diff options
author | Doug Rabson <dfr@rabson.org> | 2022-08-17 10:29:40 +0100 |
---|---|---|
committer | Doug Rabson <dfr@rabson.org> | 2022-08-18 08:05:42 +0100 |
commit | 6791cdbdf153a0b3103810679995cc09ea8db340 (patch) | |
tree | 6fb660d304777416b87d97b41f1d82311e7dfabf /libpod/oci_conmon_linux.go | |
parent | 68b2450d3de0344b2a4cfacdcabed8d1c854cb68 (diff) | |
download | podman-6791cdbdf153a0b3103810679995cc09ea8db340.tar.gz podman-6791cdbdf153a0b3103810679995cc09ea8db340.tar.bz2 podman-6791cdbdf153a0b3103810679995cc09ea8db340.zip |
libpod: Move rootless handling from oci_conmon_common.go to oci_conmon_linux.go
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Diffstat (limited to 'libpod/oci_conmon_linux.go')
-rw-r--r-- | libpod/oci_conmon_linux.go | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go new file mode 100644 index 000000000..4e8bbafd6 --- /dev/null +++ b/libpod/oci_conmon_linux.go @@ -0,0 +1,70 @@ +package libpod + +import ( + "fmt" + "os" + "runtime" + "strings" + + "github.com/containers/podman/v4/pkg/errorhandling" + pmount "github.com/containers/storage/pkg/mount" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" +) + +func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) { + type result struct { + restoreDuration int64 + err error + } + ch := make(chan result) + go func() { + runtime.LockOSThread() + restoreDuration, err := func() (int64, error) { + fd, err := os.Open(fmt.Sprintf("/proc/%d/task/%d/ns/mnt", os.Getpid(), unix.Gettid())) + if err != nil { + return 0, err + } + defer errorhandling.CloseQuiet(fd) + + // create a new mountns on the current thread + if err = unix.Unshare(unix.CLONE_NEWNS); err != nil { + return 0, err + } + defer func() { + if err := unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS); err != nil { + logrus.Errorf("Unable to clone new namespace: %q", err) + } + }() + + // don't spread our mounts around. We are setting only /sys to be slave + // so that the cleanup process is still able to umount the storage and the + // changes are propagated to the host. + err = unix.Mount("/sys", "/sys", "none", unix.MS_REC|unix.MS_SLAVE, "") + if err != nil { + return 0, fmt.Errorf("cannot make /sys slave: %w", err) + } + + mounts, err := pmount.GetMounts() + if err != nil { + return 0, err + } + for _, m := range mounts { + if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") { + continue + } + err = unix.Unmount(m.Mountpoint, 0) + if err != nil && !os.IsNotExist(err) { + return 0, fmt.Errorf("cannot unmount %s: %w", m.Mountpoint, err) + } + } + return r.createOCIContainer(ctr, restoreOptions) + }() + ch <- result{ + restoreDuration: restoreDuration, + err: err, + } + }() + res := <-ch + return res.restoreDuration, res.err +} |