summaryrefslogtreecommitdiff
path: root/vendor/github.com
diff options
context:
space:
mode:
authordependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>2020-04-27 10:23:05 +0000
committerValentin Rothberg <rothberg@redhat.com>2020-04-27 12:28:24 +0200
commitddbe1aef170be5d290b6118ce2361677566c3e8a (patch)
treeb6df2646b00c4c5a85470863d5edf0787aa5ece0 /vendor/github.com
parentc2a33b7bf9c35e836657c2f764a5a17b7e6c483e (diff)
downloadpodman-ddbe1aef170be5d290b6118ce2361677566c3e8a.tar.gz
podman-ddbe1aef170be5d290b6118ce2361677566c3e8a.tar.bz2
podman-ddbe1aef170be5d290b6118ce2361677566c3e8a.zip
build(deps): bump github.com/rootless-containers/rootlesskit
Bumps [github.com/rootless-containers/rootlesskit](https://github.com/rootless-containers/rootlesskit) from 0.9.3 to 0.9.4. - [Release notes](https://github.com/rootless-containers/rootlesskit/releases) - [Commits](https://github.com/rootless-containers/rootlesskit/compare/v0.9.3...v0.9.4) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go39
1 files changed, 39 insertions, 0 deletions
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
index 893bf1da9..8ffadd859 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
@@ -2,11 +2,14 @@ package parent
import (
"context"
+ "fmt"
"io"
"io/ioutil"
"net"
"os"
"path/filepath"
+ "strconv"
+ "strings"
"sync"
"syscall"
@@ -84,6 +87,39 @@ func (d *driver) RunParentDriver(initComplete chan struct{}, quit <-chan struct{
return nil
}
+func isEPERM(err error) bool {
+ k := "permission denied"
+ // As of Go 1.14, errors.Is(err, syscall.EPERM) does not seem to work for
+ // "listen tcp 0.0.0.0:80: bind: permission denied" error from net.ListenTCP().
+ return errors.Is(err, syscall.EPERM) || strings.Contains(err.Error(), k)
+}
+
+// annotateEPERM annotates origErr for human-readability
+func annotateEPERM(origErr error, spec port.Spec) error {
+ // Read "net.ipv4.ip_unprivileged_port_start" value (typically 1024)
+ // TODO: what for IPv6?
+ // NOTE: sync.Once should not be used here
+ b, e := ioutil.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
+ if e != nil {
+ return origErr
+ }
+ start, e := strconv.Atoi(strings.TrimSpace(string(b)))
+ if e != nil {
+ return origErr
+ }
+ if spec.ParentPort >= start {
+ // origErr is unrelated to ip_unprivileged_port_start
+ return origErr
+ }
+ text := fmt.Sprintf("cannot expose privileged port %d, you might need to add \"net.ipv4.ip_unprivileged_port_start=0\" (currently %d) to /etc/sysctl.conf", spec.ParentPort, start)
+ if filepath.Base(os.Args[0]) == "rootlesskit" {
+ // NOTE: The following sentence is appended only if Args[0] == "rootlesskit", because it does not apply to Podman (as of Podman v1.9).
+ // Podman launches the parent driver in the child user namespace (but in the parent network namespace), which disables the file capability.
+ text += ", or set CAP_NET_BIND_SERVICE on rootlesskit binary"
+ }
+ return errors.Wrap(origErr, text)
+}
+
func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) {
d.mu.Lock()
err := portutil.ValidatePortSpec(spec, d.ports)
@@ -106,6 +142,9 @@ func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, err
return nil, errors.New("spec was not validated?")
}
if err != nil {
+ if isEPERM(err) {
+ err = annotateEPERM(err, spec)
+ }
return nil, err
}
d.mu.Lock()