aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-08-12 16:53:46 +0200
committerGitHub <noreply@github.com>2019-08-12 16:53:46 +0200
commitec93c9d8753c1cf346fe7fee3035af1a0dcf9b55 (patch)
tree37a407bad913399b31b543db9caa7dbb5e13a232
parentf18cfa47686a30166cfe6f743dbda0e13575e4f2 (diff)
parent9e2f9c8b7804cec7ed7bcf595272de976f799ef6 (diff)
downloadpodman-ec93c9d8753c1cf346fe7fee3035af1a0dcf9b55.tar.gz
podman-ec93c9d8753c1cf346fe7fee3035af1a0dcf9b55.tar.bz2
podman-ec93c9d8753c1cf346fe7fee3035af1a0dcf9b55.zip
Merge pull request #3786 from giuseppe/fix-rootless-checks
rootless: drop some superflous checks
-rw-r--r--cmd/podman/pod_create.go2
-rw-r--r--cmd/podman/pod_stats.go13
-rw-r--r--cmd/podman/shared/create.go6
-rw-r--r--cmd/podman/stats.go13
-rw-r--r--libpod/oci_internal_linux.go42
-rw-r--r--pkg/spec/storage.go5
6 files changed, 44 insertions, 37 deletions
diff --git a/cmd/podman/pod_create.go b/cmd/podman/pod_create.go
index b6154b4db..d04c85dba 100644
--- a/cmd/podman/pod_create.go
+++ b/cmd/podman/pod_create.go
@@ -78,7 +78,7 @@ func podCreateCmd(c *cliconfig.PodCreateValues) error {
if !c.Infra && c.Flag("share").Changed && c.Share != "none" && c.Share != "" {
return errors.Errorf("You cannot share kernel namespaces on the pod level without an infra container")
}
- if c.Flag("pod-id-file").Changed && os.Geteuid() == 0 {
+ if c.Flag("pod-id-file").Changed {
podIdFile, err = util.OpenExclusiveFile(c.PodIDFile)
if err != nil && os.IsExist(err) {
return errors.Errorf("pod id file exists. Ensure another pod is not using it or delete %s", c.PodIDFile)
diff --git a/cmd/podman/pod_stats.go b/cmd/podman/pod_stats.go
index 46cacc026..2f1ebd3ac 100644
--- a/cmd/podman/pod_stats.go
+++ b/cmd/podman/pod_stats.go
@@ -15,6 +15,8 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/adapter"
+ "github.com/containers/libpod/pkg/cgroups"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/pkg/errors"
"github.com/spf13/cobra"
)
@@ -53,9 +55,14 @@ func init() {
}
func podStatsCmd(c *cliconfig.PodStatsValues) error {
-
- if os.Geteuid() != 0 {
- return errors.New("stats is not supported in rootless mode")
+ if rootless.IsRootless() {
+ unified, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return err
+ }
+ if !unified {
+ return errors.New("stats is not supported in rootless mode without cgroups v2")
+ }
}
format := c.Format
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 84cba4b75..e29e6b28e 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -55,7 +55,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
rootfs = c.InputArgs[0]
}
- if c.IsSet("cidfile") && os.Geteuid() == 0 {
+ if c.IsSet("cidfile") {
cidFile, err = util.OpenExclusiveFile(c.String("cidfile"))
if err != nil && os.IsExist(err) {
return nil, nil, errors.Errorf("container id file exists. Ensure another container is not using it or delete %s", c.String("cidfile"))
@@ -70,8 +70,8 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
imageName := ""
var data *inspect.ImageData = nil
- // Set the storage if we are running as euid == 0 and there is no rootfs specified
- if rootfs == "" && os.Geteuid() == 0 {
+ // Set the storage if there is no rootfs specified
+ if rootfs == "" {
var writer io.Writer
if !c.Bool("quiet") {
writer = os.Stderr
diff --git a/cmd/podman/stats.go b/cmd/podman/stats.go
index 3accae1b6..2f696445e 100644
--- a/cmd/podman/stats.go
+++ b/cmd/podman/stats.go
@@ -2,7 +2,6 @@ package main
import (
"fmt"
- "os"
"reflect"
"strings"
"time"
@@ -13,6 +12,8 @@ import (
"github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/define"
+ "github.com/containers/libpod/pkg/cgroups"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/docker/go-units"
"github.com/pkg/errors"
"github.com/spf13/cobra"
@@ -66,8 +67,14 @@ func init() {
}
func statsCmd(c *cliconfig.StatsValues) error {
- if os.Geteuid() != 0 {
- return errors.New("stats is not supported for rootless containers")
+ if rootless.IsRootless() {
+ unified, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return err
+ }
+ if !unified {
+ return errors.New("stats is not supported in rootless mode without cgroups v2")
+ }
}
all := c.All
diff --git a/libpod/oci_internal_linux.go b/libpod/oci_internal_linux.go
index 52cebefab..e2c73f5ed 100644
--- a/libpod/oci_internal_linux.go
+++ b/libpod/oci_internal_linux.go
@@ -352,31 +352,29 @@ func startCommandGivenSelinux(cmd *exec.Cmd) error {
// it then signals for conmon to start by sending nonse data down the start fd
func (r *OCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, startFd *os.File, uuid string) error {
cgroupParent := ctr.CgroupParent()
- if os.Geteuid() == 0 {
- if r.cgroupManager == SystemdCgroupsManager {
- unitName := createUnitName("libpod-conmon", ctr.ID())
-
- realCgroupParent := cgroupParent
- splitParent := strings.Split(cgroupParent, "/")
- if strings.HasSuffix(cgroupParent, ".slice") && len(splitParent) > 1 {
- realCgroupParent = splitParent[len(splitParent)-1]
- }
+ if r.cgroupManager == SystemdCgroupsManager {
+ unitName := createUnitName("libpod-conmon", ctr.ID())
- logrus.Infof("Running conmon under slice %s and unitName %s", realCgroupParent, unitName)
- if err := utils.RunUnderSystemdScope(cmd.Process.Pid, realCgroupParent, unitName); err != nil {
- logrus.Warnf("Failed to add conmon to systemd sandbox cgroup: %v", err)
- }
+ realCgroupParent := cgroupParent
+ splitParent := strings.Split(cgroupParent, "/")
+ if strings.HasSuffix(cgroupParent, ".slice") && len(splitParent) > 1 {
+ realCgroupParent = splitParent[len(splitParent)-1]
+ }
+
+ logrus.Infof("Running conmon under slice %s and unitName %s", realCgroupParent, unitName)
+ if err := utils.RunUnderSystemdScope(cmd.Process.Pid, realCgroupParent, unitName); err != nil {
+ logrus.Warnf("Failed to add conmon to systemd sandbox cgroup: %v", err)
+ }
+ } else {
+ cgroupPath := filepath.Join(ctr.config.CgroupParent, "conmon")
+ control, err := cgroups.New(cgroupPath, &spec.LinuxResources{})
+ if err != nil {
+ logrus.Warnf("Failed to add conmon to cgroupfs sandbox cgroup: %v", err)
} else {
- cgroupPath := filepath.Join(ctr.config.CgroupParent, "conmon")
- control, err := cgroups.New(cgroupPath, &spec.LinuxResources{})
- if err != nil {
+ // we need to remove this defer and delete the cgroup once conmon exits
+ // maybe need a conmon monitor?
+ if err := control.AddPid(cmd.Process.Pid); err != nil {
logrus.Warnf("Failed to add conmon to cgroupfs sandbox cgroup: %v", err)
- } else {
- // we need to remove this defer and delete the cgroup once conmon exits
- // maybe need a conmon monitor?
- if err := control.AddPid(cmd.Process.Pid); err != nil {
- logrus.Warnf("Failed to add conmon to cgroupfs sandbox cgroup: %v", err)
- }
}
}
}
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index e0bb48a9c..a8dc7f4a8 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -238,11 +238,6 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
// Conflicts are resolved simply - the last container specified wins.
// Container names may be suffixed by mount options after a colon.
func (config *CreateConfig) getVolumesFrom(runtime *libpod.Runtime) (map[string]spec.Mount, map[string]*libpod.ContainerNamedVolume, error) {
- // TODO: This can probably be disabled now
- if os.Geteuid() != 0 {
- return nil, nil, nil
- }
-
// Both of these are maps of mount destination to mount type.
// We ensure that each destination is only mounted to once in this way.
finalMounts := make(map[string]spec.Mount)