aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-03-08 12:06:16 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-03-11 11:48:28 +0100
commit231129e4dc083d9f63cf1876cc1695f7f8c03f25 (patch)
tree4113cdca5717e8d7a1e0cc97694f03fa1e903410 /pkg
parent35432ecaae4a8372a6f40a6cac476f0140094c7c (diff)
downloadpodman-231129e4dc083d9f63cf1876cc1695f7f8c03f25.tar.gz
podman-231129e4dc083d9f63cf1876cc1695f7f8c03f25.tar.bz2
podman-231129e4dc083d9f63cf1876cc1695f7f8c03f25.zip
rootless: fix pod stop|rm if uid in the container != 0
join the user namespace where the pod is running, so that we can both manage the storage and correctly send the kill signal to a process which is not running as root in the namespace. Closes: https://github.com/containers/libpod/issues/2577 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/adapter/runtime.go40
-rw-r--r--pkg/adapter/runtime_remote.go7
2 files changed, 47 insertions, 0 deletions
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 732b89530..482b6119a 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -337,3 +337,43 @@ func IsImageNotFound(err error) bool {
func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.HealthCheckStatus, error) {
return r.Runtime.HealthCheck(c.InputArgs[0])
}
+
+// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
+// if the pod is stopped
+func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
+ if os.Geteuid() == 0 {
+ return false, 0, nil
+ }
+ opts := rootless.Opts{
+ Argument: pod.ID(),
+ }
+
+ inspect, err := pod.Inspect()
+ if err != nil {
+ return false, 0, err
+ }
+ for _, ctr := range inspect.Containers {
+ prevCtr, err := r.LookupContainer(ctr.ID)
+ if err != nil {
+ return false, -1, err
+ }
+ s, err := prevCtr.State()
+ if err != nil {
+ return false, -1, err
+ }
+ if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+ continue
+ }
+ data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ return rootless.JoinDirectUserAndMountNSWithOpts(uint(conmonPid), &opts)
+ }
+
+ return rootless.BecomeRootInUserNSWithOpts(&opts)
+}
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index 10c25c3f3..9ca4e245f 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -751,3 +751,10 @@ func IsImageNotFound(err error) bool {
func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.HealthCheckStatus, error) {
return -1, libpod.ErrNotImplemented
}
+
+// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
+// if the pod is stopped
+func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
+ // Nothing to do in the remote case
+ return true, 0, nil
+}