diff options
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/api/server/server.go | 27 | ||||
| -rw-r--r-- | pkg/rootless/rootless_linux.go | 4 | ||||
| -rw-r--r-- | pkg/spec/createconfig.go | 1 | ||||
| -rw-r--r-- | pkg/spec/security.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/oci.go | 14 | ||||
| -rw-r--r-- | pkg/specgen/specgen.go | 2 |
6 files changed, 46 insertions, 4 deletions
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go index 18b48a3f6..e7c031234 100644 --- a/pkg/api/server/server.go +++ b/pkg/api/server/server.go @@ -2,6 +2,7 @@ package server import ( "context" + "fmt" "log" "net" "net/http" @@ -17,6 +18,7 @@ import ( "github.com/containers/podman/v2/pkg/api/handlers" "github.com/containers/podman/v2/pkg/api/server/idletracker" "github.com/coreos/go-systemd/v22/activation" + "github.com/coreos/go-systemd/v22/daemon" "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" @@ -147,8 +149,31 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li return &server, nil } -// Serve starts responding to HTTP requests +// If the NOTIFY_SOCKET is set, communicate the PID and readiness, and +// further unset NOTIFY_SOCKET to prevent containers from sending +// messages and unset INVOCATION_ID so conmon and containers are in +// the correct cgroup. +func setupSystemd() { + if len(os.Getenv("NOTIFY_SOCKET")) == 0 { + return + } + payload := fmt.Sprintf("MAINPID=%d", os.Getpid()) + payload += "\n" + payload += daemon.SdNotifyReady + if sent, err := daemon.SdNotify(true, payload); err != nil { + logrus.Errorf("Error notifying systemd of Conmon PID: %s", err.Error()) + } else if sent { + logrus.Debugf("Notify sent successfully") + } + + if err := os.Unsetenv("INVOCATION_ID"); err != nil { + logrus.Errorf("Error unsetting INVOCATION_ID: %s", err.Error()) + } +} + +// Serve starts responding to HTTP requests. func (s *APIServer) Serve() error { + setupSystemd() sigChan := make(chan os.Signal, 1) signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM) errChan := make(chan error, 1) diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index c3f1fc7fa..ecd309d36 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -389,14 +389,12 @@ func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []st lastErr = nil break } else { - fds, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_DGRAM, 0) + r, w, err := os.Pipe() if err != nil { lastErr = err continue } - r, w := os.NewFile(uintptr(fds[0]), "read file"), os.NewFile(uintptr(fds[1]), "write file") - defer errorhandling.CloseQuiet(r) if _, _, err := becomeRootInUserNS("", path, w); err != nil { diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index 40f9bc029..c49d51fc5 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -125,6 +125,7 @@ type SecurityConfig struct { ReadOnlyRootfs bool //read-only ReadOnlyTmpfs bool //read-only-tmpfs Sysctl map[string]string //sysctl + ProcOpts []string } // CreateConfig is a pre OCI spec structure. It represents user input from varlink or the CLI diff --git a/pkg/spec/security.go b/pkg/spec/security.go index fc908b49d..e152e3495 100644 --- a/pkg/spec/security.go +++ b/pkg/spec/security.go @@ -76,6 +76,8 @@ func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts [ } switch con[0] { + case "proc-opts": + c.ProcOpts = strings.Split(con[1], ",") case "label": c.LabelOpts = append(c.LabelOpts, con[1]) case "apparmor": diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index ee9f63680..fd324c6e1 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -18,6 +18,18 @@ import ( "golang.org/x/sys/unix" ) +func setProcOpts(s *specgen.SpecGenerator, g *generate.Generator) { + if s.ProcOpts == nil { + return + } + for i := range g.Config.Mounts { + if g.Config.Mounts[i].Destination == "/proc" { + g.Config.Mounts[i].Options = s.ProcOpts + return + } + } +} + func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { var ( isRootless = rootless.IsRootless() @@ -341,6 +353,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt configSpec.Annotations[define.InspectAnnotationInit] = define.InspectResponseFalse } + setProcOpts(s, &g) + return configSpec, nil } diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 84a6c36a0..a9161071b 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -289,6 +289,8 @@ type ContainerSecurityConfig struct { ReadOnlyFilesystem bool `json:"read_only_filesystem,omittempty"` // Umask is the umask the init process of the container will be run with. Umask string `json:"umask,omitempty"` + // ProcOpts are the options used for the proc mount. + ProcOpts []string `json:"procfs_opts,omitempty"` } // ContainerCgroupConfig contains configuration information about a container's |