summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-05-19 11:45:55 -0400
committerGitHub <noreply@github.com>2021-05-19 11:45:55 -0400
commit46832259a878a7e6438c7022be83a2170734eb48 (patch)
treeca6e4710bd3b6894c736b33f45199bd9519f012d
parent18efc5a3a78ba7352e42517ba251212833b4583d (diff)
parentbc0e12a047cce2cc717320257545663073383f48 (diff)
downloadpodman-46832259a878a7e6438c7022be83a2170734eb48.tar.gz
podman-46832259a878a7e6438c7022be83a2170734eb48.tar.bz2
podman-46832259a878a7e6438c7022be83a2170734eb48.zip
Merge pull request #10327 from rhatdan/copy
Fix problem copying files when container is in host pid namespace
-rw-r--r--libpod/container_copy_linux.go25
-rw-r--r--libpod/container_inspect.go23
-rw-r--r--test/e2e/cp_test.go44
-rw-r--r--test/system/065-cp.bats16
4 files changed, 101 insertions, 7 deletions
diff --git a/libpod/container_copy_linux.go b/libpod/container_copy_linux.go
index 5c275c641..0ab322829 100644
--- a/libpod/container_copy_linux.go
+++ b/libpod/container_copy_linux.go
@@ -237,21 +237,32 @@ func (c *Container) joinMountAndExec(ctx context.Context, f func() error) error
}
defer mountFD.Close()
- pidFD, err := getFD(PIDNS)
+ inHostPidNS, err := c.inHostPidNS()
if err != nil {
- errChan <- err
+ errChan <- errors.Wrap(err, "checking inHostPidNS")
return
}
- defer pidFD.Close()
- if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
- errChan <- err
- return
+ var pidFD *os.File
+ if !inHostPidNS {
+ pidFD, err = getFD(PIDNS)
+ if err != nil {
+ errChan <- err
+ return
+ }
+ defer pidFD.Close()
}
- if err := unix.Setns(int(pidFD.Fd()), unix.CLONE_NEWPID); err != nil {
+
+ if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
errChan <- err
return
}
+ if pidFD != nil {
+ if err := unix.Setns(int(pidFD.Fd()), unix.CLONE_NEWPID); err != nil {
+ errChan <- err
+ return
+ }
+ }
if err := unix.Setns(int(mountFD.Fd()), unix.CLONE_NEWNS); err != nil {
errChan <- err
return
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 4210bc581..638e0b756 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -892,3 +892,26 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
return hostConfig, nil
}
+
+// Return true if the container is running in the host's PID NS.
+func (c *Container) inHostPidNS() (bool, error) {
+ if c.config.PIDNsCtr != "" {
+ return false, nil
+ }
+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return false, err
+ }
+ if ctrSpec.Linux != nil {
+ // Locate the spec's PID namespace.
+ // If there is none, it's pid=host.
+ // If there is one and it has a path, it's "ns:".
+ // If there is no path, it's default - the empty string.
+ for _, ns := range ctrSpec.Linux.Namespaces {
+ if ns.Type == spec.PIDNamespace {
+ return false, nil
+ }
+ }
+ }
+ return true, nil
+}
diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go
index c0fb3f887..be4901833 100644
--- a/test/e2e/cp_test.go
+++ b/test/e2e/cp_test.go
@@ -91,6 +91,50 @@ var _ = Describe("Podman cp", func() {
Expect(roundtripContent).To(Equal(originalContent))
})
+ // Copy a file to the container, then back to the host in --pid=host
+ It("podman cp --pid=host file", func() {
+ SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1")
+ srcFile, err := ioutil.TempFile("", "")
+ Expect(err).To(BeNil())
+ defer srcFile.Close()
+ defer os.Remove(srcFile.Name())
+
+ originalContent := []byte("podman cp file test")
+ err = ioutil.WriteFile(srcFile.Name(), originalContent, 0644)
+ Expect(err).To(BeNil())
+
+ // Create a container. NOTE that container mustn't be running for copying.
+ session := podmanTest.Podman([]string{"create", "--pid=host", ALPINE, "top"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ name := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"start", name})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ // The file will now be created (and written to).
+ session = podmanTest.Podman([]string{"cp", srcFile.Name(), name + ":foo"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ // Copy FROM the container.
+
+ destFile, err := ioutil.TempFile("", "")
+ Expect(err).To(BeNil())
+ defer destFile.Close()
+ defer os.Remove(destFile.Name())
+
+ session = podmanTest.Podman([]string{"cp", name + ":foo", destFile.Name()})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ // Now make sure the content matches.
+ roundtripContent, err := ioutil.ReadFile(destFile.Name())
+ Expect(err).To(BeNil())
+ Expect(roundtripContent).To(Equal(originalContent))
+ })
+
// Create a symlink in the container, use it as a copy destination and
// make sure that the link and the resolved path are accessible and
// give the right content.
diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats
index 679cdc209..24ac8118e 100644
--- a/test/system/065-cp.bats
+++ b/test/system/065-cp.bats
@@ -130,6 +130,22 @@ load helpers
}
+@test "podman cp file from/to host while --pid=host" {
+ if is_rootless && ! is_cgroupsv2; then
+ skip "'podman cp --pid=host' (rootless) only works with cgroups v2"
+ fi
+
+ srcdir=$PODMAN_TMPDIR/cp-pid-equals-host
+ mkdir -p $srcdir
+ touch $srcdir/hostfile
+
+ run_podman run --pid=host -d --name cpcontainer $IMAGE sleep infinity
+ run_podman cp $srcdir/hostfile cpcontainer:/tmp/hostfile
+ run_podman cp cpcontainer:/tmp/hostfile $srcdir/hostfile1
+ run_podman kill cpcontainer
+ run_podman rm -f cpcontainer
+}
+
@test "podman cp file from container to host" {
srcdir=$PODMAN_TMPDIR/cp-test-file-ctr-to-host
mkdir -p $srcdir