summaryrefslogtreecommitdiff
path: root/pkg/adapter
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-03-19 12:08:52 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-04-01 15:32:58 +0200
commit72382a12a7b5ac85e53474dfd6dcd83cd64a2738 (patch)
tree583f29064a2f11241895c23eabbd75cc1d5eb332 /pkg/adapter
parented326206f2b0ed80cdeddc63430bfbe60016c7df (diff)
downloadpodman-72382a12a7b5ac85e53474dfd6dcd83cd64a2738.tar.gz
podman-72382a12a7b5ac85e53474dfd6dcd83cd64a2738.tar.bz2
podman-72382a12a7b5ac85e53474dfd6dcd83cd64a2738.zip
rootless: use a single user namespace
simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment. There are multiple advantages to it: 1) much simpler implementation as there is only one namespace to join. 2) we can join namespaces owned by different containers. 3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host. 4) rootless varlink works. 5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container. Containers created by older Podman versions must be restarted. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/adapter')
-rw-r--r--pkg/adapter/runtime.go73
-rw-r--r--pkg/adapter/runtime_remote.go7
2 files changed, 0 insertions, 80 deletions
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 6a68a3aea..f4d564cf8 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -8,7 +8,6 @@ import (
"io"
"io/ioutil"
"os"
- "strconv"
"text/template"
"github.com/containers/buildah"
@@ -123,38 +122,6 @@ func (r *LocalRuntime) Export(name string, path string) error {
if err != nil {
return errors.Wrapf(err, "error looking up container %q", name)
}
- if os.Geteuid() != 0 {
- state, err := ctr.State()
- if err != nil {
- return errors.Wrapf(err, "cannot read container state %q", ctr.ID())
- }
- if state == libpod.ContainerStateRunning || state == libpod.ContainerStatePaused {
- data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
- if err != nil {
- return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
- }
- conmonPid, err := strconv.Atoi(string(data))
- if err != nil {
- return errors.Wrapf(err, "cannot parse PID %q", data)
- }
- became, ret, err := rootless.JoinDirectUserAndMountNS(uint(conmonPid))
- if err != nil {
- return err
- }
- if became {
- os.Exit(ret)
- }
- } else {
- became, ret, err := rootless.BecomeRootInUserNS()
- if err != nil {
- return err
- }
- if became {
- os.Exit(ret)
- }
- }
- }
-
return ctr.Export(path)
}
@@ -342,46 +309,6 @@ func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.Healt
return r.Runtime.HealthCheck(c.InputArgs[0])
}
-// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
-// if the pod is stopped
-func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
- if os.Geteuid() == 0 {
- return false, 0, nil
- }
- opts := rootless.Opts{
- Argument: pod.ID(),
- }
-
- inspect, err := pod.Inspect()
- if err != nil {
- return false, 0, err
- }
- for _, ctr := range inspect.Containers {
- prevCtr, err := r.LookupContainer(ctr.ID)
- if err != nil {
- return false, -1, err
- }
- s, err := prevCtr.State()
- if err != nil {
- return false, -1, err
- }
- if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
- continue
- }
- data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
- }
- conmonPid, err := strconv.Atoi(string(data))
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
- }
- return rootless.JoinDirectUserAndMountNSWithOpts(uint(conmonPid), &opts)
- }
-
- return rootless.BecomeRootInUserNSWithOpts(&opts)
-}
-
// Events is a wrapper to libpod to obtain libpod/podman events
func (r *LocalRuntime) Events(c *cliconfig.EventValues) error {
var (
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index dcc2d5aa6..48d7eb986 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -755,13 +755,6 @@ func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.Healt
return -1, libpod.ErrNotImplemented
}
-// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
-// if the pod is stopped
-func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
- // Nothing to do in the remote case
- return true, 0, nil
-}
-
// Events monitors libpod/podman events over a varlink connection
func (r *LocalRuntime) Events(c *cliconfig.EventValues) error {
var more uint64