Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/api/handlers/compat/containers_create.go | 2 | ||||
-rw-r--r-- | pkg/bindings/images/build.go | 44 | ||||
-rw-r--r-- | pkg/bindings/images/build_unix.go | 16 | ||||
-rw-r--r-- | pkg/bindings/images/build_windows.go | 9 | ||||
-rw-r--r-- | pkg/cgroups/cgroups.go | 106 | ||||
-rw-r--r-- | pkg/machine/qemu/machine.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 2 | ||||
-rw-r--r-- | pkg/specgen/namespaces.go | 8 |
8 files changed, 164 insertions, 25 deletions
diff --git a/pkg/api/handlers/compat/containers_create.go b/pkg/api/handlers/compat/containers_create.go
index 162a98135..8e9e1fb39 100644
--- a/pkg/api/handlers/compat/containers_create.go
+++ b/pkg/api/handlers/compat/containers_create.go
@@ -62,7 +62,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 }
 // Take body structure and convert to cliopts
- cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(body, rtc.Engine.CgroupManager)
+ cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(body, rtc)
 if err != nil {
 utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "make cli opts()"))
 return
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index f5e7c0c98..346d55c47 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -28,6 +28,11 @@ import (
 "github.com/sirupsen/logrus"
 )
+type devino struct {
+ Dev uint64
+ Ino uint64
+}
+
 var (
 iidRegex = regexp.MustCompile(`^[0-9a-f]{12}`)
 )
@@ -402,7 +407,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 defer pw.Close()
 defer gw.Close()
 defer tw.Close()
-
+ seen := make(map[devino]string)
 for _, src := range sources {
 s, err := filepath.Abs(src)
 if err != nil {
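Review bot: `devino` is introduced without a doc comment, and at this point in the file nothing explains why nTar now keeps a `map[devino]string`. I'd add above the type: `// devino identifies a file by (device, inode) so nTar can detect hard links and emit them as tar link entries instead of duplicate copies.` and above the map `// archive name of the first copy of each multiply-linked file, keyed by dev/inode`. nTar's body continues past this hunk on both sides.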
@@ -431,25 +436,40 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 }
 if info.Mode().IsRegular() {
 // add file item
- f, lerr := os.Open(path)
- if lerr != nil {
- return lerr
+ di, isHardLink := checkHardLink(info)
+ if err != nil {
+ return err
 }
- hdr, lerr := tar.FileInfoHeader(info, name)
- if lerr != nil {
- f.Close()
- return lerr
+ hdr, err := tar.FileInfoHeader(info, "")
+ if err != nil {
+ return err
+ }
+ orig, ok := seen[di]
+ if ok {
+ hdr.Typeflag = tar.TypeLink
+ hdr.Linkname = orig
+ hdr.Size = 0
+ hdr.Name = name
+ return tw.WriteHeader(hdr)
+ }
+ f, err := os.Open(path)
+ if err != nil {
+ return err
 }
+ hdr.Name = name
- if lerr := tw.WriteHeader(hdr); lerr != nil {
+ if err := tw.WriteHeader(hdr); err != nil {
 f.Close()
- return lerr
+ return err
 }
- _, cerr := io.Copy(tw, f)
+ _, err = io.Copy(tw, f)
 f.Close()
- return cerr
+ if err == nil && isHardLink {
+ seen[di] = name
+ }
+ return err
 } else if info.Mode().IsDir() {
 // add folders
 hdr, lerr := tar.FileInfoHeader(info, name)
 if lerr != nil {
diff --git a/pkg/bindings/images/build_unix.go b/pkg/bindings/images/build_unix.go
new file mode 100644
index 000000000..0afb1deb6
--- /dev/null
+++ b/pkg/bindings/images/build_unix.go
@@ -0,0 +1,16 @@
+// +build !windows
+
+package images
+
+import (
+ "os"
+ "syscall"
+)
+
+func checkHardLink(fi os.FileInfo) (devino, bool) {
+ st := fi.Sys().(*syscall.Stat_t)
+ return devino{
+ Dev: uint64(st.Dev),
+ Ino: uint64(st.Ino),
+ }, st.Nlink > 1
+}
diff --git a/pkg/bindings/images/build_windows.go b/pkg/bindings/images/build_windows.go
new file mode 100644
index 000000000..bd71d1bf0
--- /dev/null
+++ b/pkg/bindings/images/build_windows.go
@@ -0,0 +1,9 @@
+package images
+
+import (
+ "os"
+)
+
+func checkHardLink(fi os.FileInfo) (devino, bool) {
+ return devino{}, false
+}
diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
index aefb5183b..911edeb5b 100644
--- a/pkg/cgroups/cgroups.go
+++ b/pkg/cgroups/cgroups.go
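Review bot: The `if err != nil { return err }` placed right after `di, isHardLink := checkHardLink(info)` cannot be reacting to that call — checkHardLink returns `(devino, bool)` with no error (see build_unix.go in this commit) — so it re-tests whatever `err` is already in scope, presumably the walk callback's parameter, and reads as if the hard-link probe could fail. Either drop those three lines or, if a walk error is meant to be caught here, move that check ahead of the `IsRegular` branch where it applies to every entry. The hard-link bookkeeping itself looks right: a path is recorded in `seen` only after its data was written and only when `isHardLink` is set, so a later path with the same dev/inode becomes a `TypeLink` entry with `Size = 0`. nTar starts and ends outside this hunk.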
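Review bot: `st := fi.Sys().(*syscall.Stat_t)` is an unchecked type assertion and will panic if `Sys()` ever returns something else or nil, which is an avoidable crash for a helper whose only purpose is to shortcut duplicate copies. Use the comma-ok form and treat a miss as "not a hard link": `st, ok := fi.Sys().(*syscall.Stat_t)` followed by `if !ok { return devino{}, false }`. A one-line doc comment on both platform variants would also help, e.g. `// checkHardLink returns the file's device/inode pair and whether it has more than one link (always false where the OS does not expose it).`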
@@ -128,28 +128,118 @@ func init() {
 // getAvailableControllers get the available controllers
 func getAvailableControllers(exclude map[string]controllerHandler, cgroup2 bool) ([]controller, error) {
 if cgroup2 {
- return nil, fmt.Errorf("getAvailableControllers not implemented yet for cgroup v2")
+ controllers := []controller{}
+ subtreeControl := cgroupRoot + "/cgroup.subtree_control"
+ // rootless cgroupv2: check available controllers for current user ,systemd or servicescope will inherit
+ if rootless.IsRootless() {
+ userSlice, err := getCgroupPathForCurrentProcess()
+ if err != nil {
+ return controllers, err
+ }
+ //userSlice already contains '/' so not adding here
+ basePath := cgroupRoot + userSlice
+ subtreeControl = fmt.Sprintf("%s/cgroup.subtree_control", basePath)
+ }
+ subtreeControlBytes, err := ioutil.ReadFile(subtreeControl)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed while reading controllers for cgroup v2 from %q", subtreeControl)
+ }
+ for _, controllerName := range strings.Fields(string(subtreeControlBytes)) {
+ c := controller{
+ name: controllerName,
+ symlink: false,
+ }
+ controllers = append(controllers, c)
+ }
+ return controllers, nil
 }
- infos, err := ioutil.ReadDir(cgroupRoot)
- if err != nil {
- return nil, err
- }
+ subsystems, _ := cgroupV1GetAllSubsystems()
 controllers := []controller{}
- for _, i := range infos {
- name := i.Name()
+ // cgroupv1 and rootless: No subsystem is available: delegation is unsafe.
+ if rootless.IsRootless() {
+ return controllers, nil
+ }
+
+ for _, name := range subsystems {
 if _, found := exclude[name]; found {
 continue
 }
+ isSymLink := false
+ fileInfo, err := os.Stat(cgroupRoot + "/" + name)
+ if err != nil {
+ isSymLink = !fileInfo.IsDir()
+ }
 c := controller{
 name: name,
- symlink: !i.IsDir(),
+ symlink: isSymLink,
 }
 controllers = append(controllers, c)
 }
+ return controllers, nil
 }
+// GetAvailableControllers get string:bool map of all the available controllers
+func GetAvailableControllers(exclude map[string]controllerHandler, cgroup2 bool) ([]string, error) {
+ availableControllers, err := getAvailableControllers(exclude, cgroup2)
+ if err != nil {
+ return nil, err
+ }
+ controllerList := []string{}
+ for _, controller := range availableControllers {
+ controllerList = append(controllerList, controller.name)
+ }
+
+ return controllerList, nil
+}
+
+func cgroupV1GetAllSubsystems() ([]string, error) {
+ f, err := os.Open("/proc/cgroups")
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+
+ subsystems := []string{}
+
+ s := bufio.NewScanner(f)
+ for s.Scan() {
+ text := s.Text()
+ if text[0] != '#' {
+ parts := strings.Fields(text)
+ if len(parts) >= 4 && parts[3] != "0" {
+ subsystems = append(subsystems, parts[0])
+ }
+ }
+ }
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
+ return subsystems, nil
+}
+
+func getCgroupPathForCurrentProcess() (string, error) {
+ path := fmt.Sprintf("/proc/%d/cgroup", os.Getpid())
+ f, err := os.Open(path)
+ if err != nil {
+ return "", err
+ }
+ defer f.Close()
+
+ cgroupPath := ""
+ s := bufio.NewScanner(f)
+ for s.Scan() {
+ text := s.Text()
+ procEntries := strings.SplitN(text, "::", 2)
+ cgroupPath = procEntries[1]
+ }
+ if err := s.Err(); err != nil {
+ return cgroupPath, err
+ }
+ return cgroupPath, nil
+}
+
 // getCgroupv1Path is a helper function to get the cgroup v1 path
 func (c *CgroupControl) getCgroupv1Path(name string) string {
 return filepath.Join(cgroupRoot, name,
c.path)
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 269a2a2da..0bd711c90 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -408,7 +408,7 @@ func (v *MachineVM) SSH(name string, opts machine.SSHOptions) error {
 sshDestination := v.RemoteUsername + "@localhost"
 port := strconv.Itoa(v.Port)
- args := []string{"-i", v.IdentityPath, "-p", port, sshDestination}
+ args := []string{"-i", v.IdentityPath, "-p", port, sshDestination, "-o", "UserKnownHostsFile /dev/null", "-o", "StrictHostKeyChecking no"}
 if len(opts.Args) > 0 {
 args = append(args, opts.Args...)
 } else {
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 278f35c22..f41186ae4 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -66,7 +66,7 @@ func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod)
 case "cgroup":
 return specgen.ParseCgroupNamespace(cfg.Containers.CgroupNS)
 case "net":
- ns, _, err := specgen.ParseNetworkNamespace(cfg.Containers.NetNS)
+ ns, _, err := specgen.ParseNetworkNamespace(cfg.Containers.NetNS, cfg.Containers.RootlessNetworking == "cni")
 return ns, err
 }
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index f665fc0be..80852930a 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -253,7 +253,7 @@ func ParseUserNamespace(ns string) (Namespace, error) {
 // ParseNetworkNamespace parses a network namespace specification in string
 // form.
 // Returns a namespace and (optionally) a list of CNI networks to join.
-func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
+func ParseNetworkNamespace(ns string, rootlessDefaultCNI bool) (Namespace, []string, error) {
 toReturn := Namespace{}
 var cniNetworks []string
 // Net defaults to Slirp on rootless
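Review bot: In the cgroup v1 branch, `if err != nil { isSymLink = !fileInfo.IsDir() }` has its condition inverted: when `os.Stat` fails `fileInfo` is nil and `IsDir()` panics, and when it succeeds `isSymLink` is never assigned, so the `symlink` field is now always false. `os.Stat` also follows symlinks, so even with `err == nil` a symlinked controller directory reports `IsDir() == true`; `os.Lstat` is what reproduces the old ReadDir-based `!i.IsDir()` behaviour. Separately, `getCgroupPathForCurrentProcess` indexes `procEntries[1]` unconditionally, which panics on any `/proc/<pid>/cgroup` line lacking `::` (v1 hierarchy lines in hybrid mode look like `N:controllers:/path`), `cgroupV1GetAllSubsystems` reads `text[0]` on a possibly empty line, and its error is discarded at `subsystems, _ := cgroupV1GetAllSubsystems()`. getAvailableControllers starts inside this hunk; the trailing context belongs to getCgroupv1Path, which ends outside it.
```go
	// … unchanged: cgroup v2 branch and rootless v1 early return …
	for _, name := range subsystems {
		if _, found := exclude[name]; found {
			continue
		}
		isSymLink := false
		// Lstat so a symlinked controller directory is reported as a symlink,
		// matching the ReadDir-based check this replaces; a stat failure just
		// leaves the flag false instead of dereferencing a nil FileInfo.
		if fileInfo, err := os.Lstat(filepath.Join(cgroupRoot, name)); err == nil {
			isSymLink = !fileInfo.IsDir()
		}
		// … unchanged: controller construction and append …

// … unchanged: GetAvailableControllers, cgroupV1GetAllSubsystems …

func getCgroupPathForCurrentProcess() (string, error) {
	// … unchanged: open /proc/<pid>/cgroup …
	for s.Scan() {
		// Only the unified entry ("0::<path>") has an empty controller list
		// and therefore contains "::"; v1 lines would make [1] panic.
		if parts := strings.SplitN(s.Text(), "::", 2); len(parts) == 2 {
			cgroupPath = parts[1]
		}
	}
	// … unchanged: scanner error handling and return …
```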
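Review bot: `StrictHostKeyChecking no` combined with `UserKnownHostsFile /dev/null` turns host-key verification off for every `podman machine ssh` session, so the client silently accepts whatever key is presented on that port — including one from a local process that managed to bind `v.Port` before the VM did, since the destination is `localhost`. If the intent is only to avoid the first-connection prompt and the stale-key error after a machine is re-created, `StrictHostKeyChecking accept-new` together with a per-machine known_hosts file keeps that convenience while still pinning the key after first contact (it needs an OpenSSH recent enough to know `accept-new`, which I believe is 7.6+). At minimum a comment should record the trade-off next to the `args` line: `// TODO(security): host-key checking disabled, presumably because a re-created VM presents a new key; prefer accept-new with a per-machine known_hosts file.` The SSH method continues outside this hunk.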
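Review bot: The doc comment above `ParseNetworkNamespace` still describes only the original behaviour and says nothing about the new `rootlessDefaultCNI` parameter, so a caller has to read the body to learn what passing `true` changes. I'd extend the comment with `// rootlessDefaultCNI makes "", "default" and "private" resolve to Bridge instead of Slirp when running rootless.` (the behaviour is in the next hunk of this file). The function's body continues past this hunk.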
@@ -264,7 +264,11 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 toReturn.NSMode = FromPod
 case ns == "" || ns == string(Default) || ns == string(Private):
 if rootless.IsRootless() {
- toReturn.NSMode = Slirp
+ if rootlessDefaultCNI {
+ toReturn.NSMode = Bridge
+ } else {
+ toReturn.NSMode = Slirp
+ }
 } else {
 toReturn.NSMode = Bridge
 } |
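Review bot: The comment `// Net defaults to Slirp on rootless` that introduces this switch (it is the last context line of the preceding hunk) is no longer accurate once the new `if rootlessDefaultCNI` branch can pick `Bridge`, and stale defaults comments are exactly what people trust when reasoning about rootless network exposure. I'd change it to `// Net defaults to Slirp on rootless, or to Bridge when rootlessDefaultCNI is set.` The new branch itself reads correctly; the enclosing switch and ParseNetworkNamespace continue outside this hunk.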