summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2018-08-30 18:26:41 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-09-04 14:36:57 +0000
commit14c0f9d63c1f9ab6b4f09a827a061dfeb7f4eb79 (patch)
treefd2c4d72e9fe57fec8cc826522d077833637e5d8
parentdaa28349c8cfadc53de96a851b7d1d71de7b14e9 (diff)
downloadpodman-14c0f9d63c1f9ab6b4f09a827a061dfeb7f4eb79.tar.gz
podman-14c0f9d63c1f9ab6b4f09a827a061dfeb7f4eb79.tar.bz2
podman-14c0f9d63c1f9ab6b4f09a827a061dfeb7f4eb79.zip
rootless: be in an userns to initialize the runtime
be sure to be in an userns for a rootless process before initializing the runtime. In case we are not running as uid==0, take advantage of "podman info" that creates the runtime. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
-rw-r--r--cmd/podman/main.go2
-rw-r--r--libpod/runtime.go28
2 files changed, 27 insertions, 3 deletions
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 0e6a2e600..6b9bda55e 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -29,6 +29,8 @@ var cmdsNotRequiringRootless = map[string]bool{
"help": true,
"version": true,
"exec": true,
+ // `info` must be executed in an user namespace.
+ // If this change, please also update libpod.refreshRootless()
"login": true,
"logout": true,
"kill": true,
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 2df4ef760..da5d9fa70 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -4,6 +4,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/exec"
"path/filepath"
"sync"
"syscall"
@@ -547,7 +548,12 @@ func makeRuntime(runtime *Runtime) (err error) {
// TODO: we can't close the FD in this lock, so we should keep it around
// and use it to lock important operations
aliveLock.Lock()
- defer aliveLock.Unlock()
+ locked := true
+ defer func() {
+ if locked {
+ aliveLock.Unlock()
+ }
+ }()
_, err = os.Stat(runtimeAliveFile)
if err != nil {
// If the file doesn't exist, we need to refresh the state
@@ -555,8 +561,16 @@ func makeRuntime(runtime *Runtime) (err error) {
// empty state only creates a single file
// As such, it's not really a performance concern
if os.IsNotExist(err) {
- if err2 := runtime.refresh(runtimeAliveFile); err2 != nil {
- return err2
+ if os.Getuid() != 0 {
+ aliveLock.Unlock()
+ locked = false
+ if err2 := runtime.refreshRootless(); err2 != nil {
+ return err2
+ }
+ } else {
+ if err2 := runtime.refresh(runtimeAliveFile); err2 != nil {
+ return err2
+ }
}
} else {
return errors.Wrapf(err, "error reading runtime status file %s", runtimeAliveFile)
@@ -631,6 +645,14 @@ func (r *Runtime) Shutdown(force bool) error {
return lastError
}
+// Reconfigures the runtime after a reboot for a rootless process
+func (r *Runtime) refreshRootless() error {
+ // Take advantage of a command that requires a new userns
+ // so that we are running as the root user and able to use refresh()
+ cmd := exec.Command(os.Args[0], "info")
+ return cmd.Run()
+}
+
// Reconfigures the runtime after a reboot
// Refreshes the state, recreating temporary files
// Does not check validity as the runtime is not valid until after this has run