diff options
| -rw-r--r-- | cmd/podman/common/specgen.go | 51 | ||||
| -rw-r--r-- | cmd/podman/containers/diff.go | 6 | ||||
| -rw-r--r-- | cmd/podman/diff.go | 14 | ||||
| -rw-r--r-- | cmd/podman/images/diff.go | 12 | ||||
| -rw-r--r-- | pkg/rootless/rootless_linux.c | 45 | ||||
| -rw-r--r-- | pkg/rootless/rootless_linux.go | 113 |
6 files changed, 91 insertions, 150 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 85b344b3c..b8526993c 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -47,6 +47,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string if err != nil { return err } + if s.ResourceLimits == nil { + s.ResourceLimits = &specs.LinuxResources{} + } + if s.ResourceLimits.Memory == nil { + s.ResourceLimits.Memory = &specs.LinuxMemory{} + } if m := c.Memory; len(m) > 0 { ml, err := units.RAMInBytes(m) if err != nil { @@ -81,6 +87,9 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string } s.ResourceLimits.Memory.Kernel = &mk } + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &specs.LinuxBlockIO{} + } if b := c.BlkIOWeight; len(b) > 0 { u, err := strconv.ParseUint(b, 10, 16) if err != nil { @@ -313,14 +322,16 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string s.StopSignal = &stopSignal } } - swappiness := uint64(c.MemorySwappiness) if s.ResourceLimits == nil { s.ResourceLimits = &specs.LinuxResources{} } if s.ResourceLimits.Memory == nil { s.ResourceLimits.Memory = &specs.LinuxMemory{} } - s.ResourceLimits.Memory.Swappiness = &swappiness + if c.MemorySwappiness >= 0 { + swappiness := uint64(c.MemorySwappiness) + s.ResourceLimits.Memory.Swappiness = &swappiness + } if s.LogConfiguration == nil { s.LogConfiguration = &specgen.LogConfig{} @@ -332,7 +343,9 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string if s.ResourceLimits.Pids == nil { s.ResourceLimits.Pids = &specs.LinuxPids{} } - s.ResourceLimits.Pids.Limit = c.PIDsLimit + if c.PIDsLimit > 0 { + s.ResourceLimits.Pids.Limit = c.PIDsLimit + } if c.CGroups == "disabled" && c.PIDsLimit > 0 { s.ResourceLimits.Pids.Limit = -1 } @@ -507,18 +520,28 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string if s.ResourceLimits.CPU == nil { s.ResourceLimits.CPU = &specs.LinuxCPU{} } - s.ResourceLimits.CPU.Shares = &c.CPUShares - s.ResourceLimits.CPU.Period = &c.CPUPeriod - - // TODO research these - //s.ResourceLimits.CPU.Cpus = c.CPUS - //s.ResourceLimits.CPU.Cpus = c.CPUSetCPUs + if c.CPUShares > 0 { + s.ResourceLimits.CPU.Shares = &c.CPUShares + } + if c.CPUPeriod > 0 { + s.ResourceLimits.CPU.Period = &c.CPUPeriod + } - //s.ResourceLimits.CPU. = c.CPUSetCPUs - s.ResourceLimits.CPU.Mems = c.CPUSetMems - s.ResourceLimits.CPU.Quota = &c.CPUQuota - s.ResourceLimits.CPU.RealtimePeriod = &c.CPURTPeriod - s.ResourceLimits.CPU.RealtimeRuntime = &c.CPURTRuntime + if c.CPUSetCPUs != "" { + s.ResourceLimits.CPU.Cpus = c.CPUSetCPUs + } + if c.CPUSetMems != "" { + s.ResourceLimits.CPU.Mems = c.CPUSetMems + } + if c.CPUQuota > 0 { + s.ResourceLimits.CPU.Quota = &c.CPUQuota + } + if c.CPURTPeriod > 0 { + s.ResourceLimits.CPU.RealtimePeriod = &c.CPURTPeriod + } + if c.CPURTRuntime > 0 { + s.ResourceLimits.CPU.RealtimeRuntime = &c.CPURTRuntime + } s.OOMScoreAdj = &c.OOMScoreAdj s.RestartPolicy = c.Restart s.Remove = c.Rm diff --git a/cmd/podman/containers/diff.go b/cmd/podman/containers/diff.go index ebc0d8ea1..046dac53e 100644 --- a/cmd/podman/containers/diff.go +++ b/cmd/podman/containers/diff.go @@ -45,7 +45,11 @@ func diff(cmd *cobra.Command, args []string) error { return errors.New("container must be specified: podman container diff [options [...]] ID-NAME") } - results, err := registry.ContainerEngine().ContainerDiff(registry.GetContext(), args[0], entities.DiffOptions{}) + var id string + if len(args) > 0 { + id = args[0] + } + results, err := registry.ContainerEngine().ContainerDiff(registry.GetContext(), id, *diffOpts) if err != nil { return err } diff --git a/cmd/podman/diff.go b/cmd/podman/diff.go index 8db76e8af..ec94c0918 100644 --- a/cmd/podman/diff.go +++ b/cmd/podman/diff.go @@ -46,10 +46,9 @@ func init() { } func diff(cmd *cobra.Command, args []string) error { - if found, err := registry.ImageEngine().Exists(registry.GetContext(), args[0]); err != nil { - return err - } else if found.Value { - return images.Diff(cmd, args, diffOpts) + // Latest implies looking for a container + if diffOpts.Latest { + return containers.Diff(cmd, args, diffOpts) } if found, err := registry.ContainerEngine().ContainerExists(registry.GetContext(), args[0]); err != nil { @@ -57,5 +56,12 @@ func diff(cmd *cobra.Command, args []string) error { } else if found.Value { return containers.Diff(cmd, args, diffOpts) } + + if found, err := registry.ImageEngine().Exists(registry.GetContext(), args[0]); err != nil { + return err + } else if found.Value { + return images.Diff(cmd, args, diffOpts) + } + return fmt.Errorf("%s not found on system", args[0]) } diff --git a/cmd/podman/images/diff.go b/cmd/podman/images/diff.go index dd98dc4d6..7cfacfc6c 100644 --- a/cmd/podman/images/diff.go +++ b/cmd/podman/images/diff.go @@ -11,8 +11,8 @@ import ( var ( // podman container _inspect_ diffCmd = &cobra.Command{ - Use: "diff [flags] CONTAINER", - Args: registry.IdOrLatestArgs, + Use: "diff [flags] IMAGE", + Args: cobra.ExactArgs(1), Short: "Inspect changes on image's file systems", Long: `Displays changes on a image's filesystem. The image will be compared to its parent layer.`, RunE: diff, @@ -32,16 +32,16 @@ func init() { diffOpts = &entities.DiffOptions{} flags := diffCmd.Flags() flags.BoolVar(&diffOpts.Archive, "archive", true, "Save the diff as a tar archive") - _ = flags.MarkHidden("archive") + _ = flags.MarkDeprecated("archive", "Provided for backwards compatibility, has no impact on output.") flags.StringVar(&diffOpts.Format, "format", "", "Change the output format") } func diff(cmd *cobra.Command, args []string) error { - if len(args) == 0 && !diffOpts.Latest { - return errors.New("image must be specified: podman image diff [options [...]] ID-NAME") + if diffOpts.Latest { + return errors.New("image diff does not support --latest") } - results, err := registry.ImageEngine().Diff(registry.GetContext(), args[0], entities.DiffOptions{}) + results, err := registry.ImageEngine().Diff(registry.GetContext(), args[0], *diffOpts) if err != nil { return err } diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index da52a7217..72d461cdc 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -535,8 +535,36 @@ create_pause_process (const char *pause_pid_file_path, char **argv) } } +static void +join_namespace_or_die (int pid_to_join, const char *ns_file) +{ + char ns_path[PATH_MAX]; + int ret; + int fd; + + ret = snprintf (ns_path, PATH_MAX, "/proc/%d/ns/%s", pid_to_join, ns_file); + if (ret == PATH_MAX) + { + fprintf (stderr, "internal error: namespace path too long\n"); + _exit (EXIT_FAILURE); + } + + fd = open (ns_path, O_CLOEXEC | O_RDONLY); + if (fd < 0) + { + fprintf (stderr, "cannot open: %s\n", ns_path); + _exit (EXIT_FAILURE); + } + if (setns (fd, 0) < 0) + { + fprintf (stderr, "cannot set namespace to %s: %s\n", ns_path, strerror (errno)); + _exit (EXIT_FAILURE); + } + close (fd); +} + int -reexec_userns_join (int userns, int mountns, char *pause_pid_file_path) +reexec_userns_join (int pid_to_join, char *pause_pid_file_path) { char uid[16]; char gid[16]; @@ -606,19 +634,8 @@ reexec_userns_join (int userns, int mountns, char *pause_pid_file_path) _exit (EXIT_FAILURE); } - if (setns (userns, 0) < 0) - { - fprintf (stderr, "cannot setns: %s\n", strerror (errno)); - _exit (EXIT_FAILURE); - } - close (userns); - - if (mountns >= 0 && setns (mountns, 0) < 0) - { - fprintf (stderr, "cannot setns: %s\n", strerror (errno)); - _exit (EXIT_FAILURE); - } - close (mountns); + join_namespace_or_die (pid_to_join, "user"); + join_namespace_or_die (pid_to_join, "mnt"); if (syscall_setresgid (0, 0, 0) < 0) { diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 5ddfab7ad..3de136f12 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -31,7 +31,7 @@ extern uid_t rootless_uid(); extern uid_t rootless_gid(); extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd); extern int reexec_in_user_namespace_wait(int pid, int options); -extern int reexec_userns_join(int userns, int mountns, char *pause_pid_file_path); +extern int reexec_userns_join(int pid, char *pause_pid_file_path); */ import "C" @@ -124,91 +124,6 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) return nil } -func readUserNs(path string) (string, error) { - b := make([]byte, 256) - _, err := unix.Readlink(path, b) - if err != nil { - return "", err - } - return string(b), nil -} - -func readUserNsFd(fd uintptr) (string, error) { - return readUserNs(fmt.Sprintf("/proc/self/fd/%d", fd)) -} - -func getParentUserNs(fd uintptr) (uintptr, error) { - const nsGetParent = 0xb702 - ret, _, errno := unix.Syscall(unix.SYS_IOCTL, fd, uintptr(nsGetParent), 0) - if errno != 0 { - return 0, errno - } - return (uintptr)(unsafe.Pointer(ret)), nil -} - -// getUserNSFirstChild returns an open FD for the first direct child user namespace that created the process -// Each container creates a new user namespace where the runtime runs. The current process in the container -// might have created new user namespaces that are child of the initial namespace we created. -// This function finds the initial namespace created for the container that is a child of the current namespace. -// -// current ns -// / \ -// TARGET -> a [other containers] -// / -// b -// / -// NS READ USING THE PID -> c -func getUserNSFirstChild(fd uintptr) (*os.File, error) { - currentNS, err := readUserNs("/proc/self/ns/user") - if err != nil { - return nil, err - } - - ns, err := readUserNsFd(fd) - if err != nil { - return nil, errors.Wrapf(err, "cannot read user namespace") - } - if ns == currentNS { - return nil, errors.New("process running in the same user namespace") - } - - for { - nextFd, err := getParentUserNs(fd) - if err != nil { - if err == unix.ENOTTY { - return os.NewFile(fd, "userns child"), nil - } - return nil, errors.Wrapf(err, "cannot get parent user namespace") - } - - ns, err = readUserNsFd(nextFd) - if err != nil { - return nil, errors.Wrapf(err, "cannot read user namespace") - } - - if ns == currentNS { - if err := unix.Close(int(nextFd)); err != nil { - return nil, err - } - - // Drop O_CLOEXEC for the fd. - _, _, errno := unix.Syscall(unix.SYS_FCNTL, fd, unix.F_SETFD, 0) - if errno != 0 { - if err := unix.Close(int(fd)); err != nil { - logrus.Errorf("failed to close file descriptor %d", fd) - } - return nil, errno - } - - return os.NewFile(fd, "userns child"), nil - } - if err := unix.Close(int(fd)); err != nil { - return nil, err - } - fd = nextFd - } -} - // joinUserAndMountNS re-exec podman in a new userNS and join the user and mount // namespace of the specified PID without looking up its parent. Useful to join directly // the conmon process. @@ -220,31 +135,7 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { cPausePid := C.CString(pausePid) defer C.free(unsafe.Pointer(cPausePid)) - userNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/user", pid)) - if err != nil { - return false, -1, err - } - defer func() { - if err := userNS.Close(); err != nil { - logrus.Errorf("unable to close namespace: %q", err) - } - }() - - mountNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/mnt", pid)) - if err != nil { - return false, -1, err - } - defer func() { - if err := mountNS.Close(); err != nil { - logrus.Errorf("unable to close namespace: %q", err) - } - }() - - fd, err := getUserNSFirstChild(userNS.Fd()) - if err != nil { - return false, -1, err - } - pidC := C.reexec_userns_join(C.int(fd.Fd()), C.int(mountNS.Fd()), cPausePid) + pidC := C.reexec_userns_join(C.int(pid), cPausePid) if int(pidC) < 0 { return false, -1, errors.Errorf("cannot re-exec process") } |