feat:[close #283] Allow creating unshared containers in Apx core

cmd/subsyStems.go

@@ -224,7 +224,7 @@ func newSubSystem(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	subSystem, err := core.NewSubSystem(subSystemName, stack, false, false, false)
+	subSystem, err := core.NewSubSystem(subSystemName, stack, false, false, false, false)
 	if err != nil {
 		return err
 	}

core/dbox.go

@@ -86,6 +86,13 @@ func (d *dbox) RunCommand(command string, args []string, engineFlags []string, u
 	// ignored in commands like "enter"
 	finalArgs := []string{command}
 
+	// NOTE: for engine-specific commands, we need to use pkexec for rootfull
+	//		 containers, since podman does not offer a dedicated flag for this.
+	if rootFull && useEngine {
+		entrypoint = "pkexec"
+		finalArgs = []string{d.EngineBinary, command}
+	}
+
 	cmd := exec.Command(entrypoint, finalArgs...)
 
 	if !captureOutput && !muteOutput {
@@ -115,7 +122,7 @@ func (d *dbox) RunCommand(command string, args []string, engineFlags []string, u
 
 	// NOTE: the root flag is not being used by the Apx CLI, but it's useful
 	//		 for those using Apx as a library, e.g. VSO.
-	if rootFull {
+	if rootFull && !useEngine {
 		cmd.Args = append(cmd.Args, "--root")
 	}
 
@@ -208,7 +215,7 @@ func (d *dbox) ContainerDelete(name string, rootFull bool) error {
 	return err
 }
 
-func (d *dbox) CreateContainer(name string, image string, additionalPackages []string, labels map[string]string, withInit bool, rootFull bool) error {
+func (d *dbox) CreateContainer(name string, image string, additionalPackages []string, labels map[string]string, withInit bool, rootFull bool, unshared bool) error {
 	args := []string{
 		"--image", image,
 		"--name", name,
@@ -224,6 +231,10 @@ func (d *dbox) CreateContainer(name string, image string, additionalPackages []s
 		args = append(args, "--init")
 	}
 
+	if unshared {
+		args = append(args, "--unshare-all")
+	}
+
 	if len(additionalPackages) > 0 {
 		args = append(args, "--additional-packages")
 		args = append(args, strings.Join(additionalPackages, " "))

core/subSystem.go

@@ -29,17 +29,19 @@ type SubSystem struct {
 	HasInit          bool
 	IsManaged        bool
 	IsRootfull       bool
+	IsUnshared       bool
 }
 
-func NewSubSystem(name string, stack *Stack, hasInit bool, isManaged bool, IsRootfull bool) (*SubSystem, error) {
+func NewSubSystem(name string, stack *Stack, hasInit bool, isManaged bool, isRootfull bool, isUnshared bool) (*SubSystem, error) {
 	internalName := genInternalName(name)
 	return &SubSystem{
 		InternalName: internalName,
 		Name:         name,
 		Stack:        stack,
 		HasInit:      hasInit,
 		IsManaged:    isManaged,
-		IsRootfull:   IsRootfull,
+		IsRootfull:   isRootfull,
+		IsUnshared:   isUnshared,
 	}, nil
 }
 
@@ -126,13 +128,18 @@ func (s *SubSystem) Create() error {
 		labels["hasInit"] = "true"
 	}
 
+	if s.IsUnshared {
+		labels["unshared"] = "true"
+	}
+
 	err = dbox.CreateContainer(
 		s.InternalName,
 		s.Stack.Base,
 		s.Stack.Packages,
 		labels,
 		s.HasInit,
 		s.IsRootfull,
+		s.IsUnshared,
 	)
 	if err != nil {
 		return err
@@ -164,6 +171,8 @@ func LoadSubSystem(name string, isRootFull bool) (*SubSystem, error) {
 		Status:       container.Status,
 		HasInit:      container.Labels["hasInit"] == "true",
 		IsManaged:    container.Labels["managed"] == "true",
+		IsRootfull:   isRootFull,
+		IsUnshared:   container.Labels["unshared"] == "true",
 	}, nil
 }