tyler.durden/compose
1
0
Fork 0
mirror of https://github.com/docker/compose.git synced 2025-07-21 12:44:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

parse security opts to process seccomp file as relative to project dir

Browse Source 
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
This commit is contained in:
Nicolas De Loof 2021-09-24 08:37:11 +02:00 committed by Nicolas De loof
parent 244834ff12
commit a0f0debb9e
1 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
pkg/compose/create.go
View File

@ -17,8 +17,11 @@
package compose
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io/ioutil"
"path"
"path/filepath"
"strconv"
@ -345,6 +348,10 @@ func (s *composeService) getCreateOptions(ctx context.Context, p *types.Project,
volumesFrom = append(volumesFrom, v[len("container:"):])
}
securityOpts, err := parseSecurityOpts(p, service.SecurityOpt)
if err != nil {
return nil, nil, nil, err
}
hostConfig := container.HostConfig{
AutoRemove: autoRemove,
Binds: binds,
@ -366,7 +373,7 @@ func (s *composeService) getCreateOptions(ctx context.Context, p *types.Project,
DNSSearch: service.DNSSearch,
DNSOptions: service.DNSOpts,
ExtraHosts: service.ExtraHosts,
SecurityOpt: service.SecurityOpt,
SecurityOpt: securityOpts,
UsernsMode: container.UsernsMode(service.UserNSMode),
Privileged: service.Privileged,
PidMode: container.PidMode(service.Pid),
@ -378,6 +385,34 @@ func (s *composeService) getCreateOptions(ctx context.Context, p *types.Project,
return &containerConfig, &hostConfig, networkConfig, nil
}
// copy/pasted from https://github.com/docker/cli/blob/9de1b162f/cli/command/container/opts.go#L673-L697 + RelativePath
// TODO find so way to share this code with docker/cli
func parseSecurityOpts(p *types.Project, securityOpts []string) ([]string, error) {
for key, opt := range securityOpts {
con := strings.SplitN(opt, "=", 2)
if len(con) == 1 && con[0] != "no-new-privileges" {
if strings.Contains(opt, ":") {
con = strings.SplitN(opt, ":", 2)
} else {
return securityOpts, errors.Errorf("Invalid security-opt: %q", opt)
}
}
if con[0] == "seccomp" && con[1] != "unconfined" {
f, err := ioutil.ReadFile(p.RelativePath(con[1]))
if err != nil {
return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
}
b := bytes.NewBuffer(nil)
if err := json.Compact(b, f); err != nil {
return securityOpts, errors.Errorf("compacting json for seccomp profile (%s) failed: %v", con[1], err)
}
securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
}
}
return securityOpts, nil
}
func (s *composeService) prepareLabels(p *types.Project, service types.ServiceConfig, number int) (map[string]string, error) {
labels := map[string]string{}
for k, v := range service.Labels {