Merge pull request #441 from Mashimiao/conflicting-options

generate: solve conflicting options problem

Author: liangchenye

cmd/oci-runtime-tool/generate.go

@@ -302,6 +302,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 
 	g.SetupPrivileged(context.Bool("privileged"))
 
+	if context.Bool("process-cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
 	if context.IsSet("process-cap-add-ambient") {
 		addCaps := context.StringSlice("process-cap-add-ambient")
 		for _, cap := range addCaps {
@@ -347,10 +351,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("process-cap-drop-all") {
-		g.ClearProcessCapabilities()
-	}
-
 	if context.IsSet("process-cap-drop-ambient") {
 		dropCaps := context.StringSlice("process-cap-drop-ambient")
 		for _, cap := range dropCaps {
@@ -704,6 +704,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.Bool("linux-namespace-remove-all") {
+		g.ClearLinuxNamespaces()
+	}
+
 	if context.IsSet("linux-namespace-add") {
 		namespaces := context.StringSlice("linux-namespace-add")
 		for _, ns := range namespaces {
@@ -726,8 +730,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("linux-namespace-remove-all") {
-		g.ClearLinuxNamespaces()
+	if context.Bool("process-rlimits-remove-all") {
+		g.ClearProcessRlimits()
 	}
 
 	if context.IsSet("process-rlimits-add") {
@@ -751,8 +755,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("process-rlimits-remove-all") {
-		g.ClearProcessRlimits()
+	if context.Bool("linux-device-remove-all") {
+		g.ClearLinuxDevices()
 	}
 
 	if context.IsSet("linux-device-add") {
@@ -776,10 +780,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("linux-device-remove-all") {
-		g.ClearLinuxDevices()
-	}
-
 	err := addSeccomp(context, g)
 	return err
 }
@@ -1047,6 +1047,12 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 }
 
 func addSeccomp(context *cli.Context, g *generate.Generator) error {
+	if context.Bool("linux-seccomp-remove-all") {
+		err := g.RemoveAllSeccompRules()
+		if err != nil {
+			return err
+		}
+	}
 
 	// Set the DefaultAction of seccomp
 	if context.IsSet("linux-seccomp-default") {
@@ -1118,12 +1124,6 @@ func addSeccomp(context *cli.Context, g *generate.Generator) error {
 		}
 	}
 
-	if context.Bool("linux-seccomp-remove-all") {
-		err := g.RemoveAllSeccompRules()
-		if err != nil {
-			return err
-		}
-	}
 	return nil
 }
 

man/oci-runtime-tool-generate.1.md

@@ -165,6 +165,8 @@ read the configuration from `config.json`.
 
 **--linux-device-remove-all**=true|false
   Remove all devices for linux inside the container. The default is *false*.
+  This option conflicts with --linux-device-add and --linux-device-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-device-cgroup-add**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
   Add a device control rule.
@@ -244,6 +246,8 @@ read the configuration from `config.json`.
 **--linux-namespace-remove-all**=true|false
   Removes all namespaces from the set of namespaces configured for a container,
   such that the container will effectively run on the host.
+  This option conflicts with --linux-namespace-add and --linux-namespace-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-network-classid**=CLASSID
   Specifies network class identifier which will be tagged by container's network packets.
@@ -296,14 +300,16 @@ read the configuration from `config.json`.
 **--linux-seccomp-kill**=SYSCALL
   Specifies syscalls to create seccomp rule to respond with KILL.
 
-**--linux-seccomp-only**==true|false
+**--linux-seccomp-only**=true|false
   Option to only export the seccomp section of output
 
 **--linux-seccomp-remove**=[]
   Specifies syscall restrictions to remove from the configuration.
 
-**--linux-seccomp-remove-all**==true|false
+**--linux-seccomp-remove-all**=true|false
   Option to remove all syscall restrictions.
+  This option conflicts with other --linux-seccomp-xxx options.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-seccomp-trace**=SYSCALL
   Specifies syscalls to create seccomp rule to respond with TRACE.
@@ -374,8 +380,10 @@ read the configuration from `config.json`.
 **--process-cap-add-permitted**=[]
   Add Linux permitted capabilities
 
-**--process-cap-drop-all**true|false
+**--process-cap-drop-all**=true|false
   Drop all Linux capabilities
+  This option conflicts with other cap options, as --process-cap-*.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--process-cap-drop-ambient**=[]
   Drop Linux ambient capabilities
@@ -420,6 +428,8 @@ read the configuration from `config.json`.
 
 **--process-rlimits-remove-all**=true|false
   Remove all resource limits for process inside the container. The default is *false*.
+  This option conflicts with --linux-rlimits-add and --linux-rlimits-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--process-terminal**=true|false
   Specifies whether a terminal is attached to the process. The default is *false*.