2018-06-20 18:23:24 +00:00
|
|
|
// +build linux
|
|
|
|
|
|
|
|
package libpod
|
|
|
|
|
|
|
|
import (
|
2018-07-04 15:51:20 +00:00
|
|
|
"context"
|
2018-06-20 18:23:24 +00:00
|
|
|
"fmt"
|
2019-02-06 19:17:25 +00:00
|
|
|
"io"
|
2018-09-18 09:56:19 +00:00
|
|
|
"io/ioutil"
|
2020-10-02 07:25:12 +00:00
|
|
|
"math"
|
2018-09-18 09:56:19 +00:00
|
|
|
"net"
|
|
|
|
"os"
|
2020-06-30 19:44:14 +00:00
|
|
|
"os/user"
|
2018-07-04 15:51:20 +00:00
|
|
|
"path"
|
2018-09-18 09:56:19 +00:00
|
|
|
"path/filepath"
|
2018-11-08 11:12:14 +00:00
|
|
|
"strconv"
|
2018-07-04 15:51:20 +00:00
|
|
|
"strings"
|
2018-10-17 18:43:36 +00:00
|
|
|
"sync"
|
2018-07-04 15:51:20 +00:00
|
|
|
"syscall"
|
|
|
|
"time"
|
2018-06-20 18:23:24 +00:00
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
cnitypes "github.com/containernetworking/cni/pkg/types/current"
|
2018-10-17 18:43:36 +00:00
|
|
|
"github.com/containernetworking/plugins/pkg/ns"
|
2020-07-09 19:46:14 +00:00
|
|
|
"github.com/containers/buildah/pkg/overlay"
|
2019-03-04 13:35:09 +00:00
|
|
|
"github.com/containers/buildah/pkg/secrets"
|
2020-04-17 01:54:31 +00:00
|
|
|
"github.com/containers/common/pkg/apparmor"
|
2020-03-27 14:13:51 +00:00
|
|
|
"github.com/containers/common/pkg/config"
|
2020-07-28 12:23:45 +00:00
|
|
|
"github.com/containers/podman/v2/libpod/define"
|
|
|
|
"github.com/containers/podman/v2/libpod/events"
|
|
|
|
"github.com/containers/podman/v2/pkg/annotations"
|
|
|
|
"github.com/containers/podman/v2/pkg/cgroups"
|
|
|
|
"github.com/containers/podman/v2/pkg/criu"
|
|
|
|
"github.com/containers/podman/v2/pkg/lookup"
|
|
|
|
"github.com/containers/podman/v2/pkg/resolvconf"
|
|
|
|
"github.com/containers/podman/v2/pkg/rootless"
|
|
|
|
"github.com/containers/podman/v2/pkg/util"
|
|
|
|
"github.com/containers/podman/v2/utils"
|
2019-02-06 19:17:25 +00:00
|
|
|
"github.com/containers/storage/pkg/archive"
|
2020-10-02 07:25:12 +00:00
|
|
|
"github.com/containers/storage/pkg/idtools"
|
2019-05-23 11:12:56 +00:00
|
|
|
securejoin "github.com/cyphar/filepath-securejoin"
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
runcuser "github.com/opencontainers/runc/libcontainer/user"
|
2018-07-04 15:51:20 +00:00
|
|
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
"github.com/opencontainers/runtime-tools/generate"
|
|
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
2019-03-05 23:11:28 +00:00
|
|
|
"github.com/opentracing/opentracing-go"
|
2018-07-04 15:51:20 +00:00
|
|
|
"github.com/pkg/errors"
|
2018-06-20 18:23:24 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2018-07-04 15:51:20 +00:00
|
|
|
"golang.org/x/sys/unix"
|
2018-06-20 18:23:24 +00:00
|
|
|
)
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
func (c *Container) mountSHM(shmOptions string) error {
|
|
|
|
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
|
|
|
|
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
|
|
|
|
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Container) unmountSHM(mount string) error {
|
2019-09-05 14:00:50 +00:00
|
|
|
if err := unix.Unmount(mount, 0); err != nil {
|
2019-09-06 14:25:53 +00:00
|
|
|
if err != syscall.EINVAL && err != syscall.ENOENT {
|
2019-09-05 14:00:50 +00:00
|
|
|
return errors.Wrapf(err, "error unmounting container %s SHM mount %s", c.ID(), mount)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2019-09-06 14:25:53 +00:00
|
|
|
// If it's just an EINVAL or ENOENT, debug logs only
|
2019-09-05 14:00:50 +00:00
|
|
|
logrus.Debugf("container %s failed to unmount %s : %v", c.ID(), mount, err)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// prepare mounts the container and sets up other required resources like net
|
|
|
|
// namespaces
|
2020-01-13 12:01:45 +00:00
|
|
|
func (c *Container) prepare() error {
|
2018-10-17 18:43:36 +00:00
|
|
|
var (
|
2019-08-06 14:49:03 +00:00
|
|
|
wg sync.WaitGroup
|
|
|
|
netNS ns.NetNS
|
|
|
|
networkStatus []*cnitypes.Result
|
|
|
|
createNetNSErr, mountStorageErr error
|
|
|
|
mountPoint string
|
|
|
|
tmpStateLock sync.Mutex
|
2018-10-17 18:43:36 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
wg.Add(2)
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
// Set up network namespace if not already set up
|
2020-06-11 11:06:21 +00:00
|
|
|
noNetNS := c.state.NetNS == nil
|
|
|
|
if c.config.CreateNetNS && noNetNS && !c.config.PostConfigureNetNS {
|
2020-08-26 09:07:51 +00:00
|
|
|
if rootless.IsRootless() && len(c.config.Networks) > 0 {
|
|
|
|
netNS, networkStatus, createNetNSErr = AllocRootlessCNI(context.Background(), c)
|
|
|
|
} else {
|
|
|
|
netNS, networkStatus, createNetNSErr = c.runtime.createNetNS(c)
|
|
|
|
}
|
2019-06-12 17:31:18 +00:00
|
|
|
if createNetNSErr != nil {
|
|
|
|
return
|
|
|
|
}
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
// Assign NetNS attributes to container
|
2019-06-12 17:31:18 +00:00
|
|
|
c.state.NetNS = netNS
|
|
|
|
c.state.NetworkStatus = networkStatus
|
|
|
|
}
|
|
|
|
|
|
|
|
// handle rootless network namespace setup
|
2020-08-26 09:07:51 +00:00
|
|
|
if noNetNS && !c.config.PostConfigureNetNS {
|
|
|
|
if rootless.IsRootless() {
|
|
|
|
createNetNSErr = c.runtime.setupRootlessNetNS(c)
|
|
|
|
} else if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
createNetNSErr = c.runtime.setupSlirp4netns(c)
|
|
|
|
}
|
2018-10-17 18:43:36 +00:00
|
|
|
}
|
|
|
|
}()
|
2018-07-04 15:51:20 +00:00
|
|
|
// Mount storage if not mounted
|
2018-10-17 18:43:36 +00:00
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
mountPoint, mountStorageErr = c.mountStorage()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
if mountStorageErr != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
// Finish up mountStorage
|
|
|
|
c.state.Mounted = true
|
|
|
|
c.state.Mountpoint = mountPoint
|
|
|
|
|
|
|
|
logrus.Debugf("Created root filesystem for container %s at %s", c.ID(), c.state.Mountpoint)
|
|
|
|
}()
|
|
|
|
|
2018-10-17 18:43:36 +00:00
|
|
|
wg.Wait()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
var createErr error
|
2018-10-17 18:43:36 +00:00
|
|
|
if createNetNSErr != nil {
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = createNetNSErr
|
2018-10-17 18:43:36 +00:00
|
|
|
}
|
|
|
|
if mountStorageErr != nil {
|
2019-09-06 17:52:13 +00:00
|
|
|
if createErr != nil {
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
}
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = mountStorageErr
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only trigger storage cleanup if mountStorage was successful.
|
|
|
|
// Otherwise, we may mess up mount counters.
|
|
|
|
if createNetNSErr != nil && mountStorageErr == nil {
|
|
|
|
if err := c.cleanupStorage(); err != nil {
|
|
|
|
// createErr is guaranteed non-nil, so print
|
|
|
|
// unconditionally
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
createErr = errors.Wrapf(err, "error unmounting storage for container %s after network create failure", c.ID())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// It's OK to unconditionally trigger network cleanup. If the network
|
|
|
|
// isn't ready it will do nothing.
|
|
|
|
if createErr != nil {
|
|
|
|
if err := c.cleanupNetwork(); err != nil {
|
|
|
|
logrus.Errorf("Error preparing container %s: %v", c.ID(), createErr)
|
|
|
|
createErr = errors.Wrapf(err, "error cleaning up container %s network after setup failure", c.ID())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if createErr != nil {
|
|
|
|
return createErr
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
// Save changes to container state
|
2020-07-31 21:08:06 +00:00
|
|
|
if err := c.save(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure container entrypoint is created (if required)
|
|
|
|
if c.config.CreateWorkingDir {
|
|
|
|
workdir, err := securejoin.SecureJoin(c.state.Mountpoint, c.WorkingDir())
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating path to container %s working dir", c.ID())
|
|
|
|
}
|
|
|
|
rootUID := c.RootUID()
|
|
|
|
rootGID := c.RootGID()
|
|
|
|
|
|
|
|
if err := os.MkdirAll(workdir, 0755); err != nil {
|
|
|
|
if os.IsExist(err) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return errors.Wrapf(err, "error creating container %s working dir", c.ID())
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := os.Chown(workdir, rootUID, rootGID); err != nil {
|
|
|
|
return errors.Wrapf(err, "error chowning container %s working directory to container root", c.ID())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// cleanupNetwork unmounts and cleans up the container's network
|
|
|
|
func (c *Container) cleanupNetwork() error {
|
2018-12-06 19:56:57 +00:00
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if netDisabled {
|
2018-11-08 11:12:14 +00:00
|
|
|
return nil
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.state.NetNS == nil {
|
|
|
|
logrus.Debugf("Network is already cleaned up, skipping...")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Stop the container's network namespace (if it has one)
|
|
|
|
if err := c.runtime.teardownNetNS(c); err != nil {
|
|
|
|
logrus.Errorf("unable to cleanup network for container %s: %q", c.ID(), err)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.state.NetNS = nil
|
2018-07-12 14:51:31 +00:00
|
|
|
c.state.NetworkStatus = nil
|
2018-07-04 15:51:20 +00:00
|
|
|
|
|
|
|
if c.valid {
|
|
|
|
return c.save()
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-09-21 13:45:55 +00:00
|
|
|
func (c *Container) getUserOverrides() *lookup.Overrides {
|
|
|
|
var hasPasswdFile, hasGroupFile bool
|
|
|
|
overrides := lookup.Overrides{}
|
|
|
|
for _, m := range c.config.Spec.Mounts {
|
|
|
|
if m.Destination == "/etc/passwd" {
|
|
|
|
overrides.ContainerEtcPasswdPath = m.Source
|
|
|
|
hasPasswdFile = true
|
|
|
|
}
|
|
|
|
if m.Destination == "/etc/group" {
|
|
|
|
overrides.ContainerEtcGroupPath = m.Source
|
|
|
|
hasGroupFile = true
|
|
|
|
}
|
|
|
|
if m.Destination == "/etc" {
|
|
|
|
if !hasPasswdFile {
|
|
|
|
overrides.ContainerEtcPasswdPath = filepath.Join(m.Source, "passwd")
|
|
|
|
}
|
|
|
|
if !hasGroupFile {
|
|
|
|
overrides.ContainerEtcGroupPath = filepath.Join(m.Source, "group")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-07-14 20:20:22 +00:00
|
|
|
if path, ok := c.state.BindMounts["/etc/passwd"]; ok {
|
|
|
|
overrides.ContainerEtcPasswdPath = path
|
|
|
|
}
|
2019-09-21 13:45:55 +00:00
|
|
|
return &overrides
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Generate spec for a container
|
|
|
|
// Accepts a map of the container's dependencies
|
|
|
|
func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
|
2018-10-16 20:30:53 +00:00
|
|
|
span, _ := opentracing.StartSpanFromContext(ctx, "generateSpec")
|
|
|
|
span.SetTag("type", "container")
|
|
|
|
defer span.Finish()
|
|
|
|
|
2019-09-21 13:45:55 +00:00
|
|
|
overrides := c.getUserOverrides()
|
|
|
|
execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides)
|
2018-10-25 18:39:25 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-10-16 20:30:53 +00:00
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
g := generate.NewFromSpec(c.config.Spec)
|
|
|
|
|
|
|
|
// If network namespace was requested, add it now
|
|
|
|
if c.config.CreateNetNS {
|
|
|
|
if c.config.PostConfigureNetNS {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), ""); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
} else {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), c.state.NetNS.Path()); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2019-01-09 13:54:58 +00:00
|
|
|
// Apply AppArmor checks and load the default profile if needed.
|
2020-07-15 20:33:24 +00:00
|
|
|
if len(c.config.Spec.Process.ApparmorProfile) > 0 {
|
2019-05-23 11:12:56 +00:00
|
|
|
updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
g.SetProcessApparmorProfile(updatedProfile)
|
2019-01-09 13:54:58 +00:00
|
|
|
}
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-03-15 14:01:23 +00:00
|
|
|
|
2018-09-18 13:06:40 +00:00
|
|
|
// Check if the spec file mounts contain the label Relabel flags z or Z.
|
|
|
|
// If they do, relabel the source directory and then remove the option.
|
2019-03-20 11:05:02 +00:00
|
|
|
for i := range g.Config.Mounts {
|
|
|
|
m := &g.Config.Mounts[i]
|
2018-09-18 13:06:40 +00:00
|
|
|
var options []string
|
|
|
|
for _, o := range m.Options {
|
|
|
|
switch o {
|
|
|
|
case "z":
|
|
|
|
fallthrough
|
|
|
|
case "Z":
|
|
|
|
if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
options = append(options, o)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
m.Options = options
|
|
|
|
}
|
|
|
|
|
|
|
|
g.SetProcessSelinuxLabel(c.ProcessLabel())
|
|
|
|
g.SetLinuxMountLabel(c.MountLabel())
|
2019-03-15 14:01:23 +00:00
|
|
|
|
|
|
|
// Add named volumes
|
|
|
|
for _, namedVol := range c.config.NamedVolumes {
|
|
|
|
volume, err := c.runtime.GetVolume(namedVol.Name)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error retrieving volume %s to add to container %s", namedVol.Name, c.ID())
|
|
|
|
}
|
|
|
|
mountPoint := volume.MountPoint()
|
|
|
|
volMount := spec.Mount{
|
|
|
|
Type: "bind",
|
|
|
|
Source: mountPoint,
|
|
|
|
Destination: namedVol.Dest,
|
|
|
|
Options: namedVol.Options,
|
|
|
|
}
|
|
|
|
g.AddMount(volMount)
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add bind mounts to container
|
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
newMount := spec.Mount{
|
|
|
|
Type: "bind",
|
|
|
|
Source: srcPath,
|
|
|
|
Destination: dstPath,
|
2018-09-19 17:13:54 +00:00
|
|
|
Options: []string{"bind", "private"},
|
|
|
|
}
|
2018-12-24 11:55:24 +00:00
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
2019-01-11 09:34:27 +00:00
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
g.AddMount(newMount)
|
|
|
|
} else {
|
|
|
|
logrus.Warnf("User mount overriding libpod mount at %q", dstPath)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-07-09 19:46:14 +00:00
|
|
|
// Add overlay volumes
|
|
|
|
for _, overlayVol := range c.config.OverlayVolumes {
|
|
|
|
contentDir, err := overlay.TempDir(c.config.StaticDir, c.RootUID(), c.RootGID())
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "failed to create TempDir in the %s directory", c.config.StaticDir)
|
|
|
|
}
|
|
|
|
overlayMount, err := overlay.Mount(contentDir, overlayVol.Source, overlayVol.Dest, c.RootUID(), c.RootGID(), c.runtime.store.GraphOptions())
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "creating overlay failed %q", overlayVol.Source)
|
|
|
|
}
|
|
|
|
g.AddMount(overlayMount)
|
|
|
|
}
|
|
|
|
|
2019-09-20 12:45:20 +00:00
|
|
|
hasHomeSet := false
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
if strings.HasPrefix(s, "HOME=") {
|
|
|
|
hasHomeSet = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !hasHomeSet {
|
|
|
|
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", execUser.Home))
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.config.User != "" {
|
2020-05-29 21:39:42 +00:00
|
|
|
if rootless.IsRootless() {
|
|
|
|
if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
// User and Group must go together
|
2018-10-25 18:39:25 +00:00
|
|
|
g.SetProcessUID(uint32(execUser.Uid))
|
|
|
|
g.SetProcessGID(uint32(execUser.Gid))
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
2020-07-17 01:49:47 +00:00
|
|
|
if c.config.Umask != "" {
|
|
|
|
decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "Invalid Umask Value")
|
|
|
|
}
|
2020-08-19 11:18:19 +00:00
|
|
|
umask := uint32(decVal)
|
|
|
|
g.Config.Process.User.Umask = &umask
|
2020-07-17 01:49:47 +00:00
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add addition groups if c.config.GroupAdd is not empty
|
|
|
|
if len(c.config.Groups) > 0 {
|
2020-02-27 21:08:29 +00:00
|
|
|
gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID())
|
|
|
|
}
|
2018-10-25 18:39:25 +00:00
|
|
|
for _, gid := range gids {
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddProcessAdditionalGid(gid)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-10-15 19:42:12 +00:00
|
|
|
if c.config.Systemd {
|
2018-10-17 14:45:58 +00:00
|
|
|
if err := c.setupSystemd(g.Mounts(), g); err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error adding systemd-specific mounts")
|
|
|
|
}
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Look up and add groups the user belongs to, if a group wasn't directly specified
|
2020-10-01 14:52:58 +00:00
|
|
|
if !strings.Contains(c.config.User, ":") {
|
2020-10-02 07:25:12 +00:00
|
|
|
// the gidMappings that are present inside the container user namespace
|
|
|
|
var gidMappings []idtools.IDMap
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case len(c.config.IDMappings.GIDMap) > 0:
|
|
|
|
gidMappings = c.config.IDMappings.GIDMap
|
|
|
|
case rootless.IsRootless():
|
|
|
|
// Check whether the current user namespace has enough gids available.
|
|
|
|
availableGids, err := rootless.GetAvailableGids()
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "cannot read number of available GIDs")
|
|
|
|
}
|
|
|
|
gidMappings = []idtools.IDMap{{
|
|
|
|
ContainerID: 0,
|
|
|
|
HostID: 0,
|
|
|
|
Size: int(availableGids),
|
|
|
|
}}
|
|
|
|
default:
|
|
|
|
gidMappings = []idtools.IDMap{{
|
|
|
|
ContainerID: 0,
|
|
|
|
HostID: 0,
|
|
|
|
Size: math.MaxInt32,
|
|
|
|
}}
|
|
|
|
}
|
2018-10-24 15:39:12 +00:00
|
|
|
for _, gid := range execUser.Sgids {
|
2020-10-02 07:25:12 +00:00
|
|
|
isGidAvailable := false
|
|
|
|
for _, m := range gidMappings {
|
|
|
|
if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
|
|
|
|
isGidAvailable = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if isGidAvailable {
|
|
|
|
g.AddProcessAdditionalGid(uint32(gid))
|
|
|
|
} else {
|
|
|
|
logrus.Warnf("additional gid=%d is not present in the user namespace, skip setting it", gid)
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add shared namespaces from other containers
|
|
|
|
if c.config.IPCNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, IPCNS, c.config.IPCNsCtr, spec.IPCNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if c.config.MountNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, MountNS, c.config.MountNsCtr, spec.MountNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, NetNS, c.config.NetNsCtr, spec.NetworkNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if c.config.PIDNsCtr != "" {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := c.addNamespaceContainer(&g, PIDNS, c.config.PIDNsCtr, spec.PIDNamespace); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if c.config.UserNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, UserNS, c.config.UserNsCtr, spec.UserNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-07-24 09:20:31 +00:00
|
|
|
if len(g.Config.Linux.UIDMappings) == 0 {
|
|
|
|
// runc complains if no mapping is specified, even if we join another ns. So provide a dummy mapping
|
|
|
|
g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2020-04-27 13:43:12 +00:00
|
|
|
|
|
|
|
for _, i := range c.config.Spec.Linux.Namespaces {
|
2020-06-10 12:52:08 +00:00
|
|
|
if i.Type == spec.UTSNamespace && i.Path == "" {
|
2020-04-27 13:43:12 +00:00
|
|
|
hostname := c.Hostname()
|
|
|
|
g.SetHostname(hostname)
|
|
|
|
g.AddProcessEnv("HOSTNAME", hostname)
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.config.UTSNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, UTSNS, c.config.UTSNsCtr, spec.UTSNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if c.config.CgroupNsCtr != "" {
|
|
|
|
if err := c.addNamespaceContainer(&g, CgroupNS, c.config.CgroupNsCtr, spec.CgroupNamespace); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-24 16:38:06 +00:00
|
|
|
if c.config.IDMappings.AutoUserNs {
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
g.ClearLinuxUIDMappings()
|
|
|
|
for _, uidmap := range c.config.IDMappings.UIDMap {
|
|
|
|
g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
|
|
|
|
}
|
|
|
|
g.ClearLinuxGIDMappings()
|
|
|
|
for _, gidmap := range c.config.IDMappings.GIDMap {
|
|
|
|
g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-03-21 11:18:42 +00:00
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
2019-09-03 09:10:01 +00:00
|
|
|
g.AddAnnotation(annotations.Created, c.config.CreatedTime.Format(time.RFC3339Nano))
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddAnnotation("org.opencontainers.image.stopSignal", fmt.Sprintf("%d", c.config.StopSignal))
|
|
|
|
|
2019-09-03 09:10:01 +00:00
|
|
|
if _, exists := g.Config.Annotations[annotations.ContainerManager]; !exists {
|
|
|
|
g.AddAnnotation(annotations.ContainerManager, annotations.ContainerManagerLibpod)
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Only add container environment variable if not already present
|
|
|
|
foundContainerEnv := false
|
|
|
|
for _, env := range g.Config.Process.Env {
|
|
|
|
if strings.HasPrefix(env, "container=") {
|
|
|
|
foundContainerEnv = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !foundContainerEnv {
|
|
|
|
g.AddProcessEnv("container", "libpod")
|
|
|
|
}
|
|
|
|
|
2019-10-10 18:45:56 +00:00
|
|
|
cgroupPath, err := c.getOCICgroupPath()
|
2019-06-19 12:22:09 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-10 18:45:56 +00:00
|
|
|
g.SetLinuxCgroupsPath(cgroupPath)
|
2018-07-04 15:51:20 +00:00
|
|
|
|
2018-08-10 18:46:59 +00:00
|
|
|
// Mounts need to be sorted so paths will not cover other paths
|
|
|
|
mounts := sortMounts(g.Mounts())
|
|
|
|
g.ClearMounts()
|
2018-11-21 14:56:31 +00:00
|
|
|
|
|
|
|
// Determine property of RootPropagation based on volume properties. If
|
|
|
|
// a volume is shared, then keep root propagation shared. This should
|
|
|
|
// work for slave and private volumes too.
|
|
|
|
//
|
|
|
|
// For slave volumes, it can be either [r]shared/[r]slave.
|
|
|
|
//
|
|
|
|
// For private volumes any root propagation value should work.
|
|
|
|
rootPropagation := ""
|
2018-08-10 18:46:59 +00:00
|
|
|
for _, m := range mounts {
|
2019-03-08 20:33:12 +00:00
|
|
|
// We need to remove all symlinks from tmpfs mounts.
|
|
|
|
// Runc and other runtimes may choke on them.
|
|
|
|
// Easy solution: use securejoin to do a scoped evaluation of
|
|
|
|
// the links, then trim off the mount prefix.
|
|
|
|
if m.Type == "tmpfs" {
|
|
|
|
finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
|
|
|
|
}
|
|
|
|
trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
|
|
|
|
m.Destination = trimmedPath
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
g.AddMount(m)
|
2018-11-21 14:56:31 +00:00
|
|
|
for _, opt := range m.Options {
|
|
|
|
switch opt {
|
|
|
|
case MountShared, MountRShared:
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared {
|
|
|
|
rootPropagation = MountShared
|
|
|
|
}
|
|
|
|
case MountSlave, MountRSlave:
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared && rootPropagation != MountSlave && rootPropagation != MountRSlave {
|
|
|
|
rootPropagation = MountRSlave
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if rootPropagation != "" {
|
|
|
|
logrus.Debugf("set root propagation to %q", rootPropagation)
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := g.SetLinuxRootPropagation(rootPropagation); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
}
|
2018-11-19 17:22:32 +00:00
|
|
|
|
|
|
|
// Warning: precreate hooks may alter g.Config in place.
|
|
|
|
if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error setting up OCI Hooks")
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
return g.Config, nil
|
|
|
|
}
|
|
|
|
|
2018-10-15 19:42:12 +00:00
|
|
|
// systemd expects to have /run, /run/lock and /tmp on tmpfs
|
|
|
|
// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
|
2018-10-17 14:45:58 +00:00
|
|
|
func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
|
2020-09-02 11:49:11 +00:00
|
|
|
options := []string{"rw", "rprivate", "nosuid", "nodev"}
|
2019-06-11 11:54:53 +00:00
|
|
|
for _, dest := range []string{"/run", "/run/lock"} {
|
2018-10-15 19:42:12 +00:00
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
Destination: dest,
|
|
|
|
Type: "tmpfs",
|
|
|
|
Source: "tmpfs",
|
2020-08-17 20:24:56 +00:00
|
|
|
Options: append(options, "tmpcopyup"),
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
}
|
|
|
|
for _, dest := range []string{"/tmp", "/var/log/journal"} {
|
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
Destination: dest,
|
|
|
|
Type: "tmpfs",
|
|
|
|
Source: "tmpfs",
|
|
|
|
Options: append(options, "tmpcopyup"),
|
|
|
|
}
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
if unified {
|
2019-08-06 07:11:47 +00:00
|
|
|
g.RemoveMount("/sys/fs/cgroup")
|
|
|
|
|
2019-09-12 12:33:10 +00:00
|
|
|
hasCgroupNs := false
|
|
|
|
for _, ns := range c.config.Spec.Linux.Namespaces {
|
|
|
|
if ns.Type == spec.CgroupNamespace {
|
|
|
|
hasCgroupNs = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var systemdMnt spec.Mount
|
|
|
|
if hasCgroupNs {
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
Type: "cgroup",
|
|
|
|
Source: "cgroup",
|
|
|
|
Options: []string{"private", "rw"},
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
Type: "bind",
|
|
|
|
Source: "/sys/fs/cgroup",
|
|
|
|
Options: []string{"bind", "private", "rw"},
|
|
|
|
}
|
2018-11-05 19:02:50 +00:00
|
|
|
}
|
|
|
|
g.AddMount(systemdMnt)
|
2018-11-05 21:48:29 +00:00
|
|
|
} else {
|
2019-08-06 07:11:47 +00:00
|
|
|
systemdMnt := spec.Mount{
|
|
|
|
Destination: "/sys/fs/cgroup/systemd",
|
|
|
|
Type: "bind",
|
|
|
|
Source: "/sys/fs/cgroup/systemd",
|
2020-09-15 17:28:11 +00:00
|
|
|
Options: []string{"bind", "nodev", "noexec", "nosuid", "rprivate"},
|
2018-11-05 21:48:29 +00:00
|
|
|
}
|
2019-08-06 07:11:47 +00:00
|
|
|
g.AddMount(systemdMnt)
|
2019-10-25 19:50:29 +00:00
|
|
|
g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
|
|
|
return nil
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add an existing container's namespace to the spec
|
2019-07-23 09:56:00 +00:00
|
|
|
func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr string, specNS spec.LinuxNamespaceType) error {
|
2018-07-04 15:51:20 +00:00
|
|
|
nsCtr, err := c.runtime.state.Container(ctr)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error retrieving dependency %s of container %s from state", ctr, c.ID())
|
|
|
|
}
|
|
|
|
|
2020-04-27 13:43:12 +00:00
|
|
|
if specNS == spec.UTSNamespace {
|
|
|
|
hostname := nsCtr.Hostname()
|
2020-06-10 12:52:08 +00:00
|
|
|
// Joining an existing namespace, cannot set the hostname
|
|
|
|
g.SetHostname("")
|
2020-04-27 13:43:12 +00:00
|
|
|
g.AddProcessEnv("HOSTNAME", hostname)
|
|
|
|
}
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// TODO need unlocked version of this for use in pods
|
|
|
|
nsPath, err := nsCtr.NamespacePath(ns)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(specNS), nsPath); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) exportCheckpoint(dest string, ignoreRootfs bool) error {
|
2019-02-06 19:22:46 +00:00
|
|
|
if (len(c.config.NamedVolumes) > 0) || (len(c.Dependencies()) > 0) {
|
|
|
|
return errors.Errorf("Cannot export checkpoints of containers with named volumes or dependencies")
|
|
|
|
}
|
2019-02-06 19:17:25 +00:00
|
|
|
logrus.Debugf("Exporting checkpoint image of container %q to %q", c.ID(), dest)
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2019-06-27 07:56:39 +00:00
|
|
|
includeFiles := []string{
|
|
|
|
"checkpoint",
|
|
|
|
"artifacts",
|
|
|
|
"ctr.log",
|
|
|
|
"config.dump",
|
|
|
|
"spec.dump",
|
|
|
|
"network.status"}
|
|
|
|
|
2019-06-27 06:16:32 +00:00
|
|
|
// Get root file-system changes included in the checkpoint archive
|
|
|
|
rootfsDiffPath := filepath.Join(c.bundlePath(), "rootfs-diff.tar")
|
2019-12-04 15:06:51 +00:00
|
|
|
deleteFilesList := filepath.Join(c.bundlePath(), "deleted.files")
|
2019-06-27 07:56:39 +00:00
|
|
|
if !ignoreRootfs {
|
2019-12-04 15:06:51 +00:00
|
|
|
// To correctly track deleted files, let's go through the output of 'podman diff'
|
|
|
|
tarFiles, err := c.runtime.GetDiff("", c.ID())
|
2019-06-27 07:56:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error exporting root file-system diff to %q", rootfsDiffPath)
|
|
|
|
}
|
2019-12-04 15:06:51 +00:00
|
|
|
var rootfsIncludeFiles []string
|
|
|
|
var deletedFiles []string
|
|
|
|
|
|
|
|
for _, file := range tarFiles {
|
|
|
|
if file.Kind == archive.ChangeAdd {
|
|
|
|
rootfsIncludeFiles = append(rootfsIncludeFiles, file.Path)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if file.Kind == archive.ChangeDelete {
|
|
|
|
deletedFiles = append(deletedFiles, file.Path)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
fileName, err := os.Stat(file.Path)
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if !fileName.IsDir() && file.Kind == archive.ChangeModify {
|
|
|
|
rootfsIncludeFiles = append(rootfsIncludeFiles, file.Path)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(rootfsIncludeFiles) > 0 {
|
|
|
|
rootfsTar, err := archive.TarWithOptions(c.state.Mountpoint, &archive.TarOptions{
|
|
|
|
Compression: archive.Uncompressed,
|
|
|
|
IncludeSourceDir: true,
|
|
|
|
IncludeFiles: rootfsIncludeFiles,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error exporting root file-system diff to %q", rootfsDiffPath)
|
|
|
|
}
|
|
|
|
rootfsDiffFile, err := os.Create(rootfsDiffPath)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating root file-system diff file %q", rootfsDiffPath)
|
|
|
|
}
|
|
|
|
defer rootfsDiffFile.Close()
|
|
|
|
_, err = io.Copy(rootfsDiffFile, rootfsTar)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
includeFiles = append(includeFiles, "rootfs-diff.tar")
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(deletedFiles) > 0 {
|
|
|
|
formatJSON, err := json.MarshalIndent(deletedFiles, "", " ")
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating delete files list file %q", deleteFilesList)
|
|
|
|
}
|
|
|
|
if err := ioutil.WriteFile(deleteFilesList, formatJSON, 0600); err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating delete files list file %q", deleteFilesList)
|
|
|
|
}
|
|
|
|
|
|
|
|
includeFiles = append(includeFiles, "deleted.files")
|
2019-06-27 07:56:39 +00:00
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{
|
|
|
|
Compression: archive.Gzip,
|
|
|
|
IncludeSourceDir: true,
|
2019-06-27 07:56:39 +00:00
|
|
|
IncludeFiles: includeFiles,
|
2019-02-06 19:17:25 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error reading checkpoint directory %q", c.ID())
|
|
|
|
}
|
|
|
|
|
|
|
|
outFile, err := os.Create(dest)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating checkpoint export file %q", dest)
|
|
|
|
}
|
|
|
|
defer outFile.Close()
|
|
|
|
|
|
|
|
if err := os.Chmod(dest, 0600); err != nil {
|
|
|
|
return errors.Wrapf(err, "cannot chmod %q", dest)
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = io.Copy(outFile, input)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-06-27 06:16:32 +00:00
|
|
|
os.Remove(rootfsDiffPath)
|
2019-12-04 15:06:51 +00:00
|
|
|
os.Remove(deleteFilesList)
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) checkpointRestoreSupported() error {
|
2018-10-02 13:38:28 +00:00
|
|
|
if !criu.CheckForCriu() {
|
2019-02-28 17:24:08 +00:00
|
|
|
return errors.Errorf("Checkpoint/Restore requires at least CRIU %d", criu.MinCriuVersion)
|
|
|
|
}
|
2019-10-08 17:53:36 +00:00
|
|
|
if !c.ociRuntime.SupportsCheckpoint() {
|
2019-02-28 17:24:08 +00:00
|
|
|
return errors.Errorf("Configured runtime does not support checkpoint/restore")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) checkpointRestoreLabelLog(fileName string) error {
|
2019-02-20 16:42:44 +00:00
|
|
|
// Create the CRIU log file and label it
|
2019-04-12 13:12:38 +00:00
|
|
|
dumpLog := filepath.Join(c.bundlePath(), fileName)
|
2019-02-20 16:42:44 +00:00
|
|
|
|
|
|
|
logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600)
|
|
|
|
if err != nil {
|
2020-10-05 19:33:53 +00:00
|
|
|
return errors.Wrap(err, "failed to create CRIU log file")
|
2019-02-20 16:42:44 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := logFile.Close(); err != nil {
|
2020-10-05 19:33:53 +00:00
|
|
|
logrus.Error(err)
|
2019-07-03 20:37:17 +00:00
|
|
|
}
|
2019-02-20 16:42:44 +00:00
|
|
|
if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil {
|
2020-10-05 19:33:53 +00:00
|
|
|
return err
|
2019-02-20 16:42:44 +00:00
|
|
|
}
|
2019-04-12 13:12:38 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointOptions) error {
|
2019-04-12 13:12:38 +00:00
|
|
|
if err := c.checkpointRestoreSupported(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
if c.state.State != define.ContainerStateRunning {
|
2019-06-24 20:48:34 +00:00
|
|
|
return errors.Wrapf(define.ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State)
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
|
|
|
|
2019-11-28 19:04:35 +00:00
|
|
|
if c.AutoRemove() && options.TargetFile == "" {
|
|
|
|
return errors.Errorf("Cannot checkpoint containers that have been started with '--rm' unless '--export' is used")
|
|
|
|
}
|
|
|
|
|
2019-04-12 13:12:38 +00:00
|
|
|
if err := c.checkpointRestoreLabelLog("dump.log"); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-02-20 16:42:44 +00:00
|
|
|
|
2019-10-08 17:53:36 +00:00
|
|
|
if err := c.ociRuntime.CheckpointContainer(c, options); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Save network.status. This is needed to restore the container with
|
|
|
|
// the same IP. Currently limited to one IP address in a container
|
|
|
|
// with one interface.
|
2019-01-08 20:12:43 +00:00
|
|
|
formatJSON, err := json.MarshalIndent(c.state.NetworkStatus, "", " ")
|
2018-09-18 09:56:19 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := ioutil.WriteFile(filepath.Join(c.bundlePath(), "network.status"), formatJSON, 0644); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
Add ContainerStateRemoving
When Libpod removes a container, there is the possibility that
removal will not fully succeed. The most notable problems are
storage issues, where the container cannot be removed from
c/storage.
When this occurs, we were faced with a choice. We can keep the
container in the state, appearing in `podman ps` and available for
other API operations, but likely unable to do any of them as it's
been partially removed. Or we can remove it very early and clean
up after it's already gone. We have, until now, used the second
approach.
The problem that arises is intermittent problems removing
storage. We end up removing a container, failing to remove its
storage, and ending up with a container permanently stuck in
c/storage that we can't remove with the normal Podman CLI, can't
use the name of, and generally can't interact with. A notable
cause is when Podman is hit by a SIGKILL midway through removal,
which can consistently cause `podman rm` to fail to remove
storage.
We now add a new state for containers that are in the process of
being removed, ContainerStateRemoving. We set this at the
beginning of the removal process. It notifies Podman that the
container cannot be used anymore, but preserves it in the DB
until it is fully removed. This will allow Remove to be run on
these containers again, which should successfully remove storage
if it fails.
Fixes #3906
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-11-11 14:52:13 +00:00
|
|
|
defer c.newContainerEvent(events.Checkpoint)
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
2019-06-27 07:56:39 +00:00
|
|
|
if err = c.exportCheckpoint(options.TargetFile, options.IgnoreRootfs); err != nil {
|
2019-02-06 19:22:46 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
logrus.Debugf("Checkpointed container %s", c.ID())
|
|
|
|
|
2018-11-20 15:34:15 +00:00
|
|
|
if !options.KeepRunning {
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateStopped
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-20 15:34:15 +00:00
|
|
|
// Cleanup Storage and Network
|
|
|
|
if err := c.cleanup(ctx); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
2018-11-20 14:08:08 +00:00
|
|
|
if !options.Keep {
|
2019-02-06 19:17:25 +00:00
|
|
|
cleanup := []string{
|
|
|
|
"dump.log",
|
|
|
|
"stats-dump",
|
|
|
|
"config.dump",
|
|
|
|
"spec.dump",
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
|
|
|
if err := os.Remove(file); err != nil {
|
|
|
|
logrus.Debugf("unable to remove file %s", file)
|
|
|
|
}
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
2019-07-05 13:23:09 +00:00
|
|
|
c.state.FinishedTime = time.Now()
|
2018-09-18 09:56:19 +00:00
|
|
|
return c.save()
|
|
|
|
}
|
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) importCheckpoint(input string) error {
|
2019-02-06 19:17:25 +00:00
|
|
|
archiveFile, err := os.Open(input)
|
|
|
|
if err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrap(err, "failed to open checkpoint archive for import")
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
defer archiveFile.Close()
|
|
|
|
options := &archive.TarOptions{
|
|
|
|
ExcludePatterns: []string{
|
|
|
|
// config.dump and spec.dump are only required
|
|
|
|
// container creation
|
|
|
|
"config.dump",
|
|
|
|
"spec.dump",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
err = archive.Untar(archiveFile, c.bundlePath(), options)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "Unpacking of checkpoint archive %s failed", input)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure the newly created config.json exists on disk
|
2019-07-11 10:44:12 +00:00
|
|
|
g := generate.Generator{Config: c.config.Spec}
|
|
|
|
if err = c.saveSpec(g.Config); err != nil {
|
2019-02-06 19:17:25 +00:00
|
|
|
return errors.Wrap(err, "Saving imported container specification for restore failed")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-07-09 17:50:01 +00:00
|
|
|
func (c *Container) restore(ctx context.Context, options ContainerCheckpointOptions) (retErr error) {
|
2019-02-28 17:24:08 +00:00
|
|
|
if err := c.checkpointRestoreSupported(); err != nil {
|
|
|
|
return err
|
2018-10-02 13:38:28 +00:00
|
|
|
}
|
|
|
|
|
Add ContainerStateRemoving
When Libpod removes a container, there is the possibility that
removal will not fully succeed. The most notable problems are
storage issues, where the container cannot be removed from
c/storage.
When this occurs, we were faced with a choice. We can keep the
container in the state, appearing in `podman ps` and available for
other API operations, but likely unable to do any of them as it's
been partially removed. Or we can remove it very early and clean
up after it's already gone. We have, until now, used the second
approach.
The problem that arises is intermittent problems removing
storage. We end up removing a container, failing to remove its
storage, and ending up with a container permanently stuck in
c/storage that we can't remove with the normal Podman CLI, can't
use the name of, and generally can't interact with. A notable
cause is when Podman is hit by a SIGKILL midway through removal,
which can consistently cause `podman rm` to fail to remove
storage.
We now add a new state for containers that are in the process of
being removed, ContainerStateRemoving. We set this at the
beginning of the removal process. It notifies Podman that the
container cannot be used anymore, but preserves it in the DB
until it is fully removed. This will allow Remove to be run on
these containers again, which should successfully remove storage
if it fails.
Fixes #3906
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-11-11 14:52:13 +00:00
|
|
|
if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateExited) {
|
2019-06-24 20:48:34 +00:00
|
|
|
return errors.Wrapf(define.ErrCtrStateInvalid, "container %s is running or paused, cannot restore", c.ID())
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
2020-07-09 17:50:01 +00:00
|
|
|
if err := c.importCheckpoint(options.TargetFile); err != nil {
|
2019-02-06 19:22:46 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Let's try to stat() CRIU's inventory file. If it does not exist, it makes
|
|
|
|
// no sense to try a restore. This is a minimal check if a checkpoint exist.
|
|
|
|
if _, err := os.Stat(filepath.Join(c.CheckpointPath(), "inventory.img")); os.IsNotExist(err) {
|
|
|
|
return errors.Wrapf(err, "A complete checkpoint for this container cannot be found, cannot restore")
|
|
|
|
}
|
|
|
|
|
2019-04-12 13:12:38 +00:00
|
|
|
if err := c.checkpointRestoreLabelLog("restore.log"); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-08-01 17:23:02 +00:00
|
|
|
// If a container is restored multiple times from an exported checkpoint with
|
|
|
|
// the help of '--import --name', the restore will fail if during 'podman run'
|
|
|
|
// a static container IP was set with '--ip'. The user can tell the restore
|
|
|
|
// process to ignore the static IP with '--ignore-static-ip'
|
|
|
|
if options.IgnoreStaticIP {
|
|
|
|
c.config.StaticIP = nil
|
|
|
|
}
|
|
|
|
|
2019-09-17 22:26:48 +00:00
|
|
|
// If a container is restored multiple times from an exported checkpoint with
|
|
|
|
// the help of '--import --name', the restore will fail if during 'podman run'
|
|
|
|
// a static container MAC address was set with '--mac-address'. The user
|
|
|
|
// can tell the restore process to ignore the static MAC with
|
|
|
|
// '--ignore-static-mac'
|
|
|
|
if options.IgnoreStaticMAC {
|
|
|
|
c.config.StaticMAC = nil
|
|
|
|
}
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read network configuration from checkpoint
|
|
|
|
// Currently only one interface with one IP is supported.
|
|
|
|
networkStatusFile, err := os.Open(filepath.Join(c.bundlePath(), "network.status"))
|
2019-03-14 07:57:16 +00:00
|
|
|
// If the restored container should get a new name, the IP address of
|
|
|
|
// the container will not be restored. This assumes that if a new name is
|
|
|
|
// specified, the container is restored multiple times.
|
|
|
|
// TODO: This implicit restoring with or without IP depending on an
|
|
|
|
// unrelated restore parameter (--name) does not seem like the
|
|
|
|
// best solution.
|
2019-09-17 22:26:48 +00:00
|
|
|
if err == nil && options.Name == "" && (!options.IgnoreStaticIP || !options.IgnoreStaticMAC) {
|
2018-09-18 09:56:19 +00:00
|
|
|
// The file with the network.status does exist. Let's restore the
|
2019-09-17 22:26:48 +00:00
|
|
|
// container with the same IP address / MAC address as during checkpointing.
|
2018-09-18 09:56:19 +00:00
|
|
|
defer networkStatusFile.Close()
|
|
|
|
var networkStatus []*cnitypes.Result
|
|
|
|
networkJSON, err := ioutil.ReadAll(networkStatusFile)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := json.Unmarshal(networkJSON, &networkStatus); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-09-17 22:26:48 +00:00
|
|
|
if !options.IgnoreStaticIP {
|
|
|
|
// Take the first IP address
|
|
|
|
var IP net.IP
|
|
|
|
if len(networkStatus) > 0 {
|
|
|
|
if len(networkStatus[0].IPs) > 0 {
|
|
|
|
IP = networkStatus[0].IPs[0].Address.IP
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if IP != nil {
|
|
|
|
// Tell CNI which IP address we want.
|
|
|
|
c.requestedIP = IP
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
}
|
2019-09-17 22:26:48 +00:00
|
|
|
if !options.IgnoreStaticMAC {
|
|
|
|
// Take the first device with a defined sandbox.
|
|
|
|
var MAC net.HardwareAddr
|
2020-10-15 09:38:48 +00:00
|
|
|
if len(networkStatus) > 0 {
|
|
|
|
for _, n := range networkStatus[0].Interfaces {
|
|
|
|
if n.Sandbox != "" {
|
|
|
|
MAC, err = net.ParseMAC(n.Mac)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "failed to parse MAC %v", n.Mac)
|
|
|
|
}
|
|
|
|
break
|
2019-09-17 22:26:48 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if MAC != nil {
|
|
|
|
// Tell CNI which MAC address we want.
|
|
|
|
c.requestedMAC = MAC
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
defer func() {
|
2020-07-09 17:50:01 +00:00
|
|
|
if retErr != nil {
|
|
|
|
if err := c.cleanup(ctx); err != nil {
|
|
|
|
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err)
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
2018-11-07 16:44:33 +00:00
|
|
|
if err := c.prepare(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read config
|
|
|
|
jsonPath := filepath.Join(c.bundlePath(), "config.json")
|
|
|
|
logrus.Debugf("generate.NewFromFile at %v", jsonPath)
|
|
|
|
g, err := generate.NewFromFile(jsonPath)
|
|
|
|
if err != nil {
|
|
|
|
logrus.Debugf("generate.NewFromFile failed with %v", err)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Restoring from an import means that we are doing migration
|
|
|
|
if options.TargetFile != "" {
|
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
|
|
|
}
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// We want to have the same network namespace as before.
|
|
|
|
if c.config.CreateNetNS {
|
2019-11-09 23:23:30 +00:00
|
|
|
netNSPath := ""
|
|
|
|
if !c.config.PostConfigureNetNS {
|
|
|
|
netNSPath = c.state.NetNS.Path()
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), netNSPath); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return err
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
newMount := spec.Mount{
|
|
|
|
Type: "bind",
|
|
|
|
Source: srcPath,
|
|
|
|
Destination: dstPath,
|
|
|
|
Options: []string{"bind", "private"},
|
|
|
|
}
|
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
|
|
|
}
|
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
g.AddMount(newMount)
|
|
|
|
}
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Cleanup for a working restore.
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := c.removeConmonFiles(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Save the OCI spec to disk
|
2019-07-11 10:44:12 +00:00
|
|
|
if err := c.saveSpec(g.Config); err != nil {
|
2019-02-06 19:22:46 +00:00
|
|
|
return err
|
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
|
|
|
|
// Before actually restarting the container, apply the root file-system changes
|
2019-06-27 07:56:39 +00:00
|
|
|
if !options.IgnoreRootfs {
|
|
|
|
rootfsDiffPath := filepath.Join(c.bundlePath(), "rootfs-diff.tar")
|
|
|
|
if _, err := os.Stat(rootfsDiffPath); err == nil {
|
|
|
|
// Only do this if a rootfs-diff.tar actually exists
|
|
|
|
rootfsDiffFile, err := os.Open(rootfsDiffPath)
|
|
|
|
if err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrap(err, "failed to open root file-system diff file")
|
2019-06-27 07:56:39 +00:00
|
|
|
}
|
2019-12-04 15:06:51 +00:00
|
|
|
defer rootfsDiffFile.Close()
|
2019-06-27 07:56:39 +00:00
|
|
|
if err := c.runtime.ApplyDiffTarStream(c.ID(), rootfsDiffFile); err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrapf(err, "failed to apply root file-system diff file %s", rootfsDiffPath)
|
2019-06-27 07:56:39 +00:00
|
|
|
}
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
|
|
|
deletedFilesPath := filepath.Join(c.bundlePath(), "deleted.files")
|
|
|
|
if _, err := os.Stat(deletedFilesPath); err == nil {
|
|
|
|
var deletedFiles []string
|
2020-10-05 19:33:53 +00:00
|
|
|
deletedFilesJSON, err := ioutil.ReadFile(deletedFilesPath)
|
2019-12-04 15:06:51 +00:00
|
|
|
if err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrapf(err, "failed to read deleted files file")
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
|
|
|
if err := json.Unmarshal(deletedFilesJSON, &deletedFiles); err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrapf(err, "failed to read deleted files file %s", deletedFilesPath)
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
|
|
|
for _, deleteFile := range deletedFiles {
|
|
|
|
// Using RemoveAll as deletedFiles, which is generated from 'podman diff'
|
|
|
|
// lists completely deleted directories as a single entry: 'D /root'.
|
|
|
|
err = os.RemoveAll(filepath.Join(c.state.Mountpoint, deleteFile))
|
|
|
|
if err != nil {
|
2020-10-05 22:55:29 +00:00
|
|
|
return errors.Wrapf(err, "failed to delete file %s from container %s during restore", deletedFilesPath, c.ID())
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-08 17:53:36 +00:00
|
|
|
if err := c.ociRuntime.CreateContainer(c, &options); err != nil {
|
2018-09-18 09:56:19 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
logrus.Debugf("Restored container %s", c.ID())
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateRunning
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-21 13:09:17 +00:00
|
|
|
if !options.Keep {
|
2018-09-18 09:56:19 +00:00
|
|
|
// Delete all checkpoint related files. At this point, in theory, all files
|
|
|
|
// should exist. Still ignoring errors for now as the container should be
|
|
|
|
// restored and running. Not erroring out just because some cleanup operation
|
|
|
|
// failed. Starting with the checkpoint directory
|
|
|
|
err = os.RemoveAll(c.CheckpointPath())
|
|
|
|
if err != nil {
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint directory (%s) failed: %v", c.CheckpointPath(), err)
|
|
|
|
}
|
2019-12-04 15:06:51 +00:00
|
|
|
cleanup := [...]string{"restore.log", "dump.log", "stats-dump", "stats-restore", "network.status", "rootfs-diff.tar", "deleted.files"}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
2018-09-18 09:56:19 +00:00
|
|
|
err = os.Remove(file)
|
|
|
|
if err != nil {
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint file (%s) failed: %v", file, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return c.save()
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
|
|
|
// Make standard bind mounts to include in the container
|
|
|
|
func (c *Container) makeBindMounts() error {
|
|
|
|
if err := os.Chown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
return errors.Wrapf(err, "cannot chown run directory %s", c.state.RunDir)
|
|
|
|
}
|
|
|
|
|
|
|
|
if c.state.BindMounts == nil {
|
|
|
|
c.state.BindMounts = make(map[string]string)
|
|
|
|
}
|
2018-12-06 19:56:57 +00:00
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2018-12-06 19:56:57 +00:00
|
|
|
if !netDisabled {
|
2018-12-11 21:53:12 +00:00
|
|
|
// If /etc/resolv.conf and /etc/hosts exist, delete them so we
|
2019-03-10 16:16:30 +00:00
|
|
|
// will recreate. Only do this if we aren't sharing them with
|
|
|
|
// another container.
|
|
|
|
if c.config.NetNsCtr == "" {
|
2019-07-03 20:37:17 +00:00
|
|
|
if resolvePath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok {
|
|
|
|
if err := os.Remove(resolvePath); err != nil && !os.IsNotExist(err) {
|
2019-03-10 16:16:30 +00:00
|
|
|
return errors.Wrapf(err, "error removing container %s resolv.conf", c.ID())
|
|
|
|
}
|
|
|
|
delete(c.state.BindMounts, "/etc/resolv.conf")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if hostsPath, ok := c.state.BindMounts["/etc/hosts"]; ok {
|
|
|
|
if err := os.Remove(hostsPath); err != nil && !os.IsNotExist(err) {
|
2019-03-10 16:16:30 +00:00
|
|
|
return errors.Wrapf(err, "error removing container %s hosts", c.ID())
|
|
|
|
}
|
|
|
|
delete(c.state.BindMounts, "/etc/hosts")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if c.config.NetNsCtr != "" && (!c.config.UseImageResolvConf || !c.config.UseImageHosts) {
|
2019-03-22 18:39:09 +00:00
|
|
|
// We share a net namespace.
|
2018-12-11 21:53:12 +00:00
|
|
|
// We want /etc/resolv.conf and /etc/hosts from the
|
2019-03-22 18:39:09 +00:00
|
|
|
// other container. Unless we're not creating both of
|
|
|
|
// them.
|
2019-12-03 15:27:15 +00:00
|
|
|
var (
|
|
|
|
depCtr *Container
|
|
|
|
nextCtr string
|
|
|
|
)
|
|
|
|
|
|
|
|
// I don't like infinite loops, but I don't think there's
|
|
|
|
// a serious risk of looping dependencies - too many
|
|
|
|
// protections against that elsewhere.
|
|
|
|
nextCtr = c.config.NetNsCtr
|
|
|
|
for {
|
|
|
|
depCtr, err = c.runtime.state.Container(nextCtr)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
|
|
|
|
}
|
|
|
|
nextCtr = depCtr.config.NetNsCtr
|
|
|
|
if nextCtr == "" {
|
|
|
|
break
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// We need that container's bind mounts
|
|
|
|
bindMounts, err := depCtr.BindMounts()
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error fetching bind mounts from dependency %s of container %s", depCtr.ID(), c.ID())
|
|
|
|
}
|
|
|
|
|
2020-02-17 21:49:59 +00:00
|
|
|
// The other container may not have a resolv.conf or /etc/hosts
|
|
|
|
// If it doesn't, don't copy them
|
|
|
|
resolvPath, exists := bindMounts["/etc/resolv.conf"]
|
|
|
|
if !c.config.UseImageResolvConf && exists {
|
|
|
|
c.state.BindMounts["/etc/resolv.conf"] = resolvPath
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2020-02-17 21:49:59 +00:00
|
|
|
// check if dependency container has an /etc/hosts file.
|
|
|
|
// It may not have one, so only use it if it does.
|
|
|
|
hostsPath, exists := bindMounts["/etc/hosts"]
|
|
|
|
if !c.config.UseImageHosts && exists {
|
2019-03-22 18:39:09 +00:00
|
|
|
depCtr.lock.Lock()
|
|
|
|
// generate a hosts file for the dependency container,
|
|
|
|
// based on either its old hosts file, or the default,
|
|
|
|
// and add the relevant information from the new container (hosts and IP)
|
|
|
|
hostsPath, err = depCtr.appendHosts(hostsPath, c)
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if err != nil {
|
|
|
|
depCtr.lock.Unlock()
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s which depends on container %s", c.ID(), depCtr.ID())
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
depCtr.lock.Unlock()
|
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
// finally, save it in the new container
|
|
|
|
c.state.BindMounts["/etc/hosts"] = hostsPath
|
|
|
|
}
|
2020-06-10 12:45:11 +00:00
|
|
|
|
|
|
|
if !hasCurrentUserMapped(c) {
|
|
|
|
if err := makeAccessible(resolvPath, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := makeAccessible(hostsPath, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
} else {
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageResolvConf {
|
2019-03-22 18:39:09 +00:00
|
|
|
newResolv, err := c.generateResolvConf()
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID())
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/resolv.conf"] = newResolv
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageHosts {
|
2019-03-22 18:39:09 +00:00
|
|
|
newHosts, err := c.generateHosts("/etc/hosts")
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s", c.ID())
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/hosts"] = newHosts
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/hosts"] != "" {
|
|
|
|
if err := label.Relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/resolv.conf"] != "" {
|
|
|
|
if err := label.Relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// SHM is always added when we mount the container
|
|
|
|
c.state.BindMounts["/dev/shm"] = c.config.ShmDir
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
newPasswd, newGroup, err := c.generatePasswdAndGroup()
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating temporary passwd file for container %s", c.ID())
|
|
|
|
}
|
|
|
|
if newPasswd != "" {
|
|
|
|
// Make /etc/passwd
|
|
|
|
if _, ok := c.state.BindMounts["/etc/passwd"]; ok {
|
|
|
|
// If it already exists, delete so we can recreate
|
|
|
|
delete(c.state.BindMounts, "/etc/passwd")
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/passwd"] = newPasswd
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if newGroup != "" {
|
|
|
|
// Make /etc/group
|
|
|
|
if _, ok := c.state.BindMounts["/etc/group"]; ok {
|
|
|
|
// If it already exists, delete so we can recreate
|
|
|
|
delete(c.state.BindMounts, "/etc/group")
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/group"] = newGroup
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
|
|
|
// Make /etc/hostname
|
|
|
|
// This should never change, so no need to recreate if it exists
|
|
|
|
if _, ok := c.state.BindMounts["/etc/hostname"]; !ok {
|
|
|
|
hostnamePath, err := c.writeStringToRundir("hostname", c.Hostname())
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating hostname file for container %s", c.ID())
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/hostname"] = hostnamePath
|
|
|
|
}
|
|
|
|
|
2020-06-30 21:21:52 +00:00
|
|
|
// Make /etc/localtime
|
|
|
|
if c.Timezone() != "" {
|
|
|
|
if _, ok := c.state.BindMounts["/etc/localtime"]; !ok {
|
|
|
|
var zonePath string
|
|
|
|
if c.Timezone() == "local" {
|
|
|
|
zonePath, err = filepath.EvalSymlinks("/etc/localtime")
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error finding local timezone for container %s", c.ID())
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
zone := filepath.Join("/usr/share/zoneinfo", c.Timezone())
|
|
|
|
zonePath, err = filepath.EvalSymlinks(zone)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error setting timezone for container %s", c.ID())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
localtimePath, err := c.copyTimezoneFile(zonePath)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error setting timezone for container %s", c.ID())
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/etc/localtime"] = localtimePath
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Make .containerenv
|
|
|
|
// Empty file, so no need to recreate if it exists
|
|
|
|
if _, ok := c.state.BindMounts["/run/.containerenv"]; !ok {
|
|
|
|
// Empty string for now, but we may consider populating this later
|
|
|
|
containerenvPath, err := c.writeStringToRundir(".containerenv", "")
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "error creating containerenv file for container %s", c.ID())
|
|
|
|
}
|
|
|
|
c.state.BindMounts["/run/.containerenv"] = containerenvPath
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add Secret Mounts
|
2020-05-19 20:32:42 +00:00
|
|
|
secretMounts := secrets.SecretMountsWithUIDGID(c.config.MountLabel, c.state.RunDir, c.runtime.config.Containers.DefaultMountsFile, c.state.Mountpoint, c.RootUID(), c.RootGID(), rootless.IsRootless(), false)
|
2018-11-08 11:12:14 +00:00
|
|
|
for _, mount := range secretMounts {
|
|
|
|
if _, ok := c.state.BindMounts[mount.Destination]; !ok {
|
|
|
|
c.state.BindMounts[mount.Destination] = mount.Source
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// generateResolvConf generates a containers resolv.conf
|
|
|
|
func (c *Container) generateResolvConf() (string, error) {
|
2019-08-28 18:19:15 +00:00
|
|
|
var (
|
|
|
|
nameservers []string
|
|
|
|
cniNameServers []string
|
|
|
|
)
|
|
|
|
|
2019-02-18 02:55:30 +00:00
|
|
|
resolvConf := "/etc/resolv.conf"
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, namespace := range c.config.Spec.Linux.Namespaces {
|
|
|
|
if namespace.Type == spec.NetworkNamespace {
|
|
|
|
if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") {
|
|
|
|
definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf")
|
2019-02-18 02:55:30 +00:00
|
|
|
_, err := os.Stat(definedPath)
|
|
|
|
if err == nil {
|
|
|
|
resolvConf = definedPath
|
|
|
|
} else if !os.IsNotExist(err) {
|
|
|
|
return "", errors.Wrapf(err, "failed to stat %s", definedPath)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Determine the endpoint for resolv.conf in case it is a symlink
|
2019-02-18 02:55:30 +00:00
|
|
|
resolvPath, err := filepath.EvalSymlinks(resolvConf)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2020-09-12 01:57:48 +00:00
|
|
|
// Determine if symlink points to any of the systemd-resolved files
|
|
|
|
if strings.HasPrefix(resolvPath, "/run/systemd/resolve/") {
|
|
|
|
resolvPath = "/run/systemd/resolve/resolv.conf"
|
|
|
|
}
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
contents, err := ioutil.ReadFile(resolvPath)
|
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "unable to read %s", resolvPath)
|
|
|
|
}
|
|
|
|
|
2018-11-21 14:30:03 +00:00
|
|
|
// Ensure that the container's /etc/resolv.conf is compatible with its
|
|
|
|
// network configuration.
|
2018-11-08 11:12:14 +00:00
|
|
|
// TODO: set ipv6 enable bool more sanely
|
2018-11-21 14:30:03 +00:00
|
|
|
resolv, err := resolvconf.FilterResolvDNS(contents, true, c.config.CreateNetNS)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "error parsing host resolv.conf")
|
|
|
|
}
|
|
|
|
|
2019-08-28 18:19:15 +00:00
|
|
|
// Check if CNI gave back and DNS servers for us to add in
|
|
|
|
cniResponse := c.state.NetworkStatus
|
|
|
|
for _, i := range cniResponse {
|
|
|
|
if i.DNS.Nameservers != nil {
|
|
|
|
cniNameServers = append(cniNameServers, i.DNS.Nameservers...)
|
|
|
|
logrus.Debugf("adding nameserver(s) from cni response of '%q'", i.DNS.Nameservers)
|
|
|
|
}
|
2019-03-11 10:42:01 +00:00
|
|
|
}
|
2019-08-28 18:19:15 +00:00
|
|
|
|
2020-06-11 18:40:38 +00:00
|
|
|
dns := make([]net.IP, 0, len(c.runtime.config.Containers.DNSServers))
|
2020-03-27 14:13:51 +00:00
|
|
|
for _, i := range c.runtime.config.Containers.DNSServers {
|
|
|
|
result := net.ParseIP(i)
|
|
|
|
if result == nil {
|
|
|
|
return "", errors.Wrapf(define.ErrInvalidArg, "invalid IP address %s", i)
|
|
|
|
}
|
|
|
|
dns = append(dns, result)
|
|
|
|
}
|
|
|
|
dnsServers := append(dns, c.config.DNSServer...)
|
2019-08-28 18:19:15 +00:00
|
|
|
// If the user provided dns, it trumps all; then dns masq; then resolv.conf
|
2020-01-13 12:01:45 +00:00
|
|
|
switch {
|
2020-03-27 14:13:51 +00:00
|
|
|
case len(dnsServers) > 0:
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// We store DNS servers as net.IP, so need to convert to string
|
2020-03-27 14:13:51 +00:00
|
|
|
for _, server := range dnsServers {
|
2018-11-08 11:12:14 +00:00
|
|
|
nameservers = append(nameservers, server.String())
|
|
|
|
}
|
2020-01-13 12:01:45 +00:00
|
|
|
case len(cniNameServers) > 0:
|
2019-08-28 18:19:15 +00:00
|
|
|
nameservers = append(nameservers, cniNameServers...)
|
2020-01-13 12:01:45 +00:00
|
|
|
default:
|
2019-08-28 18:19:15 +00:00
|
|
|
// Make a new resolv.conf
|
|
|
|
nameservers = resolvconf.GetNameservers(resolv.Content)
|
|
|
|
// slirp4netns has a built in DNS server.
|
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
nameservers = append([]string{"10.0.2.3"}, nameservers...)
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
2020-03-27 14:13:51 +00:00
|
|
|
var search []string
|
|
|
|
if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches) > 0 {
|
|
|
|
if !util.StringInSlice(".", c.config.DNSSearch) {
|
|
|
|
search = c.runtime.config.Containers.DNSSearches
|
|
|
|
search = append(search, c.config.DNSSearch...)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
search = resolvconf.GetSearchDomains(resolv.Content)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
2020-03-27 14:13:51 +00:00
|
|
|
var options []string
|
|
|
|
if len(c.config.DNSOption) > 0 || len(c.runtime.config.Containers.DNSOptions) > 0 {
|
|
|
|
options = c.runtime.config.Containers.DNSOptions
|
|
|
|
options = append(options, c.config.DNSOption...)
|
|
|
|
} else {
|
|
|
|
options = resolvconf.GetOptions(resolv.Content)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
destPath := filepath.Join(c.state.RunDir, "resolv.conf")
|
|
|
|
|
|
|
|
if err := os.Remove(destPath); err != nil && !os.IsNotExist(err) {
|
|
|
|
return "", errors.Wrapf(err, "error removing resolv.conf for container %s", c.ID())
|
|
|
|
}
|
|
|
|
|
|
|
|
// Build resolv.conf
|
|
|
|
if _, err = resolvconf.Build(destPath, nameservers, search, options); err != nil {
|
2018-11-27 16:33:19 +00:00
|
|
|
return "", errors.Wrapf(err, "error building resolv.conf for container %s", c.ID())
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Relabel resolv.conf for the container
|
2019-02-23 12:52:05 +00:00
|
|
|
if err := label.Relabel(destPath, c.config.MountLabel, true); err != nil {
|
2018-11-08 11:12:14 +00:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2019-03-21 11:18:42 +00:00
|
|
|
return filepath.Join(c.state.RunDir, "resolv.conf"), nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// generateHosts creates a containers hosts file
|
2019-03-04 03:54:41 +00:00
|
|
|
func (c *Container) generateHosts(path string) (string, error) {
|
|
|
|
orig, err := ioutil.ReadFile(path)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
2019-03-04 03:54:41 +00:00
|
|
|
return "", errors.Wrapf(err, "unable to read %s", path)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
hosts := string(orig)
|
2019-03-04 03:54:41 +00:00
|
|
|
hosts += c.getHosts()
|
|
|
|
return c.writeStringToRundir("hosts", hosts)
|
|
|
|
}
|
|
|
|
|
|
|
|
// appendHosts appends a container's config and state pertaining to hosts to a container's
|
|
|
|
// local hosts file. netCtr is the container from which the netNS information is
|
|
|
|
// taken.
|
|
|
|
// path is the basis of the hosts file, into which netCtr's netNS information will be appended.
|
2020-06-11 18:40:38 +00:00
|
|
|
// FIXME. Path should be used by this function,but I am not sure what is correct; remove //lint
|
|
|
|
// once this is fixed
|
|
|
|
func (c *Container) appendHosts(path string, netCtr *Container) (string, error) { //nolint
|
2019-03-04 03:54:41 +00:00
|
|
|
return c.appendStringToRundir("hosts", netCtr.getHosts())
|
|
|
|
}
|
|
|
|
|
|
|
|
// getHosts finds the pertinent information for a container's host file in its config and state
|
|
|
|
// and returns a string in a format that can be written to the host file
|
|
|
|
func (c *Container) getHosts() string {
|
|
|
|
var hosts string
|
2018-11-08 11:12:14 +00:00
|
|
|
if len(c.config.HostAdd) > 0 {
|
|
|
|
for _, host := range c.config.HostAdd {
|
|
|
|
// the host format has already been verified at this point
|
|
|
|
fields := strings.SplitN(host, ":", 2)
|
|
|
|
hosts += fmt.Sprintf("%s %s\n", fields[1], fields[0])
|
|
|
|
}
|
|
|
|
}
|
2020-06-19 10:41:58 +00:00
|
|
|
|
2020-10-06 11:04:18 +00:00
|
|
|
hosts += c.cniHosts()
|
2020-10-19 19:25:06 +00:00
|
|
|
|
|
|
|
// If not making a network namespace, add our own hostname.
|
|
|
|
if c.Hostname() != "" {
|
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
// When using slirp4netns, the interface gets a static IP
|
|
|
|
hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s %s\n", "10.0.2.100", c.Hostname(), c.config.Name)
|
|
|
|
} else {
|
|
|
|
hasNetNS := false
|
2020-10-21 17:45:41 +00:00
|
|
|
netNone := false
|
2020-10-19 19:25:06 +00:00
|
|
|
for _, ns := range c.config.Spec.Linux.Namespaces {
|
|
|
|
if ns.Type == spec.NetworkNamespace {
|
|
|
|
hasNetNS = true
|
2020-10-21 17:45:41 +00:00
|
|
|
if ns.Path == "" && !c.config.CreateNetNS {
|
|
|
|
netNone = true
|
|
|
|
}
|
2020-10-19 19:25:06 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !hasNetNS {
|
|
|
|
// 127.0.1.1 and host's hostname to match Docker
|
|
|
|
osHostname, err := os.Hostname()
|
|
|
|
if err != nil {
|
|
|
|
osHostname = c.Hostname()
|
|
|
|
}
|
|
|
|
hosts += fmt.Sprintf("127.0.1.1 %s\n", osHostname)
|
|
|
|
}
|
2020-10-21 17:45:41 +00:00
|
|
|
if netNone {
|
|
|
|
hosts += fmt.Sprintf("127.0.1.1 %s\n", c.Hostname())
|
|
|
|
}
|
2020-10-19 19:25:06 +00:00
|
|
|
}
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
return hosts
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// generateGroupEntry generates an entry or entries into /etc/group as
|
|
|
|
// required by container configuration.
|
|
|
|
// Generatlly speaking, we will make an entry under two circumstances:
|
|
|
|
// 1. The container is started as a specific user:group, and that group is both
|
|
|
|
// numeric, and does not already exist in /etc/group.
|
|
|
|
// 2. It is requested that Libpod add the group that launched Podman to
|
|
|
|
// /etc/group via AddCurrentUserPasswdEntry (though this does not trigger if
|
|
|
|
// the group in question already exists in /etc/passwd).
|
|
|
|
// Returns group entry (as a string that can be appended to /etc/group) and any
|
|
|
|
// error that occurred.
|
|
|
|
func (c *Container) generateGroupEntry() (string, error) {
|
|
|
|
groupString := ""
|
|
|
|
|
|
|
|
// Things we *can't* handle: adding the user we added in
|
|
|
|
// generatePasswdEntry to any *existing* groups.
|
|
|
|
addedGID := 0
|
|
|
|
if c.config.AddCurrentUserPasswdEntry {
|
|
|
|
entry, gid, err := c.generateCurrentUserGroupEntry()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
groupString += entry
|
|
|
|
addedGID = gid
|
|
|
|
}
|
|
|
|
if c.config.User != "" {
|
|
|
|
entry, _, err := c.generateUserGroupEntry(addedGID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
groupString += entry
|
|
|
|
}
|
|
|
|
|
|
|
|
return groupString, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make an entry in /etc/group for the group of the user running podman iff we
|
|
|
|
// are rootless.
|
|
|
|
func (c *Container) generateCurrentUserGroupEntry() (string, int, error) {
|
|
|
|
gid := rootless.GetRootlessGID()
|
|
|
|
if gid == 0 {
|
|
|
|
return "", 0, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
g, err := user.LookupGroupId(strconv.Itoa(gid))
|
|
|
|
if err != nil {
|
|
|
|
return "", 0, errors.Wrapf(err, "failed to get current group")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Lookup group name to see if it exists in the image.
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, g.Name)
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
|
|
|
return "", 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Lookup GID to see if it exists in the image.
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, g.Gid)
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
|
|
|
return "", 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// We need to get the username of the rootless user so we can add it to
|
|
|
|
// the group.
|
|
|
|
username := ""
|
|
|
|
uid := rootless.GetRootlessUID()
|
|
|
|
if uid != 0 {
|
|
|
|
u, err := user.LookupId(strconv.Itoa(uid))
|
|
|
|
if err != nil {
|
|
|
|
return "", 0, errors.Wrapf(err, "failed to get current user to make group entry")
|
|
|
|
}
|
|
|
|
username = u.Username
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make the entry.
|
|
|
|
return fmt.Sprintf("%s:x:%s:%s\n", g.Name, g.Gid, username), gid, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make an entry in /etc/group for the group the container was specified to run
|
|
|
|
// as.
|
|
|
|
func (c *Container) generateUserGroupEntry(addedGID int) (string, int, error) {
|
|
|
|
if c.config.User == "" {
|
|
|
|
return "", 0, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
splitUser := strings.SplitN(c.config.User, ":", 2)
|
|
|
|
group := splitUser[0]
|
|
|
|
if len(splitUser) > 1 {
|
|
|
|
group = splitUser[1]
|
|
|
|
}
|
|
|
|
|
|
|
|
gid, err := strconv.ParseUint(group, 10, 32)
|
|
|
|
if err != nil {
|
|
|
|
return "", 0, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if addedGID != 0 && addedGID == int(gid) {
|
|
|
|
return "", 0, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the group already exists
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, group)
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
|
|
|
return "", 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Sprintf("%d:x:%d:%s\n", gid, gid, splitUser[0]), int(gid), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// generatePasswdEntry generates an entry or entries into /etc/passwd as
|
|
|
|
// required by container configuration.
|
|
|
|
// Generally speaking, we will make an entry under two circumstances:
|
|
|
|
// 1. The container is started as a specific user who is not in /etc/passwd.
|
|
|
|
// This only triggers if the user is given as a *numeric* ID.
|
|
|
|
// 2. It is requested that Libpod add the user that launched Podman to
|
|
|
|
// /etc/passwd via AddCurrentUserPasswdEntry (though this does not trigger if
|
|
|
|
// the user in question already exists in /etc/passwd) or the UID to be added
|
|
|
|
// is 0).
|
|
|
|
// Returns password entry (as a string that can be appended to /etc/passwd) and
|
|
|
|
// any error that occurred.
|
|
|
|
func (c *Container) generatePasswdEntry() (string, error) {
|
|
|
|
passwdString := ""
|
|
|
|
|
|
|
|
addedUID := 0
|
|
|
|
if c.config.AddCurrentUserPasswdEntry {
|
|
|
|
entry, uid, _, err := c.generateCurrentUserPasswdEntry()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
passwdString += entry
|
|
|
|
addedUID = uid
|
|
|
|
}
|
|
|
|
if c.config.User != "" {
|
|
|
|
entry, _, _, err := c.generateUserPasswdEntry(addedUID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
passwdString += entry
|
|
|
|
}
|
|
|
|
|
|
|
|
return passwdString, nil
|
|
|
|
}
|
|
|
|
|
2020-06-30 19:44:14 +00:00
|
|
|
// generateCurrentUserPasswdEntry generates an /etc/passwd entry for the user
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// running the container engine.
|
|
|
|
// Returns a passwd entry for the user, and the UID and GID of the added entry.
|
|
|
|
func (c *Container) generateCurrentUserPasswdEntry() (string, int, int, error) {
|
2020-06-30 19:44:14 +00:00
|
|
|
uid := rootless.GetRootlessUID()
|
|
|
|
if uid == 0 {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
u, err := user.LookupId(strconv.Itoa(uid))
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, errors.Wrapf(err, "failed to get current user")
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
|
|
|
// Lookup the user to see if it exists in the container image.
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, u.Username)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
|
|
|
return "", 0, 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Lookup the UID to see if it exists in the container image.
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, u.Uid)
|
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
|
|
|
return "", 0, 0, err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the user's actual home directory exists, or was mounted in - use
|
|
|
|
// that.
|
|
|
|
homeDir := c.WorkingDir()
|
2020-10-13 21:43:26 +00:00
|
|
|
hDir := u.HomeDir
|
|
|
|
for hDir != "/" {
|
|
|
|
if MountExists(c.config.Spec.Mounts, hDir) {
|
|
|
|
homeDir = u.HomeDir
|
|
|
|
break
|
|
|
|
}
|
|
|
|
hDir = filepath.Dir(hDir)
|
|
|
|
}
|
|
|
|
if homeDir != u.HomeDir {
|
|
|
|
for _, hDir := range c.UserVolumes() {
|
|
|
|
if hDir == u.HomeDir {
|
|
|
|
homeDir = u.HomeDir
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// Set HOME environment if not already set
|
|
|
|
hasHomeSet := false
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
if strings.HasPrefix(s, "HOME=") {
|
|
|
|
hasHomeSet = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !hasHomeSet {
|
|
|
|
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
2020-10-13 21:43:26 +00:00
|
|
|
return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Name, homeDir), uid, rootless.GetRootlessGID(), nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// generateUserPasswdEntry generates an /etc/passwd entry for the container user
|
|
|
|
// to run in the container.
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// The UID and GID of the added entry will also be returned.
|
|
|
|
// Accepts one argument, that being any UID that has already been added to the
|
|
|
|
// passwd file by other functions; if it matches the UID we were given, we don't
|
|
|
|
// need to do anything.
|
|
|
|
func (c *Container) generateUserPasswdEntry(addedUID int) (string, int, int, error) {
|
2018-11-08 11:12:14 +00:00
|
|
|
var (
|
|
|
|
groupspec string
|
|
|
|
gid int
|
|
|
|
)
|
|
|
|
if c.config.User == "" {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
splitSpec := strings.SplitN(c.config.User, ":", 2)
|
|
|
|
userspec := splitSpec[0]
|
|
|
|
if len(splitSpec) > 1 {
|
|
|
|
groupspec = splitSpec[1]
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
// If a non numeric User, then don't generate passwd
|
|
|
|
uid, err := strconv.ParseUint(userspec, 10, 32)
|
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if addedUID != 0 && int(uid) == addedUID {
|
|
|
|
return "", 0, 0, nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2020-06-30 19:44:14 +00:00
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Lookup the user to see if it exists in the container image
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, userspec)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
|
|
|
return "", 0, 0, err
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2020-06-30 19:44:14 +00:00
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
if groupspec != "" {
|
2018-12-04 19:46:17 +00:00
|
|
|
ugid, err := strconv.ParseUint(groupspec, 10, 32)
|
|
|
|
if err == nil {
|
|
|
|
gid = int(ugid)
|
|
|
|
} else {
|
|
|
|
group, err := lookup.GetGroup(c.state.Mountpoint, groupspec)
|
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, errors.Wrapf(err, "unable to get gid %s from group file", groupspec)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2018-12-04 19:46:17 +00:00
|
|
|
gid = group.Gid
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return fmt.Sprintf("%d:*:%d:%d:container user:%s:/bin/sh\n", uid, uid, gid, c.WorkingDir()), int(uid), gid, nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// generatePasswdAndGroup generates container-specific passwd and group files
|
|
|
|
// iff g.config.User is a number or we are configured to make a passwd entry for
|
|
|
|
// the current user.
|
|
|
|
// Returns path to file to mount at /etc/passwd, path to file to mount at
|
|
|
|
// /etc/group, and any error that occurred. If no passwd/group file were
|
|
|
|
// required, the empty string will be returned for those path (this may occur
|
|
|
|
// even if no error happened).
|
|
|
|
// This may modify the mounted container's /etc/passwd and /etc/group instead of
|
|
|
|
// making copies to bind-mount in, so we don't break useradd (it wants to make a
|
|
|
|
// copy of /etc/passwd and rename the copy to /etc/passwd, which is impossible
|
|
|
|
// with a bind mount). This is done in cases where the container is *not*
|
|
|
|
// read-only. In this case, the function will return nothing ("", "", nil).
|
|
|
|
func (c *Container) generatePasswdAndGroup() (string, string, error) {
|
2020-06-30 19:44:14 +00:00
|
|
|
if !c.config.AddCurrentUserPasswdEntry && c.config.User == "" {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
needPasswd := true
|
|
|
|
needGroup := true
|
|
|
|
|
|
|
|
// First, check if there's a mount at /etc/passwd or group, we don't
|
|
|
|
// want to interfere with user mounts.
|
2020-07-14 20:20:22 +00:00
|
|
|
if MountExists(c.config.Spec.Mounts, "/etc/passwd") {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needPasswd = false
|
2020-07-14 20:20:22 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if MountExists(c.config.Spec.Mounts, "/etc/group") {
|
|
|
|
needGroup = false
|
2020-07-14 20:20:22 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
// Next, check if we already made the files. If we didn, don't need to
|
|
|
|
// do anything more.
|
|
|
|
if needPasswd {
|
|
|
|
passwdPath := filepath.Join(c.config.StaticDir, "passwd")
|
|
|
|
if _, err := os.Stat(passwdPath); err == nil {
|
|
|
|
needPasswd = false
|
|
|
|
}
|
2020-08-31 18:06:49 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if needGroup {
|
|
|
|
groupPath := filepath.Join(c.config.StaticDir, "group")
|
|
|
|
if _, err := os.Stat(groupPath); err == nil {
|
|
|
|
needGroup = false
|
2020-08-31 18:06:49 +00:00
|
|
|
}
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
// Next, check if the container even has a /etc/passwd or /etc/group.
|
|
|
|
// If it doesn't we don't want to create them ourselves.
|
|
|
|
if needPasswd {
|
|
|
|
exists, err := c.checkFileExistsInRootfs("/etc/passwd")
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needPasswd = exists
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if needGroup {
|
|
|
|
exists, err := c.checkFileExistsInRootfs("/etc/group")
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needGroup = exists
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
// If we don't need a /etc/passwd or /etc/group at this point we can
|
|
|
|
// just return.
|
|
|
|
if !needPasswd && !needGroup {
|
|
|
|
return "", "", nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
passwdPath := ""
|
|
|
|
groupPath := ""
|
|
|
|
|
|
|
|
ro := c.IsReadOnly()
|
|
|
|
|
|
|
|
if needPasswd {
|
|
|
|
passwdEntry, err := c.generatePasswdEntry()
|
2020-07-15 19:25:12 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needsWrite := passwdEntry != ""
|
|
|
|
switch {
|
|
|
|
case ro && needsWrite:
|
|
|
|
logrus.Debugf("Making /etc/passwd for container %s", c.ID())
|
|
|
|
originPasswdFile, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd")
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error creating path to container %s /etc/passwd", c.ID())
|
|
|
|
}
|
|
|
|
orig, err := ioutil.ReadFile(originPasswdFile)
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
|
|
|
return "", "", errors.Wrapf(err, "unable to read passwd file %s", originPasswdFile)
|
|
|
|
}
|
|
|
|
passwdFile, err := c.writeStringToStaticDir("passwd", string(orig)+passwdEntry)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "failed to create temporary passwd file")
|
|
|
|
}
|
|
|
|
if err := os.Chmod(passwdFile, 0644); err != nil {
|
|
|
|
return "", "", err
|
|
|
|
}
|
|
|
|
passwdPath = passwdFile
|
|
|
|
case !ro && needsWrite:
|
|
|
|
logrus.Debugf("Modifying container %s /etc/passwd", c.ID())
|
|
|
|
containerPasswd, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd")
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error looking up location of container %s /etc/passwd", c.ID())
|
|
|
|
}
|
|
|
|
|
|
|
|
f, err := os.OpenFile(containerPasswd, os.O_APPEND|os.O_WRONLY, 0600)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error opening container %s /etc/passwd", c.ID())
|
|
|
|
}
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
|
if _, err := f.WriteString(passwdEntry); err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "unable to append to container %s /etc/passwd", c.ID())
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
logrus.Debugf("Not modifying container %s /etc/passwd", c.ID())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if needGroup {
|
|
|
|
groupEntry, err := c.generateGroupEntry()
|
2020-07-15 19:25:12 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needsWrite := groupEntry != ""
|
|
|
|
switch {
|
|
|
|
case ro && needsWrite:
|
|
|
|
logrus.Debugf("Making /etc/group for container %s", c.ID())
|
|
|
|
originGroupFile, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/group")
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error creating path to container %s /etc/group", c.ID())
|
|
|
|
}
|
|
|
|
orig, err := ioutil.ReadFile(originGroupFile)
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
|
|
|
return "", "", errors.Wrapf(err, "unable to read group file %s", originGroupFile)
|
|
|
|
}
|
|
|
|
groupFile, err := c.writeStringToStaticDir("group", string(orig)+groupEntry)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "failed to create temporary group file")
|
|
|
|
}
|
|
|
|
if err := os.Chmod(groupFile, 0644); err != nil {
|
|
|
|
return "", "", err
|
|
|
|
}
|
|
|
|
groupPath = groupFile
|
|
|
|
case !ro && needsWrite:
|
|
|
|
logrus.Debugf("Modifying container %s /etc/group", c.ID())
|
|
|
|
containerGroup, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/group")
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error looking up location of container %s /etc/group", c.ID())
|
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
f, err := os.OpenFile(containerGroup, os.O_APPEND|os.O_WRONLY, 0600)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "error opening container %s /etc/group", c.ID())
|
|
|
|
}
|
|
|
|
defer f.Close()
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if _, err := f.WriteString(groupEntry); err != nil {
|
|
|
|
return "", "", errors.Wrapf(err, "unable to append to container %s /etc/group", c.ID())
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
logrus.Debugf("Not modifying container %s /etc/group", c.ID())
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
return passwdPath, groupPath, nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2019-03-14 12:33:53 +00:00
|
|
|
|
|
|
|
func (c *Container) copyOwnerAndPerms(source, dest string) error {
|
|
|
|
info, err := os.Stat(source)
|
|
|
|
if err != nil {
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return errors.Wrapf(err, "cannot stat `%s`", dest)
|
|
|
|
}
|
|
|
|
if err := os.Chmod(dest, info.Mode()); err != nil {
|
|
|
|
return errors.Wrapf(err, "cannot chmod `%s`", dest)
|
|
|
|
}
|
|
|
|
if err := os.Chown(dest, int(info.Sys().(*syscall.Stat_t).Uid), int(info.Sys().(*syscall.Stat_t).Gid)); err != nil {
|
|
|
|
return errors.Wrapf(err, "cannot chown `%s`", dest)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2019-09-23 18:54:10 +00:00
|
|
|
|
2019-10-10 18:45:56 +00:00
|
|
|
// Get cgroup path in a format suitable for the OCI spec
|
|
|
|
func (c *Container) getOCICgroupPath() (string, error) {
|
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2020-10-08 19:25:06 +00:00
|
|
|
cgroupManager := c.CgroupManager()
|
2020-01-13 12:01:45 +00:00
|
|
|
switch {
|
|
|
|
case (rootless.IsRootless() && !unified) || c.config.NoCgroups:
|
2019-10-10 18:45:56 +00:00
|
|
|
return "", nil
|
2020-06-18 11:56:30 +00:00
|
|
|
case c.config.CgroupsMode == cgroupSplit:
|
|
|
|
if c.config.CgroupParent != "" {
|
|
|
|
return c.config.CgroupParent, nil
|
|
|
|
}
|
|
|
|
selfCgroup, err := utils.GetOwnCgroup()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return filepath.Join(selfCgroup, "container"), nil
|
2020-10-08 19:25:06 +00:00
|
|
|
case cgroupManager == config.SystemdCgroupsManager:
|
2020-06-18 11:56:30 +00:00
|
|
|
// When the OCI runtime is set to use Systemd as a cgroup manager, it
|
2019-10-10 18:45:56 +00:00
|
|
|
// expects cgroups to be passed as follows:
|
|
|
|
// slice:prefix:name
|
|
|
|
systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID())
|
|
|
|
logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups)
|
|
|
|
return systemdCgroups, nil
|
2020-10-08 19:25:06 +00:00
|
|
|
case cgroupManager == config.CgroupfsCgroupsManager:
|
2019-10-10 18:45:56 +00:00
|
|
|
cgroupPath, err := c.CGroupPath()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath)
|
|
|
|
return cgroupPath, nil
|
2020-01-13 12:01:45 +00:00
|
|
|
default:
|
2020-10-08 19:25:06 +00:00
|
|
|
return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", cgroupManager)
|
2019-10-10 18:45:56 +00:00
|
|
|
}
|
|
|
|
}
|
2020-06-30 21:21:52 +00:00
|
|
|
|
|
|
|
func (c *Container) copyTimezoneFile(zonePath string) (string, error) {
|
|
|
|
var localtimeCopy string = filepath.Join(c.state.RunDir, "localtime")
|
|
|
|
file, err := os.Stat(zonePath)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
if file.IsDir() {
|
|
|
|
return "", errors.New("Invalid timezone: is a directory")
|
|
|
|
}
|
|
|
|
src, err := os.Open(zonePath)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer src.Close()
|
|
|
|
dest, err := os.Create(localtimeCopy)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer dest.Close()
|
|
|
|
_, err = io.Copy(dest, src)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
if err := label.Relabel(localtimeCopy, c.config.MountLabel, false); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
if err := dest.Chown(c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return localtimeCopy, err
|
|
|
|
}
|
2020-07-09 19:46:14 +00:00
|
|
|
|
|
|
|
func (c *Container) cleanupOverlayMounts() error {
|
|
|
|
return overlay.CleanupContent(c.config.StaticDir)
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
// Check if a file exists at the given path in the container's root filesystem.
|
|
|
|
// Container must already be mounted for this to be used.
|
|
|
|
func (c *Container) checkFileExistsInRootfs(file string) (bool, error) {
|
|
|
|
checkPath, err := securejoin.SecureJoin(c.state.Mountpoint, file)
|
|
|
|
if err != nil {
|
|
|
|
return false, errors.Wrapf(err, "cannot create path to container %s file %q", c.ID(), file)
|
|
|
|
}
|
|
|
|
stat, err := os.Stat(checkPath)
|
|
|
|
if err != nil {
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
return false, errors.Wrapf(err, "error accessing container %s file %q", c.ID(), file)
|
|
|
|
}
|
|
|
|
if stat.IsDir() {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
return true, nil
|
|
|
|
}
|