1 files changed, 87 insertions, 14 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 74a3fec32..ea52d7ba0 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -909,14 +909,15 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 	includeFiles := []string{
 		"artifacts",
 		"ctr.log",
-		metadata.CheckpointDirectory,
 		metadata.ConfigDumpFile,
 		metadata.SpecDumpFile,
 		metadata.NetworkStatusFile,
 	}
 
 	if options.PreCheckPoint {
-		includeFiles[0] = "pre-checkpoint"
+		includeFiles = append(includeFiles, preCheckpointDir)
+	} else {
+		includeFiles = append(includeFiles, metadata.CheckpointDirectory)
 	}
 	// Get root file-system changes included in the checkpoint archive
 	var addToTarFiles []string
@@ -985,7 +986,7 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 	}
 
 	input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{
-		Compression:      archive.Gzip,
+		Compression:      options.Compression,
 		IncludeSourceDir: true,
 		IncludeFiles:     includeFiles,
 	})
@@ -1650,22 +1651,20 @@ func (c *Container) generateResolvConf() (string, error) {
 		}
 	}
 
-	// Determine the endpoint for resolv.conf in case it is a symlink
-	resolvPath, err := filepath.EvalSymlinks(resolvConf)
+	contents, err := ioutil.ReadFile(resolvConf)
 	// resolv.conf doesn't have to exists
 	if err != nil && !os.IsNotExist(err) {
 		return "", err
 	}
 
-	// Determine if symlink points to any of the systemd-resolved files
-	if strings.HasPrefix(resolvPath, "/run/systemd/resolve/") {
-		resolvPath = "/run/systemd/resolve/resolv.conf"
-	}
-
-	contents, err := ioutil.ReadFile(resolvPath)
-	// resolv.conf doesn't have to exists
-	if err != nil && !os.IsNotExist(err) {
-		return "", err
+	ns := resolvconf.GetNameservers(contents)
+	// check if systemd-resolved is used, assume it is used when 127.0.0.53 is the only nameserver
+	if len(ns) == 1 && ns[0] == "127.0.0.53" {
+		// read the actual resolv.conf file for systemd-resolved
+		contents, err = ioutil.ReadFile("/run/systemd/resolve/resolv.conf")
+		if err != nil {
+			return "", errors.Wrapf(err, "detected that systemd-resolved is in use, but could not locate real resolv.conf")
+		}
 	}
 
 	ipv6 := false
@@ -2427,3 +2426,77 @@ func (c *Container) createSecretMountDir() error {
 
 	return err
 }
+
+// Fix ownership and permissions of the specified volume if necessary.
+func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
+	vol, err := c.runtime.state.Volume(v.Name)
+	if err != nil {
+		return errors.Wrapf(err, "error retrieving named volume %s for container %s", v.Name, c.ID())
+	}
+
+	vol.lock.Lock()
+	defer vol.lock.Unlock()
+
+	// The volume may need a copy-up. Check the state.
+	if err := vol.update(); err != nil {
+		return err
+	}
+
+	// TODO: For now, I've disabled chowning volumes owned by non-Podman
+	// drivers. This may be safe, but it's really going to be a case-by-case
+	// thing, I think - safest to leave disabled now and re-enable later if
+	// there is a demand.
+	if vol.state.NeedsChown && !vol.UsesVolumeDriver() {
+		vol.state.NeedsChown = false
+
+		uid := int(c.config.Spec.Process.User.UID)
+		gid := int(c.config.Spec.Process.User.GID)
+
+		if c.config.IDMappings.UIDMap != nil {
+			p := idtools.IDPair{
+				UID: uid,
+				GID: gid,
+			}
+			mappings := idtools.NewIDMappingsFromMaps(c.config.IDMappings.UIDMap, c.config.IDMappings.GIDMap)
+			newPair, err := mappings.ToHost(p)
+			if err != nil {
+				return errors.Wrapf(err, "error mapping user %d:%d", uid, gid)
+			}
+			uid = newPair.UID
+			gid = newPair.GID
+		}
+
+		vol.state.UIDChowned = uid
+		vol.state.GIDChowned = gid
+
+		if err := vol.save(); err != nil {
+			return err
+		}
+
+		mountPoint, err := vol.MountPoint()
+		if err != nil {
+			return err
+		}
+
+		if err := os.Lchown(mountPoint, uid, gid); err != nil {
+			return err
+		}
+
+		// Make sure the new volume matches the permissions of the target directory.
+		// https://github.com/containers/podman/issues/10188
+		st, err := os.Lstat(filepath.Join(c.state.Mountpoint, v.Dest))
+		if err == nil {
+			if err := os.Chmod(mountPoint, st.Mode()|0111); err != nil {
+				return err
+			}
+			stat := st.Sys().(*syscall.Stat_t)
+			atime := time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+			if err := os.Chtimes(mountPoint, atime, st.ModTime()); err != nil {
+				return err
+			}
+		} else if !os.IsNotExist(err) {
+			return err
+		}
+	}
+	return nil
+}