aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/common/completion.go3
-rw-r--r--cmd/podman/root.go3
-rw-r--r--cmd/podman/system/service_abi.go23
-rw-r--r--pkg/domain/infra/abi/system.go17
-rw-r--r--utils/utils.go30
5 files changed, 49 insertions, 27 deletions
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
index 6e6c33f9b..02369c74a 100644
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@@ -18,7 +18,6 @@ import (
"github.com/containers/podman/v4/libpod/define"
"github.com/containers/podman/v4/libpod/events"
"github.com/containers/podman/v4/pkg/domain/entities"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/pkg/signal"
systemdDefine "github.com/containers/podman/v4/pkg/systemd/define"
"github.com/containers/podman/v4/pkg/util"
@@ -54,7 +53,7 @@ func setupContainerEngine(cmd *cobra.Command) (entities.ContainerEngine, error)
cobra.CompErrorln(err.Error())
return nil, err
}
- if !registry.IsRemote() && rootless.IsRootless() {
+ if !registry.IsRemote() {
_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
err := containerEngine.SetupRootless(registry.Context(), noMoveProcess)
diff --git a/cmd/podman/root.go b/cmd/podman/root.go
index f28d92e2f..0520a0784 100644
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@@ -19,7 +19,6 @@ import (
"github.com/containers/podman/v4/pkg/checkpoint/crutils"
"github.com/containers/podman/v4/pkg/domain/entities"
"github.com/containers/podman/v4/pkg/parallel"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/version"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -265,7 +264,7 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error {
// 2) running as non-root
// 3) command doesn't require Parent Namespace
_, found := cmd.Annotations[registry.ParentNSRequired]
- if !registry.IsRemote() && rootless.IsRootless() && !found {
+ if !registry.IsRemote() && !found {
_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
err := registry.ContainerEngine().SetupRootless(registry.Context(), noMoveProcess)
if err != nil {
diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 6823d77ba..8d0240a8d 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -11,7 +11,6 @@ import (
"os"
"path/filepath"
- "github.com/containers/common/pkg/cgroups"
"github.com/containers/podman/v4/cmd/podman/registry"
api "github.com/containers/podman/v4/pkg/api/server"
"github.com/containers/podman/v4/pkg/domain/entities"
@@ -24,26 +23,6 @@ import (
"golang.org/x/sys/unix"
)
-// maybeMoveToSubCgroup moves the current process in a sub cgroup when
-// it is running in the root cgroup on a system that uses cgroupv2.
-func maybeMoveToSubCgroup() error {
- unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
- if err != nil {
- return err
- }
- if !unifiedMode {
- return nil
- }
- cgroup, err := utils.GetOwnCgroup()
- if err != nil {
- return err
- }
- if cgroup == "/" {
- return utils.MoveUnderCgroupSubtree("init")
- }
- return nil
-}
-
func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error {
var (
listener net.Listener
@@ -125,7 +104,7 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
return err
}
- if err := maybeMoveToSubCgroup(); err != nil {
+ if err := utils.MaybeMoveToSubCgroup(); err != nil {
return err
}
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 0faae01c8..3389abd88 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -67,6 +67,22 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
}
func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+ runsUnderSystemd := utils.RunsOnSystemd()
+ if !runsUnderSystemd {
+ isPid1 := os.Getpid() == 1
+ if _, found := os.LookupEnv("container"); isPid1 || found {
+ if err := utils.MaybeMoveToSubCgroup(); err != nil {
+ // it is a best effort operation, so just print the
+ // error for debugging purposes.
+ logrus.Debugf("Could not move to subcgroup: %v", err)
+ }
+ }
+ }
+
+ if !rootless.IsRootless() {
+ return nil
+ }
+
// do it only after podman has already re-execed and running with uid==0.
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
@@ -82,7 +98,6 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
if err != nil {
return err
}
- runsUnderSystemd := utils.RunsOnSystemd()
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
diff --git a/utils/utils.go b/utils/utils.go
index 997de150d..aa1c6a958 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -190,3 +190,33 @@ func MovePauseProcessToScope(pausePidPath string) {
}
}
}
+
+var (
+ maybeMoveToSubCgroupSync sync.Once
+ maybeMoveToSubCgroupSyncErr error
+)
+
+// MaybeMoveToSubCgroup moves the current process in a sub cgroup when
+// it is running in the root cgroup on a system that uses cgroupv2.
+func MaybeMoveToSubCgroup() error {
+ maybeMoveToSubCgroupSync.Do(func() {
+ unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ maybeMoveToSubCgroupSyncErr = err
+ return
+ }
+ if !unifiedMode {
+ maybeMoveToSubCgroupSyncErr = nil
+ return
+ }
+ cgroup, err := GetOwnCgroup()
+ if err != nil {
+ maybeMoveToSubCgroupSyncErr = err
+ return
+ }
+ if cgroup == "/" {
+ maybeMoveToSubCgroupSyncErr = MoveUnderCgroupSubtree("init")
+ }
+ })
+ return maybeMoveToSubCgroupSyncErr
+}