diff options
author | dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> | 2020-04-27 10:23:05 +0000 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2020-04-27 12:28:24 +0200 |
commit | ddbe1aef170be5d290b6118ce2361677566c3e8a (patch) | |
tree | b6df2646b00c4c5a85470863d5edf0787aa5ece0 /vendor/github.com | |
parent | c2a33b7bf9c35e836657c2f764a5a17b7e6c483e (diff) | |
download | podman-ddbe1aef170be5d290b6118ce2361677566c3e8a.tar.gz podman-ddbe1aef170be5d290b6118ce2361677566c3e8a.tar.bz2 podman-ddbe1aef170be5d290b6118ce2361677566c3e8a.zip |
build(deps): bump github.com/rootless-containers/rootlesskit
Bumps [github.com/rootless-containers/rootlesskit](https://github.com/rootless-containers/rootlesskit) from 0.9.3 to 0.9.4.
- [Release notes](https://github.com/rootless-containers/rootlesskit/releases)
- [Commits](https://github.com/rootless-containers/rootlesskit/compare/v0.9.3...v0.9.4)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'vendor/github.com')
-rw-r--r-- | vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go index 893bf1da9..8ffadd859 100644 --- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go +++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go @@ -2,11 +2,14 @@ package parent import ( "context" + "fmt" "io" "io/ioutil" "net" "os" "path/filepath" + "strconv" + "strings" "sync" "syscall" @@ -84,6 +87,39 @@ func (d *driver) RunParentDriver(initComplete chan struct{}, quit <-chan struct{ return nil } +func isEPERM(err error) bool { + k := "permission denied" + // As of Go 1.14, errors.Is(err, syscall.EPERM) does not seem to work for + // "listen tcp 0.0.0.0:80: bind: permission denied" error from net.ListenTCP(). + return errors.Is(err, syscall.EPERM) || strings.Contains(err.Error(), k) +} + +// annotateEPERM annotates origErr for human-readability +func annotateEPERM(origErr error, spec port.Spec) error { + // Read "net.ipv4.ip_unprivileged_port_start" value (typically 1024) + // TODO: what for IPv6? + // NOTE: sync.Once should not be used here + b, e := ioutil.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start") + if e != nil { + return origErr + } + start, e := strconv.Atoi(strings.TrimSpace(string(b))) + if e != nil { + return origErr + } + if spec.ParentPort >= start { + // origErr is unrelated to ip_unprivileged_port_start + return origErr + } + text := fmt.Sprintf("cannot expose privileged port %d, you might need to add \"net.ipv4.ip_unprivileged_port_start=0\" (currently %d) to /etc/sysctl.conf", spec.ParentPort, start) + if filepath.Base(os.Args[0]) == "rootlesskit" { + // NOTE: The following sentence is appended only if Args[0] == "rootlesskit", because it does not apply to Podman (as of Podman v1.9). + // Podman launches the parent driver in the child user namespace (but in the parent network namespace), which disables the file capability. + text += ", or set CAP_NET_BIND_SERVICE on rootlesskit binary" + } + return errors.Wrap(origErr, text) +} + func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) { d.mu.Lock() err := portutil.ValidatePortSpec(spec, d.ports) @@ -106,6 +142,9 @@ func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, err return nil, errors.New("spec was not validated?") } if err != nil { + if isEPERM(err) { + err = annotateEPERM(err, spec) + } return nil, err } d.mu.Lock() |