1 files changed, 119 insertions, 54 deletions
diff --git a/libpod/runtime.go b/libpod/runtime.go
index f390824dc..c7000d84a 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -1,6 +1,7 @@
 package libpod
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -11,6 +12,7 @@ import (
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/image"
+	"github.com/containers/libpod/libpod/lock"
 	"github.com/containers/libpod/pkg/firewall"
 	sysreg "github.com/containers/libpod/pkg/registries"
 	"github.com/containers/libpod/pkg/rootless"
@@ -61,6 +63,14 @@ const (
 	DefaultInfraImage = "k8s.gcr.io/pause:3.1"
 	// DefaultInfraCommand to be run in an infra container
 	DefaultInfraCommand = "/pause"
+
+	// DefaultInitPath is the default path to the container-init binary
+	DefaultInitPath = "/usr/libexec/podman/catatonit"
+
+	// DefaultSHMLockPath is the default path for SHM locks
+	DefaultSHMLockPath = "/libpod_lock"
+	// DefaultRootlessSHMLockPath is the default path for rootless SHM locks
+	DefaultRootlessSHMLockPath = "/libpod_rootless_lock"
 )
 
 // A RuntimeOption is a functional option which alters the Runtime created by
@@ -75,17 +85,25 @@ type Runtime struct {
 	storageService  *storageService
 	imageContext    *types.SystemContext
 	ociRuntime      *OCIRuntime
-	lockDir         string
 	netPlugin       ocicni.CNIPlugin
-	ociRuntimePath  string
+	ociRuntimePath  OCIRuntimePath
 	conmonPath      string
 	valid           bool
 	lock            sync.RWMutex
 	imageRuntime    *image.Runtime
 	firewallBackend firewall.FirewallBackend
+	lockManager     lock.Manager
 	configuredFrom  *runtimeConfiguredFrom
 }
 
+// OCIRuntimePath contains information about an OCI runtime.
+type OCIRuntimePath struct {
+	// Name of the runtime to refer to by the --runtime flag
+	Name string `toml:"name"`
+	// Paths to check for this executable
+	Paths []string `toml:"paths"`
+}
+
 // RuntimeConfig contains configuration options used to set up the runtime
 type RuntimeConfig struct {
 	// StorageConfig is the configuration used by containers/storage
@@ -108,10 +126,10 @@ type RuntimeConfig struct {
 	// cause conflicts in containers/storage
 	// As such this is not exposed via the config file
 	StateType RuntimeStateStore `toml:"-"`
-	// RuntimePath is the path to OCI runtime binary for launching
-	// containers
-	// The first path pointing to a valid file will be used
-	RuntimePath []string `toml:"runtime_path"`
+	// OCIRuntime is the OCI runtime to use.
+	OCIRuntime string `toml:"runtime"`
+	// OCIRuntimes are the set of configured OCI runtimes (default is runc)
+	OCIRuntimes map[string][]string `toml:"runtimes"`
 	// ConmonPath is the path to the Conmon binary used for managing
 	// containers
 	// The first path pointing to a valid file will be used
@@ -122,6 +140,8 @@ type RuntimeConfig struct {
 	// CGroupManager is the CGroup Manager to use
 	// Valid values are "cgroupfs" and "systemd"
 	CgroupManager string `toml:"cgroup_manager"`
+	// InitPath is the path to the container-init binary.
+	InitPath string `toml:"init_path"`
 	// StaticDir is the path to a persistent directory to store container
 	// files
 	StaticDir string `toml:"static_dir"`
@@ -160,6 +180,7 @@ type RuntimeConfig struct {
 	// and all containers and pods will be visible.
 	// The default namespace is "".
 	Namespace string `toml:"namespace,omitempty"`
+
 	// InfraImage is the image a pod infra container will use to manage namespaces
 	InfraImage string `toml:"infra_image"`
 	// InfraCommand is the command run to start up a pod infra container
@@ -174,6 +195,10 @@ type RuntimeConfig struct {
 	EnablePortReservation bool `toml:"enable_port_reservation"`
 	// EnableLabeling indicates wether libpod will support container labeling
 	EnableLabeling bool `toml:"label"`
+
+	// NumLocks is the number of locks to make available for containers and
+	// pods.
+	NumLocks uint32 `toml:"num_locks,omitempty"`
 }
 
 // runtimeConfiguredFrom is a struct used during early runtime init to help
@@ -196,14 +221,17 @@ var (
 		StorageConfig:         storage.StoreOptions{},
 		ImageDefaultTransport: DefaultTransport,
 		StateType:             BoltDBStateStore,
-		RuntimePath: []string{
-			"/usr/bin/runc",
-			"/usr/sbin/runc",
-			"/usr/local/bin/runc",
-			"/usr/local/sbin/runc",
-			"/sbin/runc",
-			"/bin/runc",
-			"/usr/lib/cri-o-runc/sbin/runc",
+		OCIRuntime:            "runc",
+		OCIRuntimes: map[string][]string{
+			"runc": {
+				"/usr/bin/runc",
+				"/usr/sbin/runc",
+				"/usr/local/bin/runc",
+				"/usr/local/sbin/runc",
+				"/sbin/runc",
+				"/bin/runc",
+				"/usr/lib/cri-o-runc/sbin/runc",
+			},
 		},
 		ConmonPath: []string{
 			"/usr/libexec/podman/conmon",
@@ -217,6 +245,7 @@ var (
 		ConmonEnvVars: []string{
 			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 		},
+		InitPath:              DefaultInitPath,
 		CgroupManager:         SystemdCgroupsManager,
 		StaticDir:             filepath.Join(storage.DefaultStoreOptions.GraphRoot, "libpod"),
 		TmpDir:                "",
@@ -228,6 +257,7 @@ var (
 		InfraImage:            DefaultInfraImage,
 		EnablePortReservation: true,
 		EnableLabeling:        true,
+		NumLocks:              2048,
 	}
 )
 
@@ -395,8 +425,9 @@ func NewRuntimeFromConfig(configPath string, options ...RuntimeOption) (runtime
 	runtime.config = new(RuntimeConfig)
 	runtime.configuredFrom = new(runtimeConfiguredFrom)
 
-	// Set two fields not in the TOML config
+	// Set three fields not in the TOML config
 	runtime.config.StateType = defaultRuntimeConfig.StateType
+	runtime.config.OCIRuntime = defaultRuntimeConfig.OCIRuntime
 	runtime.config.StorageConfig = storage.StoreOptions{}
 
 	// Check to see if the given configuration file exists
@@ -434,22 +465,35 @@ func NewRuntimeFromConfig(configPath string, options ...RuntimeOption) (runtime
 func makeRuntime(runtime *Runtime) (err error) {
 	// Find a working OCI runtime binary
 	foundRuntime := false
-	for _, path := range runtime.config.RuntimePath {
-		stat, err := os.Stat(path)
-		if err != nil {
-			continue
-		}
-		if stat.IsDir() {
-			continue
-		}
+	// If runtime is an absolute path, then use it as it is.
+	if runtime.config.OCIRuntime[0] == '/' {
 		foundRuntime = true
-		runtime.ociRuntimePath = path
-		break
+		runtime.ociRuntimePath = OCIRuntimePath{Name: filepath.Base(runtime.config.OCIRuntime), Paths: []string{runtime.config.OCIRuntime}}
+	} else {
+		// If not, look it up in the configuration.
+		paths := runtime.config.OCIRuntimes[runtime.config.OCIRuntime]
+		if paths != nil {
+			for _, path := range paths {
+				stat, err := os.Stat(path)
+				if err != nil {
+					if os.IsNotExist(err) {
+						continue
+					}
+					return errors.Wrapf(err, "cannot stat %s", path)
+				}
+				if !stat.Mode().IsRegular() {
+					continue
+				}
+				foundRuntime = true
+				runtime.ociRuntimePath = OCIRuntimePath{Name: runtime.config.OCIRuntime, Paths: []string{path}}
+				break
+			}
+		}
 	}
 	if !foundRuntime {
 		return errors.Wrapf(ErrInvalidArg,
 			"could not find a working binary (configured options: %v)",
-			runtime.config.RuntimePath)
+			runtime.config.OCIRuntimes)
 	}
 
 	// Find a working conmon binary
@@ -605,7 +649,7 @@ func makeRuntime(runtime *Runtime) (err error) {
 	}
 
 	// Make an OCI runtime to perform container operations
-	ociRuntime, err := newOCIRuntime("runc", runtime.ociRuntimePath,
+	ociRuntime, err := newOCIRuntime(runtime.ociRuntimePath,
 		runtime.conmonPath, runtime.config.ConmonEnvVars,
 		runtime.config.CgroupManager, runtime.config.TmpDir,
 		runtime.config.MaxLogSize, runtime.config.NoPivotRoot,
@@ -615,17 +659,6 @@ func makeRuntime(runtime *Runtime) (err error) {
 	}
 	runtime.ociRuntime = ociRuntime
 
-	// Make a directory to hold container lockfiles
-	lockDir := filepath.Join(runtime.config.TmpDir, "lock")
-	if err := os.MkdirAll(lockDir, 0755); err != nil {
-		// The directory is allowed to exist
-		if !os.IsExist(err) {
-			return errors.Wrapf(err, "error creating runtime lockfiles directory %s",
-				lockDir)
-		}
-	}
-	runtime.lockDir = lockDir
-
 	// Make the per-boot files directory if it does not exist
 	if err := os.MkdirAll(runtime.config.TmpDir, 0755); err != nil {
 		// The directory is allowed to exist
@@ -670,6 +703,7 @@ func makeRuntime(runtime *Runtime) (err error) {
 	// and use it to lock important operations
 	aliveLock.Lock()
 	locked := true
+	doRefresh := false
 	defer func() {
 		if locked {
 			aliveLock.Unlock()
@@ -682,22 +716,46 @@ func makeRuntime(runtime *Runtime) (err error) {
 		// empty state only creates a single file
 		// As such, it's not really a performance concern
 		if os.IsNotExist(err) {
-			if os.Geteuid() != 0 {
-				aliveLock.Unlock()
-				locked = false
-				if err2 := runtime.refreshRootless(); err2 != nil {
-					return err2
-				}
-			} else {
-				if err2 := runtime.refresh(runtimeAliveFile); err2 != nil {
-					return err2
-				}
-			}
+			doRefresh = true
 		} else {
 			return errors.Wrapf(err, "error reading runtime status file %s", runtimeAliveFile)
 		}
 	}
 
+	lockPath := DefaultSHMLockPath
+	if rootless.IsRootless() {
+		lockPath = fmt.Sprintf("%s_%d", DefaultRootlessSHMLockPath, rootless.GetRootlessUID())
+	}
+	// Set up the lock manager
+	manager, err := lock.OpenSHMLockManager(lockPath, runtime.config.NumLocks)
+	if err != nil {
+		if os.IsNotExist(errors.Cause(err)) {
+			manager, err = lock.NewSHMLockManager(lockPath, runtime.config.NumLocks)
+			if err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+	runtime.lockManager = manager
+
+	// If we need to refresh the state, do it now - things are guaranteed to
+	// be set up by now.
+	if doRefresh {
+		if os.Geteuid() != 0 {
+			aliveLock.Unlock()
+			locked = false
+			if err2 := runtime.refreshRootless(); err2 != nil {
+				return err2
+			}
+		} else {
+			if err2 := runtime.refresh(runtimeAliveFile); err2 != nil {
+				return err2
+			}
+		}
+	}
+
 	// Mark the runtime as valid - ready to be used, cannot be modified
 	// further
 	runtime.valid = true
@@ -771,7 +829,11 @@ func (r *Runtime) refreshRootless() error {
 	// Take advantage of a command that requires a new userns
 	// so that we are running as the root user and able to use refresh()
 	cmd := exec.Command(os.Args[0], "info")
-	return cmd.Run()
+	err := cmd.Run()
+	if err != nil {
+		return errors.Wrapf(err, "Error running %s info while refreshing state", os.Args[0])
+	}
+	return nil
 }
 
 // Reconfigures the runtime after a reboot
@@ -793,19 +855,22 @@ func (r *Runtime) refresh(alivePath string) error {
 	if err != nil {
 		return errors.Wrapf(err, "error retrieving all pods from state")
 	}
+	// No locks are taken during pod and container refresh.
+	// Furthermore, the pod and container refresh() functions are not
+	// allowed to take locks themselves.
+	// We cannot assume that any pod or container has a valid lock until
+	// after this function has returned.
+	// The runtime alive lock should suffice to provide mutual exclusion
+	// until this has run.
 	for _, ctr := range ctrs {
-		ctr.lock.Lock()
 		if err := ctr.refresh(); err != nil {
 			logrus.Errorf("Error refreshing container %s: %v", ctr.ID(), err)
 		}
-		ctr.lock.Unlock()
 	}
 	for _, pod := range pods {
-		pod.lock.Lock()
 		if err := pod.refresh(); err != nil {
 			logrus.Errorf("Error refreshing pod %s: %v", pod.ID(), err)
 		}
-		pod.lock.Unlock()
 	}
 
 	// Create a file indicating the runtime is alive and ready