfig.ResourceLimits.CPU.Shares = &cpuShares
 	}
@@ -430,7 +432,13 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		createOpts.ContainerNetworkConfig.NetNS.Value = cfg.NetworkIsolation.Path
 	} else {
 		if driverConfig.NetworkMode == "" {
-			createOpts.ContainerNetworkConfig.NetNS.NSMode = api.Bridge
+			if !rootless {
+				// bridge is default for rootful podman
+				createOpts.ContainerNetworkConfig.NetNS.NSMode = api.Bridge
+			} else {
+				// slirp4netns is default for rootless podman
+				createOpts.ContainerNetworkConfig.NetNS.NSMode = api.Slirp
+			}
 		} else if driverConfig.NetworkMode == "bridge" {
 			createOpts.ContainerNetworkConfig.NetNS.NSMode = api.Bridge
 		} else if driverConfig.NetworkMode == "host" {