diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2019-09-13 12:44:50 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-09-13 16:43:50 -0400 |
| commit | a481a1265acbfb011a5400ffba39bbcb020a1c7c (patch) | |
| tree | 665aefef3e57b91527938ff075338719dedb0515 | |
| parent | 0079c24ec16b4d08b5460f7e06ad5a4908c8b8be (diff) | |
| download | podman-a481a1265acbfb011a5400ffba39bbcb020a1c7c.tar.gz podman-a481a1265acbfb011a5400ffba39bbcb020a1c7c.tar.bz2 podman-a481a1265acbfb011a5400ffba39bbcb020a1c7c.zip | |
Fix default to pause in podman cp
We want to default to secure when running containers as root,
in rootless, we need to change the default if the system does not
support cgroup v1.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| -rw-r--r-- | cmd/podman/cp.go | 14 | ||||
| -rw-r--r-- | docs/podman-cp.1.md | 2 |
2 files changed, 14 insertions, 2 deletions
diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 661d0a530..7205f9357 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -14,6 +14,7 @@ import ( "github.com/containers/libpod/cmd/podman/libpodruntime" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" + "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" @@ -52,7 +53,7 @@ func init() { cpCommand.Command = _cpCommand flags := cpCommand.Flags() flags.BoolVar(&cpCommand.Extract, "extract", false, "Extract the tar file into the destination directory.") - flags.BoolVar(&cpCommand.Pause, "pause", true, "Pause the container while copying") + flags.BoolVar(&cpCommand.Pause, "pause", copyPause(), "Pause the container while copying") cpCommand.SetHelpTemplate(HelpTemplate()) cpCommand.SetUsageTemplate(UsageTemplate()) } @@ -480,3 +481,14 @@ func pathWithBindMountSource(m specs.Mount, path string) (string, error) { } return securejoin.SecureJoin(m.Source, strings.TrimPrefix(path, m.Destination)) } + +func copyPause() bool { + if !remoteclient && rootless.IsRootless() { + cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() + if !cgroupv2 { + logrus.Debugf("defaulting to pause==false on rootless cp in cgroupv1 systems") + return false + } + } + return true +} diff --git a/docs/podman-cp.1.md b/docs/podman-cp.1.md index e3d992b55..736bdb12a 100644 --- a/docs/podman-cp.1.md +++ b/docs/podman-cp.1.md @@ -65,7 +65,7 @@ Extract the tar file into the destination directory. If the destination director **--pause** -Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *false*. +Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *true*. On rootless containers with cgroups V1, defaults to false. ## ALTERNATIVES |