-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | cmd/podman/shared/funcs.go | 2 | ||||
-rw-r--r-- | libpod/info.go | 13 | ||||
-rw-r--r-- | pkg/rootless/rootless_linux.go | 8 | ||||
-rw-r--r-- | pkg/rootless/rootless_unsupported.go | 5 | ||||
-rw-r--r-- | pkg/spec/spec.go | 10 | ||||
-rw-r--r-- | troubleshooting.md | 2 |
7 files changed, 36 insertions, 9 deletions
@@ -438,7 +438,10 @@ install.systemd: install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.socket ${DESTDIR}${SYSTEMDDIR}/io.podman.socket install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.socket ${DESTDIR}${USERSYSTEMDDIR}/io.podman.socket install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.service ${DESTDIR}${SYSTEMDDIR}/io.podman.service - install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.service ${DESTDIR}${USERSYSTEMDDIR}/io.podman.service + install ${SELINUXOPT} -d ${DESTDIR}${USERSYSTEMDDIR} + # User units are ordered differently, we can't make the *system* multi-user.target depend on a user unit. + # For user units the default.target that's the default is fine. + sed -e 's,^WantedBy=.*,WantedBy=default.target,' < contrib/varlink/io.podman.service > ${DESTDIR}${USERSYSTEMDDIR}/io.podman.service install ${SELINUXOPT} -m 644 contrib/varlink/podman.conf ${DESTDIR}${TMPFILESDIR}/podman.conf uninstall: diff --git a/cmd/podman/shared/funcs.go b/cmd/podman/shared/funcs.go index bb4eed1e3..9362e8e9b 100644 --- a/cmd/podman/shared/funcs.go +++ b/cmd/podman/shared/funcs.go @@ -21,7 +21,7 @@ func GetAuthFile(authfile string) string { } if runtimeDir, err := util.GetRuntimeDir(); err == nil { - return filepath.Join(runtimeDir, "auth.json") + return filepath.Join(runtimeDir, "containers/auth.json") } return "" } diff --git a/libpod/info.go b/libpod/info.go index 297086ebb..6caa87038 100644 --- a/libpod/info.go +++ b/libpod/info.go 
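Review bot: The new `sed ... > ${DESTDIR}${USERSYSTEMDDIR}/io.podman.service` line replaces an `install ${SELINUXOPT} -m 644` with a shell redirection, so the installed user unit's mode now follows the build user's umask and it no longer gets the SELinux context that `${SELINUXOPT}` applies to every sibling unit in this recipe. A redirection also truncates the destination before `sed` runs, so a `sed` failure stops make but leaves an empty unit file behind. Keep the WantedBy rewrite but hand the result to install: `sed -e 's,^WantedBy=.*,WantedBy=default.target,' contrib/varlink/io.podman.service > contrib/varlink/io.podman.user.service`, then `install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.user.service ${DESTDIR}${USERSYSTEMDDIR}/io.podman.service`, then `rm -f contrib/varlink/io.podman.user.service`. The install.systemd recipe continues outside this hunk.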
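Review bot: `filepath.Join(runtimeDir, "containers/auth.json")` introduces a `containers` parent directory that nothing in this hunk creates, so whichever caller writes the file (login) must `os.MkdirAll(filepath.Dir(path), 0700)` first or it will fail with ENOENT, and it should use a 0700 mode so registry credentials never land in a directory more permissive than the runtime dir itself. Any `auth.json` written directly under the runtime directory by the previous code will also stop being found, so a one-release fallback or a release note is worth considering. A short comment on the return would help the next reader, hedged as appropriate: `// Default location shared with containers/image (presumably ${XDG_RUNTIME_DIR}/containers/auth.json); the caller must create the parent dir.` The body of GetAuthFile begins before this hunk.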
@@ -69,6 +69,18 @@ func (r *Runtime) hostInfo() (map[string]interface{}, error) { program["Package"] = packageVersion(path) info["slirp4netns"] = program } + uidmappings, err := rootless.ReadMappingsProc("/proc/self/uid_map") + if err != nil { + return nil, errors.Wrapf(err, "error reading uid mappings") + } + gidmappings, err := rootless.ReadMappingsProc("/proc/self/gid_map") + if err != nil { + return nil, errors.Wrapf(err, "error reading gid mappings") + } + idmappings := make(map[string]interface{}) + idmappings["uidmap"] = uidmappings + idmappings["gidmap"] = gidmappings + info["IDMappings"] = idmappings } info["OCIRuntime"] = map[string]interface{}{ "path": r.defaultOCIRuntime.path, @@ -128,6 +140,7 @@ func (r *Runtime) hostInfo() (map[string]interface{}, error) { } info["hostname"] = host info["eventlogger"] = r.eventer.String() + return info, nil } diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 05d641383..99307e8c4 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -431,12 +431,14 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool, if err != nil { return false, -1, errors.Wrapf(err, "cannot write setgroups file") } + logrus.Debugf("write setgroups file exited with 0") uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write uid_map") } + logrus.Debugf("write uid_map exited with 0") } gidsMapped := false @@ -602,7 +604,7 @@ func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []st return joinUserAndMountNS(uint(pausePid), pausePidPath) } -func readMappingsProc(path string) ([]idtools.IDMap, error) { +func ReadMappingsProc(path string) ([]idtools.IDMap, error) { file, err := os.Open(path) if err != nil { return nil, errors.Wrapf(err, "cannot open %s", path) 
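Review bot: The two new `rootless.ReadMappingsProc("/proc/self/uid_map")` / `gid_map` calls turn any unreadable `/proc/self/*_map` into a hard failure of the whole hostInfo() call, so `podman info` would stop working under a restricted or masked /proc rather than merely omitting the new `IDMappings` field. Consider making this best-effort: log the error (e.g. `logrus.Warnf("cannot read uid mappings: %v", err)`, if logrus is imported in this file) and only set `info["IDMappings"]` when both reads succeed. Note too that `errors.Wrapf(err, "error reading uid mappings")` doubles up with the `cannot open %s` wrap that ReadMappingsProc already applies, so the final message names the same failure twice. hostInfo begins and ends outside this hunk.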
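Review bot: The added debug messages `write setgroups file exited with 0` and `write uid_map exited with 0` read as if a child process exited, but the operations on the lines above are `ioutil.WriteFile` calls with no process involved, so the wording will mislead anyone grepping a debug log. Say what was written and where, which is also the useful fact when debugging user-namespace setup: `logrus.Debugf("wrote setgroups file for pid %d", pid)` and `logrus.Debugf("wrote %s", uidMap)`. becomeRootInUserNS begins and ends outside this hunk.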
@@ -668,7 +670,7 @@ func ConfigurationMatches() (bool, error) { return false, err } - currentUIDs, err := readMappingsProc("/proc/self/uid_map") + currentUIDs, err := ReadMappingsProc("/proc/self/uid_map") if err != nil { return false, err } @@ -677,7 +679,7 @@ func ConfigurationMatches() (bool, error) { return false, err } - currentGIDs, err := readMappingsProc("/proc/self/gid_map") + currentGIDs, err := ReadMappingsProc("/proc/self/gid_map") if err != nil { return false, err } diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go index ddd9182b0..ce488f364 100644 --- a/pkg/rootless/rootless_unsupported.go +++ b/pkg/rootless/rootless_unsupported.go @@ -65,3 +65,8 @@ func ConfigurationMatches() (bool, error) { func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { return nil, nil, errors.New("this function is not supported on this os") } + +// ReadMappingsProc returns the uid_map and gid_map +func ReadMappingsProc(path string) ([]idtools.IDMap, error) { + return nil, nil +} diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 57c6e8da7..8f00d3270 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -302,8 +302,8 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM // RESOURCES - PIDS if config.Resources.PidsLimit > 0 { - // if running on rootless on a cgroupv1 machine, pids limit is - // not supported. If the value is still the default + // if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids + // limit is not supported. If the value is still the default // then ignore the settings. If the caller asked for a // non-default, then try to use it. setPidLimit := true 
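Review bot: The doc comment `// ReadMappingsProc returns the uid_map and gid_map` does not describe this stub, which ignores `path` and returns `nil, nil`, and its silent success is inconsistent with the sibling stubs `ConfigurationMatches` and `GetConfiguredMappings` in the same file, which return `errors.New("this function is not supported on this os")`. Either match them and return that error so callers see that the mappings are unknown, or, if a nil result is intended so callers keep working off Linux, document exactly that: `// ReadMappingsProc is a no-op on this OS: it ignores path and returns nil mappings with no error.` Callers then know an empty mapping list means "unsupported", not "no mappings".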
@@ -312,7 +312,11 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM if err != nil { return nil, err } - if !cgroup2 && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() { + runtimeConfig, err := runtime.GetConfig() + if err != nil { + return nil, err + } + if (!cgroup2 || runtimeConfig.CgroupManager != libpod.SystemdCgroupsManager) && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() { setPidLimit = false } } diff --git a/troubleshooting.md b/troubleshooting.md index 89c850356..6fed719f7 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -142,7 +142,7 @@ If you are using a useradd command within a Dockerfile with a large UID/GID, it #### Solution -If the entry in the Dockerfile looked like: RUN useradd -u 99999000 -g users newuser then add the `--log-no-init` parameter to change it to: `RUN useradd --log-no-init -u 99999000 -g users newuser`. This option tells useradd to stop creating the lastlog file. +If the entry in the Dockerfile looked like: RUN useradd -u 99999000 -g users newuser then add the `--no-log-init` parameter to change it to: `RUN useradd --no-log-init -u 99999000 -g users newuser`. This option tells useradd to stop creating the lastlog file. ### 7) Permission denied when running Podman commands |
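Review bot: When the new condition `(!cgroup2 || runtimeConfig.CgroupManager != libpod.SystemdCgroupsManager)` clears `setPidLimit`, the default pids limit is dropped with no trace in logs or in the resulting spec, so a container in this configuration runs with no process cap and an operator has nothing to tell them the fork-bomb containment is absent. Log the decision next to `setPidLimit = false`, e.g. `logrus.Debugf("not applying default pids limit: cgroup v1 or non-systemd cgroup manager")` (if logrus is already imported here). The `if` this sits inside and the enclosing createConfigToOCISpec both begin before the hunk and end after it, so I cannot confirm from what is shown that this branch is rootless-only as the updated comment states; worth double-checking before relying on the comment.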