diff options
| author | Paul Holzinger <pholzing@redhat.com> | 2021-07-15 11:22:01 +0200 |
|---|---|---|
| committer | Paul Holzinger <pholzing@redhat.com> | 2021-07-15 14:33:56 +0200 |
| commit | 0007c98ddb3497de0d4c0f349fd07b8d018cb300 (patch) | |
| tree | d95cac02186415cd9df111064221065e973a1ab6 /pkg/domain | |
| parent | 1568247ec8fa0c1a23bbd4631c1ea2fcfd85e281 (diff) | |
| download | podman-0007c98ddb3497de0d4c0f349fd07b8d018cb300.tar.gz podman-0007c98ddb3497de0d4c0f349fd07b8d018cb300.tar.bz2 podman-0007c98ddb3497de0d4c0f349fd07b8d018cb300.zip | |
Fix race conditions in rootless cni setup
There was an race condition when calling `GetRootlessCNINetNs()`. It
created the rootless cni directory before it got locked. Therefore
another process could have called cleanup and removed this directory
before it was used resulting in errors. The lockfile got moved into the
XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was
removed by cleanup.
Fixes #10930
Fixes #10922
To make this even more robust `GetRootlessCNINetNs()` will now return
locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()`
before another process could have called `Cleanup()` in between.
[NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'pkg/domain')
| -rw-r--r-- | pkg/domain/infra/abi/system.go | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index ebe59e871..155cda21d 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -403,6 +403,8 @@ func (ic *ContainerEngine) Unshare(ctx context.Context, args []string, options e if err != nil { return err } + // make sure to unlock, unshare can run for a long time + rootlesscni.Lock.Unlock() defer rootlesscni.Cleanup(ic.Libpod) return rootlesscni.Do(unshare) } |