diff options
| author | Paul Holzinger <pholzing@redhat.com> | 2021-09-14 11:13:28 +0200 |
|---|---|---|
| committer | Matthew Heon <mheon@redhat.com> | 2021-09-16 09:42:14 -0400 |
| commit | 0ca62196a0432355365ba2db0c20934fa36d8039 (patch) | |
| tree | 2ffe2d1a0a5115ee384d1693e3fe79f0cdeb63be | |
| parent | b6789c3d5f763b2b7ff9a795e1a046de745bd3eb (diff) | |
| download | podman-0ca62196a0432355365ba2db0c20934fa36d8039.tar.gz podman-0ca62196a0432355365ba2db0c20934fa36d8039.tar.bz2 podman-0ca62196a0432355365ba2db0c20934fa36d8039.zip | |
libpod: rootful close binded ports
For rootful users ports are forwarded via iptables. To make sure no
other process tries to use them, libpod will bind the ports and pass the
fds to conmon. There seems to be race when a container is restarted
because libpod tries to bind the port before the conmon process exited.
The problem only hapens with the podman service because it keeps the
connection open. Once we have the fd and passed it to conmon the
podman service should close the connection.
To verify run `sudo ss -tulpn` and check that only the conmon process
keeps the port open. Previously you would also see the podman server
process listed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| -rw-r--r-- | libpod/oci_conmon_linux.go | 1 | ||||
| -rw-r--r-- | libpod/oci_util.go | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 924df2310..8a823e4fc 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1138,6 +1138,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co if err != nil { return err } + filesToClose = append(filesToClose, ports...) // Leak the port we bound in the conmon process. These fd's won't be used // by the container and conmon will keep the ports busy so that another diff --git a/libpod/oci_util.go b/libpod/oci_util.go index 1cafd5863..f2843b09b 100644 --- a/libpod/oci_util.go +++ b/libpod/oci_util.go @@ -68,6 +68,12 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) { return nil, errors.Wrapf(err, "cannot get file for UDP socket") } files = append(files, f) + // close the listener + // note that this does not affect the fd, see the godoc for server.File() + err = server.Close() + if err != nil { + logrus.Warnf("failed to close connection: %v", err) + } case "tcp": var ( @@ -96,6 +102,13 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) { return nil, errors.Wrapf(err, "cannot get file for TCP socket") } files = append(files, f) + // close the listener + // note that this does not affect the fd, see the godoc for server.File() + err = server.Close() + if err != nil { + logrus.Warnf("failed to close connection: %v", err) + } + case "sctp": if !notifySCTP { notifySCTP = true |