diff options
author | Valentin Rothberg <rothberg@redhat.com> | 2020-10-01 14:17:02 +0200 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2020-10-01 18:30:20 +0200 |
commit | 04dddbbf7f85824f4917ff8f62eed27301088090 (patch) | |
tree | 9c72cd46bcb30f57948530c77759a842a595d9e7 | |
parent | c70f5fb19bb411f81183d025d18bbf1e8cdc0938 (diff) | |
download | podman-04dddbbf7f85824f4917ff8f62eed27301088090.tar.gz podman-04dddbbf7f85824f4917ff8f62eed27301088090.tar.bz2 podman-04dddbbf7f85824f4917ff8f62eed27301088090.zip |
remote: fix name and ID collisions of containers and pods
Fix the look up of containers and pods in the remote client. User input
can refer to both, names or IDs of containers and pods, so there is a
fair chance of collisions (e.g., "c1" name with a "c1...." ID).
Those collisions are well handled (and battle tested) in the local
client which is directly using the libpod backend. Hence, the remote
client should not attempt to introduce its own logic to prevent bugs and
divergence between the local and the remote clients. To prevent
collisions such as in #7837, do a container/pod inspect on the
user-provided input to find the corresponding ID and eventually do full
ID comparisons to avoid potential collisions with names.
Note that this has a cost that I am not entirely happy with. Looking at
issue #7837, the collisions are happening when removing the two
containers. Remote container removal is now very chatty with the server
as it first queries for all containers, then iterates over the provided
names or IDs and does a remote inspect to figure out the IDs and find a
matching container object. However, remote removal could just pass the
names and IDs directly to the batch removal endpoint. Querying for all
containers could be prevented if the batch removal endpoint would remove
all if the slice is empty.
In other words, the bug is fixed but there's room for performance
improvements.
Fixes: #7837
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
-rw-r--r-- | pkg/domain/infra/tunnel/helpers.go | 92 |
1 files changed, 68 insertions, 24 deletions
diff --git a/pkg/domain/infra/tunnel/helpers.go b/pkg/domain/infra/tunnel/helpers.go index 5944f855a..7d28f1bd3 100644 --- a/pkg/domain/infra/tunnel/helpers.go +++ b/pkg/domain/infra/tunnel/helpers.go @@ -2,74 +2,118 @@ package tunnel import ( "context" - "strings" "github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/pkg/bindings" "github.com/containers/podman/v2/pkg/bindings/containers" "github.com/containers/podman/v2/pkg/bindings/pods" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/containers/podman/v2/pkg/util" + "github.com/containers/podman/v2/pkg/errorhandling" "github.com/pkg/errors" ) +// FIXME: the `ignore` parameter is very likely wrong here as it should rather +// be used on *errors* from operations such as remove. func getContainersByContext(contextWithConnection context.Context, all, ignore bool, namesOrIDs []string) ([]entities.ListContainer, error) { - var ( - cons []entities.ListContainer - ) if all && len(namesOrIDs) > 0 { return nil, errors.New("cannot lookup containers and all") } - c, err := containers.List(contextWithConnection, nil, bindings.PTrue, nil, nil, bindings.PTrue) + + allContainers, err := containers.List(contextWithConnection, nil, bindings.PTrue, nil, nil, bindings.PTrue) if err != nil { return nil, err } if all { - return c, err + return allContainers, err } - for _, id := range namesOrIDs { - var found bool - for _, con := range c { - if id == con.ID || strings.HasPrefix(con.ID, id) || util.StringInSlice(id, con.Names) { - cons = append(cons, con) + + // Note: it would be nicer if the lists endpoint would support that as + // we could use the libpod backend for looking up containers rather + // than risking diverging the local and remote lookups. + // + // A `--filter nameOrId=abc` that can be specified multiple times would + // be awesome to have. + filtered := []entities.ListContainer{} + for _, nameOrID := range namesOrIDs { + // First determine if the container exists by doing an inspect. + // Inspect takes supports names and IDs and let's us determine + // a containers full ID. + inspectData, err := containers.Inspect(contextWithConnection, nameOrID, bindings.PFalse) + if err != nil { + if ignore && errorhandling.Contains(err, define.ErrNoSuchCtr) { + continue + } + return nil, err + } + + // Now we can do a full match of the ID to find the right + // container. Note that we *really* need a full ID match to + // prevent any ambiguities between IDs and names (see #7837). + found := false + for _, ctr := range allContainers { + if ctr.ID == inspectData.ID { + filtered = append(filtered, ctr) found = true break } + } + if !found && !ignore { - return nil, errors.Wrapf(define.ErrNoSuchCtr, "unable to find container %q", id) + return nil, errors.Wrapf(define.ErrNoSuchCtr, "unable to find container %q", nameOrID) } } - return cons, nil + return filtered, nil } func getPodsByContext(contextWithConnection context.Context, all bool, namesOrIDs []string) ([]*entities.ListPodsReport, error) { - var ( - sPods []*entities.ListPodsReport - ) if all && len(namesOrIDs) > 0 { return nil, errors.New("cannot lookup specific pods and all") } - fPods, err := pods.List(contextWithConnection, nil) + allPods, err := pods.List(contextWithConnection, nil) if err != nil { return nil, err } if all { - return fPods, nil + return allPods, nil } + + filtered := []*entities.ListPodsReport{} + // Note: it would be nicer if the lists endpoint would support that as + // we could use the libpod backend for looking up pods rather than + // risking diverging the local and remote lookups. + // + // A `--filter nameOrId=abc` that can be specified multiple times would + // be awesome to have. for _, nameOrID := range namesOrIDs { - var found bool - for _, f := range fPods { - if f.Name == nameOrID || strings.HasPrefix(f.Id, nameOrID) { - sPods = append(sPods, f) + // First determine if the pod exists by doing an inspect. + // Inspect takes supports names and IDs and let's us determine + // a containers full ID. + inspectData, err := pods.Inspect(contextWithConnection, nameOrID) + if err != nil { + if errorhandling.Contains(err, define.ErrNoSuchPod) { + return nil, errors.Wrapf(define.ErrNoSuchPod, "unable to find pod %q", nameOrID) + } + return nil, err + } + + // Now we can do a full match of the ID to find the right pod. + // Note that we *really* need a full ID match to prevent any + // ambiguities between IDs and names (see #7837). + found := false + for _, pod := range allPods { + if pod.Id == inspectData.ID { + filtered = append(filtered, pod) found = true break } + } + if !found { return nil, errors.Wrapf(define.ErrNoSuchPod, "unable to find pod %q", nameOrID) } } - return sPods, nil + return filtered, nil } |