server: container_create: make the spec hostspecific
node-e2e tests were failing in RHEL because, if running a privileged container, we get every capability in the spec. The spec generator wasn't filtering caps based on actual host caps, it was just adding _everything_. This patch makes the spec generator host specific. Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
90e3e7a632
commit
089cb88f17
1 changed files with 2 additions and 1 deletions
|
@ -330,6 +330,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
|
|
||||||
// creates a spec Generator with the default spec.
|
// creates a spec Generator with the default spec.
|
||||||
specgen := generate.New()
|
specgen := generate.New()
|
||||||
|
specgen.HostSpecific = true
|
||||||
|
|
||||||
if err := addOciBindMounts(sb, containerConfig, &specgen); err != nil {
|
if err := addOciBindMounts(sb, containerConfig, &specgen); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -456,7 +457,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
if dropCaps != nil {
|
if dropCaps != nil {
|
||||||
for _, cap := range dropCaps {
|
for _, cap := range dropCaps {
|
||||||
if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
|
if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
|
||||||
return nil, err
|
logrus.Debugf("failed to drop cap %s: %v", toCAPPrefixed(cap), err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
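Review bot: Replacing `return nil, err` with `logrus.Debugf("failed to drop cap %s: %v", ...)` in the dropCaps loop means a capability the caller explicitly asked to drop can remain in the spec while the create call still succeeds, and at debug level an operator will not normally see that it happened. Presumably the intent is to tolerate DropProcessCapability rejecting a capability that the now host-specific generator never added, but the error is not inspected, so any other failure from the generator is swallowed the same way. I would at least log at a visible level, `logrus.Warnf("failed to drop cap %s: %v", toCAPPrefixed(cap), err)`, and if the generator lets you distinguish the "capability not present in the spec" case, keep returning the error for everything else so a requested drop is never silently lost. createSandboxContainer begins and ends outside this hunk, so I cannot see whether the caller is told that the drop list was only partially applied.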
|
|