2021-09-04 13:54:41 +00:00
|
|
|
//go:build linux
|
2018-06-20 18:23:24 +00:00
|
|
|
// +build linux
|
|
|
|
|
|
|
|
|
|
package libpod
|
|
|
|
|
|
|
|
|
|
import (
|
2018-07-04 15:51:20 +00:00
|
|
|
"context"
|
2018-06-20 18:23:24 +00:00
|
|
|
"fmt"
|
2019-02-06 19:17:25 +00:00
|
|
|
"io"
|
2018-09-18 09:56:19 +00:00
|
|
|
"io/ioutil"
|
2020-10-02 07:25:12 +00:00
|
|
|
"math"
|
2018-09-18 09:56:19 +00:00
|
|
|
"net"
|
|
|
|
|
"os"
|
2020-06-30 19:44:14 +00:00
|
|
|
"os/user"
|
2018-07-04 15:51:20 +00:00
|
|
|
"path"
|
2018-09-18 09:56:19 +00:00
|
|
|
"path/filepath"
|
2018-11-08 11:12:14 +00:00
|
|
|
"strconv"
|
2018-07-04 15:51:20 +00:00
|
|
|
"strings"
|
2018-10-17 18:43:36 +00:00
|
|
|
"sync"
|
2018-07-04 15:51:20 +00:00
|
|
|
"syscall"
|
|
|
|
|
"time"
|
2018-06-20 18:23:24 +00:00
|
|
|
|
2021-02-25 16:43:18 +00:00
|
|
|
metadata "github.com/checkpoint-restore/checkpointctl/lib"
|
2021-11-05 15:18:17 +00:00
|
|
|
"github.com/checkpoint-restore/go-criu/v5/stats"
|
2022-01-12 13:22:29 +00:00
|
|
|
cdi "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
|
2018-10-17 18:43:36 +00:00
|
|
|
"github.com/containernetworking/plugins/pkg/ns"
|
2022-04-12 17:46:32 +00:00
|
|
|
"github.com/containers/buildah"
|
2021-02-15 21:22:44 +00:00
|
|
|
"github.com/containers/buildah/pkg/chrootuser"
|
2020-07-09 19:46:14 +00:00
|
|
|
"github.com/containers/buildah/pkg/overlay"
|
2021-01-06 01:50:58 +00:00
|
|
|
butil "github.com/containers/buildah/util"
|
2022-04-19 11:58:35 +00:00
|
|
|
"github.com/containers/common/libnetwork/etchosts"
|
2021-12-17 13:46:15 +00:00
|
|
|
"github.com/containers/common/libnetwork/types"
|
2020-04-17 01:54:31 +00:00
|
|
|
"github.com/containers/common/pkg/apparmor"
|
2021-12-06 11:46:27 +00:00
|
|
|
"github.com/containers/common/pkg/cgroups"
|
2021-01-06 01:50:58 +00:00
|
|
|
"github.com/containers/common/pkg/chown"
|
2020-03-27 14:13:51 +00:00
|
|
|
"github.com/containers/common/pkg/config"
|
2020-11-25 10:36:09 +00:00
|
|
|
"github.com/containers/common/pkg/subscriptions"
|
2021-01-15 06:27:23 +00:00
|
|
|
"github.com/containers/common/pkg/umask"
|
2022-05-23 16:16:49 +00:00
|
|
|
cutil "github.com/containers/common/pkg/util"
|
2022-04-12 17:46:32 +00:00
|
|
|
is "github.com/containers/image/v5/storage"
|
2022-01-18 09:14:48 +00:00
|
|
|
"github.com/containers/podman/v4/libpod/define"
|
|
|
|
|
"github.com/containers/podman/v4/libpod/events"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/annotations"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/checkpoint/crutils"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/criu"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/lookup"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/resolvconf"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/rootless"
|
|
|
|
|
"github.com/containers/podman/v4/pkg/util"
|
|
|
|
|
"github.com/containers/podman/v4/utils"
|
|
|
|
|
"github.com/containers/podman/v4/version"
|
2019-02-06 19:17:25 +00:00
|
|
|
"github.com/containers/storage/pkg/archive"
|
2020-10-02 07:25:12 +00:00
|
|
|
"github.com/containers/storage/pkg/idtools"
|
2022-04-19 11:58:35 +00:00
|
|
|
"github.com/containers/storage/pkg/lockfile"
|
2019-05-23 11:12:56 +00:00
|
|
|
securejoin "github.com/cyphar/filepath-securejoin"
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
runcuser "github.com/opencontainers/runc/libcontainer/user"
|
2018-07-04 15:51:20 +00:00
|
|
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
|
"github.com/opencontainers/runtime-tools/generate"
|
2021-10-13 20:24:46 +00:00
|
|
|
"github.com/opencontainers/selinux/go-selinux"
|
2018-07-04 15:51:20 +00:00
|
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
|
|
|
|
"github.com/pkg/errors"
|
2018-06-20 18:23:24 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2018-07-04 15:51:20 +00:00
|
|
|
"golang.org/x/sys/unix"
|
2018-06-20 18:23:24 +00:00
|
|
|
)
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
func (c *Container) mountSHM(shmOptions string) error {
|
|
|
|
|
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
|
|
|
|
|
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) unmountSHM(mount string) error {
|
2019-09-05 14:00:50 +00:00
|
|
|
if err := unix.Unmount(mount, 0); err != nil {
|
2019-09-06 14:25:53 +00:00
|
|
|
if err != syscall.EINVAL && err != syscall.ENOENT {
|
2019-09-05 14:00:50 +00:00
|
|
|
return errors.Wrapf(err, "error unmounting container %s SHM mount %s", c.ID(), mount)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2019-09-06 14:25:53 +00:00
|
|
|
// If it's just an EINVAL or ENOENT, debug logs only
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Container %s failed to unmount %s : %v", c.ID(), mount, err)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// prepare mounts the container and sets up other required resources like net
|
|
|
|
|
// namespaces
|
2020-01-13 12:01:45 +00:00
|
|
|
func (c *Container) prepare() error {
|
2018-10-17 18:43:36 +00:00
|
|
|
var (
|
2019-08-06 14:49:03 +00:00
|
|
|
wg sync.WaitGroup
|
|
|
|
|
netNS ns.NetNS
|
2021-08-16 14:11:26 +00:00
|
|
|
networkStatus map[string]types.StatusBlock
|
2019-08-06 14:49:03 +00:00
|
|
|
createNetNSErr, mountStorageErr error
|
|
|
|
|
mountPoint string
|
|
|
|
|
tmpStateLock sync.Mutex
|
2018-10-17 18:43:36 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
wg.Add(2)
|
|
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
// Set up network namespace if not already set up
|
2020-06-11 11:06:21 +00:00
|
|
|
noNetNS := c.state.NetNS == nil
|
|
|
|
|
if c.config.CreateNetNS && noNetNS && !c.config.PostConfigureNetNS {
|
2021-02-18 12:51:27 +00:00
|
|
|
netNS, networkStatus, createNetNSErr = c.runtime.createNetNS(c)
|
2019-06-12 17:31:18 +00:00
|
|
|
if createNetNSErr != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
|
|
// Assign NetNS attributes to container
|
2019-06-12 17:31:18 +00:00
|
|
|
c.state.NetNS = netNS
|
|
|
|
|
c.state.NetworkStatus = networkStatus
|
|
|
|
|
}
|
2018-10-17 18:43:36 +00:00
|
|
|
}()
|
2018-07-04 15:51:20 +00:00
|
|
|
// Mount storage if not mounted
|
2018-10-17 18:43:36 +00:00
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
mountPoint, mountStorageErr = c.mountStorage()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
|
|
|
|
if mountStorageErr != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmpStateLock.Lock()
|
|
|
|
|
defer tmpStateLock.Unlock()
|
|
|
|
|
|
|
|
|
|
// Finish up mountStorage
|
|
|
|
|
c.state.Mounted = true
|
|
|
|
|
c.state.Mountpoint = mountPoint
|
|
|
|
|
|
|
|
|
|
logrus.Debugf("Created root filesystem for container %s at %s", c.ID(), c.state.Mountpoint)
|
|
|
|
|
}()
|
|
|
|
|
|
2018-10-17 18:43:36 +00:00
|
|
|
wg.Wait()
|
2018-11-08 21:06:59 +00:00
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
var createErr error
|
2018-10-17 18:43:36 +00:00
|
|
|
if createNetNSErr != nil {
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = createNetNSErr
|
2018-10-17 18:43:36 +00:00
|
|
|
}
|
|
|
|
|
if mountStorageErr != nil {
|
2019-09-06 17:52:13 +00:00
|
|
|
if createErr != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Errorf("Preparing container %s: %v", c.ID(), createErr)
|
2019-09-06 17:52:13 +00:00
|
|
|
}
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = mountStorageErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Only trigger storage cleanup if mountStorage was successful.
|
|
|
|
|
// Otherwise, we may mess up mount counters.
|
|
|
|
|
if createNetNSErr != nil && mountStorageErr == nil {
|
|
|
|
|
if err := c.cleanupStorage(); err != nil {
|
|
|
|
|
// createErr is guaranteed non-nil, so print
|
|
|
|
|
// unconditionally
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Errorf("Preparing container %s: %v", c.ID(), createErr)
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = errors.Wrapf(err, "error unmounting storage for container %s after network create failure", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// It's OK to unconditionally trigger network cleanup. If the network
|
|
|
|
|
// isn't ready it will do nothing.
|
|
|
|
|
if createErr != nil {
|
|
|
|
|
if err := c.cleanupNetwork(); err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Errorf("Preparing container %s: %v", c.ID(), createErr)
|
2019-09-03 19:03:44 +00:00
|
|
|
createErr = errors.Wrapf(err, "error cleaning up container %s network after setup failure", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if createErr != nil {
|
|
|
|
|
return createErr
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
2019-09-03 19:03:44 +00:00
|
|
|
// Save changes to container state
|
2020-07-31 21:08:06 +00:00
|
|
|
if err := c.save(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-21 14:41:14 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-02 09:37:06 +00:00
|
|
|
// isWorkDirSymlink returns true if resolved workdir is symlink or a chain of symlinks,
|
|
|
|
|
// and final resolved target is present either on volume, mount or inside of container
|
|
|
|
|
// otherwise it returns false. Following function is meant for internal use only and
|
|
|
|
|
// can change at any point of time.
|
|
|
|
|
func (c *Container) isWorkDirSymlink(resolvedPath string) bool {
|
|
|
|
|
// We cannot create workdir since explicit --workdir is
|
|
|
|
|
// set in config but workdir could also be a symlink.
|
|
|
|
|
// If its a symlink lets check if resolved link is present
|
|
|
|
|
// on the container or not.
|
|
|
|
|
|
|
|
|
|
// If we can resolve symlink and resolved link is present on the container
|
|
|
|
|
// then return nil cause its a valid use-case.
|
|
|
|
|
|
|
|
|
|
maxSymLinks := 0
|
|
|
|
|
for {
|
|
|
|
|
// Linux only supports a chain of 40 links.
|
|
|
|
|
// Reference: https://github.com/torvalds/linux/blob/master/include/linux/namei.h#L13
|
|
|
|
|
if maxSymLinks > 40 {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
resolvedSymlink, err := os.Readlink(resolvedPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// End sym-link resolution loop.
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if resolvedSymlink != "" {
|
|
|
|
|
_, resolvedSymlinkWorkdir, err := c.resolvePath(c.state.Mountpoint, resolvedSymlink)
|
|
|
|
|
if isPathOnVolume(c, resolvedSymlinkWorkdir) || isPathOnBindMount(c, resolvedSymlinkWorkdir) {
|
|
|
|
|
// Resolved symlink exists on external volume or mount
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Could not resolve path so end sym-link resolution loop.
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if resolvedSymlinkWorkdir != "" {
|
|
|
|
|
resolvedPath = resolvedSymlinkWorkdir
|
|
|
|
|
_, err := os.Stat(resolvedSymlinkWorkdir)
|
|
|
|
|
if err == nil {
|
|
|
|
|
// Symlink resolved successfully and resolved path exists on container,
|
|
|
|
|
// this is a valid use-case so return nil.
|
|
|
|
|
logrus.Debugf("Workdir is a symlink with target to %q and resolved symlink exists on container", resolvedSymlink)
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
maxSymLinks++
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-21 14:41:14 +00:00
|
|
|
// resolveWorkDir resolves the container's workdir and, depending on the
|
|
|
|
|
// configuration, will create it, or error out if it does not exist.
|
|
|
|
|
// Note that the container must be mounted before.
|
|
|
|
|
func (c *Container) resolveWorkDir() error {
|
|
|
|
|
workdir := c.WorkingDir()
|
|
|
|
|
|
|
|
|
|
// If the specified workdir is a subdir of a volume or mount,
|
|
|
|
|
// we don't need to do anything. The runtime is taking care of
|
|
|
|
|
// that.
|
|
|
|
|
if isPathOnVolume(c, workdir) || isPathOnBindMount(c, workdir) {
|
|
|
|
|
logrus.Debugf("Workdir %q resolved to a volume or mount", workdir)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-07-31 21:08:06 +00:00
|
|
|
|
2021-01-21 14:41:14 +00:00
|
|
|
_, resolvedWorkdir, err := c.resolvePath(c.state.Mountpoint, workdir)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
logrus.Debugf("Workdir %q resolved to host path %q", workdir, resolvedWorkdir)
|
|
|
|
|
|
2021-02-15 21:22:44 +00:00
|
|
|
st, err := os.Stat(resolvedWorkdir)
|
|
|
|
|
if err == nil {
|
|
|
|
|
if !st.IsDir() {
|
|
|
|
|
return errors.Errorf("workdir %q exists on container %s, but is not a directory", workdir, c.ID())
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-01-21 14:41:14 +00:00
|
|
|
if !c.config.CreateWorkingDir {
|
2021-02-15 21:22:44 +00:00
|
|
|
// No need to create it (e.g., `--workdir=/foo`), so let's make sure
|
|
|
|
|
// the path exists on the container.
|
|
|
|
|
if err != nil {
|
2021-01-21 14:41:14 +00:00
|
|
|
if os.IsNotExist(err) {
|
2022-03-02 09:37:06 +00:00
|
|
|
// If resolved Workdir path gets marked as a valid symlink,
|
|
|
|
|
// return nil cause this is valid use-case.
|
|
|
|
|
if c.isWorkDirSymlink(resolvedWorkdir) {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-01-21 14:41:14 +00:00
|
|
|
return errors.Errorf("workdir %q does not exist on container %s", workdir, c.ID())
|
2020-07-31 21:08:06 +00:00
|
|
|
}
|
2021-01-21 14:41:14 +00:00
|
|
|
// This might be a serious error (e.g., permission), so
|
|
|
|
|
// we need to return the full error.
|
|
|
|
|
return errors.Wrapf(err, "error detecting workdir %q on container %s", workdir, c.ID())
|
2020-07-31 21:08:06 +00:00
|
|
|
}
|
2021-02-04 14:07:44 +00:00
|
|
|
return nil
|
2021-01-21 14:41:14 +00:00
|
|
|
}
|
|
|
|
|
if err := os.MkdirAll(resolvedWorkdir, 0755); err != nil {
|
|
|
|
|
if os.IsExist(err) {
|
|
|
|
|
return nil
|
2020-07-31 21:08:06 +00:00
|
|
|
}
|
2021-01-21 14:41:14 +00:00
|
|
|
return errors.Wrapf(err, "error creating container %s workdir", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-15 21:22:44 +00:00
|
|
|
// Ensure container entrypoint is created (if required).
|
|
|
|
|
uid, gid, _, err := chrootuser.GetUser(c.state.Mountpoint, c.User())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error looking up %s inside of the container %s", c.User(), c.ID())
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chown(resolvedWorkdir, int(uid), int(gid)); err != nil {
|
2021-01-21 14:41:14 +00:00
|
|
|
return errors.Wrapf(err, "error chowning container %s workdir to container root", c.ID())
|
2020-07-31 21:08:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// cleanupNetwork unmounts and cleans up the container's network
|
|
|
|
|
func (c *Container) cleanupNetwork() error {
|
2018-12-06 19:56:57 +00:00
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if netDisabled {
|
2018-11-08 11:12:14 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.state.NetNS == nil {
|
|
|
|
|
logrus.Debugf("Network is already cleaned up, skipping...")
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Stop the container's network namespace (if it has one)
|
|
|
|
|
if err := c.runtime.teardownNetNS(c); err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Errorf("Unable to cleanup network for container %s: %q", c.ID(), err)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.state.NetNS = nil
|
2018-07-12 14:51:31 +00:00
|
|
|
c.state.NetworkStatus = nil
|
2021-08-16 14:11:26 +00:00
|
|
|
c.state.NetworkStatusOld = nil
|
2018-07-04 15:51:20 +00:00
|
|
|
|
|
|
|
|
if c.valid {
|
|
|
|
|
return c.save()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-09 21:10:37 +00:00
|
|
|
// reloadNetwork reloads the network for the given container, recreating
|
|
|
|
|
// firewall rules.
|
|
|
|
|
func (c *Container) reloadNetwork() error {
|
|
|
|
|
result, err := c.runtime.reloadContainerNetwork(c)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.state.NetworkStatus = result
|
|
|
|
|
|
|
|
|
|
return c.save()
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-21 13:45:55 +00:00
|
|
|
func (c *Container) getUserOverrides() *lookup.Overrides {
|
|
|
|
|
var hasPasswdFile, hasGroupFile bool
|
|
|
|
|
overrides := lookup.Overrides{}
|
|
|
|
|
for _, m := range c.config.Spec.Mounts {
|
|
|
|
|
if m.Destination == "/etc/passwd" {
|
|
|
|
|
overrides.ContainerEtcPasswdPath = m.Source
|
|
|
|
|
hasPasswdFile = true
|
|
|
|
|
}
|
|
|
|
|
if m.Destination == "/etc/group" {
|
|
|
|
|
overrides.ContainerEtcGroupPath = m.Source
|
|
|
|
|
hasGroupFile = true
|
|
|
|
|
}
|
|
|
|
|
if m.Destination == "/etc" {
|
|
|
|
|
if !hasPasswdFile {
|
|
|
|
|
overrides.ContainerEtcPasswdPath = filepath.Join(m.Source, "passwd")
|
|
|
|
|
}
|
|
|
|
|
if !hasGroupFile {
|
|
|
|
|
overrides.ContainerEtcGroupPath = filepath.Join(m.Source, "group")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-07-14 20:20:22 +00:00
|
|
|
if path, ok := c.state.BindMounts["/etc/passwd"]; ok {
|
|
|
|
|
overrides.ContainerEtcPasswdPath = path
|
|
|
|
|
}
|
2019-09-21 13:45:55 +00:00
|
|
|
return &overrides
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-16 14:24:24 +00:00
|
|
|
func lookupHostUser(name string) (*runcuser.ExecUser, error) {
|
|
|
|
|
var execUser runcuser.ExecUser
|
|
|
|
|
// Lookup User on host
|
|
|
|
|
u, err := util.LookupUser(name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return &execUser, err
|
|
|
|
|
}
|
|
|
|
|
uid, err := strconv.ParseUint(u.Uid, 8, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return &execUser, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
gid, err := strconv.ParseUint(u.Gid, 8, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return &execUser, err
|
|
|
|
|
}
|
|
|
|
|
execUser.Uid = int(uid)
|
|
|
|
|
execUser.Gid = int(gid)
|
|
|
|
|
execUser.Home = u.HomeDir
|
|
|
|
|
return &execUser, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-03 07:48:44 +00:00
|
|
|
// Internal only function which returns upper and work dir from
|
|
|
|
|
// overlay options.
|
|
|
|
|
func getOverlayUpperAndWorkDir(options []string) (string, string, error) {
|
|
|
|
|
upperDir := ""
|
|
|
|
|
workDir := ""
|
|
|
|
|
for _, o := range options {
|
|
|
|
|
if strings.HasPrefix(o, "upperdir") {
|
|
|
|
|
splitOpt := strings.SplitN(o, "=", 2)
|
|
|
|
|
if len(splitOpt) > 1 {
|
|
|
|
|
upperDir = splitOpt[1]
|
|
|
|
|
if upperDir == "" {
|
|
|
|
|
return "", "", errors.New("cannot accept empty value for upperdir")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if strings.HasPrefix(o, "workdir") {
|
|
|
|
|
splitOpt := strings.SplitN(o, "=", 2)
|
|
|
|
|
if len(splitOpt) > 1 {
|
|
|
|
|
workDir = splitOpt[1]
|
|
|
|
|
if workDir == "" {
|
|
|
|
|
return "", "", errors.New("cannot accept empty value for workdir")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (upperDir != "" && workDir == "") || (upperDir == "" && workDir != "") {
|
|
|
|
|
return "", "", errors.New("must specify both upperdir and workdir")
|
|
|
|
|
}
|
|
|
|
|
return upperDir, workDir, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Generate spec for a container
|
|
|
|
|
// Accepts a map of the container's dependencies
|
|
|
|
|
func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
|
2019-09-21 13:45:55 +00:00
|
|
|
overrides := c.getUserOverrides()
|
|
|
|
|
execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides)
|
2018-10-25 18:39:25 +00:00
|
|
|
if err != nil {
|
2022-05-23 16:16:49 +00:00
|
|
|
if cutil.StringInSlice(c.config.User, c.config.HostUsers) {
|
2021-12-16 14:24:24 +00:00
|
|
|
execUser, err = lookupHostUser(c.config.User)
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-10-25 18:39:25 +00:00
|
|
|
}
|
2018-10-16 20:30:53 +00:00
|
|
|
|
2022-04-22 09:51:53 +00:00
|
|
|
// NewFromSpec() is deprecated according to its comment
|
|
|
|
|
// however the recommended replace just causes a nil map panic
|
|
|
|
|
//nolint:staticcheck
|
2021-10-25 11:22:11 +00:00
|
|
|
g := generate.NewFromSpec(c.config.Spec)
|
2018-07-04 15:51:20 +00:00
|
|
|
|
|
|
|
|
// If network namespace was requested, add it now
|
|
|
|
|
if c.config.CreateNetNS {
|
|
|
|
|
if c.config.PostConfigureNetNS {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), ""); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
} else {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), c.state.NetNS.Path()); err != nil {
|
2019-07-03 20:37:17 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2019-01-09 13:54:58 +00:00
|
|
|
// Apply AppArmor checks and load the default profile if needed.
|
2020-07-15 20:33:24 +00:00
|
|
|
if len(c.config.Spec.Process.ApparmorProfile) > 0 {
|
2019-05-23 11:12:56 +00:00
|
|
|
updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
g.SetProcessApparmorProfile(updatedProfile)
|
2019-01-09 13:54:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-03-15 14:01:23 +00:00
|
|
|
|
2021-03-24 11:49:29 +00:00
|
|
|
if err := c.mountNotifySocket(g); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-06 01:50:58 +00:00
|
|
|
// Get host UID and GID based on the container process UID and GID.
|
|
|
|
|
hostUID, hostGID, err := butil.GetHostIDs(util.IDtoolsToRuntimeSpec(c.config.IDMappings.UIDMap), util.IDtoolsToRuntimeSpec(c.config.IDMappings.GIDMap), uint32(execUser.Uid), uint32(execUser.Gid))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-13 18:41:38 +00:00
|
|
|
// Add named volumes
|
|
|
|
|
for _, namedVol := range c.config.NamedVolumes {
|
|
|
|
|
volume, err := c.runtime.GetVolume(namedVol.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error retrieving volume %s to add to container %s", namedVol.Name, c.ID())
|
|
|
|
|
}
|
|
|
|
|
mountPoint, err := volume.MountPoint()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-09-20 10:08:51 +00:00
|
|
|
|
|
|
|
|
overlayFlag := false
|
2021-12-28 10:32:25 +00:00
|
|
|
upperDir := ""
|
|
|
|
|
workDir := ""
|
2021-09-20 10:08:51 +00:00
|
|
|
for _, o := range namedVol.Options {
|
|
|
|
|
if o == "O" {
|
|
|
|
|
overlayFlag = true
|
2022-06-03 07:48:44 +00:00
|
|
|
upperDir, workDir, err = getOverlayUpperAndWorkDir(namedVol.Options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2021-12-28 10:32:25 +00:00
|
|
|
}
|
|
|
|
|
}
|
2021-09-20 10:08:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if overlayFlag {
|
2021-12-28 10:32:25 +00:00
|
|
|
var overlayMount spec.Mount
|
|
|
|
|
var overlayOpts *overlay.Options
|
2021-09-20 10:08:51 +00:00
|
|
|
contentDir, err := overlay.TempDir(c.config.StaticDir, c.RootUID(), c.RootGID())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-12-28 10:32:25 +00:00
|
|
|
|
|
|
|
|
overlayOpts = &overlay.Options{RootUID: c.RootUID(),
|
|
|
|
|
RootGID: c.RootGID(),
|
|
|
|
|
UpperDirOptionFragment: upperDir,
|
|
|
|
|
WorkDirOptionFragment: workDir,
|
|
|
|
|
GraphOpts: c.runtime.store.GraphOptions(),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
overlayMount, err = overlay.MountWithOptions(contentDir, mountPoint, namedVol.Dest, overlayOpts)
|
2021-09-20 10:08:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "mounting overlay failed %q", mountPoint)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, o := range namedVol.Options {
|
2022-04-25 13:15:52 +00:00
|
|
|
if o == "U" {
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.ChangeHostPathOwnership(mountPoint, true, int(hostUID), int(hostGID)); err != nil {
|
2021-09-20 10:08:51 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.ChangeHostPathOwnership(contentDir, true, int(hostUID), int(hostGID)); err != nil {
|
2021-09-20 10:08:51 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(overlayMount)
|
|
|
|
|
} else {
|
|
|
|
|
volMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: mountPoint,
|
|
|
|
|
Destination: namedVol.Dest,
|
|
|
|
|
Options: namedVol.Options,
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(volMount)
|
2021-05-13 18:41:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-06 01:50:58 +00:00
|
|
|
// Check if the spec file mounts contain the options z, Z or U.
|
|
|
|
|
// If they have z or Z, relabel the source directory and then remove the option.
|
|
|
|
|
// If they have U, chown the source directory and them remove the option.
|
2019-03-20 11:05:02 +00:00
|
|
|
for i := range g.Config.Mounts {
|
|
|
|
|
m := &g.Config.Mounts[i]
|
2018-09-18 13:06:40 +00:00
|
|
|
var options []string
|
|
|
|
|
for _, o := range m.Options {
|
|
|
|
|
switch o {
|
2021-01-06 01:50:58 +00:00
|
|
|
case "U":
|
|
|
|
|
if m.Type == "tmpfs" {
|
|
|
|
|
options = append(options, []string{fmt.Sprintf("uid=%d", execUser.Uid), fmt.Sprintf("gid=%d", execUser.Gid)}...)
|
|
|
|
|
} else {
|
2021-10-13 20:24:46 +00:00
|
|
|
// only chown on initial creation of container
|
|
|
|
|
if err := c.ChangeHostPathOwnership(m.Source, true, int(hostUID), int(hostGID)); err != nil {
|
2021-01-06 01:50:58 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-09-18 13:06:40 +00:00
|
|
|
case "z":
|
|
|
|
|
fallthrough
|
|
|
|
|
case "Z":
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
|
2021-05-06 21:41:04 +00:00
|
|
|
return nil, err
|
2018-09-18 13:06:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
options = append(options, o)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
m.Options = options
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g.SetProcessSelinuxLabel(c.ProcessLabel())
|
|
|
|
|
g.SetLinuxMountLabel(c.MountLabel())
|
2019-03-15 14:01:23 +00:00
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add bind mounts to container
|
|
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
|
newMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: srcPath,
|
|
|
|
|
Destination: dstPath,
|
2020-10-29 17:31:55 +00:00
|
|
|
Options: []string{"bind", "rprivate"},
|
2018-09-19 17:13:54 +00:00
|
|
|
}
|
2018-12-24 11:55:24 +00:00
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
2019-01-11 09:34:27 +00:00
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2022-02-02 09:03:13 +00:00
|
|
|
if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
|
|
|
|
|
newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
|
g.AddMount(newMount)
|
|
|
|
|
} else {
|
2020-12-01 21:15:14 +00:00
|
|
|
logrus.Infof("User mount overriding libpod mount at %q", dstPath)
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-09 19:46:14 +00:00
|
|
|
// Add overlay volumes
|
|
|
|
|
for _, overlayVol := range c.config.OverlayVolumes {
|
2022-06-03 07:48:44 +00:00
|
|
|
upperDir, workDir, err := getOverlayUpperAndWorkDir(overlayVol.Options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-07-09 19:46:14 +00:00
|
|
|
contentDir, err := overlay.TempDir(c.config.StaticDir, c.RootUID(), c.RootGID())
|
|
|
|
|
if err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return nil, err
|
2020-07-09 19:46:14 +00:00
|
|
|
}
|
2022-06-03 07:48:44 +00:00
|
|
|
overlayOpts := &overlay.Options{RootUID: c.RootUID(),
|
|
|
|
|
RootGID: c.RootGID(),
|
|
|
|
|
UpperDirOptionFragment: upperDir,
|
|
|
|
|
WorkDirOptionFragment: workDir,
|
|
|
|
|
GraphOpts: c.runtime.store.GraphOptions(),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
overlayMount, err := overlay.MountWithOptions(contentDir, overlayVol.Source, overlayVol.Dest, overlayOpts)
|
2020-07-09 19:46:14 +00:00
|
|
|
if err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return nil, errors.Wrapf(err, "mounting overlay failed %q", overlayVol.Source)
|
2020-07-09 19:46:14 +00:00
|
|
|
}
|
2021-01-06 01:50:58 +00:00
|
|
|
|
|
|
|
|
// Check overlay volume options
|
|
|
|
|
for _, o := range overlayVol.Options {
|
2022-04-25 13:15:52 +00:00
|
|
|
if o == "U" {
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.ChangeHostPathOwnership(overlayVol.Source, true, int(hostUID), int(hostGID)); err != nil {
|
2021-01-06 01:50:58 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.ChangeHostPathOwnership(contentDir, true, int(hostUID), int(hostGID)); err != nil {
|
2021-01-06 01:50:58 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-09 19:46:14 +00:00
|
|
|
g.AddMount(overlayMount)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-26 10:35:02 +00:00
|
|
|
// Add image volumes as overlay mounts
|
|
|
|
|
for _, volume := range c.config.ImageVolumes {
|
|
|
|
|
// Mount the specified image.
|
2021-04-22 06:01:12 +00:00
|
|
|
img, _, err := c.runtime.LibimageRuntime().LookupImage(volume.Source, nil)
|
2020-10-26 10:35:02 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error creating image volume %q:%q", volume.Source, volume.Dest)
|
|
|
|
|
}
|
2021-04-22 06:01:12 +00:00
|
|
|
mountPoint, err := img.Mount(ctx, nil, "")
|
2020-10-26 10:35:02 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error mounting image volume %q:%q", volume.Source, volume.Dest)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
contentDir, err := overlay.TempDir(c.config.StaticDir, c.RootUID(), c.RootGID())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "failed to create TempDir in the %s directory", c.config.StaticDir)
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-12 14:16:12 +00:00
|
|
|
var overlayMount spec.Mount
|
2020-10-26 10:35:02 +00:00
|
|
|
if volume.ReadWrite {
|
|
|
|
|
overlayMount, err = overlay.Mount(contentDir, mountPoint, volume.Dest, c.RootUID(), c.RootGID(), c.runtime.store.GraphOptions())
|
|
|
|
|
} else {
|
|
|
|
|
overlayMount, err = overlay.MountReadOnly(contentDir, mountPoint, volume.Dest, c.RootUID(), c.RootGID(), c.runtime.store.GraphOptions())
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "creating overlay mount for image %q failed", volume.Source)
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(overlayMount)
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-20 12:45:20 +00:00
|
|
|
hasHomeSet := false
|
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
|
if strings.HasPrefix(s, "HOME=") {
|
|
|
|
|
hasHomeSet = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-02-16 13:15:21 +00:00
|
|
|
if !hasHomeSet && execUser.Home != "" {
|
2019-09-20 12:45:20 +00:00
|
|
|
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", execUser.Home))
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.config.User != "" {
|
|
|
|
|
// User and Group must go together
|
2018-10-25 18:39:25 +00:00
|
|
|
g.SetProcessUID(uint32(execUser.Uid))
|
|
|
|
|
g.SetProcessGID(uint32(execUser.Gid))
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-17 01:49:47 +00:00
|
|
|
if c.config.Umask != "" {
|
|
|
|
|
decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "Invalid Umask Value")
|
|
|
|
|
}
|
2020-08-19 11:18:19 +00:00
|
|
|
umask := uint32(decVal)
|
|
|
|
|
g.Config.Process.User.Umask = &umask
|
2020-07-17 01:49:47 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add addition groups if c.config.GroupAdd is not empty
|
|
|
|
|
if len(c.config.Groups) > 0 {
|
2020-02-27 21:08:29 +00:00
|
|
|
gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID())
|
|
|
|
|
}
|
2018-10-25 18:39:25 +00:00
|
|
|
for _, gid := range gids {
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddProcessAdditionalGid(gid)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-14 18:49:34 +00:00
|
|
|
if c.Systemd() {
|
2018-10-17 14:45:58 +00:00
|
|
|
if err := c.setupSystemd(g.Mounts(), g); err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error adding systemd-specific mounts")
|
|
|
|
|
}
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Look up and add groups the user belongs to, if a group wasn't directly specified
|
2020-10-01 14:52:58 +00:00
|
|
|
if !strings.Contains(c.config.User, ":") {
|
2020-10-02 07:25:12 +00:00
|
|
|
// the gidMappings that are present inside the container user namespace
|
|
|
|
|
var gidMappings []idtools.IDMap
|
|
|
|
|
|
|
|
|
|
switch {
|
|
|
|
|
case len(c.config.IDMappings.GIDMap) > 0:
|
|
|
|
|
gidMappings = c.config.IDMappings.GIDMap
|
|
|
|
|
case rootless.IsRootless():
|
|
|
|
|
// Check whether the current user namespace has enough gids available.
|
|
|
|
|
availableGids, err := rootless.GetAvailableGids()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "cannot read number of available GIDs")
|
|
|
|
|
}
|
|
|
|
|
gidMappings = []idtools.IDMap{{
|
|
|
|
|
ContainerID: 0,
|
|
|
|
|
HostID: 0,
|
|
|
|
|
Size: int(availableGids),
|
|
|
|
|
}}
|
|
|
|
|
default:
|
|
|
|
|
gidMappings = []idtools.IDMap{{
|
|
|
|
|
ContainerID: 0,
|
|
|
|
|
HostID: 0,
|
|
|
|
|
Size: math.MaxInt32,
|
|
|
|
|
}}
|
|
|
|
|
}
|
2018-10-24 15:39:12 +00:00
|
|
|
for _, gid := range execUser.Sgids {
|
2021-02-11 13:15:26 +00:00
|
|
|
isGIDAvailable := false
|
2020-10-02 07:25:12 +00:00
|
|
|
for _, m := range gidMappings {
|
|
|
|
|
if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
|
2021-02-11 13:15:26 +00:00
|
|
|
isGIDAvailable = true
|
2020-10-02 07:25:12 +00:00
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-02-11 13:15:26 +00:00
|
|
|
if isGIDAvailable {
|
2020-10-02 07:25:12 +00:00
|
|
|
g.AddProcessAdditionalGid(uint32(gid))
|
|
|
|
|
} else {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Warnf("Additional gid=%d is not present in the user namespace, skip setting it", gid)
|
2020-10-02 07:25:12 +00:00
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add shared namespaces from other containers
|
|
|
|
|
if c.config.IPCNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, IPCNS, c.config.IPCNsCtr, spec.IPCNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.MountNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, MountNS, c.config.MountNsCtr, spec.MountNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, NetNS, c.config.NetNsCtr, spec.NetworkNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.PIDNsCtr != "" {
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := c.addNamespaceContainer(&g, PIDNS, c.config.PIDNsCtr, spec.PIDNamespace); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.UserNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, UserNS, c.config.UserNsCtr, spec.UserNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-07-24 09:20:31 +00:00
|
|
|
if len(g.Config.Linux.UIDMappings) == 0 {
|
|
|
|
|
// runc complains if no mapping is specified, even if we join another ns. So provide a dummy mapping
|
|
|
|
|
g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
|
g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
|
|
|
|
|
}
|
2018-07-04 15:51:20 +00:00
|
|
|
}
|
2020-04-27 13:43:12 +00:00
|
|
|
|
2020-12-23 13:21:28 +00:00
|
|
|
availableUIDs, availableGIDs, err := rootless.GetAvailableIDMaps()
|
|
|
|
|
if err != nil {
|
2021-03-26 20:25:58 +00:00
|
|
|
if os.IsNotExist(err) {
|
|
|
|
|
// The kernel-provided files only exist if user namespaces are supported
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("User or group ID mappings not available: %s", err)
|
2021-03-26 20:25:58 +00:00
|
|
|
} else {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
g.Config.Linux.UIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.UIDMappings, availableUIDs)
|
|
|
|
|
g.Config.Linux.GIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.GIDMappings, availableGIDs)
|
2020-12-23 13:21:28 +00:00
|
|
|
}
|
|
|
|
|
|
2021-01-05 16:48:37 +00:00
|
|
|
// Hostname handling:
|
|
|
|
|
// If we have a UTS namespace, set Hostname in the OCI spec.
|
|
|
|
|
// Set the HOSTNAME environment variable unless explicitly overridden by
|
|
|
|
|
// the user (already present in OCI spec). If we don't have a UTS ns,
|
|
|
|
|
// set it to the host's hostname instead.
|
|
|
|
|
hostname := c.Hostname()
|
|
|
|
|
foundUTS := false
|
2020-12-23 13:21:28 +00:00
|
|
|
|
2020-04-27 13:43:12 +00:00
|
|
|
for _, i := range c.config.Spec.Linux.Namespaces {
|
2020-06-10 12:52:08 +00:00
|
|
|
if i.Type == spec.UTSNamespace && i.Path == "" {
|
2021-01-05 16:48:37 +00:00
|
|
|
foundUTS = true
|
2020-04-27 13:43:12 +00:00
|
|
|
g.SetHostname(hostname)
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-01-05 16:48:37 +00:00
|
|
|
if !foundUTS {
|
|
|
|
|
tmpHostname, err := os.Hostname()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
hostname = tmpHostname
|
|
|
|
|
}
|
|
|
|
|
needEnv := true
|
|
|
|
|
for _, checkEnv := range g.Config.Process.Env {
|
|
|
|
|
if strings.SplitN(checkEnv, "=", 2)[0] == "HOSTNAME" {
|
|
|
|
|
needEnv = false
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if needEnv {
|
|
|
|
|
g.AddProcessEnv("HOSTNAME", hostname)
|
|
|
|
|
}
|
2020-04-27 13:43:12 +00:00
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
if c.config.UTSNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, UTSNS, c.config.UTSNsCtr, spec.UTSNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.config.CgroupNsCtr != "" {
|
|
|
|
|
if err := c.addNamespaceContainer(&g, CgroupNS, c.config.CgroupNsCtr, spec.CgroupNamespace); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-01 21:23:40 +00:00
|
|
|
if c.config.UserNsCtr == "" && c.config.IDMappings.AutoUserNs {
|
2020-02-24 16:38:06 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
g.ClearLinuxUIDMappings()
|
|
|
|
|
for _, uidmap := range c.config.IDMappings.UIDMap {
|
|
|
|
|
g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
|
|
|
|
|
}
|
|
|
|
|
g.ClearLinuxGIDMappings()
|
|
|
|
|
for _, gidmap := range c.config.IDMappings.GIDMap {
|
|
|
|
|
g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-21 11:18:42 +00:00
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
2019-09-03 09:10:01 +00:00
|
|
|
g.AddAnnotation(annotations.Created, c.config.CreatedTime.Format(time.RFC3339Nano))
|
2018-07-04 15:51:20 +00:00
|
|
|
g.AddAnnotation("org.opencontainers.image.stopSignal", fmt.Sprintf("%d", c.config.StopSignal))
|
|
|
|
|
|
2019-09-03 09:10:01 +00:00
|
|
|
if _, exists := g.Config.Annotations[annotations.ContainerManager]; !exists {
|
|
|
|
|
g.AddAnnotation(annotations.ContainerManager, annotations.ContainerManagerLibpod)
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-10 18:45:56 +00:00
|
|
|
cgroupPath, err := c.getOCICgroupPath()
|
2019-06-19 12:22:09 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-10-10 18:45:56 +00:00
|
|
|
g.SetLinuxCgroupsPath(cgroupPath)
|
2018-07-04 15:51:20 +00:00
|
|
|
|
2021-03-30 00:21:00 +00:00
|
|
|
// Warning: CDI may alter g.Config in place.
|
|
|
|
|
if len(c.config.CDIDevices) > 0 {
|
2022-01-12 13:22:29 +00:00
|
|
|
registry := cdi.GetRegistry()
|
|
|
|
|
if errs := registry.GetErrors(); len(errs) > 0 {
|
|
|
|
|
logrus.Debugf("The following errors were triggered when creating the CDI registry: %v", errs)
|
|
|
|
|
}
|
|
|
|
|
_, err := registry.InjectDevices(g.Config, c.config.CDIDevices...)
|
|
|
|
|
if err != nil {
|
2021-03-30 00:21:00 +00:00
|
|
|
return nil, errors.Wrapf(err, "error setting up CDI devices")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-10 18:46:59 +00:00
|
|
|
// Mounts need to be sorted so paths will not cover other paths
|
|
|
|
|
mounts := sortMounts(g.Mounts())
|
|
|
|
|
g.ClearMounts()
|
2018-11-21 14:56:31 +00:00
|
|
|
|
|
|
|
|
// Determine property of RootPropagation based on volume properties. If
|
|
|
|
|
// a volume is shared, then keep root propagation shared. This should
|
|
|
|
|
// work for slave and private volumes too.
|
|
|
|
|
//
|
|
|
|
|
// For slave volumes, it can be either [r]shared/[r]slave.
|
|
|
|
|
//
|
|
|
|
|
// For private volumes any root propagation value should work.
|
|
|
|
|
rootPropagation := ""
|
2018-08-10 18:46:59 +00:00
|
|
|
for _, m := range mounts {
|
2019-03-08 20:33:12 +00:00
|
|
|
// We need to remove all symlinks from tmpfs mounts.
|
|
|
|
|
// Runc and other runtimes may choke on them.
|
|
|
|
|
// Easy solution: use securejoin to do a scoped evaluation of
|
|
|
|
|
// the links, then trim off the mount prefix.
|
|
|
|
|
if m.Type == "tmpfs" {
|
|
|
|
|
finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
|
|
|
|
|
}
|
|
|
|
|
trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
|
|
|
|
|
m.Destination = trimmedPath
|
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
g.AddMount(m)
|
2018-11-21 14:56:31 +00:00
|
|
|
for _, opt := range m.Options {
|
|
|
|
|
switch opt {
|
|
|
|
|
case MountShared, MountRShared:
|
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared {
|
|
|
|
|
rootPropagation = MountShared
|
|
|
|
|
}
|
|
|
|
|
case MountSlave, MountRSlave:
|
|
|
|
|
if rootPropagation != MountShared && rootPropagation != MountRShared && rootPropagation != MountSlave && rootPropagation != MountRSlave {
|
|
|
|
|
rootPropagation = MountRSlave
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if rootPropagation != "" {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Set root propagation to %q", rootPropagation)
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := g.SetLinuxRootPropagation(rootPropagation); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2018-08-10 18:46:59 +00:00
|
|
|
}
|
2018-11-19 17:22:32 +00:00
|
|
|
|
|
|
|
|
// Warning: precreate hooks may alter g.Config in place.
|
|
|
|
|
if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error setting up OCI Hooks")
|
|
|
|
|
}
|
2021-05-05 14:34:13 +00:00
|
|
|
if len(c.config.EnvSecrets) > 0 {
|
2021-05-14 20:29:44 +00:00
|
|
|
manager, err := c.runtime.SecretsManager()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-05-05 14:34:13 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
for name, secr := range c.config.EnvSecrets {
|
|
|
|
|
_, data, err := manager.LookupSecretData(secr.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
g.AddProcessEnv(name, string(data))
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-11-19 17:22:32 +00:00
|
|
|
|
2021-08-24 15:34:47 +00:00
|
|
|
// Pass down the LISTEN_* environment (see #10443).
|
|
|
|
|
for _, key := range []string{"LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"} {
|
|
|
|
|
if val, ok := os.LookupEnv(key); ok {
|
|
|
|
|
// Force the PID to `1` since we cannot rely on (all
|
|
|
|
|
// versions of) all runtimes to do it for us.
|
|
|
|
|
if key == "LISTEN_PID" {
|
|
|
|
|
val = "1"
|
|
|
|
|
}
|
|
|
|
|
g.AddProcessEnv(key, val)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
return g.Config, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-24 11:49:29 +00:00
|
|
|
// mountNotifySocket mounts the NOTIFY_SOCKET into the container if it's set
|
|
|
|
|
// and if the sdnotify mode is set to container. It also sets c.notifySocket
|
|
|
|
|
// to avoid redundantly looking up the env variable.
|
|
|
|
|
func (c *Container) mountNotifySocket(g generate.Generator) error {
|
|
|
|
|
notify, ok := os.LookupEnv("NOTIFY_SOCKET")
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
c.notifySocket = notify
|
|
|
|
|
|
|
|
|
|
if c.config.SdNotifyMode != define.SdNotifyModeContainer {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
notifyDir := filepath.Join(c.bundlePath(), "notify")
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Checking notify %q dir", notifyDir)
|
2021-03-24 11:49:29 +00:00
|
|
|
if err := os.MkdirAll(notifyDir, 0755); err != nil {
|
|
|
|
|
if !os.IsExist(err) {
|
|
|
|
|
return errors.Wrapf(err, "unable to create notify %q dir", notifyDir)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if err := label.Relabel(notifyDir, c.MountLabel(), true); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "relabel failed %q", notifyDir)
|
|
|
|
|
}
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Add bindmount notify %q dir", notifyDir)
|
2021-03-24 11:49:29 +00:00
|
|
|
if _, ok := c.state.BindMounts["/run/notify"]; !ok {
|
|
|
|
|
c.state.BindMounts["/run/notify"] = notifyDir
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the container's notify socket to the proxy socket created by conmon
|
|
|
|
|
g.AddProcessEnv("NOTIFY_SOCKET", "/run/notify/notify.sock")
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-15 19:42:12 +00:00
|
|
|
// systemd expects to have /run, /run/lock and /tmp on tmpfs
|
|
|
|
|
// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
|
2018-10-17 14:45:58 +00:00
|
|
|
func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
|
2022-03-23 18:12:07 +00:00
|
|
|
var containerUUIDSet bool
|
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
|
if strings.HasPrefix(s, "container_uuid=") {
|
|
|
|
|
containerUUIDSet = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !containerUUIDSet {
|
|
|
|
|
g.AddProcessEnv("container_uuid", c.ID()[:32])
|
|
|
|
|
}
|
2020-09-02 11:49:11 +00:00
|
|
|
options := []string{"rw", "rprivate", "nosuid", "nodev"}
|
2019-06-11 11:54:53 +00:00
|
|
|
for _, dest := range []string{"/run", "/run/lock"} {
|
2018-10-15 19:42:12 +00:00
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
|
Destination: dest,
|
|
|
|
|
Type: "tmpfs",
|
|
|
|
|
Source: "tmpfs",
|
2020-08-17 20:24:56 +00:00
|
|
|
Options: append(options, "tmpcopyup"),
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
|
}
|
|
|
|
|
for _, dest := range []string{"/tmp", "/var/log/journal"} {
|
|
|
|
|
if MountExists(mounts, dest) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
tmpfsMnt := spec.Mount{
|
|
|
|
|
Destination: dest,
|
|
|
|
|
Type: "tmpfs",
|
|
|
|
|
Source: "tmpfs",
|
|
|
|
|
Options: append(options, "tmpcopyup"),
|
|
|
|
|
}
|
|
|
|
|
g.AddMount(tmpfsMnt)
|
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
2019-07-31 07:03:00 +00:00
|
|
|
if unified {
|
2019-08-06 07:11:47 +00:00
|
|
|
g.RemoveMount("/sys/fs/cgroup")
|
|
|
|
|
|
2019-09-12 12:33:10 +00:00
|
|
|
hasCgroupNs := false
|
|
|
|
|
for _, ns := range c.config.Spec.Linux.Namespaces {
|
|
|
|
|
if ns.Type == spec.CgroupNamespace {
|
|
|
|
|
hasCgroupNs = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var systemdMnt spec.Mount
|
|
|
|
|
if hasCgroupNs {
|
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
|
Type: "cgroup",
|
|
|
|
|
Source: "cgroup",
|
|
|
|
|
Options: []string{"private", "rw"},
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
systemdMnt = spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup",
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: "/sys/fs/cgroup",
|
|
|
|
|
Options: []string{"bind", "private", "rw"},
|
|
|
|
|
}
|
2018-11-05 19:02:50 +00:00
|
|
|
}
|
|
|
|
|
g.AddMount(systemdMnt)
|
2018-11-05 21:48:29 +00:00
|
|
|
} else {
|
2020-10-24 08:50:33 +00:00
|
|
|
mountOptions := []string{"bind", "rprivate"}
|
|
|
|
|
|
|
|
|
|
var statfs unix.Statfs_t
|
|
|
|
|
if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil {
|
|
|
|
|
mountOptions = append(mountOptions, "nodev", "noexec", "nosuid")
|
|
|
|
|
} else {
|
|
|
|
|
if statfs.Flags&unix.MS_NODEV == unix.MS_NODEV {
|
|
|
|
|
mountOptions = append(mountOptions, "nodev")
|
|
|
|
|
}
|
|
|
|
|
if statfs.Flags&unix.MS_NOEXEC == unix.MS_NOEXEC {
|
|
|
|
|
mountOptions = append(mountOptions, "noexec")
|
|
|
|
|
}
|
|
|
|
|
if statfs.Flags&unix.MS_NOSUID == unix.MS_NOSUID {
|
|
|
|
|
mountOptions = append(mountOptions, "nosuid")
|
|
|
|
|
}
|
|
|
|
|
if statfs.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
|
|
|
|
|
mountOptions = append(mountOptions, "ro")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-06 07:11:47 +00:00
|
|
|
systemdMnt := spec.Mount{
|
|
|
|
|
Destination: "/sys/fs/cgroup/systemd",
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: "/sys/fs/cgroup/systemd",
|
2020-10-24 08:50:33 +00:00
|
|
|
Options: mountOptions,
|
2018-11-05 21:48:29 +00:00
|
|
|
}
|
2019-08-06 07:11:47 +00:00
|
|
|
g.AddMount(systemdMnt)
|
2019-10-25 19:50:29 +00:00
|
|
|
g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
2018-10-17 14:45:58 +00:00
|
|
|
|
|
|
|
|
return nil
|
2018-10-15 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
// Add an existing container's namespace to the spec
|
2019-07-23 09:56:00 +00:00
|
|
|
func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr string, specNS spec.LinuxNamespaceType) error {
|
2018-07-04 15:51:20 +00:00
|
|
|
nsCtr, err := c.runtime.state.Container(ctr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error retrieving dependency %s of container %s from state", ctr, c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-27 13:43:12 +00:00
|
|
|
if specNS == spec.UTSNamespace {
|
|
|
|
|
hostname := nsCtr.Hostname()
|
2020-06-10 12:52:08 +00:00
|
|
|
// Joining an existing namespace, cannot set the hostname
|
|
|
|
|
g.SetHostname("")
|
2020-04-27 13:43:12 +00:00
|
|
|
g.AddProcessEnv("HOSTNAME", hostname)
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-04 15:51:20 +00:00
|
|
|
nsPath, err := nsCtr.NamespacePath(ns)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-23 09:56:00 +00:00
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(specNS), nsPath); err != nil {
|
2018-07-04 15:51:20 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2022-04-12 17:46:32 +00:00
|
|
|
func (c *Container) addCheckpointImageMetadata(importBuilder *buildah.Builder) error {
|
|
|
|
|
// Get information about host environment
|
|
|
|
|
hostInfo, err := c.Runtime().hostInfo()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("getting host info: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
criuVersion, err := criu.GetCriuVestion()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("getting criu version: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rootfsImageID, rootfsImageName := c.Image()
|
|
|
|
|
|
|
|
|
|
// Add image annotations with information about the container and the host.
|
|
|
|
|
// This information is useful to check compatibility before restoring the checkpoint
|
|
|
|
|
|
|
|
|
|
checkpointImageAnnotations := map[string]string{
|
|
|
|
|
define.CheckpointAnnotationName: c.config.Name,
|
|
|
|
|
define.CheckpointAnnotationRawImageName: c.config.RawImageName,
|
|
|
|
|
define.CheckpointAnnotationRootfsImageID: rootfsImageID,
|
|
|
|
|
define.CheckpointAnnotationRootfsImageName: rootfsImageName,
|
|
|
|
|
define.CheckpointAnnotationPodmanVersion: version.Version.String(),
|
|
|
|
|
define.CheckpointAnnotationCriuVersion: strconv.Itoa(criuVersion),
|
|
|
|
|
define.CheckpointAnnotationRuntimeName: hostInfo.OCIRuntime.Name,
|
|
|
|
|
define.CheckpointAnnotationRuntimeVersion: hostInfo.OCIRuntime.Version,
|
|
|
|
|
define.CheckpointAnnotationConmonVersion: hostInfo.Conmon.Version,
|
|
|
|
|
define.CheckpointAnnotationHostArch: hostInfo.Arch,
|
|
|
|
|
define.CheckpointAnnotationHostKernel: hostInfo.Kernel,
|
|
|
|
|
define.CheckpointAnnotationCgroupVersion: hostInfo.CgroupsVersion,
|
|
|
|
|
define.CheckpointAnnotationDistributionVersion: hostInfo.Distribution.Version,
|
|
|
|
|
define.CheckpointAnnotationDistributionName: hostInfo.Distribution.Distribution,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for key, value := range checkpointImageAnnotations {
|
|
|
|
|
importBuilder.SetAnnotation(key, value)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) resolveCheckpointImageName(options *ContainerCheckpointOptions) error {
|
|
|
|
|
if options.CreateImage == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Resolve image name
|
|
|
|
|
resolvedImageName, err := c.runtime.LibimageRuntime().ResolveName(options.CreateImage)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
options.CreateImage = resolvedImageName
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) createCheckpointImage(ctx context.Context, options ContainerCheckpointOptions) error {
|
|
|
|
|
if options.CreateImage == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
logrus.Debugf("Create checkpoint image %s", options.CreateImage)
|
|
|
|
|
|
|
|
|
|
// Create storage reference
|
|
|
|
|
imageRef, err := is.Transport.ParseStoreReference(c.runtime.store, options.CreateImage)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Errorf("Failed to parse image name")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Build an image scratch
|
|
|
|
|
builderOptions := buildah.BuilderOptions{
|
|
|
|
|
FromImage: "scratch",
|
|
|
|
|
}
|
|
|
|
|
importBuilder, err := buildah.NewBuilder(ctx, c.runtime.store, builderOptions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
// Clean-up buildah working container
|
2022-04-27 12:28:38 +00:00
|
|
|
defer func() {
|
|
|
|
|
if err := importBuilder.Delete(); err != nil {
|
|
|
|
|
logrus.Errorf("Image builder delete failed: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
2022-04-12 17:46:32 +00:00
|
|
|
|
|
|
|
|
if err := c.prepareCheckpointExport(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Export checkpoint into temporary tar file
|
|
|
|
|
tmpDir, err := ioutil.TempDir("", "checkpoint_image_")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
|
|
|
|
|
|
options.TargetFile = path.Join(tmpDir, "checkpoint.tar")
|
|
|
|
|
|
|
|
|
|
if err := c.exportCheckpoint(options); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Copy checkpoint from temporary tar file in the image
|
|
|
|
|
addAndCopyOptions := buildah.AddAndCopyOptions{}
|
2022-04-27 12:28:38 +00:00
|
|
|
if err := importBuilder.Add("", true, addAndCopyOptions, options.TargetFile); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-04-12 17:46:32 +00:00
|
|
|
|
|
|
|
|
if err := c.addCheckpointImageMetadata(importBuilder); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
commitOptions := buildah.CommitOptions{
|
|
|
|
|
Squash: true,
|
|
|
|
|
SystemContext: c.runtime.imageContext,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create checkpoint image
|
|
|
|
|
id, _, _, err := importBuilder.Commit(ctx, imageRef, commitOptions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
logrus.Debugf("Created checkpoint image: %s", id)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-18 19:31:16 +00:00
|
|
|
func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
|
2021-07-12 11:43:45 +00:00
|
|
|
if len(c.Dependencies()) == 1 {
|
|
|
|
|
// Check if the dependency is an infra container. If it is we can checkpoint
|
|
|
|
|
// the container out of the Pod.
|
|
|
|
|
if c.config.Pod == "" {
|
|
|
|
|
return errors.Errorf("cannot export checkpoints of containers with dependencies")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pod, err := c.runtime.state.Pod(c.config.Pod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "container %s is in pod %s, but pod cannot be retrieved", c.ID(), c.config.Pod)
|
|
|
|
|
}
|
|
|
|
|
infraID, err := pod.InfraContainerID()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "cannot retrieve infra container ID for pod %s", c.config.Pod)
|
|
|
|
|
}
|
|
|
|
|
if c.Dependencies()[0] != infraID {
|
|
|
|
|
return errors.Errorf("cannot export checkpoints of containers with dependencies")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(c.Dependencies()) > 1 {
|
|
|
|
|
return errors.Errorf("cannot export checkpoints of containers with dependencies")
|
2019-02-06 19:22:46 +00:00
|
|
|
}
|
2020-12-18 19:31:16 +00:00
|
|
|
logrus.Debugf("Exporting checkpoint image of container %q to %q", c.ID(), options.TargetFile)
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2019-06-27 07:56:39 +00:00
|
|
|
includeFiles := []string{
|
|
|
|
|
"artifacts",
|
2021-12-20 19:28:24 +00:00
|
|
|
metadata.DevShmCheckpointTar,
|
2021-02-25 16:43:18 +00:00
|
|
|
metadata.ConfigDumpFile,
|
|
|
|
|
metadata.SpecDumpFile,
|
|
|
|
|
metadata.NetworkStatusFile,
|
2021-11-05 15:18:17 +00:00
|
|
|
stats.StatsDump,
|
2021-02-25 16:43:18 +00:00
|
|
|
}
|
2019-06-27 07:56:39 +00:00
|
|
|
|
2021-10-14 18:08:51 +00:00
|
|
|
if c.LogDriver() == define.KubernetesLogging ||
|
|
|
|
|
c.LogDriver() == define.JSONLogging {
|
|
|
|
|
includeFiles = append(includeFiles, "ctr.log")
|
|
|
|
|
}
|
2021-01-10 10:12:12 +00:00
|
|
|
if options.PreCheckPoint {
|
2021-06-10 12:27:09 +00:00
|
|
|
includeFiles = append(includeFiles, preCheckpointDir)
|
|
|
|
|
} else {
|
|
|
|
|
includeFiles = append(includeFiles, metadata.CheckpointDirectory)
|
2021-01-10 10:12:12 +00:00
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
// Get root file-system changes included in the checkpoint archive
|
2021-02-25 15:34:12 +00:00
|
|
|
var addToTarFiles []string
|
2020-12-18 19:31:16 +00:00
|
|
|
if !options.IgnoreRootfs {
|
2019-12-04 15:06:51 +00:00
|
|
|
// To correctly track deleted files, let's go through the output of 'podman diff'
|
2021-07-01 13:24:20 +00:00
|
|
|
rootFsChanges, err := c.runtime.GetDiff("", c.ID(), define.DiffContainer)
|
2019-06-27 07:56:39 +00:00
|
|
|
if err != nil {
|
2021-02-25 15:34:12 +00:00
|
|
|
return errors.Wrapf(err, "error exporting root file-system diff for %q", c.ID())
|
2019-06-27 07:56:39 +00:00
|
|
|
}
|
2019-12-04 15:06:51 +00:00
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
addToTarFiles, err := crutils.CRCreateRootFsDiffTar(&rootFsChanges, c.state.Mountpoint, c.bundlePath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
|
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
includeFiles = append(includeFiles, addToTarFiles...)
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-18 20:07:08 +00:00
|
|
|
// Folder containing archived volumes that will be included in the export
|
2022-04-12 17:46:32 +00:00
|
|
|
expVolDir := filepath.Join(c.bundlePath(), metadata.CheckpointVolumesDirectory)
|
2020-12-18 20:07:08 +00:00
|
|
|
|
|
|
|
|
// Create an archive for each volume associated with the container
|
|
|
|
|
if !options.IgnoreVolumes {
|
|
|
|
|
if err := os.MkdirAll(expVolDir, 0700); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating volumes export directory %q", expVolDir)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, v := range c.config.NamedVolumes {
|
2022-04-12 17:46:32 +00:00
|
|
|
volumeTarFilePath := filepath.Join(metadata.CheckpointVolumesDirectory, v.Name+".tar")
|
2020-12-18 20:07:08 +00:00
|
|
|
volumeTarFileFullPath := filepath.Join(c.bundlePath(), volumeTarFilePath)
|
|
|
|
|
|
|
|
|
|
volumeTarFile, err := os.Create(volumeTarFileFullPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating %q", volumeTarFileFullPath)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
volume, err := c.runtime.GetVolume(v.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
mp, err := volume.MountPoint()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if mp == "" {
|
|
|
|
|
return errors.Wrapf(define.ErrInternal, "volume %s is not mounted, cannot export", volume.Name())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
input, err := archive.TarWithOptions(mp, &archive.TarOptions{
|
2020-12-18 20:07:08 +00:00
|
|
|
Compression: archive.Uncompressed,
|
|
|
|
|
IncludeSourceDir: true,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error reading volume directory %q", v.Dest)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = io.Copy(volumeTarFile, input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
volumeTarFile.Close()
|
|
|
|
|
|
|
|
|
|
includeFiles = append(includeFiles, volumeTarFilePath)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{
|
2021-06-04 13:45:33 +00:00
|
|
|
Compression: options.Compression,
|
2019-02-06 19:17:25 +00:00
|
|
|
IncludeSourceDir: true,
|
2019-06-27 07:56:39 +00:00
|
|
|
IncludeFiles: includeFiles,
|
2019-02-06 19:17:25 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error reading checkpoint directory %q", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-18 19:31:16 +00:00
|
|
|
outFile, err := os.Create(options.TargetFile)
|
2019-02-06 19:17:25 +00:00
|
|
|
if err != nil {
|
2020-12-18 19:31:16 +00:00
|
|
|
return errors.Wrapf(err, "error creating checkpoint export file %q", options.TargetFile)
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
|
|
|
|
defer outFile.Close()
|
|
|
|
|
|
2020-12-18 19:31:16 +00:00
|
|
|
if err := os.Chmod(options.TargetFile, 0600); err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return err
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = io.Copy(outFile, input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
for _, file := range addToTarFiles {
|
|
|
|
|
os.Remove(filepath.Join(c.bundlePath(), file))
|
|
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2020-12-18 20:07:08 +00:00
|
|
|
if !options.IgnoreVolumes {
|
|
|
|
|
os.RemoveAll(expVolDir)
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:17:25 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-08 15:24:31 +00:00
|
|
|
func (c *Container) checkpointRestoreSupported(version int) error {
|
|
|
|
|
if !criu.CheckForCriu(version) {
|
|
|
|
|
return errors.Errorf("checkpoint/restore requires at least CRIU %d", version)
|
2019-02-28 17:24:08 +00:00
|
|
|
}
|
2019-10-08 17:53:36 +00:00
|
|
|
if !c.ociRuntime.SupportsCheckpoint() {
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
return errors.Errorf("configured runtime does not support checkpoint/restore")
|
2019-02-28 17:24:08 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointOptions) (*define.CRIUCheckpointRestoreStatistics, int64, error) {
|
2021-07-08 15:24:31 +00:00
|
|
|
if err := c.checkpointRestoreSupported(criu.MinCriuVersion); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
if c.state.State != define.ContainerStateRunning {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, errors.Wrapf(define.ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State)
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-28 19:04:35 +00:00
|
|
|
if c.AutoRemove() && options.TargetFile == "" {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, errors.Errorf("cannot checkpoint containers that have been started with '--rm' unless '--export' is used")
|
2019-11-28 19:04:35 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-12 17:46:32 +00:00
|
|
|
if err := c.resolveCheckpointImageName(&options); err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
if err := crutils.CRCreateFileWithLabel(c.bundlePath(), "dump.log", c.MountLabel()); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
2019-02-20 16:42:44 +00:00
|
|
|
|
2021-12-15 16:37:02 +00:00
|
|
|
// Setting CheckpointLog early in case there is a failure.
|
|
|
|
|
c.state.CheckpointLog = path.Join(c.bundlePath(), "dump.log")
|
|
|
|
|
c.state.CheckpointPath = c.CheckpointPath()
|
|
|
|
|
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
runtimeCheckpointDuration, err := c.ociRuntime.CheckpointContainer(c, options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-12-20 19:28:24 +00:00
|
|
|
// Keep the content of /dev/shm directory
|
|
|
|
|
if c.config.ShmDir != "" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
|
|
|
|
|
shmDirTarFileFullPath := filepath.Join(c.bundlePath(), metadata.DevShmCheckpointTar)
|
|
|
|
|
|
|
|
|
|
shmDirTarFile, err := os.Create(shmDirTarFileFullPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
defer shmDirTarFile.Close()
|
|
|
|
|
|
|
|
|
|
input, err := archive.TarWithOptions(c.config.ShmDir, &archive.TarOptions{
|
|
|
|
|
Compression: archive.Uncompressed,
|
|
|
|
|
IncludeSourceDir: true,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, err = io.Copy(shmDirTarFile, input); err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Save network.status. This is needed to restore the container with
|
|
|
|
|
// the same IP. Currently limited to one IP address in a container
|
|
|
|
|
// with one interface.
|
2021-08-16 14:11:26 +00:00
|
|
|
// FIXME: will this break something?
|
|
|
|
|
if _, err := metadata.WriteJSONFile(c.getNetworkStatus(), c.bundlePath(), metadata.NetworkStatusFile); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
Add ContainerStateRemoving
When Libpod removes a container, there is the possibility that
removal will not fully succeed. The most notable problems are
storage issues, where the container cannot be removed from
c/storage.
When this occurs, we were faced with a choice. We can keep the
container in the state, appearing in `podman ps` and available for
other API operations, but likely unable to do any of them as it's
been partially removed. Or we can remove it very early and clean
up after it's already gone. We have, until now, used the second
approach.
The problem that arises is intermittent problems removing
storage. We end up removing a container, failing to remove its
storage, and ending up with a container permanently stuck in
c/storage that we can't remove with the normal Podman CLI, can't
use the name of, and generally can't interact with. A notable
cause is when Podman is hit by a SIGKILL midway through removal,
which can consistently cause `podman rm` to fail to remove
storage.
We now add a new state for containers that are in the process of
being removed, ContainerStateRemoving. We set this at the
beginning of the removal process. It notifies Podman that the
container cannot be used anymore, but preserves it in the DB
until it is fully removed. This will allow Remove to be run on
these containers again, which should successfully remove storage
if it fails.
Fixes #3906
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-11-11 14:52:13 +00:00
|
|
|
defer c.newContainerEvent(events.Checkpoint)
|
|
|
|
|
|
2021-01-10 10:12:12 +00:00
|
|
|
// There is a bug from criu: https://github.com/checkpoint-restore/criu/issues/116
|
|
|
|
|
// We have to change the symbolic link from absolute path to relative path
|
|
|
|
|
if options.WithPrevious {
|
|
|
|
|
os.Remove(path.Join(c.CheckpointPath(), "parent"))
|
|
|
|
|
if err := os.Symlink("../pre-checkpoint", path.Join(c.CheckpointPath(), "parent")); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
2021-01-10 10:12:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
2021-02-25 16:43:18 +00:00
|
|
|
if err := c.exportCheckpoint(options); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
2019-02-06 19:22:46 +00:00
|
|
|
}
|
2022-04-12 17:46:32 +00:00
|
|
|
} else {
|
|
|
|
|
if err := c.createCheckpointImage(ctx, options); err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
2019-02-06 19:22:46 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
logrus.Debugf("Checkpointed container %s", c.ID())
|
|
|
|
|
|
2021-01-10 10:12:12 +00:00
|
|
|
if !options.KeepRunning && !options.PreCheckPoint {
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateStopped
|
2021-09-07 18:16:01 +00:00
|
|
|
c.state.Checkpointed = true
|
2021-12-15 16:37:02 +00:00
|
|
|
c.state.CheckpointedTime = time.Now()
|
|
|
|
|
c.state.Restored = false
|
|
|
|
|
c.state.RestoredTime = time.Time{}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-20 15:34:15 +00:00
|
|
|
// Cleanup Storage and Network
|
|
|
|
|
if err := c.cleanup(ctx); err != nil {
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
criuStatistics, err := func() (*define.CRIUCheckpointRestoreStatistics, error) {
|
|
|
|
|
if !options.PrintStats {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
statsDirectory, err := os.Open(c.bundlePath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "Not able to open %q", c.bundlePath())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dumpStatistics, err := stats.CriuGetDumpStats(statsDirectory)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrap(err, "Displaying checkpointing statistics not possible")
|
2018-11-20 15:34:15 +00:00
|
|
|
}
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
|
|
|
|
|
return &define.CRIUCheckpointRestoreStatistics{
|
|
|
|
|
FreezingTime: dumpStatistics.GetFreezingTime(),
|
|
|
|
|
FrozenTime: dumpStatistics.GetFrozenTime(),
|
|
|
|
|
MemdumpTime: dumpStatistics.GetMemdumpTime(),
|
|
|
|
|
MemwriteTime: dumpStatistics.GetMemwriteTime(),
|
|
|
|
|
PagesScanned: dumpStatistics.GetPagesScanned(),
|
|
|
|
|
PagesWritten: dumpStatistics.GetPagesWritten(),
|
|
|
|
|
}, nil
|
|
|
|
|
}()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-01-10 10:12:12 +00:00
|
|
|
if !options.Keep && !options.PreCheckPoint {
|
2019-02-06 19:17:25 +00:00
|
|
|
cleanup := []string{
|
|
|
|
|
"dump.log",
|
2021-11-05 15:18:17 +00:00
|
|
|
stats.StatsDump,
|
2021-02-25 16:43:18 +00:00
|
|
|
metadata.ConfigDumpFile,
|
|
|
|
|
metadata.SpecDumpFile,
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
|
|
|
|
if err := os.Remove(file); err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Unable to remove file %s", file)
|
2019-07-03 20:37:17 +00:00
|
|
|
}
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
2021-12-15 16:37:02 +00:00
|
|
|
// The file has been deleted. Do not mention it.
|
|
|
|
|
c.state.CheckpointLog = ""
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2019-07-05 13:23:09 +00:00
|
|
|
c.state.FinishedTime = time.Now()
|
Added optional container checkpointing statistics
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-11-09 09:15:50 +00:00
|
|
|
return criuStatistics, runtimeCheckpointDuration, c.save()
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-12 17:46:32 +00:00
|
|
|
func (c *Container) generateContainerSpec() error {
|
2019-02-06 19:17:25 +00:00
|
|
|
// Make sure the newly created config.json exists on disk
|
2022-04-22 09:51:53 +00:00
|
|
|
|
|
|
|
|
// NewFromSpec() is deprecated according to its comment
|
|
|
|
|
// however the recommended replace just causes a nil map panic
|
|
|
|
|
//nolint:staticcheck
|
2021-10-25 11:22:11 +00:00
|
|
|
g := generate.NewFromSpec(c.config.Spec)
|
|
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
if err := c.saveSpec(g.Config); err != nil {
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
return errors.Wrap(err, "saving imported container specification for restore failed")
|
2019-02-06 19:17:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-12 17:46:32 +00:00
|
|
|
func (c *Container) importCheckpointImage(ctx context.Context, imageID string) error {
|
|
|
|
|
img, _, err := c.Runtime().LibimageRuntime().LookupImage(imageID, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mountPoint, err := img.Mount(ctx, nil, "")
|
2022-04-27 12:28:38 +00:00
|
|
|
defer func() {
|
|
|
|
|
if err := c.unmount(true); err != nil {
|
|
|
|
|
logrus.Errorf("Failed to unmount container: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
2022-04-12 17:46:32 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Import all checkpoint files except ConfigDumpFile and SpecDumpFile. We
|
|
|
|
|
// generate new container config files to enable to specifying a new
|
|
|
|
|
// container name.
|
|
|
|
|
checkpoint := []string{
|
|
|
|
|
"artifacts",
|
|
|
|
|
metadata.CheckpointDirectory,
|
|
|
|
|
metadata.CheckpointVolumesDirectory,
|
|
|
|
|
metadata.DevShmCheckpointTar,
|
|
|
|
|
metadata.RootFsDiffTar,
|
|
|
|
|
metadata.DeletedFilesFile,
|
|
|
|
|
metadata.PodOptionsFile,
|
|
|
|
|
metadata.PodDumpFile,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, name := range checkpoint {
|
|
|
|
|
src := filepath.Join(mountPoint, name)
|
|
|
|
|
dst := filepath.Join(c.bundlePath(), name)
|
|
|
|
|
if err := archive.NewDefaultArchiver().CopyWithTar(src, dst); err != nil {
|
|
|
|
|
logrus.Debugf("Can't import '%s' from checkpoint image", name)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return c.generateContainerSpec()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) importCheckpointTar(input string) error {
|
|
|
|
|
if err := crutils.CRImportCheckpointWithoutConfig(c.bundlePath(), input); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return c.generateContainerSpec()
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-10 10:12:12 +00:00
|
|
|
func (c *Container) importPreCheckpoint(input string) error {
|
|
|
|
|
archiveFile, err := os.Open(input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrap(err, "failed to open pre-checkpoint archive for import")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer archiveFile.Close()
|
|
|
|
|
|
|
|
|
|
err = archive.Untar(archiveFile, c.bundlePath(), nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "Unpacking of pre-checkpoint archive %s failed", input)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-09 21:21:07 +00:00
|
|
|
func (c *Container) restore(ctx context.Context, options ContainerCheckpointOptions) (criuStatistics *define.CRIUCheckpointRestoreStatistics, runtimeRestoreDuration int64, retErr error) {
|
2021-07-12 11:43:45 +00:00
|
|
|
minCriuVersion := func() int {
|
|
|
|
|
if options.Pod == "" {
|
|
|
|
|
return criu.MinCriuVersion
|
|
|
|
|
}
|
|
|
|
|
return criu.PodCriuVersion
|
|
|
|
|
}()
|
|
|
|
|
if err := c.checkpointRestoreSupported(minCriuVersion); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2018-10-02 13:38:28 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-12 11:43:45 +00:00
|
|
|
if options.Pod != "" && !crutils.CRRuntimeSupportsPodCheckpointRestore(c.ociRuntime.Path()) {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Errorf("runtime %s does not support pod restore", c.ociRuntime.Path())
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
|
Add ContainerStateRemoving
When Libpod removes a container, there is the possibility that
removal will not fully succeed. The most notable problems are
storage issues, where the container cannot be removed from
c/storage.
When this occurs, we were faced with a choice. We can keep the
container in the state, appearing in `podman ps` and available for
other API operations, but likely unable to do any of them as it's
been partially removed. Or we can remove it very early and clean
up after it's already gone. We have, until now, used the second
approach.
The problem that arises is intermittent problems removing
storage. We end up removing a container, failing to remove its
storage, and ending up with a container permanently stuck in
c/storage that we can't remove with the normal Podman CLI, can't
use the name of, and generally can't interact with. A notable
cause is when Podman is hit by a SIGKILL midway through removal,
which can consistently cause `podman rm` to fail to remove
storage.
We now add a new state for containers that are in the process of
being removed, ContainerStateRemoving. We set this at the
beginning of the removal process. It notifies Podman that the
container cannot be used anymore, but preserves it in the DB
until it is fully removed. This will allow Remove to be run on
these containers again, which should successfully remove storage
if it fails.
Fixes #3906
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-11-11 14:52:13 +00:00
|
|
|
if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateExited) {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(define.ErrCtrStateInvalid, "container %s is running or paused, cannot restore", c.ID())
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-01-10 10:12:12 +00:00
|
|
|
if options.ImportPrevious != "" {
|
|
|
|
|
if err := c.importPreCheckpoint(options.ImportPrevious); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-01-10 10:12:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if options.TargetFile != "" {
|
2022-04-12 17:46:32 +00:00
|
|
|
if err := c.importCheckpointTar(options.TargetFile); err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
} else if options.CheckpointImageID != "" {
|
|
|
|
|
if err := c.importCheckpointImage(ctx, options.CheckpointImageID); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-02-06 19:22:46 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Let's try to stat() CRIU's inventory file. If it does not exist, it makes
|
|
|
|
|
// no sense to try a restore. This is a minimal check if a checkpoint exist.
|
|
|
|
|
if _, err := os.Stat(filepath.Join(c.CheckpointPath(), "inventory.img")); os.IsNotExist(err) {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "a complete checkpoint for this container cannot be found, cannot restore")
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-02-25 15:34:12 +00:00
|
|
|
if err := crutils.CRCreateFileWithLabel(c.bundlePath(), "restore.log", c.MountLabel()); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-04-12 13:12:38 +00:00
|
|
|
}
|
|
|
|
|
|
2021-12-15 16:37:02 +00:00
|
|
|
// Setting RestoreLog early in case there is a failure.
|
|
|
|
|
c.state.RestoreLog = path.Join(c.bundlePath(), "restore.log")
|
|
|
|
|
c.state.CheckpointPath = c.CheckpointPath()
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read network configuration from checkpoint
|
2021-08-16 14:11:26 +00:00
|
|
|
var netStatus map[string]types.StatusBlock
|
|
|
|
|
_, err := metadata.ReadJSONFile(&netStatus, c.bundlePath(), metadata.NetworkStatusFile)
|
|
|
|
|
if err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Infof("Failed to unmarshal network status, cannot restore the same ip/mac: %v", err)
|
2021-08-16 14:11:26 +00:00
|
|
|
}
|
2019-03-14 07:57:16 +00:00
|
|
|
// If the restored container should get a new name, the IP address of
|
|
|
|
|
// the container will not be restored. This assumes that if a new name is
|
|
|
|
|
// specified, the container is restored multiple times.
|
|
|
|
|
// TODO: This implicit restoring with or without IP depending on an
|
|
|
|
|
// unrelated restore parameter (--name) does not seem like the
|
|
|
|
|
// best solution.
|
2019-09-17 22:26:48 +00:00
|
|
|
if err == nil && options.Name == "" && (!options.IgnoreStaticIP || !options.IgnoreStaticMAC) {
|
2018-09-18 09:56:19 +00:00
|
|
|
// The file with the network.status does exist. Let's restore the
|
2021-08-16 14:11:26 +00:00
|
|
|
// container with the same networks settings as during checkpointing.
|
2021-12-07 18:04:13 +00:00
|
|
|
networkOpts, err := c.networks()
|
2021-08-16 14:11:26 +00:00
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
2021-12-07 18:04:13 +00:00
|
|
|
|
2021-08-16 14:11:26 +00:00
|
|
|
netOpts := make(map[string]types.PerNetworkOptions, len(netStatus))
|
2021-12-07 18:04:13 +00:00
|
|
|
for network, perNetOpts := range networkOpts {
|
|
|
|
|
// unset mac and ips before we start adding the ones from the status
|
|
|
|
|
perNetOpts.StaticMAC = nil
|
|
|
|
|
perNetOpts.StaticIPs = nil
|
|
|
|
|
for name, netInt := range netStatus[network].Interfaces {
|
|
|
|
|
perNetOpts.InterfaceName = name
|
|
|
|
|
if !options.IgnoreStaticIP {
|
2021-08-16 14:11:26 +00:00
|
|
|
perNetOpts.StaticMAC = netInt.MacAddress
|
|
|
|
|
}
|
|
|
|
|
if !options.IgnoreStaticIP {
|
2021-11-16 17:49:23 +00:00
|
|
|
for _, netAddress := range netInt.Subnets {
|
|
|
|
|
perNetOpts.StaticIPs = append(perNetOpts.StaticIPs, netAddress.IPNet.IP)
|
2021-08-16 14:11:26 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Normally interfaces have a length of 1, only for some special cni configs we could get more.
|
|
|
|
|
// For now just use the first interface to get the ips this should be good enough for most cases.
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
netOpts[network] = perNetOpts
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
2021-08-16 14:11:26 +00:00
|
|
|
c.perNetworkOpts = netOpts
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer func() {
|
2020-07-09 17:50:01 +00:00
|
|
|
if retErr != nil {
|
|
|
|
|
if err := c.cleanup(ctx); err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Errorf("Cleaning up container %s: %v", c.ID(), err)
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
|
2018-11-07 16:44:33 +00:00
|
|
|
if err := c.prepare(); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2018-11-07 16:44:33 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Read config
|
|
|
|
|
jsonPath := filepath.Join(c.bundlePath(), "config.json")
|
|
|
|
|
logrus.Debugf("generate.NewFromFile at %v", jsonPath)
|
|
|
|
|
g, err := generate.NewFromFile(jsonPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("generate.NewFromFile failed with %v", err)
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Restoring from an import means that we are doing migration
|
2022-04-12 17:46:32 +00:00
|
|
|
if options.TargetFile != "" || options.CheckpointImageID != "" {
|
2019-02-06 19:22:46 +00:00
|
|
|
g.SetRootPath(c.state.Mountpoint)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// We want to have the same network namespace as before.
|
|
|
|
|
if c.config.CreateNetNS {
|
2019-11-09 23:23:30 +00:00
|
|
|
netNSPath := ""
|
|
|
|
|
if !c.config.PostConfigureNetNS {
|
|
|
|
|
netNSPath = c.state.NetNS.Path()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), netNSPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-07-03 20:37:17 +00:00
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-12 11:43:45 +00:00
|
|
|
if options.Pod != "" {
|
|
|
|
|
// Running in a Pod means that we have to change all namespace settings to
|
|
|
|
|
// the ones from the infrastructure container.
|
|
|
|
|
pod, err := c.runtime.LookupPod(options.Pod)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "pod %q cannot be retrieved", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
infraContainer, err := pod.InfraContainer()
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieved infra container from pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
infraContainer.lock.Lock()
|
|
|
|
|
if err := infraContainer.syncContainer(); err != nil {
|
|
|
|
|
infraContainer.lock.Unlock()
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "Error syncing infrastructure container %s status", infraContainer.ID())
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if infraContainer.state.State != define.ContainerStateRunning {
|
|
|
|
|
if err := infraContainer.initAndStart(ctx); err != nil {
|
|
|
|
|
infraContainer.lock.Unlock()
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "Error starting infrastructure container %s status", infraContainer.ID())
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
infraContainer.lock.Unlock()
|
|
|
|
|
|
|
|
|
|
if c.config.IPCNsCtr != "" {
|
|
|
|
|
nsPath, err := infraContainer.namespacePath(IPCNS)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieve IPC namespace path for Pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.IPCNamespace), nsPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.config.NetNsCtr != "" {
|
|
|
|
|
nsPath, err := infraContainer.namespacePath(NetNS)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieve network namespace path for Pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), nsPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.config.PIDNsCtr != "" {
|
|
|
|
|
nsPath, err := infraContainer.namespacePath(PIDNS)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieve PID namespace path for Pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.PIDNamespace), nsPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.config.UTSNsCtr != "" {
|
|
|
|
|
nsPath, err := infraContainer.namespacePath(UTSNS)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieve UTS namespace path for Pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.UTSNamespace), nsPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.config.CgroupNsCtr != "" {
|
|
|
|
|
nsPath, err := infraContainer.namespacePath(CgroupNS)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "cannot retrieve Cgroup namespace path for Pod %q", options.Pod)
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
if err := g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), nsPath); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2021-07-12 11:43:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
if err := c.makeBindMounts(); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-12 17:46:32 +00:00
|
|
|
if options.TargetFile != "" || options.CheckpointImageID != "" {
|
2019-02-06 19:22:46 +00:00
|
|
|
for dstPath, srcPath := range c.state.BindMounts {
|
|
|
|
|
newMount := spec.Mount{
|
|
|
|
|
Type: "bind",
|
|
|
|
|
Source: srcPath,
|
|
|
|
|
Destination: dstPath,
|
|
|
|
|
Options: []string{"bind", "private"},
|
|
|
|
|
}
|
|
|
|
|
if c.IsReadOnly() && dstPath != "/dev/shm" {
|
|
|
|
|
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
|
|
|
|
|
}
|
2022-02-02 09:03:13 +00:00
|
|
|
if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
|
|
|
|
|
newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
|
|
|
|
|
}
|
2019-02-06 19:22:46 +00:00
|
|
|
if !MountExists(g.Mounts(), dstPath) {
|
|
|
|
|
g.AddMount(newMount)
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-12-20 19:28:24 +00:00
|
|
|
// Restore /dev/shm content
|
|
|
|
|
if c.config.ShmDir != "" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
|
|
|
|
|
shmDirTarFileFullPath := filepath.Join(c.bundlePath(), metadata.DevShmCheckpointTar)
|
|
|
|
|
if _, err := os.Stat(shmDirTarFileFullPath); err != nil {
|
|
|
|
|
logrus.Debug("Container checkpoint doesn't contain dev/shm: ", err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
shmDirTarFile, err := os.Open(shmDirTarFileFullPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
defer shmDirTarFile.Close()
|
|
|
|
|
|
|
|
|
|
if err := archive.UntarUncompressed(shmDirTarFile, c.config.ShmDir, nil); err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 09:56:19 +00:00
|
|
|
// Cleanup for a working restore.
|
2019-07-03 20:37:17 +00:00
|
|
|
if err := c.removeConmonFiles(); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-07-03 20:37:17 +00:00
|
|
|
}
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2019-02-06 19:22:46 +00:00
|
|
|
// Save the OCI spec to disk
|
2019-07-11 10:44:12 +00:00
|
|
|
if err := c.saveSpec(g.Config); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-02-06 19:22:46 +00:00
|
|
|
}
|
2019-06-27 06:16:32 +00:00
|
|
|
|
2020-12-18 20:07:08 +00:00
|
|
|
// When restoring from an imported archive, allow restoring the content of volumes.
|
|
|
|
|
// Volumes are created in setupContainer()
|
2022-04-12 17:46:32 +00:00
|
|
|
if !options.IgnoreVolumes && (options.TargetFile != "" || options.CheckpointImageID != "") {
|
2020-12-18 20:07:08 +00:00
|
|
|
for _, v := range c.config.NamedVolumes {
|
2022-04-12 17:46:32 +00:00
|
|
|
volumeFilePath := filepath.Join(c.bundlePath(), metadata.CheckpointVolumesDirectory, v.Name+".tar")
|
2020-12-18 20:07:08 +00:00
|
|
|
|
|
|
|
|
volumeFile, err := os.Open(volumeFilePath)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "failed to open volume file %s", volumeFilePath)
|
2020-12-18 20:07:08 +00:00
|
|
|
}
|
|
|
|
|
defer volumeFile.Close()
|
|
|
|
|
|
|
|
|
|
volume, err := c.runtime.GetVolume(v.Name)
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "failed to retrieve volume %s", v.Name)
|
2020-12-18 20:07:08 +00:00
|
|
|
}
|
|
|
|
|
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
mountPoint, err := volume.MountPoint()
|
|
|
|
|
if err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
}
|
|
|
|
|
if mountPoint == "" {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "unable to import volume %s as it is not mounted", volume.Name())
|
Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-12-04 21:24:56 +00:00
|
|
|
}
|
2020-12-18 20:07:08 +00:00
|
|
|
if err := archive.UntarUncompressed(volumeFile, mountPoint, nil); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, errors.Wrapf(err, "Failed to extract volume %s to %s", volumeFilePath, mountPoint)
|
2020-12-18 20:07:08 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-27 06:16:32 +00:00
|
|
|
// Before actually restarting the container, apply the root file-system changes
|
2019-06-27 07:56:39 +00:00
|
|
|
if !options.IgnoreRootfs {
|
2021-02-25 15:34:12 +00:00
|
|
|
if err := crutils.CRApplyRootFsDiffTar(c.bundlePath(), c.state.Mountpoint); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-12-04 15:06:51 +00:00
|
|
|
}
|
2021-02-25 15:34:12 +00:00
|
|
|
|
|
|
|
|
if err := crutils.CRRemoveDeletedFiles(c.ID(), c.bundlePath(), c.state.Mountpoint); err != nil {
|
2021-11-09 21:21:07 +00:00
|
|
|
return nil, 0, err
|
2019-06-27 06:16:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-09 21:21:07 +00:00
|
|
|
runtimeRestoreDuration, err = c.ociRuntime.CreateContainer(c, &options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
criuStatistics, err = func() (*define.CRIUCheckpointRestoreStatistics, error) {
|
|
|
|
|
if !options.PrintStats {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
statsDirectory, err := os.Open(c.bundlePath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "Not able to open %q", c.bundlePath())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
restoreStatistics, err := stats.CriuGetRestoreStats(statsDirectory)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrap(err, "Displaying restore statistics not possible")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &define.CRIUCheckpointRestoreStatistics{
|
|
|
|
|
PagesCompared: restoreStatistics.GetPagesCompared(),
|
|
|
|
|
PagesSkippedCow: restoreStatistics.GetPagesSkippedCow(),
|
|
|
|
|
ForkingTime: restoreStatistics.GetForkingTime(),
|
|
|
|
|
RestoreTime: restoreStatistics.GetRestoreTime(),
|
|
|
|
|
PagesRestored: restoreStatistics.GetPagesRestored(),
|
|
|
|
|
}, nil
|
|
|
|
|
}()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, 0, err
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logrus.Debugf("Restored container %s", c.ID())
|
|
|
|
|
|
2019-06-25 13:40:19 +00:00
|
|
|
c.state.State = define.ContainerStateRunning
|
2021-10-27 13:38:43 +00:00
|
|
|
c.state.Checkpointed = false
|
2021-12-15 16:37:02 +00:00
|
|
|
c.state.Restored = true
|
|
|
|
|
c.state.CheckpointedTime = time.Time{}
|
|
|
|
|
c.state.RestoredTime = time.Now()
|
2018-09-18 09:56:19 +00:00
|
|
|
|
2018-11-21 13:09:17 +00:00
|
|
|
if !options.Keep {
|
2018-09-18 09:56:19 +00:00
|
|
|
// Delete all checkpoint related files. At this point, in theory, all files
|
|
|
|
|
// should exist. Still ignoring errors for now as the container should be
|
|
|
|
|
// restored and running. Not erroring out just because some cleanup operation
|
|
|
|
|
// failed. Starting with the checkpoint directory
|
|
|
|
|
err = os.RemoveAll(c.CheckpointPath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint directory (%s) failed: %v", c.CheckpointPath(), err)
|
|
|
|
|
}
|
2021-12-15 16:37:02 +00:00
|
|
|
c.state.CheckpointPath = ""
|
2021-01-10 10:12:12 +00:00
|
|
|
err = os.RemoveAll(c.PreCheckPointPath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of pre-checkpoint directory (%s) failed: %v", c.PreCheckPointPath(), err)
|
|
|
|
|
}
|
2022-04-12 17:46:32 +00:00
|
|
|
err = os.RemoveAll(c.CheckpointVolumesPath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint volumes directory (%s) failed: %v", c.CheckpointVolumesPath(), err)
|
|
|
|
|
}
|
2021-02-25 16:43:18 +00:00
|
|
|
cleanup := [...]string{
|
|
|
|
|
"restore.log",
|
|
|
|
|
"dump.log",
|
2021-11-05 15:18:17 +00:00
|
|
|
stats.StatsDump,
|
|
|
|
|
stats.StatsRestore,
|
2022-04-12 17:46:32 +00:00
|
|
|
metadata.DevShmCheckpointTar,
|
2021-02-25 16:43:18 +00:00
|
|
|
metadata.NetworkStatusFile,
|
|
|
|
|
metadata.RootFsDiffTar,
|
|
|
|
|
metadata.DeletedFilesFile,
|
|
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, del := range cleanup {
|
|
|
|
|
file := filepath.Join(c.bundlePath(), del)
|
2018-09-18 09:56:19 +00:00
|
|
|
err = os.Remove(file)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logrus.Debugf("Non-fatal: removal of checkpoint file (%s) failed: %v", file, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-12-15 16:37:02 +00:00
|
|
|
c.state.CheckpointLog = ""
|
|
|
|
|
c.state.RestoreLog = ""
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-11-09 21:21:07 +00:00
|
|
|
return criuStatistics, runtimeRestoreDuration, c.save()
|
2018-09-18 09:56:19 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2021-01-28 03:13:23 +00:00
|
|
|
// Retrieves a container's "root" net namespace container dependency.
|
|
|
|
|
func (c *Container) getRootNetNsDepCtr() (depCtr *Container, err error) {
|
|
|
|
|
containersVisited := map[string]int{c.config.ID: 1}
|
|
|
|
|
nextCtr := c.config.NetNsCtr
|
|
|
|
|
for nextCtr != "" {
|
|
|
|
|
// Make sure we aren't in a loop
|
|
|
|
|
if _, visited := containersVisited[nextCtr]; visited {
|
|
|
|
|
return nil, errors.New("loop encountered while determining net namespace container")
|
|
|
|
|
}
|
|
|
|
|
containersVisited[nextCtr] = 1
|
|
|
|
|
|
|
|
|
|
depCtr, err = c.runtime.state.Container(nextCtr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
|
|
|
|
|
}
|
|
|
|
|
// This should never happen without an error
|
|
|
|
|
if depCtr == nil {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
nextCtr = depCtr.config.NetNsCtr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if depCtr == nil {
|
|
|
|
|
return nil, errors.New("unexpected error depCtr is nil without reported error from runtime state")
|
|
|
|
|
}
|
|
|
|
|
return depCtr, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-12 11:45:49 +00:00
|
|
|
// Ensure standard bind mounts are mounted into all root directories (including chroot directories)
|
|
|
|
|
func (c *Container) mountIntoRootDirs(mountName string, mountPath string) error {
|
|
|
|
|
c.state.BindMounts[mountName] = mountPath
|
|
|
|
|
|
|
|
|
|
for _, chrootDir := range c.config.ChrootDirs {
|
|
|
|
|
c.state.BindMounts[filepath.Join(chrootDir, mountName)] = mountPath
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Make standard bind mounts to include in the container
|
|
|
|
|
func (c *Container) makeBindMounts() error {
|
|
|
|
|
if err := os.Chown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return errors.Wrap(err, "cannot chown run directory")
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.state.BindMounts == nil {
|
|
|
|
|
c.state.BindMounts = make(map[string]string)
|
|
|
|
|
}
|
2018-12-06 19:56:57 +00:00
|
|
|
netDisabled, err := c.NetworkDisabled()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2018-12-06 19:56:57 +00:00
|
|
|
if !netDisabled {
|
2018-12-11 21:53:12 +00:00
|
|
|
// If /etc/resolv.conf and /etc/hosts exist, delete them so we
|
2019-03-10 16:16:30 +00:00
|
|
|
// will recreate. Only do this if we aren't sharing them with
|
|
|
|
|
// another container.
|
|
|
|
|
if c.config.NetNsCtr == "" {
|
2019-07-03 20:37:17 +00:00
|
|
|
if resolvePath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok {
|
|
|
|
|
if err := os.Remove(resolvePath); err != nil && !os.IsNotExist(err) {
|
2020-10-28 17:16:42 +00:00
|
|
|
return errors.Wrapf(err, "container %s", c.ID())
|
2019-03-10 16:16:30 +00:00
|
|
|
}
|
|
|
|
|
delete(c.state.BindMounts, "/etc/resolv.conf")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
if hostsPath, ok := c.state.BindMounts["/etc/hosts"]; ok {
|
|
|
|
|
if err := os.Remove(hostsPath); err != nil && !os.IsNotExist(err) {
|
2020-10-28 17:16:42 +00:00
|
|
|
return errors.Wrapf(err, "container %s", c.ID())
|
2019-03-10 16:16:30 +00:00
|
|
|
}
|
|
|
|
|
delete(c.state.BindMounts, "/etc/hosts")
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if c.config.NetNsCtr != "" && (!c.config.UseImageResolvConf || !c.config.UseImageHosts) {
|
2019-03-22 18:39:09 +00:00
|
|
|
// We share a net namespace.
|
2018-12-11 21:53:12 +00:00
|
|
|
// We want /etc/resolv.conf and /etc/hosts from the
|
2019-03-22 18:39:09 +00:00
|
|
|
// other container. Unless we're not creating both of
|
|
|
|
|
// them.
|
2021-01-28 03:13:23 +00:00
|
|
|
depCtr, err := c.getRootNetNsDepCtr()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error fetching network namespace dependency container for container %s", c.ID())
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We need that container's bind mounts
|
|
|
|
|
bindMounts, err := depCtr.BindMounts()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error fetching bind mounts from dependency %s of container %s", depCtr.ID(), c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-17 21:49:59 +00:00
|
|
|
// The other container may not have a resolv.conf or /etc/hosts
|
|
|
|
|
// If it doesn't, don't copy them
|
|
|
|
|
resolvPath, exists := bindMounts["/etc/resolv.conf"]
|
|
|
|
|
if !c.config.UseImageResolvConf && exists {
|
2022-02-12 11:45:49 +00:00
|
|
|
err := c.mountIntoRootDirs("/etc/resolv.conf", resolvPath)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error assigning mounts to container %s", c.ID())
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2020-02-17 21:49:59 +00:00
|
|
|
// check if dependency container has an /etc/hosts file.
|
|
|
|
|
// It may not have one, so only use it if it does.
|
2022-04-19 11:58:35 +00:00
|
|
|
hostsPath, exists := bindMounts[config.DefaultHostsFile]
|
2020-02-17 21:49:59 +00:00
|
|
|
if !c.config.UseImageHosts && exists {
|
2022-04-19 11:58:35 +00:00
|
|
|
// we cannot use the dependency container lock due ABBA deadlocks in cleanup()
|
|
|
|
|
lock, err := lockfile.GetLockfile(hostsPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to lock hosts file: %w", err)
|
|
|
|
|
}
|
|
|
|
|
lock.Lock()
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2022-04-19 11:58:35 +00:00
|
|
|
// add the newly added container to the hosts file
|
|
|
|
|
// we always use 127.0.0.1 as ip since they have the same netns
|
|
|
|
|
err = etchosts.Add(hostsPath, getLocalhostHostEntry(c))
|
|
|
|
|
lock.Unlock()
|
2019-03-22 18:39:09 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s which depends on container %s", c.ID(), depCtr.ID())
|
|
|
|
|
}
|
2019-03-04 03:54:41 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
// finally, save it in the new container
|
2022-04-19 11:58:35 +00:00
|
|
|
err = c.mountIntoRootDirs(config.DefaultHostsFile, hostsPath)
|
2022-02-12 11:45:49 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error assigning mounts to container %s", c.ID())
|
|
|
|
|
}
|
2019-03-22 18:39:09 +00:00
|
|
|
}
|
2020-06-10 12:45:11 +00:00
|
|
|
|
|
|
|
|
if !hasCurrentUserMapped(c) {
|
|
|
|
|
if err := makeAccessible(resolvPath, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := makeAccessible(hostsPath, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
} else {
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageResolvConf {
|
2022-04-29 12:41:33 +00:00
|
|
|
if err := c.generateResolvConf(); err != nil {
|
2019-03-22 18:39:09 +00:00
|
|
|
return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID())
|
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-26 17:55:19 +00:00
|
|
|
if !c.config.UseImageHosts {
|
2022-04-19 11:58:35 +00:00
|
|
|
if err := c.createHosts(); err != nil {
|
2019-03-22 18:39:09 +00:00
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s", c.ID())
|
|
|
|
|
}
|
2018-12-11 21:53:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/hosts"] != "" {
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil {
|
2019-03-22 18:39:09 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-22 18:39:09 +00:00
|
|
|
if c.state.BindMounts["/etc/resolv.conf"] != "" {
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil {
|
2019-03-22 18:39:09 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2019-02-23 12:52:05 +00:00
|
|
|
}
|
2022-04-25 13:15:52 +00:00
|
|
|
} else if !c.config.UseImageHosts && c.state.BindMounts["/etc/hosts"] == "" {
|
|
|
|
|
if err := c.createHosts(); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating hosts file for container %s", c.ID())
|
2020-11-15 13:41:06 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-03-28 13:10:14 +00:00
|
|
|
if c.config.ShmDir != "" {
|
|
|
|
|
// If ShmDir has a value SHM is always added when we mount the container
|
|
|
|
|
c.state.BindMounts["/dev/shm"] = c.config.ShmDir
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
2021-12-22 16:39:52 +00:00
|
|
|
if c.config.Passwd == nil || *c.config.Passwd {
|
2021-12-20 15:23:08 +00:00
|
|
|
newPasswd, newGroup, err := c.generatePasswdAndGroup()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating temporary passwd file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
if newPasswd != "" {
|
|
|
|
|
// Make /etc/passwd
|
|
|
|
|
// If it already exists, delete so we can recreate
|
|
|
|
|
delete(c.state.BindMounts, "/etc/passwd")
|
|
|
|
|
c.state.BindMounts["/etc/passwd"] = newPasswd
|
|
|
|
|
}
|
|
|
|
|
if newGroup != "" {
|
|
|
|
|
// Make /etc/group
|
|
|
|
|
// If it already exists, delete so we can recreate
|
|
|
|
|
delete(c.state.BindMounts, "/etc/group")
|
|
|
|
|
c.state.BindMounts["/etc/group"] = newGroup
|
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
|
|
|
|
|
// Make /etc/hostname
|
|
|
|
|
// This should never change, so no need to recreate if it exists
|
|
|
|
|
if _, ok := c.state.BindMounts["/etc/hostname"]; !ok {
|
|
|
|
|
hostnamePath, err := c.writeStringToRundir("hostname", c.Hostname())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating hostname file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/etc/hostname"] = hostnamePath
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-30 21:21:52 +00:00
|
|
|
// Make /etc/localtime
|
2021-02-28 00:53:03 +00:00
|
|
|
ctrTimezone := c.Timezone()
|
|
|
|
|
if ctrTimezone != "" {
|
|
|
|
|
// validate the format of the timezone specified if it's not "local"
|
|
|
|
|
if ctrTimezone != "local" {
|
|
|
|
|
_, err = time.LoadLocation(ctrTimezone)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error finding timezone for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-30 21:21:52 +00:00
|
|
|
if _, ok := c.state.BindMounts["/etc/localtime"]; !ok {
|
|
|
|
|
var zonePath string
|
2021-02-28 00:53:03 +00:00
|
|
|
if ctrTimezone == "local" {
|
2020-06-30 21:21:52 +00:00
|
|
|
zonePath, err = filepath.EvalSymlinks("/etc/localtime")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error finding local timezone for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2021-02-28 00:53:03 +00:00
|
|
|
zone := filepath.Join("/usr/share/zoneinfo", ctrTimezone)
|
2020-06-30 21:21:52 +00:00
|
|
|
zonePath, err = filepath.EvalSymlinks(zone)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error setting timezone for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
localtimePath, err := c.copyTimezoneFile(zonePath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error setting timezone for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/etc/localtime"] = localtimePath
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-02 15:40:35 +00:00
|
|
|
// Make .containerenv if it does not exist
|
2018-11-08 11:12:14 +00:00
|
|
|
if _, ok := c.state.BindMounts["/run/.containerenv"]; !ok {
|
2021-02-05 11:04:30 +00:00
|
|
|
containerenv := c.runtime.graphRootMountedFlag(c.config.Spec.Mounts)
|
2020-12-02 15:40:35 +00:00
|
|
|
isRootless := 0
|
|
|
|
|
if rootless.IsRootless() {
|
|
|
|
|
isRootless = 1
|
|
|
|
|
}
|
|
|
|
|
imageID, imageName := c.Image()
|
|
|
|
|
|
|
|
|
|
if c.Privileged() {
|
|
|
|
|
// Populate the .containerenv with container information
|
|
|
|
|
containerenv = fmt.Sprintf(`engine="podman-%s"
|
|
|
|
|
name=%q
|
|
|
|
|
id=%q
|
|
|
|
|
image=%q
|
|
|
|
|
imageid=%q
|
|
|
|
|
rootless=%d
|
2021-02-05 11:04:30 +00:00
|
|
|
%s`, version.Version.String(), c.Name(), c.ID(), imageName, imageID, isRootless, containerenv)
|
2020-12-02 15:40:35 +00:00
|
|
|
}
|
|
|
|
|
containerenvPath, err := c.writeStringToRundir(".containerenv", containerenv)
|
2018-11-08 11:12:14 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating containerenv file for container %s", c.ID())
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/run/.containerenv"] = containerenvPath
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 06:27:23 +00:00
|
|
|
// Add Subscription Mounts
|
|
|
|
|
subscriptionMounts := subscriptions.MountsWithUIDGID(c.config.MountLabel, c.state.RunDir, c.runtime.config.Containers.DefaultMountsFile, c.state.Mountpoint, c.RootUID(), c.RootGID(), rootless.IsRootless(), false)
|
|
|
|
|
for _, mount := range subscriptionMounts {
|
2018-11-08 11:12:14 +00:00
|
|
|
if _, ok := c.state.BindMounts[mount.Destination]; !ok {
|
|
|
|
|
c.state.BindMounts[mount.Destination] = mount.Source
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 06:27:23 +00:00
|
|
|
// Secrets are mounted by getting the secret data from the secrets manager,
|
|
|
|
|
// copying the data into the container's static dir,
|
|
|
|
|
// then mounting the copied dir into /run/secrets.
|
|
|
|
|
// The secrets mounting must come after subscription mounts, since subscription mounts
|
|
|
|
|
// creates the /run/secrets dir in the container where we mount as well.
|
|
|
|
|
if len(c.Secrets()) > 0 {
|
|
|
|
|
// create /run/secrets if subscriptions did not create
|
|
|
|
|
if err := c.createSecretMountDir(); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error creating secrets mount")
|
|
|
|
|
}
|
|
|
|
|
for _, secret := range c.Secrets() {
|
2021-11-15 09:09:26 +00:00
|
|
|
secretFileName := secret.Name
|
|
|
|
|
base := "/run/secrets"
|
|
|
|
|
if secret.Target != "" {
|
|
|
|
|
secretFileName = secret.Target
|
2022-04-25 13:15:52 +00:00
|
|
|
// If absolute path for target given remove base.
|
2021-11-15 09:09:26 +00:00
|
|
|
if filepath.IsAbs(secretFileName) {
|
|
|
|
|
base = ""
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-01-15 06:27:23 +00:00
|
|
|
src := filepath.Join(c.config.SecretsPath, secret.Name)
|
2021-11-15 09:09:26 +00:00
|
|
|
dest := filepath.Join(base, secretFileName)
|
2021-01-15 06:27:23 +00:00
|
|
|
c.state.BindMounts[dest] = src
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-03-24 11:49:29 +00:00
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generateResolvConf generates a containers resolv.conf
|
2022-04-29 12:41:33 +00:00
|
|
|
func (c *Container) generateResolvConf() error {
|
2019-08-28 18:19:15 +00:00
|
|
|
var (
|
2021-08-16 14:11:26 +00:00
|
|
|
nameservers []string
|
|
|
|
|
networkNameServers []string
|
|
|
|
|
networkSearchDomains []string
|
2019-08-28 18:19:15 +00:00
|
|
|
)
|
|
|
|
|
|
2022-04-29 13:01:56 +00:00
|
|
|
hostns := true
|
2019-02-18 02:55:30 +00:00
|
|
|
resolvConf := "/etc/resolv.conf"
|
2019-07-03 20:37:17 +00:00
|
|
|
for _, namespace := range c.config.Spec.Linux.Namespaces {
|
|
|
|
|
if namespace.Type == spec.NetworkNamespace {
|
2022-04-29 13:01:56 +00:00
|
|
|
hostns = false
|
2019-07-03 20:37:17 +00:00
|
|
|
if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") {
|
|
|
|
|
definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf")
|
2019-02-18 02:55:30 +00:00
|
|
|
_, err := os.Stat(definedPath)
|
|
|
|
|
if err == nil {
|
|
|
|
|
resolvConf = definedPath
|
|
|
|
|
} else if !os.IsNotExist(err) {
|
2022-04-29 12:41:33 +00:00
|
|
|
return err
|
2019-02-18 02:55:30 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-08 09:28:46 +00:00
|
|
|
contents, err := ioutil.ReadFile(resolvConf)
|
2020-10-22 17:21:07 +00:00
|
|
|
// resolv.conf doesn't have to exists
|
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
2022-04-29 12:41:33 +00:00
|
|
|
return err
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2021-06-08 09:28:46 +00:00
|
|
|
ns := resolvconf.GetNameservers(contents)
|
|
|
|
|
// check if systemd-resolved is used, assume it is used when 127.0.0.53 is the only nameserver
|
2022-04-29 13:01:56 +00:00
|
|
|
if !hostns && len(ns) == 1 && ns[0] == "127.0.0.53" {
|
2021-06-08 09:28:46 +00:00
|
|
|
// read the actual resolv.conf file for systemd-resolved
|
2021-06-19 21:34:25 +00:00
|
|
|
resolvedContents, err := ioutil.ReadFile("/run/systemd/resolve/resolv.conf")
|
2021-06-08 09:28:46 +00:00
|
|
|
if err != nil {
|
2021-06-19 21:34:25 +00:00
|
|
|
if !os.IsNotExist(err) {
|
2022-04-29 12:41:33 +00:00
|
|
|
return errors.Wrapf(err, "detected that systemd-resolved is in use, but could not locate real resolv.conf")
|
2021-06-19 21:34:25 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
contents = resolvedContents
|
2021-06-08 09:28:46 +00:00
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-16 14:11:26 +00:00
|
|
|
netStatus := c.getNetworkStatus()
|
|
|
|
|
for _, status := range netStatus {
|
|
|
|
|
if status.DNSServerIPs != nil {
|
|
|
|
|
for _, nsIP := range status.DNSServerIPs {
|
|
|
|
|
networkNameServers = append(networkNameServers, nsIP.String())
|
|
|
|
|
}
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Adding nameserver(s) from network status of '%q'", status.DNSServerIPs)
|
2019-08-28 18:19:15 +00:00
|
|
|
}
|
2021-08-16 14:11:26 +00:00
|
|
|
if status.DNSSearchDomains != nil {
|
|
|
|
|
networkSearchDomains = append(networkSearchDomains, status.DNSSearchDomains...)
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Debugf("Adding search domain(s) from network status of '%q'", status.DNSSearchDomains)
|
2021-02-24 09:41:56 +00:00
|
|
|
}
|
2019-03-11 10:42:01 +00:00
|
|
|
}
|
2019-08-28 18:19:15 +00:00
|
|
|
|
2022-02-09 20:02:55 +00:00
|
|
|
ipv6, err := c.checkForIPv6(netStatus)
|
|
|
|
|
if err != nil {
|
2022-04-29 12:41:33 +00:00
|
|
|
return err
|
2021-06-02 19:00:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Ensure that the container's /etc/resolv.conf is compatible with its
|
|
|
|
|
// network configuration.
|
2022-04-29 13:01:56 +00:00
|
|
|
resolv, err := resolvconf.FilterResolvDNS(contents, ipv6, !hostns)
|
2021-06-02 19:00:26 +00:00
|
|
|
if err != nil {
|
2022-04-29 12:41:33 +00:00
|
|
|
return errors.Wrapf(err, "error parsing host resolv.conf")
|
2021-06-02 19:00:26 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-25 13:15:52 +00:00
|
|
|
dns := make([]net.IP, 0, len(c.runtime.config.Containers.DNSServers)+len(c.config.DNSServer))
|
2020-03-27 14:13:51 +00:00
|
|
|
for _, i := range c.runtime.config.Containers.DNSServers {
|
|
|
|
|
result := net.ParseIP(i)
|
|
|
|
|
if result == nil {
|
2022-04-29 12:41:33 +00:00
|
|
|
return errors.Wrapf(define.ErrInvalidArg, "invalid IP address %s", i)
|
2020-03-27 14:13:51 +00:00
|
|
|
}
|
|
|
|
|
dns = append(dns, result)
|
|
|
|
|
}
|
2022-04-25 13:15:52 +00:00
|
|
|
dns = append(dns, c.config.DNSServer...)
|
2019-08-28 18:19:15 +00:00
|
|
|
// If the user provided dns, it trumps all; then dns masq; then resolv.conf
|
2022-02-04 14:48:41 +00:00
|
|
|
var search []string
|
2020-01-13 12:01:45 +00:00
|
|
|
switch {
|
2022-04-25 13:15:52 +00:00
|
|
|
case len(dns) > 0:
|
2018-11-08 11:12:14 +00:00
|
|
|
// We store DNS servers as net.IP, so need to convert to string
|
2022-04-25 13:15:52 +00:00
|
|
|
for _, server := range dns {
|
2018-11-08 11:12:14 +00:00
|
|
|
nameservers = append(nameservers, server.String())
|
|
|
|
|
}
|
2020-01-13 12:01:45 +00:00
|
|
|
default:
|
2019-08-28 18:19:15 +00:00
|
|
|
// Make a new resolv.conf
|
2022-02-04 14:48:41 +00:00
|
|
|
// first add the nameservers from the networks status
|
|
|
|
|
nameservers = append(nameservers, networkNameServers...)
|
|
|
|
|
// when we add network dns server we also have to add the search domains
|
|
|
|
|
search = networkSearchDomains
|
|
|
|
|
// slirp4netns has a built in DNS forwarder.
|
2019-08-28 18:19:15 +00:00
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
2021-01-28 03:13:23 +00:00
|
|
|
slirp4netnsDNS, err := GetSlirp4netnsDNS(c.slirp4netnsSubnet)
|
|
|
|
|
if err != nil {
|
2021-09-22 13:45:15 +00:00
|
|
|
logrus.Warn("Failed to determine Slirp4netns DNS: ", err.Error())
|
2021-01-28 03:13:23 +00:00
|
|
|
} else {
|
2022-02-04 14:48:41 +00:00
|
|
|
nameservers = append(nameservers, slirp4netnsDNS.String())
|
2021-01-28 03:13:23 +00:00
|
|
|
}
|
2019-08-28 18:19:15 +00:00
|
|
|
}
|
2022-02-04 14:48:41 +00:00
|
|
|
nameservers = append(nameservers, resolvconf.GetNameservers(resolv.Content)...)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-04 14:48:41 +00:00
|
|
|
if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches) > 0 {
|
2022-05-23 16:16:49 +00:00
|
|
|
if !cutil.StringInSlice(".", c.config.DNSSearch) {
|
2022-02-04 14:48:41 +00:00
|
|
|
search = append(search, c.runtime.config.Containers.DNSSearches...)
|
2020-03-27 14:13:51 +00:00
|
|
|
search = append(search, c.config.DNSSearch...)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2022-02-04 14:48:41 +00:00
|
|
|
search = append(search, resolvconf.GetSearchDomains(resolv.Content)...)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2020-03-27 14:13:51 +00:00
|
|
|
var options []string
|
|
|
|
|
if len(c.config.DNSOption) > 0 || len(c.runtime.config.Containers.DNSOptions) > 0 {
|
|
|
|
|
options = c.runtime.config.Containers.DNSOptions
|
|
|
|
|
options = append(options, c.config.DNSOption...)
|
|
|
|
|
} else {
|
|
|
|
|
options = resolvconf.GetOptions(resolv.Content)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
destPath := filepath.Join(c.state.RunDir, "resolv.conf")
|
|
|
|
|
|
|
|
|
|
if err := os.Remove(destPath); err != nil && !os.IsNotExist(err) {
|
2022-04-29 12:41:33 +00:00
|
|
|
return errors.Wrapf(err, "container %s", c.ID())
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Build resolv.conf
|
|
|
|
|
if _, err = resolvconf.Build(destPath, nameservers, search, options); err != nil {
|
2022-04-29 12:41:33 +00:00
|
|
|
return errors.Wrapf(err, "error building resolv.conf for container %s", c.ID())
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-29 12:41:33 +00:00
|
|
|
return c.bindMountRootFile(destPath, "/etc/resolv.conf")
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-09 20:02:55 +00:00
|
|
|
// Check if a container uses IPv6.
|
|
|
|
|
func (c *Container) checkForIPv6(netStatus map[string]types.StatusBlock) (bool, error) {
|
|
|
|
|
for _, status := range netStatus {
|
|
|
|
|
for _, netInt := range status.Interfaces {
|
|
|
|
|
for _, netAddress := range netInt.Subnets {
|
|
|
|
|
// Note: only using To16() does not work since it also returns a valid ip for ipv4
|
|
|
|
|
if netAddress.IPNet.IP.To4() == nil && netAddress.IPNet.IP.To16() != nil {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.config.NetMode.IsSlirp4netns() {
|
|
|
|
|
ctrNetworkSlipOpts := []string{}
|
|
|
|
|
if c.config.NetworkOptions != nil {
|
|
|
|
|
ctrNetworkSlipOpts = append(ctrNetworkSlipOpts, c.config.NetworkOptions["slirp4netns"]...)
|
|
|
|
|
}
|
|
|
|
|
slirpOpts, err := parseSlirp4netnsNetworkOptions(c.runtime, ctrNetworkSlipOpts)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
return slirpOpts.enableIPv6, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add a new nameserver to the container's resolv.conf, ensuring that it is the
|
|
|
|
|
// first nameserver present.
|
|
|
|
|
// Usable only with running containers.
|
|
|
|
|
func (c *Container) addNameserver(ips []string) error {
|
|
|
|
|
// Take no action if container is not running.
|
|
|
|
|
if !c.ensureState(define.ContainerStateRunning, define.ContainerStateCreated) {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Do we have a resolv.conf at all?
|
|
|
|
|
path, ok := c.state.BindMounts["/etc/resolv.conf"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Read in full contents, parse out existing nameservers
|
|
|
|
|
contents, err := ioutil.ReadFile(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
ns := resolvconf.GetNameservers(contents)
|
|
|
|
|
options := resolvconf.GetOptions(contents)
|
|
|
|
|
search := resolvconf.GetSearchDomains(contents)
|
|
|
|
|
|
|
|
|
|
// We could verify that it doesn't already exist
|
|
|
|
|
// but extra nameservers shouldn't harm anything.
|
|
|
|
|
// Ensure we are the first entry in resolv.conf though, otherwise we
|
|
|
|
|
// might be after user-added servers.
|
|
|
|
|
ns = append(ips, ns...)
|
|
|
|
|
|
|
|
|
|
// We're rewriting the container's resolv.conf as part of this, but we
|
|
|
|
|
// hold the container lock, so there should be no risk of parallel
|
|
|
|
|
// modification.
|
|
|
|
|
if _, err := resolvconf.Build(path, ns, search, options); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error adding new nameserver to container %s resolv.conf", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Remove an entry from the existing resolv.conf of the container.
|
|
|
|
|
// Usable only with running containers.
|
|
|
|
|
func (c *Container) removeNameserver(ips []string) error {
|
|
|
|
|
// Take no action if container is not running.
|
|
|
|
|
if !c.ensureState(define.ContainerStateRunning, define.ContainerStateCreated) {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Do we have a resolv.conf at all?
|
|
|
|
|
path, ok := c.state.BindMounts["/etc/resolv.conf"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Read in full contents, parse out existing nameservers
|
|
|
|
|
contents, err := ioutil.ReadFile(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
ns := resolvconf.GetNameservers(contents)
|
|
|
|
|
options := resolvconf.GetOptions(contents)
|
|
|
|
|
search := resolvconf.GetSearchDomains(contents)
|
|
|
|
|
|
|
|
|
|
toRemove := make(map[string]bool)
|
|
|
|
|
for _, ip := range ips {
|
|
|
|
|
toRemove[ip] = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newNS := make([]string, 0, len(ns))
|
|
|
|
|
for _, server := range ns {
|
|
|
|
|
if !toRemove[server] {
|
|
|
|
|
newNS = append(newNS, server)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, err := resolvconf.Build(path, newNS, search, options); err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error removing nameservers from container %s resolv.conf", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-19 11:58:35 +00:00
|
|
|
func getLocalhostHostEntry(c *Container) etchosts.HostEntries {
|
|
|
|
|
return etchosts.HostEntries{{IP: "127.0.0.1", Names: []string{c.Hostname(), c.config.Name}}}
|
2019-03-04 03:54:41 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-19 11:58:35 +00:00
|
|
|
// getHostsEntries returns the container ip host entries for the correct netmode
|
|
|
|
|
func (c *Container) getHostsEntries() (etchosts.HostEntries, error) {
|
|
|
|
|
var entries etchosts.HostEntries
|
|
|
|
|
names := []string{c.Hostname(), c.config.Name}
|
|
|
|
|
switch {
|
|
|
|
|
case c.config.NetMode.IsBridge():
|
|
|
|
|
entries = etchosts.GetNetworkHostEntries(c.state.NetworkStatus, names...)
|
|
|
|
|
case c.config.NetMode.IsSlirp4netns():
|
|
|
|
|
ip, err := GetSlirp4netnsIP(c.slirp4netnsSubnet)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2021-08-03 18:07:28 +00:00
|
|
|
}
|
2022-04-19 11:58:35 +00:00
|
|
|
entries = etchosts.HostEntries{{IP: ip.String(), Names: names}}
|
|
|
|
|
default:
|
|
|
|
|
// check for net=none
|
|
|
|
|
if !c.config.CreateNetNS {
|
2021-09-16 10:37:06 +00:00
|
|
|
for _, ns := range c.config.Spec.Linux.Namespaces {
|
|
|
|
|
if ns.Type == spec.NetworkNamespace {
|
|
|
|
|
if ns.Path == "" {
|
2022-04-19 11:58:35 +00:00
|
|
|
entries = etchosts.HostEntries{{IP: "127.0.0.1", Names: names}}
|
2021-09-16 10:37:06 +00:00
|
|
|
}
|
|
|
|
|
break
|
2020-10-19 19:25:06 +00:00
|
|
|
}
|
|
|
|
|
}
|
2021-08-03 18:07:28 +00:00
|
|
|
}
|
2020-10-19 19:25:06 +00:00
|
|
|
}
|
2022-04-19 11:58:35 +00:00
|
|
|
return entries, nil
|
|
|
|
|
}
|
2021-01-28 03:13:23 +00:00
|
|
|
|
2022-04-19 11:58:35 +00:00
|
|
|
func (c *Container) createHosts() error {
|
|
|
|
|
var containerIPsEntries etchosts.HostEntries
|
|
|
|
|
var err error
|
|
|
|
|
// if we configure the netns after the container create we should not add
|
|
|
|
|
// the hosts here since we have no information about the actual ips
|
|
|
|
|
// instead we will add them in c.completeNetworkSetup()
|
|
|
|
|
if !c.config.PostConfigureNetNS {
|
|
|
|
|
containerIPsEntries, err = c.getHostsEntries()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to get container ip host entries: %w", err)
|
2021-09-20 09:26:40 +00:00
|
|
|
}
|
2022-04-19 11:58:35 +00:00
|
|
|
}
|
|
|
|
|
baseHostFile, err := etchosts.GetBaseHostFile(c.runtime.config.Containers.BaseHostsFile, c.state.Mountpoint)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-09-20 09:26:40 +00:00
|
|
|
|
2022-04-19 11:58:35 +00:00
|
|
|
targetFile := filepath.Join(c.state.RunDir, "hosts")
|
|
|
|
|
err = etchosts.New(&etchosts.Params{
|
|
|
|
|
BaseFile: baseHostFile,
|
|
|
|
|
ExtraHosts: c.config.HostAdd,
|
|
|
|
|
ContainerIPs: containerIPsEntries,
|
|
|
|
|
HostContainersInternalIP: etchosts.GetHostContainersInternalIP(c.runtime.config, c.state.NetworkStatus, c.runtime.network),
|
|
|
|
|
TargetFile: targetFile,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-01-11 14:30:38 +00:00
|
|
|
|
2022-04-29 12:41:33 +00:00
|
|
|
return c.bindMountRootFile(targetFile, config.DefaultHostsFile)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// bindMountRootFile will chown and relabel the source file to make it usable in the container.
|
|
|
|
|
// It will also add the path to the container bind mount map.
|
|
|
|
|
// source is the path on the host, dest is the path in the container.
|
|
|
|
|
func (c *Container) bindMountRootFile(source, dest string) error {
|
|
|
|
|
if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil {
|
2022-04-19 11:58:35 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2022-04-29 12:41:33 +00:00
|
|
|
if err := label.Relabel(source, c.MountLabel(), false); err != nil {
|
2022-04-19 11:58:35 +00:00
|
|
|
return err
|
2021-01-28 03:13:23 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-29 12:41:33 +00:00
|
|
|
return c.mountIntoRootDirs(dest, source)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// generateGroupEntry generates an entry or entries into /etc/group as
|
|
|
|
|
// required by container configuration.
|
2020-12-21 22:48:43 +00:00
|
|
|
// Generally speaking, we will make an entry under two circumstances:
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// 1. The container is started as a specific user:group, and that group is both
|
|
|
|
|
// numeric, and does not already exist in /etc/group.
|
|
|
|
|
// 2. It is requested that Libpod add the group that launched Podman to
|
|
|
|
|
// /etc/group via AddCurrentUserPasswdEntry (though this does not trigger if
|
|
|
|
|
// the group in question already exists in /etc/passwd).
|
|
|
|
|
// Returns group entry (as a string that can be appended to /etc/group) and any
|
|
|
|
|
// error that occurred.
|
|
|
|
|
func (c *Container) generateGroupEntry() (string, error) {
|
|
|
|
|
groupString := ""
|
|
|
|
|
|
|
|
|
|
// Things we *can't* handle: adding the user we added in
|
|
|
|
|
// generatePasswdEntry to any *existing* groups.
|
|
|
|
|
addedGID := 0
|
|
|
|
|
if c.config.AddCurrentUserPasswdEntry {
|
|
|
|
|
entry, gid, err := c.generateCurrentUserGroupEntry()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
groupString += entry
|
|
|
|
|
addedGID = gid
|
|
|
|
|
}
|
|
|
|
|
if c.config.User != "" {
|
2022-04-22 13:10:13 +00:00
|
|
|
entry, err := c.generateUserGroupEntry(addedGID)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
groupString += entry
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return groupString, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make an entry in /etc/group for the group of the user running podman iff we
|
|
|
|
|
// are rootless.
|
|
|
|
|
func (c *Container) generateCurrentUserGroupEntry() (string, int, error) {
|
|
|
|
|
gid := rootless.GetRootlessGID()
|
|
|
|
|
if gid == 0 {
|
|
|
|
|
return "", 0, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g, err := user.LookupGroupId(strconv.Itoa(gid))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", 0, errors.Wrapf(err, "failed to get current group")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lookup group name to see if it exists in the image.
|
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, g.Name)
|
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
|
|
|
|
return "", 0, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lookup GID to see if it exists in the image.
|
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, g.Gid)
|
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
|
|
|
|
return "", 0, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We need to get the username of the rootless user so we can add it to
|
|
|
|
|
// the group.
|
|
|
|
|
username := ""
|
|
|
|
|
uid := rootless.GetRootlessUID()
|
|
|
|
|
if uid != 0 {
|
|
|
|
|
u, err := user.LookupId(strconv.Itoa(uid))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", 0, errors.Wrapf(err, "failed to get current user to make group entry")
|
|
|
|
|
}
|
|
|
|
|
username = u.Username
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make the entry.
|
|
|
|
|
return fmt.Sprintf("%s:x:%s:%s\n", g.Name, g.Gid, username), gid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make an entry in /etc/group for the group the container was specified to run
|
|
|
|
|
// as.
|
2022-04-22 13:10:13 +00:00
|
|
|
func (c *Container) generateUserGroupEntry(addedGID int) (string, error) {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if c.config.User == "" {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
splitUser := strings.SplitN(c.config.User, ":", 2)
|
|
|
|
|
group := splitUser[0]
|
|
|
|
|
if len(splitUser) > 1 {
|
|
|
|
|
group = splitUser[1]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
gid, err := strconv.ParseUint(group, 10, 32)
|
|
|
|
|
if err != nil {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil // nolint: nilerr
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if addedGID != 0 && addedGID == int(gid) {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if the group already exists
|
|
|
|
|
_, err = lookup.GetGroup(c.state.Mountpoint, group)
|
|
|
|
|
if err != runcuser.ErrNoGroupEntries {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", err
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-22 13:10:13 +00:00
|
|
|
return fmt.Sprintf("%d:x:%d:%s\n", gid, gid, splitUser[0]), nil
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generatePasswdEntry generates an entry or entries into /etc/passwd as
|
|
|
|
|
// required by container configuration.
|
|
|
|
|
// Generally speaking, we will make an entry under two circumstances:
|
|
|
|
|
// 1. The container is started as a specific user who is not in /etc/passwd.
|
|
|
|
|
// This only triggers if the user is given as a *numeric* ID.
|
|
|
|
|
// 2. It is requested that Libpod add the user that launched Podman to
|
|
|
|
|
// /etc/passwd via AddCurrentUserPasswdEntry (though this does not trigger if
|
|
|
|
|
// the user in question already exists in /etc/passwd) or the UID to be added
|
|
|
|
|
// is 0).
|
2021-12-16 14:24:24 +00:00
|
|
|
// 3. The user specified additional host user accounts to add the the /etc/passwd file
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// Returns password entry (as a string that can be appended to /etc/passwd) and
|
|
|
|
|
// any error that occurred.
|
|
|
|
|
func (c *Container) generatePasswdEntry() (string, error) {
|
|
|
|
|
passwdString := ""
|
|
|
|
|
|
|
|
|
|
addedUID := 0
|
2021-12-16 14:24:24 +00:00
|
|
|
for _, userid := range c.config.HostUsers {
|
|
|
|
|
// Lookup User on host
|
|
|
|
|
u, err := util.LookupUser(userid)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
entry, err := c.userPasswdEntry(u)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
passwdString += entry
|
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if c.config.AddCurrentUserPasswdEntry {
|
|
|
|
|
entry, uid, _, err := c.generateCurrentUserPasswdEntry()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
passwdString += entry
|
|
|
|
|
addedUID = uid
|
|
|
|
|
}
|
|
|
|
|
if c.config.User != "" {
|
2022-04-22 13:10:13 +00:00
|
|
|
entry, err := c.generateUserPasswdEntry(addedUID)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
passwdString += entry
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return passwdString, nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-30 19:44:14 +00:00
|
|
|
// generateCurrentUserPasswdEntry generates an /etc/passwd entry for the user
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// running the container engine.
|
|
|
|
|
// Returns a passwd entry for the user, and the UID and GID of the added entry.
|
|
|
|
|
func (c *Container) generateCurrentUserPasswdEntry() (string, int, int, error) {
|
2020-06-30 19:44:14 +00:00
|
|
|
uid := rootless.GetRootlessUID()
|
|
|
|
|
if uid == 0 {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
u, err := user.LookupId(strconv.Itoa(uid))
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", 0, 0, errors.Wrapf(err, "failed to get current user")
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2021-12-16 14:24:24 +00:00
|
|
|
pwd, err := c.userPasswdEntry(u)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", 0, 0, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pwd, uid, rootless.GetRootlessGID(), nil
|
|
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
2021-12-16 14:24:24 +00:00
|
|
|
func (c *Container) userPasswdEntry(u *user.User) (string, error) {
|
2020-07-15 19:25:12 +00:00
|
|
|
// Lookup the user to see if it exists in the container image.
|
2021-12-16 14:24:24 +00:00
|
|
|
_, err := lookup.GetUser(c.state.Mountpoint, u.Username)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
2021-12-16 14:24:24 +00:00
|
|
|
return "", err
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lookup the UID to see if it exists in the container image.
|
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, u.Uid)
|
|
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
2021-12-16 14:24:24 +00:00
|
|
|
return "", err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If the user's actual home directory exists, or was mounted in - use
|
|
|
|
|
// that.
|
|
|
|
|
homeDir := c.WorkingDir()
|
2020-10-13 21:43:26 +00:00
|
|
|
hDir := u.HomeDir
|
|
|
|
|
for hDir != "/" {
|
|
|
|
|
if MountExists(c.config.Spec.Mounts, hDir) {
|
|
|
|
|
homeDir = u.HomeDir
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
hDir = filepath.Dir(hDir)
|
|
|
|
|
}
|
|
|
|
|
if homeDir != u.HomeDir {
|
|
|
|
|
for _, hDir := range c.UserVolumes() {
|
|
|
|
|
if hDir == u.HomeDir {
|
|
|
|
|
homeDir = u.HomeDir
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Set HOME environment if not already set
|
|
|
|
|
hasHomeSet := false
|
|
|
|
|
for _, s := range c.config.Spec.Process.Env {
|
|
|
|
|
if strings.HasPrefix(s, "HOME=") {
|
|
|
|
|
hasHomeSet = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !hasHomeSet {
|
|
|
|
|
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
2022-03-21 15:43:14 +00:00
|
|
|
if c.config.PasswdEntry != "" {
|
|
|
|
|
return c.passwdEntry(u.Username, u.Uid, u.Gid, u.Name, homeDir), nil
|
|
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
2021-12-16 14:24:24 +00:00
|
|
|
return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Name, homeDir), nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generateUserPasswdEntry generates an /etc/passwd entry for the container user
|
|
|
|
|
// to run in the container.
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// The UID and GID of the added entry will also be returned.
|
|
|
|
|
// Accepts one argument, that being any UID that has already been added to the
|
|
|
|
|
// passwd file by other functions; if it matches the UID we were given, we don't
|
|
|
|
|
// need to do anything.
|
2022-04-22 13:10:13 +00:00
|
|
|
func (c *Container) generateUserPasswdEntry(addedUID int) (string, error) {
|
2018-11-08 11:12:14 +00:00
|
|
|
var (
|
|
|
|
|
groupspec string
|
|
|
|
|
gid int
|
|
|
|
|
)
|
|
|
|
|
if c.config.User == "" {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2019-07-03 20:37:17 +00:00
|
|
|
splitSpec := strings.SplitN(c.config.User, ":", 2)
|
|
|
|
|
userspec := splitSpec[0]
|
|
|
|
|
if len(splitSpec) > 1 {
|
|
|
|
|
groupspec = splitSpec[1]
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
// If a non numeric User, then don't generate passwd
|
|
|
|
|
uid, err := strconv.ParseUint(userspec, 10, 32)
|
|
|
|
|
if err != nil {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil // nolint: nilerr
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if addedUID != 0 && int(uid) == addedUID {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2020-06-30 19:44:14 +00:00
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
// Lookup the user to see if it exists in the container image
|
|
|
|
|
_, err = lookup.GetUser(c.state.Mountpoint, userspec)
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if err != runcuser.ErrNoPasswdEntries {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", err
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2020-06-30 19:44:14 +00:00
|
|
|
|
2018-11-08 11:12:14 +00:00
|
|
|
if groupspec != "" {
|
2018-12-04 19:46:17 +00:00
|
|
|
ugid, err := strconv.ParseUint(groupspec, 10, 32)
|
|
|
|
|
if err == nil {
|
|
|
|
|
gid = int(ugid)
|
|
|
|
|
} else {
|
|
|
|
|
group, err := lookup.GetGroup(c.state.Mountpoint, groupspec)
|
|
|
|
|
if err != nil {
|
2022-04-22 13:10:13 +00:00
|
|
|
return "", errors.Wrapf(err, "unable to get gid %s from group file", groupspec)
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2018-12-04 19:46:17 +00:00
|
|
|
gid = group.Gid
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
|
|
|
|
}
|
2022-03-21 15:43:14 +00:00
|
|
|
|
|
|
|
|
if c.config.PasswdEntry != "" {
|
|
|
|
|
entry := c.passwdEntry(fmt.Sprintf("%d", uid), fmt.Sprintf("%d", uid), fmt.Sprintf("%d", gid), "container user", c.WorkingDir())
|
2022-04-22 13:10:13 +00:00
|
|
|
return entry, nil
|
2022-03-21 15:43:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-22 13:10:13 +00:00
|
|
|
return fmt.Sprintf("%d:*:%d:%d:container user:%s:/bin/sh\n", uid, uid, gid, c.WorkingDir()), nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
|
|
|
|
|
2022-03-21 15:43:14 +00:00
|
|
|
func (c *Container) passwdEntry(username string, uid, gid, name, homeDir string) string {
|
|
|
|
|
s := c.config.PasswdEntry
|
2022-04-25 13:15:52 +00:00
|
|
|
s = strings.ReplaceAll(s, "$USERNAME", username)
|
|
|
|
|
s = strings.ReplaceAll(s, "$UID", uid)
|
|
|
|
|
s = strings.ReplaceAll(s, "$GID", gid)
|
|
|
|
|
s = strings.ReplaceAll(s, "$NAME", name)
|
|
|
|
|
s = strings.ReplaceAll(s, "$HOME", homeDir)
|
2022-03-21 15:43:14 +00:00
|
|
|
return s + "\n"
|
|
|
|
|
}
|
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// generatePasswdAndGroup generates container-specific passwd and group files
|
|
|
|
|
// iff g.config.User is a number or we are configured to make a passwd entry for
|
2021-12-16 14:24:24 +00:00
|
|
|
// the current user or the user specified HostsUsers
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// Returns path to file to mount at /etc/passwd, path to file to mount at
|
|
|
|
|
// /etc/group, and any error that occurred. If no passwd/group file were
|
|
|
|
|
// required, the empty string will be returned for those path (this may occur
|
|
|
|
|
// even if no error happened).
|
|
|
|
|
// This may modify the mounted container's /etc/passwd and /etc/group instead of
|
|
|
|
|
// making copies to bind-mount in, so we don't break useradd (it wants to make a
|
|
|
|
|
// copy of /etc/passwd and rename the copy to /etc/passwd, which is impossible
|
|
|
|
|
// with a bind mount). This is done in cases where the container is *not*
|
|
|
|
|
// read-only. In this case, the function will return nothing ("", "", nil).
|
|
|
|
|
func (c *Container) generatePasswdAndGroup() (string, string, error) {
|
2021-12-16 14:24:24 +00:00
|
|
|
if !c.config.AddCurrentUserPasswdEntry && c.config.User == "" &&
|
|
|
|
|
len(c.config.HostUsers) == 0 {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
|
needPasswd := true
|
|
|
|
|
needGroup := true
|
|
|
|
|
|
|
|
|
|
// First, check if there's a mount at /etc/passwd or group, we don't
|
|
|
|
|
// want to interfere with user mounts.
|
2020-07-14 20:20:22 +00:00
|
|
|
if MountExists(c.config.Spec.Mounts, "/etc/passwd") {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needPasswd = false
|
2020-07-14 20:20:22 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if MountExists(c.config.Spec.Mounts, "/etc/group") {
|
|
|
|
|
needGroup = false
|
2020-07-14 20:20:22 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
2020-12-21 22:48:43 +00:00
|
|
|
// Next, check if we already made the files. If we didn't, don't need to
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
// do anything more.
|
|
|
|
|
if needPasswd {
|
|
|
|
|
passwdPath := filepath.Join(c.config.StaticDir, "passwd")
|
|
|
|
|
if _, err := os.Stat(passwdPath); err == nil {
|
|
|
|
|
needPasswd = false
|
|
|
|
|
}
|
2020-08-31 18:06:49 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if needGroup {
|
|
|
|
|
groupPath := filepath.Join(c.config.StaticDir, "group")
|
|
|
|
|
if _, err := os.Stat(groupPath); err == nil {
|
|
|
|
|
needGroup = false
|
2020-08-31 18:06:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
|
// Next, check if the container even has a /etc/passwd or /etc/group.
|
|
|
|
|
// If it doesn't we don't want to create them ourselves.
|
|
|
|
|
if needPasswd {
|
|
|
|
|
exists, err := c.checkFileExistsInRootfs("/etc/passwd")
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needPasswd = exists
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if needGroup {
|
|
|
|
|
exists, err := c.checkFileExistsInRootfs("/etc/group")
|
2020-06-30 19:44:14 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needGroup = exists
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
|
// If we don't need a /etc/passwd or /etc/group at this point we can
|
|
|
|
|
// just return.
|
|
|
|
|
if !needPasswd && !needGroup {
|
|
|
|
|
return "", "", nil
|
2020-06-30 19:44:14 +00:00
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
passwdPath := ""
|
|
|
|
|
groupPath := ""
|
|
|
|
|
|
|
|
|
|
ro := c.IsReadOnly()
|
|
|
|
|
|
|
|
|
|
if needPasswd {
|
|
|
|
|
passwdEntry, err := c.generatePasswdEntry()
|
2020-07-15 19:25:12 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needsWrite := passwdEntry != ""
|
|
|
|
|
switch {
|
|
|
|
|
case ro && needsWrite:
|
|
|
|
|
logrus.Debugf("Making /etc/passwd for container %s", c.ID())
|
|
|
|
|
originPasswdFile, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "error creating path to container %s /etc/passwd", c.ID())
|
|
|
|
|
}
|
|
|
|
|
orig, err := ioutil.ReadFile(originPasswdFile)
|
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
2020-10-28 17:16:42 +00:00
|
|
|
return "", "", err
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
passwdFile, err := c.writeStringToStaticDir("passwd", string(orig)+passwdEntry)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "failed to create temporary passwd file")
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chmod(passwdFile, 0644); err != nil {
|
|
|
|
|
return "", "", err
|
|
|
|
|
}
|
|
|
|
|
passwdPath = passwdFile
|
|
|
|
|
case !ro && needsWrite:
|
|
|
|
|
logrus.Debugf("Modifying container %s /etc/passwd", c.ID())
|
|
|
|
|
containerPasswd, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "error looking up location of container %s /etc/passwd", c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f, err := os.OpenFile(containerPasswd, os.O_APPEND|os.O_WRONLY, 0600)
|
|
|
|
|
if err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return "", "", errors.Wrapf(err, "container %s", c.ID())
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
|
|
|
if _, err := f.WriteString(passwdEntry); err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "unable to append to container %s /etc/passwd", c.ID())
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
logrus.Debugf("Not modifying container %s /etc/passwd", c.ID())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if needGroup {
|
|
|
|
|
groupEntry, err := c.generateGroupEntry()
|
2020-07-15 19:25:12 +00:00
|
|
|
if err != nil {
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
return "", "", err
|
2020-07-15 19:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
needsWrite := groupEntry != ""
|
|
|
|
|
switch {
|
|
|
|
|
case ro && needsWrite:
|
|
|
|
|
logrus.Debugf("Making /etc/group for container %s", c.ID())
|
|
|
|
|
originGroupFile, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/group")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "error creating path to container %s /etc/group", c.ID())
|
|
|
|
|
}
|
|
|
|
|
orig, err := ioutil.ReadFile(originGroupFile)
|
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
2020-10-28 17:16:42 +00:00
|
|
|
return "", "", err
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
groupFile, err := c.writeStringToStaticDir("group", string(orig)+groupEntry)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "failed to create temporary group file")
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chmod(groupFile, 0644); err != nil {
|
|
|
|
|
return "", "", err
|
|
|
|
|
}
|
|
|
|
|
groupPath = groupFile
|
|
|
|
|
case !ro && needsWrite:
|
|
|
|
|
logrus.Debugf("Modifying container %s /etc/group", c.ID())
|
|
|
|
|
containerGroup, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/group")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "error looking up location of container %s /etc/group", c.ID())
|
|
|
|
|
}
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
f, err := os.OpenFile(containerGroup, os.O_APPEND|os.O_WRONLY, 0600)
|
|
|
|
|
if err != nil {
|
2020-10-28 17:16:42 +00:00
|
|
|
return "", "", errors.Wrapf(err, "container %s", c.ID())
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
defer f.Close()
|
2020-07-15 19:25:12 +00:00
|
|
|
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
if _, err := f.WriteString(groupEntry); err != nil {
|
|
|
|
|
return "", "", errors.Wrapf(err, "unable to append to container %s /etc/group", c.ID())
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
logrus.Debugf("Not modifying container %s /etc/group", c.ID())
|
|
|
|
|
}
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
|
return passwdPath, groupPath, nil
|
2018-11-08 11:12:14 +00:00
|
|
|
}
|
2019-03-14 12:33:53 +00:00
|
|
|
|
2021-05-05 19:58:35 +00:00
|
|
|
func isRootlessCgroupSet(cgroup string) bool {
|
|
|
|
|
// old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent
|
|
|
|
|
// by default. Avoid breaking these versions and check whether the cgroup parent is
|
|
|
|
|
// set to the default and in this case enable the old behavior. It should not be a real
|
|
|
|
|
// problem because the default CgroupParent is usually owned by root so rootless users
|
|
|
|
|
// cannot access it.
|
|
|
|
|
// This check might be lifted in a future version of Podman.
|
|
|
|
|
// Check both that the cgroup or its parent is set to the default value (used by pods).
|
|
|
|
|
return cgroup != CgroupfsDefaultCgroupParent && filepath.Dir(cgroup) != CgroupfsDefaultCgroupParent
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-12 15:52:38 +00:00
|
|
|
func (c *Container) expectPodCgroup() (bool, error) {
|
|
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
cgroupManager := c.CgroupManager()
|
|
|
|
|
switch {
|
|
|
|
|
case c.config.NoCgroups:
|
|
|
|
|
return false, nil
|
|
|
|
|
case cgroupManager == config.SystemdCgroupsManager:
|
|
|
|
|
return !rootless.IsRootless() || unified, nil
|
|
|
|
|
case cgroupManager == config.CgroupfsCgroupsManager:
|
|
|
|
|
return !rootless.IsRootless(), nil
|
|
|
|
|
default:
|
|
|
|
|
return false, errors.Wrapf(define.ErrInvalidArg, "invalid cgroup mode %s requested for pods", cgroupManager)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-10 18:45:56 +00:00
|
|
|
// Get cgroup path in a format suitable for the OCI spec
|
|
|
|
|
func (c *Container) getOCICgroupPath() (string, error) {
|
|
|
|
|
unified, err := cgroups.IsCgroup2UnifiedMode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2020-10-08 19:25:06 +00:00
|
|
|
cgroupManager := c.CgroupManager()
|
2020-01-13 12:01:45 +00:00
|
|
|
switch {
|
2021-04-29 19:08:23 +00:00
|
|
|
case c.config.NoCgroups:
|
2019-10-10 18:45:56 +00:00
|
|
|
return "", nil
|
2020-06-18 11:56:30 +00:00
|
|
|
case c.config.CgroupsMode == cgroupSplit:
|
2022-05-21 02:19:38 +00:00
|
|
|
selfCgroup, err := utils.GetOwnCgroupDisallowRoot()
|
2020-06-18 11:56:30 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2021-11-24 09:35:07 +00:00
|
|
|
return filepath.Join(selfCgroup, fmt.Sprintf("libpod-payload-%s", c.ID())), nil
|
2020-10-08 19:25:06 +00:00
|
|
|
case cgroupManager == config.SystemdCgroupsManager:
|
2020-06-18 11:56:30 +00:00
|
|
|
// When the OCI runtime is set to use Systemd as a cgroup manager, it
|
2019-10-10 18:45:56 +00:00
|
|
|
// expects cgroups to be passed as follows:
|
|
|
|
|
// slice:prefix:name
|
|
|
|
|
systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID())
|
2022-01-13 19:51:06 +00:00
|
|
|
logrus.Debugf("Setting Cgroups for container %s to %s", c.ID(), systemdCgroups)
|
2019-10-10 18:45:56 +00:00
|
|
|
return systemdCgroups, nil
|
2021-09-10 08:06:45 +00:00
|
|
|
case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
|
|
|
|
|
if c.config.CgroupParent == "" || !isRootlessCgroupSet(c.config.CgroupParent) {
|
|
|
|
|
return "", nil
|
|
|
|
|
}
|
|
|
|
|
fallthrough
|
2020-10-08 19:25:06 +00:00
|
|
|
case cgroupManager == config.CgroupfsCgroupsManager:
|
2020-11-10 12:31:19 +00:00
|
|
|
cgroupPath := filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID()))
|
2022-01-13 19:51:06 +00:00
|
|
|
logrus.Debugf("Setting Cgroup path for container %s to %s", c.ID(), cgroupPath)
|
2019-10-10 18:45:56 +00:00
|
|
|
return cgroupPath, nil
|
2020-01-13 12:01:45 +00:00
|
|
|
default:
|
2020-10-08 19:25:06 +00:00
|
|
|
return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", cgroupManager)
|
2019-10-10 18:45:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
2020-06-30 21:21:52 +00:00
|
|
|
|
|
|
|
|
func (c *Container) copyTimezoneFile(zonePath string) (string, error) {
|
2022-04-22 11:38:41 +00:00
|
|
|
localtimeCopy := filepath.Join(c.state.RunDir, "localtime")
|
2020-06-30 21:21:52 +00:00
|
|
|
file, err := os.Stat(zonePath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
if file.IsDir() {
|
|
|
|
|
return "", errors.New("Invalid timezone: is a directory")
|
|
|
|
|
}
|
|
|
|
|
src, err := os.Open(zonePath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
defer src.Close()
|
|
|
|
|
dest, err := os.Create(localtimeCopy)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
defer dest.Close()
|
|
|
|
|
_, err = io.Copy(dest, src)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2021-10-13 20:24:46 +00:00
|
|
|
if err := c.relabel(localtimeCopy, c.config.MountLabel, false); err != nil {
|
2020-06-30 21:21:52 +00:00
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
if err := dest.Chown(c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
return localtimeCopy, err
|
|
|
|
|
}
|
2020-07-09 19:46:14 +00:00
|
|
|
|
|
|
|
|
func (c *Container) cleanupOverlayMounts() error {
|
|
|
|
|
return overlay.CleanupContent(c.config.StaticDir)
|
|
|
|
|
}
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
|
|
|
|
|
// Check if a file exists at the given path in the container's root filesystem.
|
|
|
|
|
// Container must already be mounted for this to be used.
|
|
|
|
|
func (c *Container) checkFileExistsInRootfs(file string) (bool, error) {
|
|
|
|
|
checkPath, err := securejoin.SecureJoin(c.state.Mountpoint, file)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, errors.Wrapf(err, "cannot create path to container %s file %q", c.ID(), file)
|
|
|
|
|
}
|
|
|
|
|
stat, err := os.Stat(checkPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
2020-10-28 17:16:42 +00:00
|
|
|
return false, errors.Wrapf(err, "container %s", c.ID())
|
Make an entry in /etc/group when we modify /etc/passwd
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes #7503
Fixes #7389
Fixes #7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-09-04 18:23:43 +00:00
|
|
|
}
|
|
|
|
|
if stat.IsDir() {
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
2021-01-15 06:27:23 +00:00
|
|
|
|
|
|
|
|
// Creates and mounts an empty dir to mount secrets into, if it does not already exist
|
|
|
|
|
func (c *Container) createSecretMountDir() error {
|
|
|
|
|
src := filepath.Join(c.state.RunDir, "/run/secrets")
|
|
|
|
|
_, err := os.Stat(src)
|
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
|
oldUmask := umask.Set(0)
|
|
|
|
|
defer umask.Set(oldUmask)
|
|
|
|
|
|
2021-05-14 20:29:44 +00:00
|
|
|
if err := os.MkdirAll(src, 0755); err != nil {
|
2021-01-15 06:27:23 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := label.Relabel(src, c.config.MountLabel, false); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
c.state.BindMounts["/run/secrets"] = src
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-06-02 09:28:26 +00:00
|
|
|
|
|
|
|
|
// Fix ownership and permissions of the specified volume if necessary.
|
|
|
|
|
func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
|
|
|
|
|
vol, err := c.runtime.state.Volume(v.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error retrieving named volume %s for container %s", v.Name, c.ID())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vol.lock.Lock()
|
|
|
|
|
defer vol.lock.Unlock()
|
|
|
|
|
|
|
|
|
|
// The volume may need a copy-up. Check the state.
|
|
|
|
|
if err := vol.update(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-23 17:27:04 +00:00
|
|
|
// Volumes owned by a volume driver are not chowned - we don't want to
|
|
|
|
|
// mess with a mount not managed by us.
|
2021-06-02 09:28:26 +00:00
|
|
|
if vol.state.NeedsChown && !vol.UsesVolumeDriver() {
|
|
|
|
|
vol.state.NeedsChown = false
|
|
|
|
|
|
|
|
|
|
uid := int(c.config.Spec.Process.User.UID)
|
|
|
|
|
gid := int(c.config.Spec.Process.User.GID)
|
|
|
|
|
|
|
|
|
|
if c.config.IDMappings.UIDMap != nil {
|
|
|
|
|
p := idtools.IDPair{
|
|
|
|
|
UID: uid,
|
|
|
|
|
GID: gid,
|
|
|
|
|
}
|
|
|
|
|
mappings := idtools.NewIDMappingsFromMaps(c.config.IDMappings.UIDMap, c.config.IDMappings.GIDMap)
|
|
|
|
|
newPair, err := mappings.ToHost(p)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "error mapping user %d:%d", uid, gid)
|
|
|
|
|
}
|
|
|
|
|
uid = newPair.UID
|
|
|
|
|
gid = newPair.GID
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vol.state.UIDChowned = uid
|
|
|
|
|
vol.state.GIDChowned = gid
|
|
|
|
|
|
|
|
|
|
if err := vol.save(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mountPoint, err := vol.MountPoint()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := os.Lchown(mountPoint, uid, gid); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make sure the new volume matches the permissions of the target directory.
|
|
|
|
|
// https://github.com/containers/podman/issues/10188
|
|
|
|
|
st, err := os.Lstat(filepath.Join(c.state.Mountpoint, v.Dest))
|
|
|
|
|
if err == nil {
|
2021-07-12 12:56:55 +00:00
|
|
|
if stat, ok := st.Sys().(*syscall.Stat_t); ok {
|
|
|
|
|
if err := os.Lchown(mountPoint, int(stat.Uid), int(stat.Gid)); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-12-07 09:38:52 +00:00
|
|
|
if err := os.Chmod(mountPoint, st.Mode()); err != nil {
|
2021-06-02 09:28:26 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
stat := st.Sys().(*syscall.Stat_t)
|
2022-05-19 08:45:28 +00:00
|
|
|
atime := time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec)) // nolint: unconvert
|
2021-06-02 09:28:26 +00:00
|
|
|
if err := os.Chtimes(mountPoint, atime, st.ModTime()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
} else if !os.IsNotExist(err) {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-10-13 20:24:46 +00:00
|
|
|
|
|
|
|
|
func (c *Container) relabel(src, mountLabel string, recurse bool) error {
|
|
|
|
|
if !selinux.GetEnabled() || mountLabel == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
// only relabel on initial creation of container
|
|
|
|
|
if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateUnknown) {
|
|
|
|
|
label, err := label.FileLabel(src)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
// If labels are different, might be on a tmpfs
|
|
|
|
|
if label == mountLabel {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return label.Relabel(src, mountLabel, recurse)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error {
|
|
|
|
|
// only chown on initial creation of container
|
|
|
|
|
if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateUnknown) {
|
|
|
|
|
st, err := os.Stat(src)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If labels are different, might be on a tmpfs
|
|
|
|
|
if int(st.Sys().(*syscall.Stat_t).Uid) == uid && int(st.Sys().(*syscall.Stat_t).Gid) == gid {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return chown.ChangeHostPathOwnership(src, recurse, uid, gid)
|
|
|
|
|
}
|