Merge pull request #11606 from giuseppe/always-move-pause-process-to-scope

runtime: move pause process to scope

3 files changed, 46 insertions, 42 deletions

diff --git a/libpod/runtime.go b/libpod/runtime.go
index d2b3d36da..a2279e56d 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -35,6 +35,7 @@ import (
 	"github.com/containers/podman/v3/pkg/rootless"
 	"github.com/containers/podman/v3/pkg/systemd"
 	"github.com/containers/podman/v3/pkg/util"
+	"github.com/containers/podman/v3/utils"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/docker/docker/pkg/namesgenerator"
@@ -543,6 +544,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
 				return err
 			}
 			if became {
+				utils.MovePauseProcessToScope(pausePid)
 				os.Exit(ret)
 			}
 		}
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index bc98edd06..e326f26a8 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -3,16 +3,12 @@ package abi
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strconv"
-	"strings"
 
 	"github.com/containers/common/pkg/config"
-	"github.com/containers/podman/v3/libpod"
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/pkg/cgroups"
 	"github.com/containers/podman/v3/pkg/domain/entities"
@@ -72,11 +68,7 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 			if err != nil {
 				return err
 			}
-
-			initCommand, err := ioutil.ReadFile("/proc/1/comm")
-			// On errors, default to systemd
-			runsUnderSystemd := err != nil || strings.TrimRight(string(initCommand), "\n") == "systemd"
-
+			runsUnderSystemd := utils.RunsOnSystemd()
 			unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
 			if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
 				if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
@@ -120,18 +112,7 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 	}
 
 	became, ret, err = rootless.TryJoinFromFilePaths(pausePidPath, true, paths)
-
-	if err := movePauseProcessToScope(ic.Libpod); err != nil {
-		conf, err2 := ic.Config(context.Background())
-		if err2 != nil {
-			return err
-		}
-		if conf.Engine.CgroupManager == config.SystemdCgroupsManager {
-			logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
-		} else {
-			logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
-		}
-	}
+	utils.MovePauseProcessToScope(pausePidPath)
 	if err != nil {
 		logrus.Error(errors.Wrapf(err, "invalid internal status, try resetting the pause process with %q", os.Args[0]+" system migrate"))
 		os.Exit(1)
@@ -142,27 +123,6 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 	return nil
 }
 
-func movePauseProcessToScope(r *libpod.Runtime) error {
-	tmpDir, err := r.TmpDir()
-	if err != nil {
-		return err
-	}
-	pausePidPath, err := util.GetRootlessPauseProcessPidPathGivenDir(tmpDir)
-	if err != nil {
-		return errors.Wrapf(err, "could not get pause process pid file path")
-	}
-	data, err := ioutil.ReadFile(pausePidPath)
-	if err != nil {
-		return errors.Wrapf(err, "cannot read pause pid file")
-	}
-	pid, err := strconv.ParseUint(string(data), 10, 0)
-	if err != nil {
-		return errors.Wrapf(err, "cannot parse pid file %s", pausePidPath)
-	}
-
-	return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
-}
-
 // SystemPrune removes unused data from the system. Pruning pods, containers, volumes and images.
 func (ic *ContainerEngine) SystemPrune(ctx context.Context, options entities.SystemPruneOptions) (*entities.SystemPruneReport, error) {
 	var systemPruneReport = new(entities.SystemPruneReport)
diff --git a/utils/utils.go b/utils/utils.go
index 2e415130e..185ac4865 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -4,10 +4,12 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/storage/pkg/archive"
@@ -155,3 +157,43 @@ func RemoveScientificNotationFromFloat(x float64) (float64, error) {
 	}
 	return result, nil
 }
+
+var (
+	runsOnSystemdOnce sync.Once
+	runsOnSystemd     bool
+)
+
+// RunsOnSystemd returns whether the system is using systemd
+func RunsOnSystemd() bool {
+	runsOnSystemdOnce.Do(func() {
+		initCommand, err := ioutil.ReadFile("/proc/1/comm")
+		// On errors, default to systemd
+		runsOnSystemd = err != nil || strings.TrimRight(string(initCommand), "\n") == "systemd"
+	})
+	return runsOnSystemd
+}
+
+func moveProcessToScope(pidPath, slice, scope string) error {
+	data, err := ioutil.ReadFile(pidPath)
+	if err != nil {
+		return errors.Wrapf(err, "cannot read pid file %s", pidPath)
+	}
+	pid, err := strconv.ParseUint(string(data), 10, 0)
+	if err != nil {
+		return errors.Wrapf(err, "cannot parse pid file %s", pidPath)
+	}
+	return RunUnderSystemdScope(int(pid), slice, scope)
+}
+
+// MovePauseProcessToScope moves the pause process used for rootless mode to keep the namespaces alive to
+// a separate scope.
+func MovePauseProcessToScope(pausePidPath string) {
+	err := moveProcessToScope(pausePidPath, "user.slice", "podman-pause.scope")
+	if err != nil {
+		if RunsOnSystemd() {
+			logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
+		} else {
+			logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
+		}
+	}
+}