summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Reber <areber@redhat.com>2021-10-25 15:00:22 +0000
committerAdrian Reber <areber@redhat.com>2021-10-26 14:42:32 +0000
commitbf8fd943ef61941b7ffe10cd389615256b381e2f (patch)
tree0bf8fbeb1e46b5dd448c6f5e20d74164a9ae1e35
parentdbe770e3ce2ac2e34ffa8e28b80df57eb0182a68 (diff)
downloadpodman-bf8fd943ef61941b7ffe10cd389615256b381e2f.tar.gz
podman-bf8fd943ef61941b7ffe10cd389615256b381e2f.tar.bz2
podman-bf8fd943ef61941b7ffe10cd389615256b381e2f.zip
Allow 'container restore' with '--ipc host'
Trying to restore a container that was started with '--ipc host' fails with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified We already fixed this exact same error message for containers started with '--privileged'. The previous fix was to check if the to be restored container is a privileged container (c.config.Privileged). Unfortunately this does not work for containers started with '--ipc host'. This commit changes the check for a privileged container to check if both the ProcessLabel and the MountLabel is actually set and only then re-uses those labels. Signed-off-by: Adrian Reber <areber@redhat.com>
-rw-r--r--libpod/container_internal.go10
-rw-r--r--test/e2e/checkpoint_test.go35
2 files changed, 41 insertions, 4 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 994ffeec7..d4384b791 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -457,10 +457,12 @@ func (c *Container) setupStorage(ctx context.Context) error {
options.StorageOpt[split2[0]] = split2[1]
}
}
- if c.restoreFromCheckpoint && !c.config.Privileged {
- // If restoring from a checkpoint, the root file-system
- // needs to be mounted with the same SELinux labels as
- // it was mounted previously.
+ if c.restoreFromCheckpoint && c.config.ProcessLabel != "" && c.config.MountLabel != "" {
+ // If restoring from a checkpoint, the root file-system needs
+ // to be mounted with the same SELinux labels as it was mounted
+ // previously. But only if both labels have been set. For
+ // privileged containers or '--ipc host' only ProcessLabel will
+ // be set and so we will skip it for cases like that.
if options.Flags == nil {
options.Flags = make(map[string]interface{})
}
diff --git a/test/e2e/checkpoint_test.go b/test/e2e/checkpoint_test.go
index 770a7c7bd..a8efe1ca9 100644
--- a/test/e2e/checkpoint_test.go
+++ b/test/e2e/checkpoint_test.go
@@ -1156,4 +1156,39 @@ var _ = Describe("Podman checkpoint", func() {
os.Remove(fileName)
})
}
+
+ It("podman checkpoint container with export (migration) and --ipc host", func() {
+ localRunString := getRunString([]string{"--rm", "--ipc", "host", ALPINE, "top"})
+ session := podmanTest.Podman(localRunString)
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1))
+ cid := session.OutputToString()
+ fileName := "/tmp/checkpoint-" + cid + ".tar.gz"
+
+ result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", fileName})
+ result.WaitWithDefaultTimeout()
+
+ // As the container has been started with '--rm' it will be completely
+ // cleaned up after checkpointing.
+ Expect(result).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(0))
+
+ result = podmanTest.Podman([]string{"container", "restore", "-i", fileName})
+ result.WaitWithDefaultTimeout()
+
+ Expect(result).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1))
+ Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up"))
+
+ result = podmanTest.Podman([]string{"rm", "-t", "0", "-fa"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(0))
+
+ // Remove exported checkpoint
+ os.Remove(fileName)
+ })
})