summaryrefslogtreecommitdiff
path: root/libpod/container_internal.go
diff options
context:
space:
mode:
Diffstat (limited to 'libpod/container_internal.go')
-rw-r--r--libpod/container_internal.go286
1 files changed, 140 insertions, 146 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 0e883588c..4e18819b8 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -142,92 +142,6 @@ func (c *Container) exitFilePath() (string, error) {
return c.ociRuntime.ExitFilePath(c)
}
-// create a bundle path and associated files for an exec session
-func (c *Container) createExecBundle(sessionID string) (err error) {
- bundlePath := c.execBundlePath(sessionID)
- if createErr := os.MkdirAll(bundlePath, execDirPermission); createErr != nil {
- return createErr
- }
- defer func() {
- if err != nil {
- if err2 := os.RemoveAll(bundlePath); err != nil {
- logrus.Warnf("error removing exec bundle after creation caused another error: %v", err2)
- }
- }
- }()
- if err2 := os.MkdirAll(c.execExitFileDir(sessionID), execDirPermission); err2 != nil {
- // The directory is allowed to exist
- if !os.IsExist(err2) {
- err = errors.Wrapf(err2, "error creating OCI runtime exit file path %s", c.execExitFileDir(sessionID))
- }
- }
- return
-}
-
-// cleanup an exec session after its done
-func (c *Container) cleanupExecBundle(sessionID string) error {
- if err := os.RemoveAll(c.execBundlePath(sessionID)); err != nil && !os.IsNotExist(err) {
- return err
- }
-
- return c.ociRuntime.ExecContainerCleanup(c, sessionID)
-}
-
-// the path to a containers exec session bundle
-func (c *Container) execBundlePath(sessionID string) string {
- return filepath.Join(c.bundlePath(), sessionID)
-}
-
-// Get PID file path for a container's exec session
-func (c *Container) execPidPath(sessionID string) string {
- return filepath.Join(c.execBundlePath(sessionID), "exec_pid")
-}
-
-// the log path for an exec session
-func (c *Container) execLogPath(sessionID string) string {
- return filepath.Join(c.execBundlePath(sessionID), "exec_log")
-}
-
-// the socket conmon creates for an exec session
-func (c *Container) execAttachSocketPath(sessionID string) (string, error) {
- return c.ociRuntime.ExecAttachSocketPath(c, sessionID)
-}
-
-// execExitFileDir gets the path to the container's exit file
-func (c *Container) execExitFileDir(sessionID string) string {
- return filepath.Join(c.execBundlePath(sessionID), "exit")
-}
-
-// execOCILog returns the file path for the exec sessions oci log
-func (c *Container) execOCILog(sessionID string) string {
- if !c.ociRuntime.SupportsJSONErrors() {
- return ""
- }
- return filepath.Join(c.execBundlePath(sessionID), "oci-log")
-}
-
-// readExecExitCode reads the exit file for an exec session and returns
-// the exit code
-func (c *Container) readExecExitCode(sessionID string) (int, error) {
- exitFile := filepath.Join(c.execExitFileDir(sessionID), c.ID())
- chWait := make(chan error)
- defer close(chWait)
-
- _, err := WaitForFile(exitFile, chWait, time.Second*5)
- if err != nil {
- return -1, err
- }
- ec, err := ioutil.ReadFile(exitFile)
- if err != nil {
- return -1, err
- }
- ecInt, err := strconv.Atoi(string(ec))
- if err != nil {
- return -1, err
- }
- return ecInt, nil
-}
-
// Wait for the container's exit file to appear.
// When it does, update our state based on it.
func (c *Container) waitForExitFileAndSync() error {
@@ -556,9 +470,9 @@ func (c *Container) teardownStorage() error {
return nil
}
-// Reset resets state fields to default values
-// It is performed before a refresh and clears the state after a reboot
-// It does not save the results - assumes the database will do that for us
+// Reset resets state fields to default values.
+// It is performed before a refresh and clears the state after a reboot.
+// It does not save the results - assumes the database will do that for us.
func resetState(state *ContainerState) error {
state.PID = 0
state.ConmonPID = 0
@@ -568,7 +482,7 @@ func resetState(state *ContainerState) error {
state.State = define.ContainerStateConfigured
}
state.ExecSessions = make(map[string]*ExecSession)
- state.NetworkStatus = nil
+ state.LegacyExecSessions = nil
state.BindMounts = make(map[string]string)
state.StoppedByUser = false
state.RestartPolicyMatch = false
@@ -601,14 +515,14 @@ func (c *Container) refresh() error {
c.state.RunDir = dir
if len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0 {
- info, err := os.Stat(c.runtime.config.TmpDir)
+ info, err := os.Stat(c.runtime.config.Engine.TmpDir)
if err != nil {
- return errors.Wrapf(err, "cannot stat `%s`", c.runtime.config.TmpDir)
+ return errors.Wrapf(err, "cannot stat `%s`", c.runtime.config.Engine.TmpDir)
}
- if err := os.Chmod(c.runtime.config.TmpDir, info.Mode()|0111); err != nil {
- return errors.Wrapf(err, "cannot chmod `%s`", c.runtime.config.TmpDir)
+ if err := os.Chmod(c.runtime.config.Engine.TmpDir, info.Mode()|0111); err != nil {
+ return errors.Wrapf(err, "cannot chmod `%s`", c.runtime.config.Engine.TmpDir)
}
- root := filepath.Join(c.runtime.config.TmpDir, "containers-root", c.ID())
+ root := filepath.Join(c.runtime.config.Engine.TmpDir, "containers-root", c.ID())
if err := os.MkdirAll(root, 0755); err != nil {
return errors.Wrapf(err, "error creating userNS tmpdir for container %s", c.ID())
}
@@ -624,6 +538,18 @@ func (c *Container) refresh() error {
}
c.lock = lock
+ // Try to delete any lingering IP allocations.
+ // If this fails, just log and ignore.
+ // I'm a little concerned that this is so far down in refresh() and we
+ // could fail before getting to it - but the worst that would happen is
+ // that Inspect() would return info on IPs we no longer own.
+ if len(c.state.NetworkStatus) > 0 {
+ if err := c.removeIPv4Allocations(); err != nil {
+ logrus.Errorf("Error removing IP allocations for container %s: %v", c.ID(), err)
+ }
+ }
+ c.state.NetworkStatus = nil
+
if err := c.save(); err != nil {
return errors.Wrapf(err, "error refreshing state for container %s", c.ID())
}
@@ -633,11 +559,58 @@ func (c *Container) refresh() error {
return err
}
- if rootless.IsRootless() {
+ return nil
+}
+
+// Try and remove IP address allocations. Presently IPv4 only.
+// Should be safe as rootless because NetworkStatus should only be populated if
+// CNI is running.
+func (c *Container) removeIPv4Allocations() error {
+ cniNetworksDir, err := getCNINetworksDir()
+ if err != nil {
+ return err
+ }
+
+ if len(c.state.NetworkStatus) == 0 {
return nil
}
- return c.refreshCNI()
+ cniDefaultNetwork := ""
+ if c.runtime.netPlugin != nil {
+ cniDefaultNetwork = c.runtime.netPlugin.GetDefaultNetworkName()
+ }
+
+ switch {
+ case len(c.config.Networks) > 0 && len(c.config.Networks) != len(c.state.NetworkStatus):
+ return errors.Wrapf(define.ErrInternal, "network mismatch: asked to join %d CNI networks but got %d CNI results", len(c.config.Networks), len(c.state.NetworkStatus))
+ case len(c.config.Networks) == 0 && len(c.state.NetworkStatus) != 1:
+ return errors.Wrapf(define.ErrInternal, "network mismatch: did not specify CNI networks but joined more than one (%d)", len(c.state.NetworkStatus))
+ case len(c.config.Networks) == 0 && cniDefaultNetwork == "":
+ return errors.Wrapf(define.ErrInternal, "could not retrieve name of CNI default network")
+ }
+
+ for index, result := range c.state.NetworkStatus {
+ for _, ctrIP := range result.IPs {
+ if ctrIP.Version != "4" {
+ continue
+ }
+ candidate := ""
+ if len(c.config.Networks) > 0 {
+ // CNI returns networks in order we passed them.
+ // So our index into results should be our index
+ // into networks.
+ candidate = filepath.Join(cniNetworksDir, c.config.Networks[index], ctrIP.Address.IP.String())
+ } else {
+ candidate = filepath.Join(cniNetworksDir, cniDefaultNetwork, ctrIP.Address.IP.String())
+ }
+ logrus.Debugf("Going to try removing IP address reservation file %q for container %s", candidate, c.ID())
+ if err := os.Remove(candidate); err != nil && !os.IsNotExist(err) {
+ return errors.Wrapf(err, "error removing CNI IP reservation file %q for container %s", candidate, c.ID())
+ }
+ }
+ }
+
+ return nil
}
// Remove conmon attach socket and terminal resize FIFO
@@ -914,6 +887,7 @@ func (c *Container) checkDependenciesRunning() ([]string, error) {
}
func (c *Container) completeNetworkSetup() error {
+ var outResolvConf []string
netDisabled, err := c.NetworkDisabled()
if err != nil {
return err
@@ -924,10 +898,40 @@ func (c *Container) completeNetworkSetup() error {
if err := c.syncContainer(); err != nil {
return err
}
- if c.config.NetMode == "slirp4netns" {
+ if c.config.NetMode.IsSlirp4netns() {
return c.runtime.setupRootlessNetNS(c)
}
- return c.runtime.setupNetNS(c)
+ if err := c.runtime.setupNetNS(c); err != nil {
+ return err
+ }
+ state := c.state
+ // collect any dns servers that cni tells us to use (dnsname)
+ for _, cni := range state.NetworkStatus {
+ if cni.DNS.Nameservers != nil {
+ for _, server := range cni.DNS.Nameservers {
+ outResolvConf = append(outResolvConf, fmt.Sprintf("nameserver %s", server))
+ }
+ }
+ }
+ // check if we have a bindmount for resolv.conf
+ resolvBindMount := state.BindMounts["/etc/resolv.conf"]
+ if len(outResolvConf) < 1 || resolvBindMount == "" || len(c.config.NetNsCtr) > 0 {
+ return nil
+ }
+ // read the existing resolv.conf
+ b, err := ioutil.ReadFile(resolvBindMount)
+ if err != nil {
+ return err
+ }
+ for _, line := range strings.Split(string(b), "\n") {
+ // only keep things that don't start with nameserver from the old
+ // resolv.conf file
+ if !strings.HasPrefix(line, "nameserver") {
+ outResolvConf = append([]string{line}, outResolvConf...)
+ }
+ }
+ // write and return
+ return ioutil.WriteFile(resolvBindMount, []byte(strings.Join(outResolvConf, "\n")), 0644)
}
// Initialize a container, creating it in the runtime
@@ -1254,6 +1258,12 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
}
}
}
+ // Ensure we tear down the container network so it will be
+ // recreated - otherwise, behavior of restart differs from stop
+ // and start
+ if err := c.cleanupNetwork(); err != nil {
+ return err
+ }
}
defer func() {
if err != nil {
@@ -1364,6 +1374,9 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
return nil, errors.Wrapf(err, "error retrieving named volume %s for container %s", v.Name, c.ID())
}
+ if vol.config.LockID == c.config.LockID {
+ return nil, errors.Wrapf(define.ErrWillDeadlock, "container %s and volume %s share lock ID %d", c.ID(), vol.Name(), c.config.LockID)
+ }
vol.lock.Lock()
defer vol.lock.Unlock()
if vol.needsMount() {
@@ -1377,18 +1390,34 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
}
if vol.state.NeedsCopyUp {
logrus.Debugf("Copying up contents from container %s to volume %s", c.ID(), vol.Name())
+
+ // Set NeedsCopyUp to false immediately, so we don't try this
+ // again when there are already files copied.
+ vol.state.NeedsCopyUp = false
+ if err := vol.save(); err != nil {
+ return nil, err
+ }
+
+ // If the volume is not empty, we should not copy up.
+ volMount := vol.MountPoint()
+ contents, err := ioutil.ReadDir(volMount)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error listing contents of volume %s mountpoint when copying up from container %s", vol.Name(), c.ID())
+ }
+ if len(contents) > 0 {
+ // The volume is not empty. It was likely modified
+ // outside of Podman. For safety, let's not copy up into
+ // it. Fixes CVE-2020-1726.
+ return vol, nil
+ }
+
srcDir, err := securejoin.SecureJoin(mountpoint, v.Dest)
if err != nil {
return nil, errors.Wrapf(err, "error calculating destination path to copy up container %s volume %s", c.ID(), vol.Name())
}
- if err := c.copyWithTarFromImage(srcDir, vol.MountPoint()); err != nil && !os.IsNotExist(err) {
+ if err := c.copyWithTarFromImage(srcDir, volMount); err != nil && !os.IsNotExist(err) {
return nil, errors.Wrapf(err, "error copying content from container %s into volume %s", c.ID(), vol.Name())
}
-
- vol.state.NeedsCopyUp = false
- if err := vol.save(); err != nil {
- return nil, err
- }
}
return vol, nil
}
@@ -1660,7 +1689,7 @@ func (c *Container) saveSpec(spec *spec.Spec) error {
// Warning: precreate hooks may alter 'config' in place.
func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (extensionStageHooks map[string][]spec.Hook, err error) {
allHooks := make(map[string][]spec.Hook)
- if c.runtime.config.HooksDir == nil {
+ if c.runtime.config.Engine.HooksDir == nil {
if rootless.IsRootless() {
return nil, nil
}
@@ -1684,7 +1713,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (exten
}
}
} else {
- manager, err := hooks.New(ctx, c.runtime.config.HooksDir, []string{"precreate", "poststop"})
+ manager, err := hooks.New(ctx, c.runtime.config.Engine.HooksDir, []string{"precreate", "poststop"})
if err != nil {
return nil, err
}
@@ -1758,12 +1787,12 @@ func (c *Container) checkReadyForRemoval() error {
return errors.Wrapf(define.ErrCtrStateInvalid, "cannot remove container %s as it is %s - running or paused containers cannot be removed without force", c.ID(), c.state.State.String())
}
- // Reap exec sessions
- if err := c.reapExecSessions(); err != nil {
+ // Check exec sessions
+ sessions, err := c.getActiveExecSessions()
+ if err != nil {
return err
}
-
- if len(c.state.ExecSessions) != 0 {
+ if len(sessions) != 0 {
return errors.Wrapf(define.ErrCtrStateInvalid, "cannot remove container %s as it has active exec sessions", c.ID())
}
@@ -1870,41 +1899,6 @@ func (c *Container) checkExitFile() error {
return c.handleExitFile(exitFile, info)
}
-// Reap dead exec sessions
-func (c *Container) reapExecSessions() error {
- // Instead of saving once per iteration, use a defer to do it once at
- // the end.
- var lastErr error
- needSave := false
- for id := range c.state.ExecSessions {
- alive, err := c.ociRuntime.ExecUpdateStatus(c, id)
- if err != nil {
- if lastErr != nil {
- logrus.Errorf("Error reaping exec sessions for container %s: %v", c.ID(), lastErr)
- }
- lastErr = err
- continue
- }
- if !alive {
- // Clean up lingering files and remove the exec session
- if err := c.ociRuntime.ExecContainerCleanup(c, id); err != nil {
- return errors.Wrapf(err, "error cleaning up container %s exec session %s files", c.ID(), id)
- }
- delete(c.state.ExecSessions, id)
- needSave = true
- }
- }
- if needSave {
- if err := c.save(); err != nil {
- if lastErr != nil {
- logrus.Errorf("Error reaping exec sessions for container %s: %v", c.ID(), lastErr)
- }
- lastErr = err
- }
- }
- return lastErr
-}
-
func (c *Container) hasNamespace(namespace spec.LinuxNamespaceType) bool {
if c.config.Spec == nil || c.config.Spec.Linux == nil {
return false