2018-06-20 18:23:24 +00:00
|
|
|
// +build linux
|
|
|
|
|
|
|
|
|
|
package libpod
|
|
|
|
|
|
|
|
|
|
import (
|
2018-07-04 15:51:20 +00:00
|
|
|
"context"
|
2018-06-20 18:23:24 +00:00
|
|
|
"fmt"
|
2019-02-06 19:17:25 +00:00
|
|
|
"io"
|
2018-09-18 09:56:19 +00:00
|
|
|
"io/ioutil"
|
|
|
|
|
"net"
|
|
|
|
|
"os"
|
2018-07-04 15:51:20 +00:00
|
|
|
"path"
|
2018-09-18 09:56:19 +00:00
|
|
|
"path/filepath"
|
2018-11-08 11:12:14 +00:00
|
|
|
"strconv"
|
2018-07-04 15:51:20 +00:00
|
|
|
"strings"
|
2018-10-17 18:43:36 +00:00
|
|
|
"sync"
|
2018-07-04 15:51:20 +00:00
|
|
|
"syscall"
|
|
|
|
|
"time"
|
2018-06-20 18:23:24 +00:00
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
cnitypes "github.com/containernetworking/cni/pkg/types/current"
|
2018-10-17 18:43:36 +00:00
|
|
|
"github.com/containernetworking/plugins/pkg/ns"
|
2019-03-04 13:35:09 +00:00
|
|
|
"github.com/containers/buildah/pkg/secrets"
|
2019-06-24 20:48:34 +00:00
|
|
|
"github.com/containers/libpod/libpod/define"
|
2019-09-03 09:10:01 +00:00
|
|
|
"github.com/containers/libpod/pkg/annotations"
|
2019-01-09 13:54:58 +00:00
|
|
|
"github.com/containers/libpod/pkg/apparmor"
|
2019-06-19 12:22:09 +00:00
|
|
|
"github.com/containers/libpod/pkg/cgroups"
|
2018-10-02 13:38:28 +00:00
|
|
|
"github.com/containers/libpod/pkg/criu"
|
2018-10-25 18:39:25 +00:00
|
|
|
"github.com/containers/libpod/pkg/lookup"
|
2018-11-08 11:12:14 +00:00
|
|
|
"github.com/containers/libpod/pkg/resolvconf"
|
2018-08-16 10:41:15 +00:00
|
|
|
"github.com/containers/libpod/pkg/rootless"
|
2019-02-06 19:17:25 +00:00
|
|
|
"github.com/containers/storage/pkg/archive"
|
2019-05-23 11:12:56 +00:00
|
|
|
securejoin "github.com/cyphar/filepath-securejoin"
|
2018-11-08 11:12:14 +00:00
|
|
|
"github.com/opencontainers/runc/libcontainer/user"
|
2018-07-04 15:51:20 +00:00
|
|
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
|
"github.com/opencontainers/runtime-tools/generate"
|
|
|
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
2019-03-05 23:11:28 +00:00
|
|
|
"github.com/opentracing/opentracing-go"
|
2018-07-04 15:51:20 +00:00
|
|
|
"github.com/pkg/errors"
|
2018-06-20 18:23:24 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2018-07-04 15:51:20 +00:00
|
|
|
"golang.org/x/sys/unix"
|
2018-06-20 18:23:24 +00:00
|
|
|
)
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
func (c *Container) mountSHM(shmOptions string) error {
|
|
|
|
|
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
|
|
|
|
|
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) unmountSHM(mount string) error {
|
2019-09-05 14:00:50 +00:00
|
|
|
if err := unix.Unmount(mount, 0); err != nil {
|
2019-09-06 14:25:53 +00:00
|
|
|
if err != syscall.EINVAL && err != syscall.ENOENT {
|
2019-09-05 14:00:50 +00:00
|
|
|
return errors.Wrapf(err, "error unmounting container %s SHM mount %s", c.ID(), mount)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2019-09-06 14:25:53 +00:00
|
|
|
// If it's just an EINVAL or ENOENT, debug logs only
|
2019-09-05 14:00:50 +00:00
|
|
|
logrus.Debugf("container %s failed to unmount %s : %v", c.ID(), mount, err)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// prepare mounts the container and sets up other required resources like net
|
|
|
|
|
// namespaces
|
2019-09-03 19:03:44 +00:00
|
|
|
func (c *Container) prepare() (Err error) {
|
2018-10-17 18:43:36 +00:00
|
|
|
var (
|
2019-08-06 14:49:03 +00:00
|
|
|
wg sync.WaitGroup
|
|
|
|
|
netNS ns.NetNS
|
|
|
|
|
networkStatus []*cnitypes.Result
|
|
|
|
|
createNetNSErr, mountStorageErr error
|
|
|
|
|
mountPoint string
|
|
|
|
|
tmpStateLock sync.Mutex
|
2018-10-17 18:43:36 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
wg.Add(2)
|
|
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
// Set up network namespace if not already set up
|
|
|
|
|
if c.config.CreateNetNS && c.state.NetNS == nil && !c.config.PostConfigureNetNS {
|
|
|
|
|
netNS, networkStatus, createNetNSErr = c.runtime.createNetNS(c)
|
2019-06-12 17:31:18 +00:00
|
|
|
if createNetNSErr != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
|
|
// Assign NetNS attributes to container
|
2019-06-12 17:31:18 +00:00
|
|
|
c.state.NetNS = netNS
|
|
|
|
|
c.state.NetworkStatus = networkStatus
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// handle rootless network namespace setup
|
|
|
|
|
if c.state.NetNS != nil && c.config.NetMode == "slirp4netns" && !c.config.PostConfigureNetNS {
|
|
|
|
|
createNetNSErr = c.runtime.setupRootlessNetNS(c)
|
2018-10-17 18:43:36 +00:00
|
|
|
}
|
|
|
|
|
}()
|
2018-07-04 15:51:20 +00:00
|
|
|
// Mount storage if not mounted
|
2018-10-17 18:43:36 +00:00
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
mountPoint, mountStorageErr = c.mountStorage()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
|
if mountStorageErr != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
|
|
// Finish up mountStorage
|
|
|
|
|
c.state.Mounted = true
|
|
|
|
|
c.state.Mountpoint = mountPoint
|
|
|
|
|
|
|
|
|
|
logrus.Debugf("Created root filesystem for container %s at %s", c.ID(), c.state.Mountpoint)
|
|
|
|
|
}()
|
|
|
|
|
|
2018-10-17 18:43:36 +00:00
|
|
|
wg.Wait()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
var createErr error
|
2018-10-17 18:43:36 +00:00
|
|
|
if createNetNSErr != nil {
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = createNetNSErr
|
2018-10-17 18:43:36 +00:00
|
|
|
}
|
|
|
|
|
if mountStorageErr != nil {
|
2019-09-06 17:52:13 +00:00
|
|
|
if createErr != nil {
|
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
|
}
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = mountStorageErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Only trigger storage cleanup if mountStorage was successful.
|
|
|
|
|
// Otherwise, we may mess up mount counters.
|
|
|
|
|
if createNetNSErr != nil && mountStorageErr == nil {
|
|
|
|
|
if err := c.cleanupStorage(); err != nil {
|
|
|
|
|
// createErr is guaranteed non-nil, so print
|
|
|
|
|
// unconditionally
|
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
|
createErr = errors.Wrapf(err, "error unmounting storage for container %s after network create failure", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// It's OK to unconditionally trigger network cleanup. If the network
|
|
|
|
|
// isn't ready it will do nothing.
|
|
|
|
|
if createErr != nil {
|
|
|
|
|
if err := c.cleanupNetwork(); err != nil {
|
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
|
createErr = errors.Wrapf(err, "error cleaning up container %s network after setup failure", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if createErr != nil {
|
|
|
|
|
return createErr
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
// Save changes to container state
|
2018-10-17 18:43:36 +00:00
|
|
|
return c.save()
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// cleanupNetwork unmounts and cleans up the container's network
|
|
|
|
|
func (c *Container) cleanupNetwork() error {
|
2018-12-06 19:56:57 +00:00
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if netDisabled {
|
2018-11-08 11:12:14 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.state.NetNS == nil {
|
|
|
|
|
logrus.Debugf("Network is already cleaned up, skipping...")
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Stop the container's network namespace (if it has one)
|
|
|
|
|
if err := c.runtime.teardownNetNS(c); err != nil {
|
|
|
|
|
logrus.Errorf("unable to cleanup network for container %s: %q", c.ID(), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.state.NetNS = nil
|
2018-07-12 14:51:31 +00:00
|
|
|
c.state.NetworkStatus = nil
|
2018-07-04 15:51:20 +00:00
|
|
|
|
|
|
|
|
if c.valid {
|
|
|
|
|
return c.save()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-21 13:45:55 +00:00
|
|
|
func (c *Container) getUserOverrides() *lookup.Overrides {
|
|
|
|
|
var hasPasswdFile, hasGroupFile bool
|
|
|
|
|
overrides := lookup.Overrides{}
|
|
|
|
|
for _, m := range c.config.Spec.Mounts {
|
|
|
|
|
if m.Destination == "/etc/passwd" {
|
|
|
|
|
overrides.ContainerEtcPasswdPath = m.Source
|
|
|
|
|
hasPasswdFile = true
|
|
|
|
|
}
|
|
|
|
|
if m.Destination == "/etc/group" {
|
|
|
|
|
overrides.ContainerEtcGroupPath = m.Source
|
|
|
|
|
hasGroupFile = true
|
|
|
|
|
}
|
|
|
|
|
if m.Destination == "/etc" {
|
|
|
|
|
if !hasPasswdFile {
|
|
|
|
|
overrides.ContainerEtcPasswdPath = filepath.Join(m.Source, "passwd")
|
|
|
|
|
}
|
|
|
|
|
if !hasGroupFile {
|
|
|
|
|
overrides.ContainerEtcGroupPath = filepath.Join(m.Source, "group")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return &overrides
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Generate spec for a container
|
|
|
|
|
// Accepts a map of the container's dependencies
|
|
|
|
|
func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
|
2018-10-16 20:30:53 +00:00
|
|
|
span, _ := opentracing.StartSpanFromContext(ctx, "generateSpec")
|
|
|
|
|
span.SetTag("type", "container")
|
|
|
|
|
defer span.Finish()
|
|
|
|
|
|
2019-09-21 13:45:55 +00:00
|
|
|
overrides := c.getUserOverrides()
|
|
|
|
|
execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides)
|
2018-10-25 18:39:25 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-10-16 20:30:53 +00:00
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
g := generate.NewFromSpec(c.config.Spec)
|
|
|
|
|
|
|
|
|
|
// If network namespace was requested, add it now
|
|
|
|
|
if c.config.CreateNetNS {
|
|
|
|
|
if c.config.PostConfigureNetNS {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), ""); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
} else {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), c.state.NetNS.Path()); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2019-01-09 13:54:58 +00:00
|
|
|
// Apply AppArmor checks and load the default profile if needed.
|
2019-05-23 11:12:56 +00:00
|
|
|
if !c.config.Privileged {
|
|
|
|
|
updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
g.SetProcessApparmorProfile(updatedProfile)
|
2019-01-09 13:54:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-03-15 14:01:23 +00:00
|
|
|
|
2018-09-18 13:06:40 +00:00
|
|
|
// Check if the spec file mounts contain the label Relabel flags z or Z.
|
|
|
|
|
// If they do, relabel the source directory and then remove the option.
|
2019-03-20 11:05:02 +00:00
|
|
|
for i := range g.Config.Mounts {
|
|
|
|
|
m := &g.Config.Mounts[i]
|
2018-09-18 13:06:40 +00:00
|
|
|
var options []string
|
|
|
|
|
for _, o := range m.Options {
|
|
|
|
|
switch o {
|
|
|
|
|
case "z":
|
|
|
|
|
fallthrough
|
|
|
|
|
case "Z":
|
|
|
|
|
if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
options = append(options, o)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
m.Options = options
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g.SetProcessSelinuxLabel(c.ProcessLabel())
|
|
|
|
|
g.SetLinuxMountLabel(c.MountLabel())
|
2019-03-15 14:01:23 +00:00
|
|
|
|
|
|
|
|
// Add named volumes
|
|
|
|
|
for _, namedVol := range c.config.NamedVolumes {
|
|
|
|
|
volume, err := c.runtime.GetVolume(namedVol.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error retrieving volume %s to add to container %s", namedVol.Name, c.ID())
|
|
|
|
|
}
|
|
|
|
|
mountPoint := volume.MountPoint()
|
|
|
|
|
volMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: mountPoint,
|
|
|
|
|
Destination: namedVol.Dest,
|
|
|
|
|
Options: namedVol.Options,
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(volMount)
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add bind mounts to container
|
|
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
|
newMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: srcPath,
|
|
|
|
|
Destination: dstPath,
|
2018-09-19 17:13:54 +00:00
|
|
|
Options: []string{"bind", "private"},
|
|
|
|
|
}
|
2018-12-24 11:55:24 +00:00
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
2019-01-11 09:34:27 +00:00
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
|
g.AddMount(newMount)
|
|
|
|
|
} else {
|
|
|
|
|
logrus.Warnf("User mount overriding libpod mount at %q", dstPath)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-20 12:45:20 +00:00
|
|
|
hasHomeSet := false
|
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
|
if strings.HasPrefix(s, "HOME=") {
|
|
|
|
|
hasHomeSet = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !hasHomeSet {
|
|
|
|
|
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", execUser.Home))
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.config.User != "" {
|
|
|
|
|
// User and Group must go together
|
2018-10-25 18:39:25 +00:00
|
|
|
g.SetProcessUID(uint32(execUser.Uid))
|
|
|
|
|
g.SetProcessGID(uint32(execUser.Gid))
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add addition groups if c.config.GroupAdd is not empty
|
|
|
|
|
if len(c.config.Groups) > 0 {
|
2018-10-25 18:39:25 +00:00
|
|
|
gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
|
|
|
|
|
for _, gid := range gids {
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddProcessAdditionalGid(gid)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-15 19:42:12 +00:00
|
|
|
if c.config.Systemd {
|
2018-10-17 14:45:58 +00:00
|
|
|
if err := c.setupSystemd(g.Mounts(), g); err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error adding systemd-specific mounts")
|
|
|
|
|
}
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Look up and add groups the user belongs to, if a group wasn't directly specified
|
|
|
|
|
if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
|
2018-10-24 15:39:12 +00:00
|
|
|
for _, gid := range execUser.Sgids {
|
|
|
|
|
g.AddProcessAdditionalGid(uint32(gid))
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add shared namespaces from other containers
|
|
|
|
|
if c.config.IPCNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, IPCNS, c.config.IPCNsCtr, spec.IPCNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.MountNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, MountNS, c.config.MountNsCtr, spec.MountNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, NetNS, c.config.NetNsCtr, spec.NetworkNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.PIDNsCtr != "" {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := c.addNamespaceContainer(&g, PIDNS, c.config.PIDNsCtr, spec.PIDNamespace); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.UserNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, UserNS, c.config.UserNsCtr, spec.UserNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-07-24 09:20:31 +00:00
|
|
|
if len(g.Config.Linux.UIDMappings) == 0 {
|
|
|
|
|
// runc complains if no mapping is specified, even if we join another ns. So provide a dummy mapping
|
|
|
|
|
g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
|
g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
if c.config.UTSNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, UTSNS, c.config.UTSNsCtr, spec.UTSNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.CgroupNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, CgroupNS, c.config.CgroupNsCtr, spec.CgroupNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-21 11:18:42 +00:00
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
2019-09-03 09:10:01 +00:00
|
|
|
g.AddAnnotation(annotations.Created, c.config.CreatedTime.Format(time.RFC3339Nano))
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddAnnotation("org.opencontainers.image.stopSignal", fmt.Sprintf("%d", c.config.StopSignal))
|
|
|
|
|
|
2019-09-03 09:10:01 +00:00
|
|
|
if _, exists := g.Config.Annotations[annotations.ContainerManager]; !exists {
|
|
|
|
|
g.AddAnnotation(annotations.ContainerManager, annotations.ContainerManagerLibpod)
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-15 15:27:26 +00:00
|
|
|
for _, i := range c.config.Spec.Linux.Namespaces {
|
2019-07-23 09:56:00 +00:00
|
|
|
if i.Type == spec.UTSNamespace {
|
2018-08-15 15:27:26 +00:00
|
|
|
hostname := c.Hostname()
|
|
|
|
|
g.SetHostname(hostname)
|
|
|
|
|
g.AddProcessEnv("HOSTNAME", hostname)
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
|
|
|
|
|
// Only add container environment variable if not already present
|
|
|
|
|
foundContainerEnv := false
|
|
|
|
|
for _, env := range g.Config.Process.Env {
|
|
|
|
|
if strings.HasPrefix(env, "container=") {
|
|
|
|
|
foundContainerEnv = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !foundContainerEnv {
|
|
|
|
|
g.AddProcessEnv("container", "libpod")
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-10 18:45:56 +00:00
|
|
|
cgroupPath, err := c.getOCICgroupPath()
|
2019-06-19 12:22:09 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-10-10 18:45:56 +00:00
|
|
|
g.SetLinuxCgroupsPath(cgroupPath)
|
2018-07-04 15:51:20 +00:00
|
|
|
|
2018-08-10 18:46:59 +00:00
|
|
|
// Mounts need to be sorted so paths will not cover other paths
|
|
|
|
|
mounts := sortMounts(g.Mounts())
|
|
|
|
|
g.ClearMounts()
|
2018-11-21 14:56:31 +00:00
|
|
|
|
|
|
|
|
// Determine property of RootPropagation based on volume properties. If
|
|
|
|
|
// a volume is shared, then keep root propagation shared. This should
|
|
|
|
|
// work for slave and private volumes too.
|
|
|
|
|
//
|
|
|
|
|
// For slave volumes, it can be either [r]shared/[r]slave.
|
|
|
|
|
//
|
|
|
|
|
// For private volumes any root propagation value should work.
|
|
|
|
|
rootPropagation := ""
|
2018-08-10 18:46:59 +00:00
|
|
|
for _, m := range mounts {
|
2019-03-08 20:33:12 +00:00
|
|
|
// We need to remove all symlinks from tmpfs mounts.
|
|
|
|
|
// Runc and other runtimes may choke on them.
|
|
|
|
|
// Easy solution: use securejoin to do a scoped evaluation of
|
|
|
|
|
// the links, then trim off the mount prefix.
|
|
|
|
|
if m.Type == "tmpfs" {
|
|
|
|
|
finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
|
|
|
|
|
}
|
|
|
|
|
trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
|
|
|
|
|
m.Destination = trimmedPath
|
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
g.AddMount(m)
|
2018-11-21 14:56:31 +00:00
|
|
|
for _, opt := range m.Options {
|
|
|
|
|
switch opt {
|
|
|
|
|
case MountShared, MountRShared:
|
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared {
|
|
|
|
|
rootPropagation = MountShared
|
|
|
|
|
}
|
|
|
|
|
case MountSlave, MountRSlave:
|
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared && rootPropagation != MountSlave && rootPropagation != MountRSlave {
|
|
|
|
|
rootPropagation = MountRSlave
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if rootPropagation != "" {
|
|
|
|
|
logrus.Debugf("set root propagation to %q", rootPropagation)
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := g.SetLinuxRootPropagation(rootPropagation); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
}
|
2018-11-19 17:22:32 +00:00
|
|
|
|
|
|
|
|
// Warning: precreate hooks may alter g.Config in place.
|
|
|
|
|
if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error setting up OCI Hooks")
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
return g.Config, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-15 19:42:12 +00:00
|
|
|
// systemd expects to have /run, /run/lock and /tmp on tmpfs
|
|
|
|
|
// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
|
2018-10-17 14:45:58 +00:00
|
|
|
func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
|
2018-10-15 19:42:12 +00:00
|
|
|
options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"}
|
2019-06-11 11:54:53 +00:00
|
|
|
for _, dest := range []string{"/run", "/run/lock"} {
|
2018-10-15 19:42:12 +00:00
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
|
Destination: dest,
|
|
|
|
|
Type: "tmpfs",
|
|
|
|
|
Source: "tmpfs",
|
|
|
|
|
Options: append(options, "tmpcopyup", "size=65536k"),
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
|
}
|
|
|
|
|
for _, dest := range []string{"/tmp", "/var/log/journal"} {
|
|
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
|
Destination: dest,
|
|
|
|
|
Type: "tmpfs",
|
|
|
|
|
Source: "tmpfs",
|
|
|
|
|
Options: append(options, "tmpcopyup"),
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
if unified {
|
2019-08-06 07:11:47 +00:00
|
|
|
g.RemoveMount("/sys/fs/cgroup")
|
|
|
|
|
|
2019-09-12 12:33:10 +00:00
|
|
|
hasCgroupNs := false
|
|
|
|
|
for _, ns := range c.config.Spec.Linux.Namespaces {
|
|
|
|
|
if ns.Type == spec.CgroupNamespace {
|
|
|
|
|
hasCgroupNs = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var systemdMnt spec.Mount
|
|
|
|
|
if hasCgroupNs {
|
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
|
Type: "cgroup",
|
|
|
|
|
Source: "cgroup",
|
|
|
|
|
Options: []string{"private", "rw"},
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: "/sys/fs/cgroup",
|
|
|
|
|
Options: []string{"bind", "private", "rw"},
|
|
|
|
|
}
|
2018-11-05 19:02:50 +00:00
|
|
|
}
|
|
|
|
|
g.AddMount(systemdMnt)
|
2018-11-05 21:48:29 +00:00
|
|
|
} else {
|
2019-08-06 07:11:47 +00:00
|
|
|
systemdMnt := spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup/systemd",
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: "/sys/fs/cgroup/systemd",
|
|
|
|
|
Options: []string{"bind", "nodev", "noexec", "nosuid"},
|
2018-11-05 21:48:29 +00:00
|
|
|
}
|
2019-08-06 07:11:47 +00:00
|
|
|
g.AddMount(systemdMnt)
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
|
|
|
|
return nil
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add an existing container's namespace to the spec
|
2019-07-23 09:56:00 +00:00
|
|
|
func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr string, specNS spec.LinuxNamespaceType) error {
|
2018-07-04 15:51:20 +00:00
|
|
|
nsCtr, err := c.runtime.state.Container(ctr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error retrieving dependency %s of container %s from state", ctr, c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TODO need unlocked version of this for use in pods
|
|
|
|
|
nsPath, err := nsCtr.NamespacePath(ns)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(specNS), nsPath); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2019-06-27 07:56:39 +00:00
|
|
|
func (c *Container) exportCheckpoint(dest string, ignoreRootfs bool) (err error) {
|
2019-02-06 19:22:46 +00:00
|
|
|
if (len(c.config.NamedVolumes) > 0) || (len(c.Dependencies()) > 0) {
|
|
|
|
|
return errors.Errorf("Cannot export checkpoints of containers with named volumes or dependencies")
|
|
|
|
|
}
|
2019-02-06 19:17:25 +00:00
|
|
|
logrus.Debugf("Exporting checkpoint image of container %q to %q", c.ID(), dest)
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2019-06-27 07:56:39 +00:00
|
|
|
includeFiles := []string{
|
|
|
|
|
"checkpoint",
|
|
|
|
|
"artifacts",
|
|
|
|
|
"ctr.log",
|
|
|
|
|
"config.dump",
|
|
|
|
|
"spec.dump",
|
|
|
|
|
"network.status"}
|
|
|
|
|
|
2019-06-27 06:16:32 +00:00
|
|
|
// Get root file-system changes included in the checkpoint archive
|
|
|
|
|
rootfsDiffPath := filepath.Join(c.bundlePath(), "rootfs-diff.tar")
|
2019-06-27 07:56:39 +00:00
|
|
|
if !ignoreRootfs {
|
|
|
|
|
rootfsDiffFile, err := os.Create(rootfsDiffPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating root file-system diff file %q", rootfsDiffPath)
|
|
|
|
|
}
|
|
|
|
|
tarStream, err := c.runtime.GetDiffTarStream("", c.ID())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error exporting root file-system diff to %q", rootfsDiffPath)
|
|
|
|
|
}
|
|
|
|
|
_, err = io.Copy(rootfsDiffFile, tarStream)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error exporting root file-system diff to %q", rootfsDiffPath)
|
|
|
|
|
}
|
|
|
|
|
tarStream.Close()
|
|
|
|
|
rootfsDiffFile.Close()
|
|
|
|
|
includeFiles = append(includeFiles, "rootfs-diff.tar")
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{
|
|
|
|
|
Compression: archive.Gzip,
|
|
|
|
|
IncludeSourceDir: true,
|
2019-06-27 07:56:39 +00:00
|
|
|
IncludeFiles: includeFiles,
|
2019-02-06 19:17:25 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error reading checkpoint directory %q", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
outFile, err := os.Create(dest)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating checkpoint export file %q", dest)
|
|
|
|
|
}
|
|
|
|
|
defer outFile.Close()
|
|
|
|
|
|
|
|
|
|
if err := os.Chmod(dest, 0600); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "cannot chmod %q", dest)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = io.Copy(outFile, input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-27 06:16:32 +00:00
|
|
|
os.Remove(rootfsDiffPath)
|
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-28 17:24:08 +00:00
|
|
|
func (c *Container) checkpointRestoreSupported() (err error) {
|
2018-10-02 13:38:28 +00:00
|
|
|
if !criu.CheckForCriu() {
|
2019-02-28 17:24:08 +00:00
|
|
|
return errors.Errorf("Checkpoint/Restore requires at least CRIU %d", criu.MinCriuVersion)
|
|
|
|
|
}
|
2019-10-08 17:53:36 +00:00
|
|
|
if !c.ociRuntime.SupportsCheckpoint() {
|
2019-02-28 17:24:08 +00:00
|
|
|
return errors.Errorf("Configured runtime does not support checkpoint/restore")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-12 13:12:38 +00:00
|
|
|
func (c *Container) checkpointRestoreLabelLog(fileName string) (err error) {
|
2019-02-20 16:42:44 +00:00
|
|
|
// Create the CRIU log file and label it
|
2019-04-12 13:12:38 +00:00
|
|
|
dumpLog := filepath.Join(c.bundlePath(), fileName)
|
2019-02-20 16:42:44 +00:00
|
|
|
|
|
|
|
|
logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog)
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := logFile.Close(); err != nil {
|
|
|
|
|
logrus.Errorf("unable to close log file: %q", err)
|
|
|
|
|
}
|
2019-02-20 16:42:44 +00:00
|
|
|
if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog)
|
|
|
|
|
}
|
2019-04-12 13:12:38 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointOptions) (err error) {
|
|
|
|
|
if err := c.checkpointRestoreSupported(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
if c.state.State != define.ContainerStateRunning {
|
2019-06-24 20:48:34 +00:00
|
|
|
return errors.Wrapf(define.ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State)
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.checkpointRestoreLabelLog("dump.log"); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-02-20 16:42:44 +00:00
|
|
|
|
2019-10-08 17:53:36 +00:00
|
|
|
if err := c.ociRuntime.CheckpointContainer(c, options); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Save network.status. This is needed to restore the container with
|
|
|
|
|
// the same IP. Currently limited to one IP address in a container
|
|
|
|
|
// with one interface.
|
2019-01-08 20:12:43 +00:00
|
|
|
formatJSON, err := json.MarshalIndent(c.state.NetworkStatus, "", " ")
|
2018-09-18 09:56:19 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := ioutil.WriteFile(filepath.Join(c.bundlePath(), "network.status"), formatJSON, 0644); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
2019-06-27 07:56:39 +00:00
|
|
|
if err = c.exportCheckpoint(options.TargetFile, options.IgnoreRootfs); err != nil {
|
2019-02-06 19:22:46 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
logrus.Debugf("Checkpointed container %s", c.ID())
|
|
|
|
|
|
2018-11-20 15:34:15 +00:00
|
|
|
if !options.KeepRunning {
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateStopped
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-20 15:34:15 +00:00
|
|
|
// Cleanup Storage and Network
|
|
|
|
|
if err := c.cleanup(ctx); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-20 14:08:08 +00:00
|
|
|
if !options.Keep {
|
2019-02-06 19:17:25 +00:00
|
|
|
cleanup := []string{
|
|
|
|
|
"dump.log",
|
|
|
|
|
"stats-dump",
|
|
|
|
|
"config.dump",
|
|
|
|
|
"spec.dump",
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
|
|
|
|
if err := os.Remove(file); err != nil {
|
|
|
|
|
logrus.Debugf("unable to remove file %s", file)
|
|
|
|
|
}
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2019-07-05 13:23:09 +00:00
|
|
|
c.state.FinishedTime = time.Now()
|
2018-09-18 09:56:19 +00:00
|
|
|
return c.save()
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
func (c *Container) importCheckpoint(input string) (err error) {
|
|
|
|
|
archiveFile, err := os.Open(input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "Failed to open checkpoint archive %s for import", input)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer archiveFile.Close()
|
|
|
|
|
options := &archive.TarOptions{
|
|
|
|
|
ExcludePatterns: []string{
|
|
|
|
|
// config.dump and spec.dump are only required
|
|
|
|
|
// container creation
|
|
|
|
|
"config.dump",
|
|
|
|
|
"spec.dump",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
err = archive.Untar(archiveFile, c.bundlePath(), options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "Unpacking of checkpoint archive %s failed", input)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make sure the newly created config.json exists on disk
|
2019-07-11 10:44:12 +00:00
|
|
|
g := generate.Generator{Config: c.config.Spec}
|
|
|
|
|
if err = c.saveSpec(g.Config); err != nil {
|
2019-02-06 19:17:25 +00:00
|
|
|
return errors.Wrap(err, "Saving imported container specification for restore failed")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-21 13:09:17 +00:00
|
|
|
func (c *Container) restore(ctx context.Context, options ContainerCheckpointOptions) (err error) {
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2019-02-28 17:24:08 +00:00
|
|
|
if err := c.checkpointRestoreSupported(); err != nil {
|
|
|
|
|
return err
|
2018-10-02 13:38:28 +00:00
|
|
|
}
|
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
if (c.state.State != define.ContainerStateConfigured) && (c.state.State != define.ContainerStateExited) {
|
2019-06-24 20:48:34 +00:00
|
|
|
return errors.Wrapf(define.ErrCtrStateInvalid, "container %s is running or paused, cannot restore", c.ID())
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
|
|
|
|
if err = c.importCheckpoint(options.TargetFile); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Let's try to stat() CRIU's inventory file. If it does not exist, it makes
|
|
|
|
|
// no sense to try a restore. This is a minimal check if a checkpoint exist.
|
|
|
|
|
if _, err := os.Stat(filepath.Join(c.CheckpointPath(), "inventory.img")); os.IsNotExist(err) {
|
|
|
|
|
return errors.Wrapf(err, "A complete checkpoint for this container cannot be found, cannot restore")
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-12 13:12:38 +00:00
|
|
|
if err := c.checkpointRestoreLabelLog("restore.log"); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-01 17:23:02 +00:00
|
|
|
// If a container is restored multiple times from an exported checkpoint with
|
|
|
|
|
// the help of '--import --name', the restore will fail if during 'podman run'
|
|
|
|
|
// a static container IP was set with '--ip'. The user can tell the restore
|
|
|
|
|
// process to ignore the static IP with '--ignore-static-ip'
|
|
|
|
|
if options.IgnoreStaticIP {
|
|
|
|
|
c.config.StaticIP = nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read network configuration from checkpoint
|
|
|
|
|
// Currently only one interface with one IP is supported.
|
|
|
|
|
networkStatusFile, err := os.Open(filepath.Join(c.bundlePath(), "network.status"))
|
2019-03-14 07:57:16 +00:00
|
|
|
// If the restored container should get a new name, the IP address of
|
|
|
|
|
// the container will not be restored. This assumes that if a new name is
|
|
|
|
|
// specified, the container is restored multiple times.
|
|
|
|
|
// TODO: This implicit restoring with or without IP depending on an
|
|
|
|
|
// unrelated restore parameter (--name) does not seem like the
|
|
|
|
|
// best solution.
|
2019-08-01 17:23:02 +00:00
|
|
|
if err == nil && options.Name == "" && !options.IgnoreStaticIP {
|
2018-09-18 09:56:19 +00:00
|
|
|
// The file with the network.status does exist. Let's restore the
|
|
|
|
|
// container with the same IP address as during checkpointing.
|
|
|
|
|
defer networkStatusFile.Close()
|
|
|
|
|
var networkStatus []*cnitypes.Result
|
|
|
|
|
networkJSON, err := ioutil.ReadAll(networkStatusFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := json.Unmarshal(networkJSON, &networkStatus); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
// Take the first IP address
|
|
|
|
|
var IP net.IP
|
|
|
|
|
if len(networkStatus) > 0 {
|
|
|
|
|
if len(networkStatus[0].IPs) > 0 {
|
|
|
|
|
IP = networkStatus[0].IPs[0].Address.IP
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if IP != nil {
|
|
|
|
|
// Tell CNI which IP address we want.
|
2018-12-11 16:27:05 +00:00
|
|
|
c.requestedIP = IP
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
|
if err != nil {
|
|
|
|
|
if err2 := c.cleanup(ctx); err2 != nil {
|
|
|
|
|
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
|
2018-11-07 16:44:33 +00:00
|
|
|
if err := c.prepare(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read config
|
|
|
|
|
jsonPath := filepath.Join(c.bundlePath(), "config.json")
|
|
|
|
|
logrus.Debugf("generate.NewFromFile at %v", jsonPath)
|
|
|
|
|
g, err := generate.NewFromFile(jsonPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("generate.NewFromFile failed with %v", err)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Restoring from an import means that we are doing migration
|
|
|
|
|
if options.TargetFile != "" {
|
|
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// We want to have the same network namespace as before.
|
|
|
|
|
if c.config.CreateNetNS {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), c.state.NetNS.Path()); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
|
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
|
newMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: srcPath,
|
|
|
|
|
Destination: dstPath,
|
|
|
|
|
Options: []string{"bind", "private"},
|
|
|
|
|
}
|
|
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
|
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
|
|
|
|
}
|
|
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
|
g.AddMount(newMount)
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Cleanup for a working restore.
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := c.removeConmonFiles(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Save the OCI spec to disk
|
2019-07-11 10:44:12 +00:00
|
|
|
if err := c.saveSpec(g.Config); err != nil {
|
2019-02-06 19:22:46 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
|
|
|
|
|
// Before actually restarting the container, apply the root file-system changes
|
2019-06-27 07:56:39 +00:00
|
|
|
if !options.IgnoreRootfs {
|
|
|
|
|
rootfsDiffPath := filepath.Join(c.bundlePath(), "rootfs-diff.tar")
|
|
|
|
|
if _, err := os.Stat(rootfsDiffPath); err == nil {
|
|
|
|
|
// Only do this if a rootfs-diff.tar actually exists
|
|
|
|
|
rootfsDiffFile, err := os.Open(rootfsDiffPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "Failed to open root file-system diff file %s", rootfsDiffPath)
|
|
|
|
|
}
|
|
|
|
|
if err := c.runtime.ApplyDiffTarStream(c.ID(), rootfsDiffFile); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "Failed to apply root file-system diff file %s", rootfsDiffPath)
|
|
|
|
|
}
|
|
|
|
|
rootfsDiffFile.Close()
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-08 17:53:36 +00:00
|
|
|
if err := c.ociRuntime.CreateContainer(c, &options); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logrus.Debugf("Restored container %s", c.ID())
|
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateRunning
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-21 13:09:17 +00:00
|
|
|
if !options.Keep {
|
2018-09-18 09:56:19 +00:00
|
|
|
// Delete all checkpoint related files. At this point, in theory, all files
|
|
|
|
|
// should exist. Still ignoring errors for now as the container should be
|
|
|
|
|
// restored and running. Not erroring out just because some cleanup operation
|
|
|
|
|
// failed. Starting with the checkpoint directory
|
|
|
|
|
err = os.RemoveAll(c.CheckpointPath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint directory (%s) failed: %v", c.CheckpointPath(), err)
|
|
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
cleanup := [...]string{"restore.log", "dump.log", "stats-dump", "stats-restore", "network.status", "rootfs-diff.tar"}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
2018-09-18 09:56:19 +00:00
|
|
|
err = os.Remove(file)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint file (%s) failed: %v", file, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return c.save()
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
|
|
|
|
// Make standard bind mounts to include in the container
|
|
|
|
|
func (c *Container) makeBindMounts() error {
|
|
|
|
|
if err := os.Chown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "cannot chown run directory %s", c.state.RunDir)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.state.BindMounts == nil {
|
|
|
|
|
c.state.BindMounts = make(map[string]string)
|
|
|
|
|
}
|
2018-12-06 19:56:57 +00:00
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2018-12-06 19:56:57 +00:00
|
|
|
if !netDisabled {
|
2018-12-11 21:53:12 +00:00
|
|
|
// If /etc/resolv.conf and /etc/hosts exist, delete them so we
|
2019-03-10 16:16:30 +00:00
|
|
|
// will recreate. Only do this if we aren't sharing them with
|
|
|
|
|
// another container.
|
|
|
|
|
if c.config.NetNsCtr == "" {
|
2019-07-03 20:37:17 +00:00
|
|
|
if resolvePath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok {
|
|
|
|
|
if err := os.Remove(resolvePath); err != nil && !os.IsNotExist(err) {
|
2019-03-10 16:16:30 +00:00
|
|
|
return errors.Wrapf(err, "error removing container %s resolv.conf", c.ID())
|
|
|
|
|
}
|
|
|
|
|
delete(c.state.BindMounts, "/etc/resolv.conf")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if hostsPath, ok := c.state.BindMounts["/etc/hosts"]; ok {
|
|
|
|
|
if err := os.Remove(hostsPath); err != nil && !os.IsNotExist(err) {
|
2019-03-10 16:16:30 +00:00
|
|
|
return errors.Wrapf(err, "error removing container %s hosts", c.ID())
|
|
|
|
|
}
|
|
|
|
|
delete(c.state.BindMounts, "/etc/hosts")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if c.config.NetNsCtr != "" && (!c.config.UseImageResolvConf || !c.config.UseImageHosts) {
|
2019-03-22 18:39:09 +00:00
|
|
|
// We share a net namespace.
|
2018-12-11 21:53:12 +00:00
|
|
|
// We want /etc/resolv.conf and /etc/hosts from the
|
2019-03-22 18:39:09 +00:00
|
|
|
// other container. Unless we're not creating both of
|
|
|
|
|
// them.
|
2018-12-11 21:53:12 +00:00
|
|
|
depCtr, err := c.runtime.state.Container(c.config.NetNsCtr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We need that container's bind mounts
|
|
|
|
|
bindMounts, err := depCtr.BindMounts()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error fetching bind mounts from dependency %s of container %s", depCtr.ID(), c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageResolvConf {
|
2019-03-22 18:39:09 +00:00
|
|
|
// The other container may not have a resolv.conf or /etc/hosts
|
|
|
|
|
// If it doesn't, don't copy them
|
|
|
|
|
resolvPath, exists := bindMounts["/etc/resolv.conf"]
|
|
|
|
|
if exists {
|
|
|
|
|
c.state.BindMounts["/etc/resolv.conf"] = resolvPath
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageHosts {
|
2019-03-22 18:39:09 +00:00
|
|
|
// check if dependency container has an /etc/hosts file
|
|
|
|
|
hostsPath, exists := bindMounts["/etc/hosts"]
|
|
|
|
|
if !exists {
|
|
|
|
|
return errors.Errorf("error finding hosts file of dependency container %s for container %s", depCtr.ID(), c.ID())
|
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
depCtr.lock.Lock()
|
|
|
|
|
// generate a hosts file for the dependency container,
|
|
|
|
|
// based on either its old hosts file, or the default,
|
|
|
|
|
// and add the relevant information from the new container (hosts and IP)
|
|
|
|
|
hostsPath, err = depCtr.appendHosts(hostsPath, c)
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if err != nil {
|
|
|
|
|
depCtr.lock.Unlock()
|
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s which depends on container %s", c.ID(), depCtr.ID())
|
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
depCtr.lock.Unlock()
|
|
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
// finally, save it in the new container
|
|
|
|
|
c.state.BindMounts["/etc/hosts"] = hostsPath
|
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
} else {
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageResolvConf {
|
2019-03-22 18:39:09 +00:00
|
|
|
newResolv, err := c.generateResolvConf()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/etc/resolv.conf"] = newResolv
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageHosts {
|
2019-03-22 18:39:09 +00:00
|
|
|
newHosts, err := c.generateHosts("/etc/hosts")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/etc/hosts"] = newHosts
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/hosts"] != "" {
|
|
|
|
|
if err := label.Relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/resolv.conf"] != "" {
|
|
|
|
|
if err := label.Relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// SHM is always added when we mount the container
|
|
|
|
|
c.state.BindMounts["/dev/shm"] = c.config.ShmDir
|
|
|
|
|
|
|
|
|
|
newPasswd, err := c.generatePasswd()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating temporary passwd file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
if newPasswd != "" {
|
|
|
|
|
// Make /etc/passwd
|
|
|
|
|
if _, ok := c.state.BindMounts["/etc/passwd"]; ok {
|
|
|
|
|
// If it already exists, delete so we can recreate
|
|
|
|
|
delete(c.state.BindMounts, "/etc/passwd")
|
|
|
|
|
}
|
|
|
|
|
logrus.Debugf("adding entry to /etc/passwd for non existent default user")
|
|
|
|
|
c.state.BindMounts["/etc/passwd"] = newPasswd
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make /etc/hostname
|
|
|
|
|
// This should never change, so no need to recreate if it exists
|
|
|
|
|
if _, ok := c.state.BindMounts["/etc/hostname"]; !ok {
|
|
|
|
|
hostnamePath, err := c.writeStringToRundir("hostname", c.Hostname())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating hostname file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/etc/hostname"] = hostnamePath
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make .containerenv
|
|
|
|
|
// Empty file, so no need to recreate if it exists
|
|
|
|
|
if _, ok := c.state.BindMounts["/run/.containerenv"]; !ok {
|
|
|
|
|
// Empty string for now, but we may consider populating this later
|
|
|
|
|
containerenvPath, err := c.writeStringToRundir(".containerenv", "")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating containerenv file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/run/.containerenv"] = containerenvPath
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add Secret Mounts
|
2019-03-21 11:18:42 +00:00
|
|
|
secretMounts := secrets.SecretMountsWithUIDGID(c.config.MountLabel, c.state.RunDir, c.runtime.config.DefaultMountsFile, c.state.RunDir, c.RootUID(), c.RootGID(), rootless.IsRootless())
|
2018-11-08 11:12:14 +00:00
|
|
|
for _, mount := range secretMounts {
|
|
|
|
|
if _, ok := c.state.BindMounts[mount.Destination]; !ok {
|
|
|
|
|
c.state.BindMounts[mount.Destination] = mount.Source
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generateResolvConf generates a containers resolv.conf
|
|
|
|
|
func (c *Container) generateResolvConf() (string, error) {
|
2019-08-28 18:19:15 +00:00
|
|
|
var (
|
|
|
|
|
nameservers []string
|
|
|
|
|
cniNameServers []string
|
|
|
|
|
)
|
|
|
|
|
|
2019-02-18 02:55:30 +00:00
|
|
|
resolvConf := "/etc/resolv.conf"
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, namespace := range c.config.Spec.Linux.Namespaces {
|
|
|
|
|
if namespace.Type == spec.NetworkNamespace {
|
|
|
|
|
if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") {
|
|
|
|
|
definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf")
|
2019-02-18 02:55:30 +00:00
|
|
|
_, err := os.Stat(definedPath)
|
|
|
|
|
if err == nil {
|
|
|
|
|
resolvConf = definedPath
|
|
|
|
|
} else if !os.IsNotExist(err) {
|
|
|
|
|
return "", errors.Wrapf(err, "failed to stat %s", definedPath)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Determine the endpoint for resolv.conf in case it is a symlink
|
2019-02-18 02:55:30 +00:00
|
|
|
resolvPath, err := filepath.EvalSymlinks(resolvConf)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
contents, err := ioutil.ReadFile(resolvPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrapf(err, "unable to read %s", resolvPath)
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-21 14:30:03 +00:00
|
|
|
// Ensure that the container's /etc/resolv.conf is compatible with its
|
|
|
|
|
// network configuration.
|
2018-11-08 11:12:14 +00:00
|
|
|
// TODO: set ipv6 enable bool more sanely
|
2018-11-21 14:30:03 +00:00
|
|
|
resolv, err := resolvconf.FilterResolvDNS(contents, true, c.config.CreateNetNS)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrapf(err, "error parsing host resolv.conf")
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-28 18:19:15 +00:00
|
|
|
// Check if CNI gave back and DNS servers for us to add in
|
|
|
|
|
cniResponse := c.state.NetworkStatus
|
|
|
|
|
for _, i := range cniResponse {
|
|
|
|
|
if i.DNS.Nameservers != nil {
|
|
|
|
|
cniNameServers = append(cniNameServers, i.DNS.Nameservers...)
|
|
|
|
|
logrus.Debugf("adding nameserver(s) from cni response of '%q'", i.DNS.Nameservers)
|
|
|
|
|
}
|
2019-03-11 10:42:01 +00:00
|
|
|
}
|
2019-08-28 18:19:15 +00:00
|
|
|
|
|
|
|
|
// If the user provided dns, it trumps all; then dns masq; then resolv.conf
|
2018-11-08 11:12:14 +00:00
|
|
|
if len(c.config.DNSServer) > 0 {
|
|
|
|
|
// We store DNS servers as net.IP, so need to convert to string
|
|
|
|
|
for _, server := range c.config.DNSServer {
|
|
|
|
|
nameservers = append(nameservers, server.String())
|
|
|
|
|
}
|
2019-08-28 18:19:15 +00:00
|
|
|
} else if len(cniNameServers) > 0 {
|
|
|
|
|
nameservers = append(nameservers, cniNameServers...)
|
|
|
|
|
} else {
|
|
|
|
|
// Make a new resolv.conf
|
|
|
|
|
nameservers = resolvconf.GetNameservers(resolv.Content)
|
|
|
|
|
// slirp4netns has a built in DNS server.
|
|
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
|
nameservers = append([]string{"10.0.2.3"}, nameservers...)
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
search := resolvconf.GetSearchDomains(resolv.Content)
|
|
|
|
|
if len(c.config.DNSSearch) > 0 {
|
|
|
|
|
search = c.config.DNSSearch
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
options := resolvconf.GetOptions(resolv.Content)
|
|
|
|
|
if len(c.config.DNSOption) > 0 {
|
|
|
|
|
options = c.config.DNSOption
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
destPath := filepath.Join(c.state.RunDir, "resolv.conf")
|
|
|
|
|
|
|
|
|
|
if err := os.Remove(destPath); err != nil && !os.IsNotExist(err) {
|
|
|
|
|
return "", errors.Wrapf(err, "error removing resolv.conf for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Build resolv.conf
|
|
|
|
|
if _, err = resolvconf.Build(destPath, nameservers, search, options); err != nil {
|
2018-11-27 16:33:19 +00:00
|
|
|
return "", errors.Wrapf(err, "error building resolv.conf for container %s", c.ID())
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Relabel resolv.conf for the container
|
2019-02-23 12:52:05 +00:00
|
|
|
if err := label.Relabel(destPath, c.config.MountLabel, true); err != nil {
|
2018-11-08 11:12:14 +00:00
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-21 11:18:42 +00:00
|
|
|
return filepath.Join(c.state.RunDir, "resolv.conf"), nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generateHosts creates a containers hosts file
|
2019-03-04 03:54:41 +00:00
|
|
|
func (c *Container) generateHosts(path string) (string, error) {
|
|
|
|
|
orig, err := ioutil.ReadFile(path)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
2019-03-04 03:54:41 +00:00
|
|
|
return "", errors.Wrapf(err, "unable to read %s", path)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
hosts := string(orig)
|
2019-03-04 03:54:41 +00:00
|
|
|
hosts += c.getHosts()
|
|
|
|
|
return c.writeStringToRundir("hosts", hosts)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// appendHosts appends a container's config and state pertaining to hosts to a container's
|
|
|
|
|
// local hosts file. netCtr is the container from which the netNS information is
|
|
|
|
|
// taken.
|
|
|
|
|
// path is the basis of the hosts file, into which netCtr's netNS information will be appended.
|
|
|
|
|
func (c *Container) appendHosts(path string, netCtr *Container) (string, error) {
|
|
|
|
|
return c.appendStringToRundir("hosts", netCtr.getHosts())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getHosts finds the pertinent information for a container's host file in its config and state
|
|
|
|
|
// and returns a string in a format that can be written to the host file
|
|
|
|
|
func (c *Container) getHosts() string {
|
|
|
|
|
var hosts string
|
2018-11-08 11:12:14 +00:00
|
|
|
if len(c.config.HostAdd) > 0 {
|
|
|
|
|
for _, host := range c.config.HostAdd {
|
|
|
|
|
// the host format has already been verified at this point
|
|
|
|
|
fields := strings.SplitN(host, ":", 2)
|
|
|
|
|
hosts += fmt.Sprintf("%s %s\n", fields[1], fields[0])
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-22 12:26:03 +00:00
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
|
// When using slirp4netns, the interface gets a static IP
|
|
|
|
|
hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s\n", "10.0.2.100", c.Hostname())
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
if len(c.state.NetworkStatus) > 0 && len(c.state.NetworkStatus[0].IPs) > 0 {
|
|
|
|
|
ipAddress := strings.Split(c.state.NetworkStatus[0].IPs[0].Address.String(), "/")[0]
|
|
|
|
|
hosts += fmt.Sprintf("%s\t%s\n", ipAddress, c.Hostname())
|
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
return hosts
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generatePasswd generates a container specific passwd file,
|
|
|
|
|
// iff g.config.User is a number
|
|
|
|
|
func (c *Container) generatePasswd() (string, error) {
|
|
|
|
|
var (
|
|
|
|
|
groupspec string
|
|
|
|
|
gid int
|
|
|
|
|
)
|
|
|
|
|
if c.config.User == "" {
|
|
|
|
|
return "", nil
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
splitSpec := strings.SplitN(c.config.User, ":", 2)
|
|
|
|
|
userspec := splitSpec[0]
|
|
|
|
|
if len(splitSpec) > 1 {
|
|
|
|
|
groupspec = splitSpec[1]
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
// If a non numeric User, then don't generate passwd
|
|
|
|
|
uid, err := strconv.ParseUint(userspec, 10, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", nil
|
|
|
|
|
}
|
|
|
|
|
// Lookup the user to see if it exists in the container image
|
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, userspec)
|
|
|
|
|
if err != nil && err != user.ErrNoPasswdEntries {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
if err == nil {
|
|
|
|
|
return "", nil
|
|
|
|
|
}
|
|
|
|
|
if groupspec != "" {
|
2018-12-04 19:46:17 +00:00
|
|
|
ugid, err := strconv.ParseUint(groupspec, 10, 32)
|
|
|
|
|
if err == nil {
|
|
|
|
|
gid = int(ugid)
|
|
|
|
|
} else {
|
|
|
|
|
group, err := lookup.GetGroup(c.state.Mountpoint, groupspec)
|
|
|
|
|
if err != nil {
|
2018-11-08 11:12:14 +00:00
|
|
|
return "", errors.Wrapf(err, "unable to get gid %s from group file", groupspec)
|
|
|
|
|
}
|
2018-12-04 19:46:17 +00:00
|
|
|
gid = group.Gid
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
originPasswdFile := filepath.Join(c.state.Mountpoint, "/etc/passwd")
|
|
|
|
|
orig, err := ioutil.ReadFile(originPasswdFile)
|
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
|
|
|
|
return "", errors.Wrapf(err, "unable to read passwd file %s", originPasswdFile)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pwd := fmt.Sprintf("%s%d:x:%d:%d:container user:%s:/bin/sh\n", orig, uid, uid, gid, c.WorkingDir())
|
|
|
|
|
passwdFile, err := c.writeStringToRundir("passwd", pwd)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrapf(err, "failed to create temporary passwd file")
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := os.Chmod(passwdFile, 0644); err != nil {
|
2018-11-08 11:12:14 +00:00
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
return passwdFile, nil
|
|
|
|
|
}
|
2019-03-14 12:33:53 +00:00
|
|
|
|
|
|
|
|
func (c *Container) copyOwnerAndPerms(source, dest string) error {
|
|
|
|
|
info, err := os.Stat(source)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return errors.Wrapf(err, "cannot stat `%s`", dest)
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chmod(dest, info.Mode()); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "cannot chmod `%s`", dest)
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chown(dest, int(info.Sys().(*syscall.Stat_t).Uid), int(info.Sys().(*syscall.Stat_t).Gid)); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "cannot chown `%s`", dest)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-09-23 18:54:10 +00:00
|
|
|
|
|
|
|
|
// Teardown CNI config on refresh
|
|
|
|
|
func (c *Container) refreshCNI() error {
|
|
|
|
|
// Let's try and delete any lingering network config...
|
|
|
|
|
podNetwork := c.runtime.getPodNetwork(c.ID(), c.config.Name, "", c.config.Networks, c.config.PortMappings, c.config.StaticIP)
|
|
|
|
|
return c.runtime.netPlugin.TearDownPod(podNetwork)
|
|
|
|
|
}
|
2019-10-10 18:45:56 +00:00
|
|
|
|
|
|
|
|
// Get cgroup path in a format suitable for the OCI spec
|
|
|
|
|
func (c *Container) getOCICgroupPath() (string, error) {
|
|
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
if (rootless.IsRootless() && !unified) || c.config.NoCgroups {
|
|
|
|
|
return "", nil
|
|
|
|
|
} else if c.runtime.config.CgroupManager == SystemdCgroupsManager {
|
|
|
|
|
// When runc is set to use Systemd as a cgroup manager, it
|
|
|
|
|
// expects cgroups to be passed as follows:
|
|
|
|
|
// slice:prefix:name
|
|
|
|
|
systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID())
|
|
|
|
|
logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups)
|
|
|
|
|
return systemdCgroups, nil
|
|
|
|
|
} else if c.runtime.config.CgroupManager == CgroupfsCgroupsManager {
|
|
|
|
|
cgroupPath, err := c.CGroupPath()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath)
|
|
|
|
|
return cgroupPath, nil
|
|
|
|
|
} else {
|
|
|
|
|
return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", c.runtime.config.CgroupManager)
|
|
|
|
|
}
|
|
|
|
|
}
|
