Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/cliconfig/config.go4
-rw-r--r--cmd/podman/commands.go1
-rw-r--r--cmd/podman/main_local.go80
-rw-r--r--cmd/podman/trust.go16
4 files changed, 82 insertions, 19 deletions
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
index 812cc1f51..bf88e853b 100644
--- a/cmd/podman/cliconfig/config.go
+++ b/cmd/podman/cliconfig/config.go
@@ -518,6 +518,10 @@ type SearchValues struct {
TlsVerify bool
}
+type TrustValues struct {
+ PodmanCommand
+}
+
type SignValues struct {
PodmanCommand
Directory string
diff --git a/cmd/podman/commands.go b/cmd/podman/commands.go
index 77c76d1b7..31f1b3ba4 100644
--- a/cmd/podman/commands.go
+++ b/cmd/podman/commands.go
@@ -33,6 +33,7 @@ func getMainCommands() []*cobra.Command {
func getImageSubCommands() []*cobra.Command {
return []*cobra.Command{
_signCommand,
+ _trustCommand,
}
}
diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go
index 0feba609b..cad256615 100644
--- a/cmd/podman/main_local.go
+++ b/cmd/podman/main_local.go
@@ -5,9 +5,12 @@ package main
import (
"context"
+ "fmt"
+ "io/ioutil"
"log/syslog"
"os"
"runtime/pprof"
+ "strconv"
"strings"
"syscall"
@@ -18,6 +21,7 @@ import (
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/tracing"
"github.com/containers/libpod/pkg/util"
+ "github.com/containers/libpod/utils"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -119,7 +123,29 @@ func profileOff(cmd *cobra.Command) error {
return nil
}
+func movePauseProcessToScope() error {
+ pausePidPath, err := util.GetRootlessPauseProcessPidPath()
+ if err != nil {
+ return errors.Wrapf(err, "could not get pause process pid file path")
+ }
+
+ data, err := ioutil.ReadFile(pausePidPath)
+ if err != nil {
+ return errors.Wrapf(err, "cannot read pause pid file")
+ }
+ pid, err := strconv.ParseUint(string(data), 10, 0)
+ if err != nil {
+ return errors.Wrapf(err, "cannot parse pid file %s", pausePidPath)
+ }
+
+ return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
+}
+
func setupRootless(cmd *cobra.Command, args []string) error {
+ if !rootless.IsRootless() {
+ return nil
+ }
+
matches, err := rootless.ConfigurationMatches()
if err != nil {
return err
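Review bot: `strconv.ParseUint(string(data), 10, 0)` in movePauseProcessToScope rejects the file if it carries any trailing newline or whitespace, and it accepts `0`, which would hand a nonsensical pid to `RunUnderSystemdScope`; whether the writer of the pause pid file appends a newline is not visible here, so I would defensively parse `strconv.ParseUint(strings.TrimSpace(string(data)), 10, 0)` (`strings` is already imported in this file) and follow it with `if pid == 0 { return errors.Errorf("invalid pid 0 in %s", pausePidPath) }`. A stale pid file would also move whatever process currently holds that pid into the scope — the number is reused, not validated against the running pause process — which is worth a one-line comment at the call site since it is a best-effort step rather than a safety boundary. setupRootless continues past the end of this hunk.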
@@ -128,9 +154,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
logrus.Warningf("the current user namespace doesn't match the configuration in /etc/subuid or /etc/subgid")
logrus.Warningf("you can use `%s system migrate` to recreate the user namespace and restart the containers", os.Args[0])
}
- if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
- return nil
- }
podmanCmd := cliconfig.PodmanCommand{
Command: cmd,
@@ -139,6 +162,39 @@ func setupRootless(cmd *cobra.Command, args []string) error {
Remote: remoteclient,
}
+ runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
+ if err != nil {
+ return errors.Wrapf(err, "could not get runtime")
+ }
+ defer runtime.DeferredShutdown(false)
+
+ // do it only after podman has already re-execed and running with uid==0.
+ if os.Geteuid() == 0 {
+ ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
+ if err != nil {
+ return err
+ }
+
+ if !ownsCgroup {
+ unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
+ if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
+ conf, err := runtime.GetConfig()
+ if err != nil {
+ return err
+ }
+ if conf.CgroupManager == libpod.SystemdCgroupsManager {
+ logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err)
+ } else {
+ logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
+ }
+ }
+ }
+ }
+
+ if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
+ return nil
+ }
+
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
if err != nil {
return errors.Wrapf(err, "could not get pause process pid file path")
@@ -158,13 +214,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
}
// if there is no pid file, try to join existing containers, and create a pause process.
-
- runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
- if err != nil {
- return errors.Wrapf(err, "could not get runtime")
- }
- defer runtime.DeferredShutdown(false)
-
ctrs, err := runtime.GetRunningContainers()
if err != nil {
logrus.Errorf(err.Error())
@@ -177,6 +226,17 @@ func setupRootless(cmd *cobra.Command, args []string) error {
}
became, ret, err := rootless.TryJoinFromFilePaths(pausePidPath, true, paths)
+ if err := movePauseProcessToScope(); err != nil {
+ conf, err := runtime.GetConfig()
+ if err != nil {
+ return err
+ }
+ if conf.CgroupManager == libpod.SystemdCgroupsManager {
+ logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
+ } else {
+ logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
+ }
+ }
if err != nil {
logrus.Errorf(err.Error())
os.Exit(1)
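Review bot: Same shadowing as earlier in this function: `conf, err := runtime.GetConfig()` inside `if err := movePauseProcessToScope(); err != nil` redeclares `err`, so the Warnf/Debugf lines report the nil GetConfig result rather than why the pause process could not be moved; use `conf, cfgErr := runtime.GetConfig()` / `if cfgErr != nil { return cfgErr }` and keep logging `err`. The new block also sits between `became, ret, err := rootless.TryJoinFromFilePaths(...)` and its `if err != nil` check, so when the join already failed the code still tries to read the pause pid file and may log a misleading scope warning before exiting; moving the insert below the existing error check keeps the failure path quiet. The enclosing function continues outside this hunk.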
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go
index 0a79e1570..f13af96bc 100644
--- a/cmd/podman/trust.go
+++ b/cmd/podman/trust.go
@@ -6,22 +6,20 @@ import (
)
var (
+ trustCommand cliconfig.TrustValues
trustDescription = `Manages which registries you trust as a source of container images based on its location.
-
The location is determined by the transport and the registry host of the image. Using this container image docker://docker.io/library/busybox as an example, docker is the transport and docker.io is the registry host.`
- trustCommand = cliconfig.PodmanCommand{
- Command: &cobra.Command{
- Use: "trust",
- Short: "Manage container image trust policy",
- Long: trustDescription,
- RunE: commandRunE(),
- },
+ _trustCommand = &cobra.Command{
+ Use: "trust",
+ Short: "Manage container image trust policy",
+ Long: trustDescription,
+ RunE: commandRunE(),
}
)
func init() {
+ trustCommand.Command = _trustCommand
trustCommand.SetHelpTemplate(HelpTemplate())
trustCommand.SetUsageTemplate(UsageTemplate())
trustCommand.AddCommand(getTrustSubCommands()...)
- imageCommand.AddCommand(trustCommand.Command)
}