summaryrefslogtreecommitdiff
path: root/cmd/podman
diff options
context:
space:
mode:
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/cliconfig/create.go1
-rw-r--r--cmd/podman/cp.go71
-rw-r--r--cmd/podman/platform_linux.go12
3 files changed, 75 insertions, 9 deletions
diff --git a/cmd/podman/cliconfig/create.go b/cmd/podman/cliconfig/create.go
index 49ab3d827..5fb2eed10 100644
--- a/cmd/podman/cliconfig/create.go
+++ b/cmd/podman/cliconfig/create.go
@@ -24,4 +24,5 @@ type BuildValues struct {
type CpValues struct {
PodmanCommand
Extract bool
+ Pause bool
}
diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go
index 8240cc193..907bde4b9 100644
--- a/cmd/podman/cp.go
+++ b/cmd/podman/cp.go
@@ -13,10 +13,12 @@ import (
"github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/libpod"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/chrootarchive"
"github.com/containers/storage/pkg/idtools"
+ securejoin "github.com/cyphar/filepath-securejoin"
digest "github.com/opencontainers/go-digest"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
@@ -49,6 +51,7 @@ func init() {
cpCommand.Command = _cpCommand
flags := cpCommand.Flags()
flags.BoolVar(&cpCommand.Extract, "extract", false, "Extract the tar file into the destination directory.")
+ flags.BoolVar(&cpCommand.Pause, "pause", true, "Pause the container while copying")
cpCommand.SetHelpTemplate(HelpTemplate())
cpCommand.SetUsageTemplate(UsageTemplate())
rootCmd.AddCommand(cpCommand.Command)
@@ -66,11 +69,10 @@ func cpCmd(c *cliconfig.CpValues) error {
}
defer runtime.Shutdown(false)
- extract := c.Flag("extract").Changed
- return copyBetweenHostAndContainer(runtime, args[0], args[1], extract)
+ return copyBetweenHostAndContainer(runtime, args[0], args[1], c.Extract, c.Pause)
}
-func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest string, extract bool) error {
+func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest string, extract bool, pause bool) error {
srcCtr, srcPath := parsePath(runtime, src)
destCtr, destPath := parsePath(runtime, dest)
@@ -93,6 +95,38 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin
return err
}
defer ctr.Unmount(false)
+
+ // We can't pause rootless containers.
+ if pause && rootless.IsRootless() {
+ state, err := ctr.State()
+ if err != nil {
+ return err
+ }
+ if state == libpod.ContainerStateRunning {
+ return errors.Errorf("cannot copy into running rootless container with pause set - pass --pause=false to force copying")
+ }
+ }
+
+ if pause && !rootless.IsRootless() {
+ if err := ctr.Pause(); err != nil {
+ // An invalid state error is fine.
+ // The container isn't running or is already paused.
+ // TODO: We can potentially start the container while
+ // the copy is running, which still allows a race where
+ // malicious code could mess with the symlink.
+ if errors.Cause(err) != libpod.ErrCtrStateInvalid {
+ return err
+ }
+ } else if err == nil {
+ // Only add the defer if we actually paused
+ defer func() {
+ if err := ctr.Unpause(); err != nil {
+ logrus.Errorf("Error unpausing container after copying: %v", err)
+ }
+ }()
+ }
+ }
+
user, err := getUser(mountPoint, ctr.User())
if err != nil {
return err
@@ -112,19 +146,38 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin
var glob []string
if isFromHostToCtr {
if filepath.IsAbs(destPath) {
- destPath = filepath.Join(mountPoint, destPath)
-
+ cleanedPath, err := securejoin.SecureJoin(mountPoint, destPath)
+ if err != nil {
+ return err
+ }
+ destPath = cleanedPath
} else {
- if err = idtools.MkdirAllAndChownNew(filepath.Join(mountPoint, ctr.WorkingDir()), 0755, hostOwner); err != nil {
+ ctrWorkDir, err := securejoin.SecureJoin(mountPoint, ctr.WorkingDir())
+ if err != nil {
+ return err
+ }
+ if err = idtools.MkdirAllAndChownNew(ctrWorkDir, 0755, hostOwner); err != nil {
return errors.Wrapf(err, "error creating directory %q", destPath)
}
- destPath = filepath.Join(mountPoint, ctr.WorkingDir(), destPath)
+ cleanedPath, err := securejoin.SecureJoin(mountPoint, filepath.Join(ctr.WorkingDir(), destPath))
+ if err != nil {
+ return err
+ }
+ destPath = cleanedPath
}
} else {
if filepath.IsAbs(srcPath) {
- srcPath = filepath.Join(mountPoint, srcPath)
+ cleanedPath, err := securejoin.SecureJoin(mountPoint, srcPath)
+ if err != nil {
+ return err
+ }
+ srcPath = cleanedPath
} else {
- srcPath = filepath.Join(mountPoint, ctr.WorkingDir(), srcPath)
+ cleanedPath, err := securejoin.SecureJoin(mountPoint, filepath.Join(ctr.WorkingDir(), srcPath))
+ if err != nil {
+ return err
+ }
+ srcPath = cleanedPath
}
}
glob, err = filepath.Glob(srcPath)
diff --git a/cmd/podman/platform_linux.go b/cmd/podman/platform_linux.go
index 2127923ae..eb11867cc 100644
--- a/cmd/podman/platform_linux.go
+++ b/cmd/podman/platform_linux.go
@@ -4,13 +4,25 @@ package main
import (
"os"
+ "path/filepath"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/sirupsen/logrus"
)
+// userRegistriesFile is the path to the per user registry configuration file.
+var userRegistriesFile = filepath.Join(os.Getenv("HOME"), ".config/containers/registries.conf")
+
func CheckForRegistries() {
if _, err := os.Stat("/etc/containers/registries.conf"); err != nil {
if os.IsNotExist(err) {
+ // If it is running in rootless mode, also check the user configuration file
+ if rootless.IsRootless() {
+ if _, err := os.Stat(userRegistriesFile); err != nil {
+ logrus.Warnf("unable to find %s. some podman (image shortnames) commands may be limited", userRegistriesFile)
+ }
+ return
+ }
logrus.Warn("unable to find /etc/containers/registries.conf. some podman (image shortnames) commands may be limited")
}
}