3 files changed, 181 insertions, 36 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index cef9e2c04..1517a7df7 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -173,6 +173,57 @@ func (c *Container) prepare() error {
 	return nil
 }
 
+// isWorkDirSymlink returns true if resolved workdir is symlink or a chain of symlinks,
+// and final resolved target is present either on  volume, mount or inside of container
+// otherwise it returns false. Following function is meant for internal use only and
+// can change at any point of time.
+func (c *Container) isWorkDirSymlink(resolvedPath string) bool {
+	// We cannot create workdir since explicit --workdir is
+	// set in config but workdir could also be a symlink.
+	// If its a symlink lets check if resolved link is present
+	// on the container or not.
+
+	// If we can resolve symlink and resolved link is present on the container
+	// then return nil cause its a valid use-case.
+
+	maxSymLinks := 0
+	for {
+		// Linux only supports a chain of 40 links.
+		// Reference: https://github.com/torvalds/linux/blob/master/include/linux/namei.h#L13
+		if maxSymLinks > 40 {
+			break
+		}
+		resolvedSymlink, err := os.Readlink(resolvedPath)
+		if err != nil {
+			// End sym-link resolution loop.
+			break
+		}
+		if resolvedSymlink != "" {
+			_, resolvedSymlinkWorkdir, err := c.resolvePath(c.state.Mountpoint, resolvedSymlink)
+			if isPathOnVolume(c, resolvedSymlinkWorkdir) || isPathOnBindMount(c, resolvedSymlinkWorkdir) {
+				// Resolved symlink exists on external volume or mount
+				return true
+			}
+			if err != nil {
+				// Could not resolve path so end sym-link resolution loop.
+				break
+			}
+			if resolvedSymlinkWorkdir != "" {
+				resolvedPath = resolvedSymlinkWorkdir
+				_, err := os.Stat(resolvedSymlinkWorkdir)
+				if err == nil {
+					// Symlink resolved successfully and resolved path exists on container,
+					// this is a valid use-case so return nil.
+					logrus.Debugf("Workdir is a symlink with target to %q and resolved symlink exists on container", resolvedSymlink)
+					return true
+				}
+			}
+		}
+		maxSymLinks++
+	}
+	return false
+}
+
 // resolveWorkDir resolves the container's workdir and, depending on the
 // configuration, will create it, or error out if it does not exist.
 // Note that the container must be mounted before.
@@ -205,6 +256,11 @@ func (c *Container) resolveWorkDir() error {
 		// the path exists on the container.
 		if err != nil {
 			if os.IsNotExist(err) {
+				// If resolved Workdir path gets marked as a valid symlink,
+				// return nil cause this is valid use-case.
+				if c.isWorkDirSymlink(resolvedWorkdir) {
+					return nil
+				}
 				return errors.Errorf("workdir %q does not exist on container %s", workdir, c.ID())
 			}
 			// This might be a serious error (e.g., permission), so
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 29b9941fe..7fd80927b 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -30,6 +30,7 @@ import (
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/containers/podman/v4/utils"
 	"github.com/containers/storage/pkg/lockfile"
+	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -990,8 +991,20 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 		return nil, err
 	}
 
-	// We can't do more if the network is down.
 	if c.state.NetNS == nil {
+		if networkNSPath := c.joinedNetworkNSPath(); networkNSPath != "" {
+			if result, err := c.inspectJoinedNetworkNS(networkNSPath); err == nil {
+				if basicConfig, err := resultToBasicNetworkConfig(result); err == nil {
+					// fallback to dummy configuration
+					settings.InspectBasicNetworkConfig = basicConfig
+					return settings, nil
+				}
+			}
+			// do not propagate error inspecting a joined network ns
+			logrus.Errorf("Error inspecting network namespace: %s of container %s: %v", networkNSPath, c.ID(), err)
+		}
+		// We can't do more if the network is down.
+
 		// We still want to make dummy configurations for each CNI net
 		// the container joined.
 		if len(networks) > 0 {
@@ -1065,11 +1078,84 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 	return settings, nil
 }
 
+func (c *Container) joinedNetworkNSPath() string {
+	for _, namespace := range c.config.Spec.Linux.Namespaces {
+		if namespace.Type == spec.NetworkNamespace {
+			return namespace.Path
+		}
+	}
+	return ""
+}
+
+func (c *Container) inspectJoinedNetworkNS(networkns string) (q types.StatusBlock, retErr error) {
+	var result types.StatusBlock
+	err := ns.WithNetNSPath(networkns, func(_ ns.NetNS) error {
+		ifaces, err := net.Interfaces()
+		if err != nil {
+			return err
+		}
+		routes, err := netlink.RouteList(nil, netlink.FAMILY_ALL)
+		if err != nil {
+			return err
+		}
+		var gateway net.IP
+		for _, route := range routes {
+			// default gateway
+			if route.Dst == nil {
+				gateway = route.Gw
+			}
+		}
+		result.Interfaces = make(map[string]types.NetInterface)
+		for _, iface := range ifaces {
+			if iface.Flags&net.FlagLoopback != 0 {
+				continue
+			}
+			addrs, err := iface.Addrs()
+			if err != nil {
+				continue
+			}
+			if len(addrs) == 0 {
+				continue
+			}
+			subnets := make([]types.NetAddress, 0, len(addrs))
+			for _, address := range addrs {
+				if ipnet, ok := address.(*net.IPNet); ok {
+					if ipnet.IP.IsLinkLocalMulticast() || ipnet.IP.IsLinkLocalUnicast() {
+						continue
+					}
+					subnet := types.NetAddress{
+						IPNet: types.IPNet{
+							IPNet: *ipnet,
+						},
+					}
+					if ipnet.Contains(gateway) {
+						subnet.Gateway = gateway
+					}
+					subnets = append(subnets, subnet)
+				}
+			}
+			result.Interfaces[iface.Name] = types.NetInterface{
+				Subnets:    subnets,
+				MacAddress: types.HardwareAddr(iface.HardwareAddr),
+			}
+		}
+		return nil
+	})
+	return result, err
+}
+
 // resultToBasicNetworkConfig produces an InspectBasicNetworkConfig from a CNI
 // result
 func resultToBasicNetworkConfig(result types.StatusBlock) (define.InspectBasicNetworkConfig, error) {
 	config := define.InspectBasicNetworkConfig{}
-	for _, netInt := range result.Interfaces {
+	interfaceNames := make([]string, len(result.Interfaces))
+	for interfaceName := range result.Interfaces {
+		interfaceNames = append(interfaceNames, interfaceName)
+	}
+	// ensure consistent inspect results by sorting
+	sort.Strings(interfaceNames)
+	for _, interfaceName := range interfaceNames {
+		netInt := result.Interfaces[interfaceName]
 		for _, netAddress := range netInt.Subnets {
 			size, _ := netAddress.IPNet.Mask.Size()
 			if netAddress.IPNet.IP.To4() != nil {
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index 155ad5c2d..230491c1a 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package libpod
@@ -59,50 +60,52 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option
 	pod.valid = true
 
 	// Check Cgroup parent sanity, and set it if it was not set
-	switch r.config.Engine.CgroupManager {
-	case config.CgroupfsCgroupsManager:
-		canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(pod.config.CgroupParent)
-		if canUseCgroup {
+	if r.config.Cgroups() != "disabled" {
+		switch r.config.Engine.CgroupManager {
+		case config.CgroupfsCgroupsManager:
+			canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(pod.config.CgroupParent)
+			if canUseCgroup {
+				if pod.config.CgroupParent == "" {
+					pod.config.CgroupParent = CgroupfsDefaultCgroupParent
+				} else if strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") {
+					return nil, errors.Wrapf(define.ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs")
+				}
+				// If we are set to use pod cgroups, set the cgroup parent that
+				// all containers in the pod will share
+				// No need to create it with cgroupfs - the first container to
+				// launch should do it for us
+				if pod.config.UsePodCgroup {
+					pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID())
+					if p.InfraContainerSpec != nil {
+						p.InfraContainerSpec.CgroupParent = pod.state.CgroupPath
+					}
+				}
+			}
+		case config.SystemdCgroupsManager:
 			if pod.config.CgroupParent == "" {
-				pod.config.CgroupParent = CgroupfsDefaultCgroupParent
-			} else if strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") {
-				return nil, errors.Wrapf(define.ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs")
+				if rootless.IsRootless() {
+					pod.config.CgroupParent = SystemdDefaultRootlessCgroupParent
+				} else {
+					pod.config.CgroupParent = SystemdDefaultCgroupParent
+				}
+			} else if len(pod.config.CgroupParent) < 6 || !strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") {
+				return nil, errors.Wrapf(define.ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups")
 			}
 			// If we are set to use pod cgroups, set the cgroup parent that
 			// all containers in the pod will share
-			// No need to create it with cgroupfs - the first container to
-			// launch should do it for us
 			if pod.config.UsePodCgroup {
-				pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID())
+				cgroupPath, err := systemdSliceFromPath(pod.config.CgroupParent, fmt.Sprintf("libpod_pod_%s", pod.ID()))
+				if err != nil {
+					return nil, errors.Wrapf(err, "unable to create pod cgroup for pod %s", pod.ID())
+				}
+				pod.state.CgroupPath = cgroupPath
 				if p.InfraContainerSpec != nil {
 					p.InfraContainerSpec.CgroupParent = pod.state.CgroupPath
 				}
 			}
+		default:
+			return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager)
 		}
-	case config.SystemdCgroupsManager:
-		if pod.config.CgroupParent == "" {
-			if rootless.IsRootless() {
-				pod.config.CgroupParent = SystemdDefaultRootlessCgroupParent
-			} else {
-				pod.config.CgroupParent = SystemdDefaultCgroupParent
-			}
-		} else if len(pod.config.CgroupParent) < 6 || !strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") {
-			return nil, errors.Wrapf(define.ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups")
-		}
-		// If we are set to use pod cgroups, set the cgroup parent that
-		// all containers in the pod will share
-		if pod.config.UsePodCgroup {
-			cgroupPath, err := systemdSliceFromPath(pod.config.CgroupParent, fmt.Sprintf("libpod_pod_%s", pod.ID()))
-			if err != nil {
-				return nil, errors.Wrapf(err, "unable to create pod cgroup for pod %s", pod.ID())
-			}
-			pod.state.CgroupPath = cgroupPath
-			if p.InfraContainerSpec != nil {
-				p.InfraContainerSpec.CgroupParent = pod.state.CgroupPath
-			}
-		}
-	default:
-		return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager)
 	}
 
 	if pod.config.UsePodCgroup {