summaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-09-06 15:30:30 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-09-12 08:35:26 +0200
commitafd0818326aa37f03a3bc74f0269a06a403db16d (patch)
tree8ebc91774297027f2c244b22a4428222d42fa3ad /cmd
parentb94a5e241095a55a6838970148d296e109b2afd1 (diff)
downloadpodman-afd0818326aa37f03a3bc74f0269a06a403db16d.tar.gz
podman-afd0818326aa37f03a3bc74f0269a06a403db16d.tar.bz2
podman-afd0818326aa37f03a3bc74f0269a06a403db16d.zip
rootless: automatically create a systemd scope
when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: https://github.com/containers/libpod/issues/3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/main_local.go49
1 files changed, 39 insertions, 10 deletions
diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go
index 0feba609b..56874baad 100644
--- a/cmd/podman/main_local.go
+++ b/cmd/podman/main_local.go
@@ -5,6 +5,7 @@ package main
import (
"context"
+ "fmt"
"log/syslog"
"os"
"runtime/pprof"
@@ -18,6 +19,7 @@ import (
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/tracing"
"github.com/containers/libpod/pkg/util"
+ "github.com/containers/libpod/utils"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -120,6 +122,10 @@ func profileOff(cmd *cobra.Command) error {
}
func setupRootless(cmd *cobra.Command, args []string) error {
+ if !rootless.IsRootless() {
+ return nil
+ }
+
matches, err := rootless.ConfigurationMatches()
if err != nil {
return err
@@ -128,9 +134,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
logrus.Warningf("the current user namespace doesn't match the configuration in /etc/subuid or /etc/subgid")
logrus.Warningf("you can use `%s system migrate` to recreate the user namespace and restart the containers", os.Args[0])
}
- if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
- return nil
- }
podmanCmd := cliconfig.PodmanCommand{
Command: cmd,
@@ -139,6 +142,39 @@ func setupRootless(cmd *cobra.Command, args []string) error {
Remote: remoteclient,
}
+ runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
+ if err != nil {
+ return errors.Wrapf(err, "could not get runtime")
+ }
+ defer runtime.DeferredShutdown(false)
+
+ // do it only after podman has already re-execed and running with uid==0.
+ if os.Geteuid() == 0 {
+ ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
+ if err != nil {
+ return err
+ }
+
+ if !ownsCgroup {
+ unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
+ if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
+ conf, err := runtime.GetConfig()
+ if err != nil {
+ return err
+ }
+ if conf.CgroupManager == libpod.SystemdCgroupsManager {
+ logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err)
+ } else {
+ logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
+ }
+ }
+ }
+ }
+
+ if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
+ return nil
+ }
+
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
if err != nil {
return errors.Wrapf(err, "could not get pause process pid file path")
@@ -158,13 +194,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
}
// if there is no pid file, try to join existing containers, and create a pause process.
-
- runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
- if err != nil {
- return errors.Wrapf(err, "could not get runtime")
- }
- defer runtime.DeferredShutdown(false)
-
ctrs, err := runtime.GetRunningContainers()
if err != nil {
logrus.Errorf(err.Error())