summaryrefslogtreecommitdiff
path: root/pkg/rootless/rootless_linux.go
Commit message (Collapse)AuthorAge
* make sure that signal buffers are sufficiently bigValentin Rothberg2021-08-17
| | | | | | | | | | | | | | | Dealing with os.Signal channels seems more like an art than science since signals may get lost. os.Notify doesn't block on an unbuffered channel, so users are expected to know what they're doing or hope for the best. In the recent past, I've seen a number of flakes and BZs on non-amd64 architectures where I was under the impression that signals may got lost, for instance, during stop and exec. [NO TESTS NEEDED] since this is art. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless: check that / is mounted as sharedGiuseppe Scrivano2021-07-28
| | | | | | | | | | | | if the root mount '/' is not mounted as MS_SHARED, print a warning, otherwise new mounts that are created in the host won't be propagated to the rootless mount namespace. Closes: https://github.com/containers/podman/issues/10946 [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman: ignore ESRCH from killGiuseppe Scrivano2021-07-01
| | | | | | | | Closes: https://github.com/containers/podman/issues/10826 [NO TESTS NEEDED] Fixes a race condition Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: Tell the user what was led to the error, not just what it isAndrej Shadura2021-04-27
| | | | | | | | | | | | | | | | | | Users coming e.g. from Docker do not always read the manual and expect podman to not require sudo or uidmap, for them the default message is not very helpful: Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH Adding a bit more context to this would help to nudge them into the right direction and tell them what to look for in the documentation: command required for rootless mode with multiple IDs: exec: "newuidmap": executable file not found in $PATH Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> [NO TESTS NEEDED]
* rootless: attempt to copy current mappings firstGiuseppe Scrivano2021-04-26
| | | | | | | | | | when creating a user namespace, attempt to create it first by copying the current mappings and then fallback to the other methods: 1) use newidmap tools and ... 2) create a user namespace with a single user mapped. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: if root is not sub?id raise a debug messageGiuseppe Scrivano2021-04-22
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* rootless: fix hang when newidmap is not installedGiuseppe Scrivano2020-09-25
| | | | | | | | | | | | when newidmap is not installed the code would hit the reexec_in_user_namespace_wait code and wait for the child process to be terminated. The child process is blocked waiting on the w pipe. So make sure to unblock the child process first and then clean it up. Closes: https://github.com/containers/podman/issues/7776 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* Wait for reexec to finish when fileOutput is nilJonathan Dieter2020-08-15
| | | | | | | Currently, we're not cleanup up after ourselves when fileOutput is nil. This patch fixes that. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* Fix hang when `path` doesn't existJonathan Dieter2020-08-11
| | | | | | | | | | I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path` doesn't exist, this hangs while waiting to read from this socket, even though the socket is closed by the `reexec_in_user_namespace`. Switching to a pipe fixes the problem, and pipes shouldn't be an issue since this is Linux-specific code. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* validate fds --preserve-fdsQi Wang2020-08-04
| | | | | | validate file descriptors passed from podman run and podman exec --preserve-fds. Signed-off-by: Qi Wang <qiwan@redhat.com>
* rootless: add a check for the host id included in the rangeGiuseppe Scrivano2020-07-30
| | | | | | | add a check to verify whether the additional IDs also contain the host ID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: child exits immediately on userns errorsGiuseppe Scrivano2020-07-30
| | | | | | | if the parent process failed to create the user namespace, let the child exit immediately. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not ignore errors if mappings are specifiedGiuseppe Scrivano2020-07-30
| | | | | | | | | | when setting up the user namespace do not ignore errors from newuidmap/newgidmap if there are mappings configured. The single user mapping is a fallback only when there are not mappings specified for the user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless_linux: improve error messageDouglas Schilling Landgraf2020-06-21
| | | | | | | Improve the error message for rootless mode. Git-Url: https://github.com/containers/libpod/issues/6572 Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
* rootless: move join namespace inside child processGiuseppe Scrivano2020-04-20
| | | | | | | | open the namespace file descriptors inside of the child process. Closes: https://github.com/containers/libpod/issues/5873 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: skip looking up parent user nsGiuseppe Scrivano2020-04-20
| | | | | | | | since we join directly the conmon user namespace, there is no need to look up its parent user namespace, as we can safely assume it is the init namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: become root only if the pause file is specifiedGiuseppe Scrivano2020-02-25
| | | | | | | | | | | | we need to store the pause process PID file so that it can be re-used later. commit e9dc2120925d9bc32b87ed3c4122aa40f7413db5 introduced this regression. Closes: https://github.com/containers/libpod/issues/5246 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: check if the conmon process is validGiuseppe Scrivano2020-02-17
| | | | | | | | if the pause process doesn't exist and we try to join a conmon namespace, make sure the process still exists. Otherwise re-create the user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix lint in pkg/rootlessValentin Rothberg2020-01-08
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
| | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: drop dependency on dockerGiuseppe Scrivano2019-10-16
| | | | | | use the definition from "golang.org/x/sys/unix". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* show uid_map in podman infoQi Wang2019-10-09
| | | | | | show uid_map gid_map in podman info Signed-off-by: Qi Wang <qiwan@redhat.com>
* rootless: do not close files twiceGiuseppe Scrivano2019-10-09
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Set log-level immediately, before rootless setupMatthew Heon2019-09-26
| | | | | | | | | | | | If we don't do this, we print WARN level messages that we should not be printing by default. Up one WARN message to ERROR so it still shows up by default. Fixes: #4115 Fixes: #4012 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* pkg/util: use rootless function to read additional usersGiuseppe Scrivano2019-09-03
| | | | | | | make pkg/rootless.GetConfiguredMappings public so that it can be used from pkg/util. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: detect user namespace configuration changesGiuseppe Scrivano2019-09-03
| | | | | | | | | | | detect if the current user namespace doesn't match the configuration in the /etc/subuid and /etc/subgid files. If there is a mismatch, raise a warning and suggest the user to recreate the user namespace with "system migrate", that also restarts the containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* golangci-lint pass number 2baude2019-07-11
| | | | | | clean up and prepare to migrate to the golangci-linter Signed-off-by: baude <bbaude@redhat.com>
* first pass of corrections for golangci-lintbaude2019-07-10
| | | | Signed-off-by: baude <bbaude@redhat.com>
* trivial cleanups from golangbaude2019-07-03
| | | | | | the results of a code cleanup performed by the goland IDE. Signed-off-by: baude <bbaude@redhat.com>
* rootless: allow to build without cgoGiuseppe Scrivano2019-07-02
| | | | | | | unfortunately rootless won't work without cgo, as most of the implementation is in C, but at least allow to build libpod. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: enable linger if /run/user/UID not existsGiuseppe Scrivano2019-06-27
| | | | | | | | | | | | | at least on Fedora 30 it creates the /run/user/UID directory for the user logged in via ssh. This needs to be done very early so that every other check when we create the default configuration file will point to the correct location. Closes: https://github.com/containers/libpod/issues/3410 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Build cgo files with -Wall -WerrorSascha Grunert2019-06-21
| | | | | | | | To avoid unnecessary warnings and errors in the future I'd like to propose building all cgo related sources with `-Wall -Werror`. This commit fixes some warnings which came up in `shm_lock.c`, too. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Fix cgo includes for muslCameron Nemo2019-06-08
| | | | | | closes #3284 Signed-off-by: Cameron Nemo <cnemo@tutanota.com>
* rootless: skip NS_GET_PARENT on old kernelsGiuseppe Scrivano2019-06-06
| | | | | | | | | | | | on old kernels the ioctl NS_GET_PARENT is not available. Handle the error code and immediately return the same fd. It should be fine now that we use the namespace resolution using the conmon pid, so the namespace parent resolution is just a safety measure. Closes: https://github.com/containers/libpod/issues/2968 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: make JoinUserAndMountNS privateGiuseppe Scrivano2019-05-25
| | | | | | as it is used only by the rootless package now. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: enable loginctl lingerGiuseppe Scrivano2019-05-25
| | | | | | | otherwise the processes we leave around will be killed once the session terminates. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: new function to join existing conmon processesGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | move the logic for joining existing namespaces down to the rootless package. In main_local we still retrieve the list of conmon pid files and use it from the rootless package. In addition, create a temporary user namespace for reading these files, as the unprivileged user might not have enough privileges for reading the conmon pid file, for example when running with a different uidmap and root in the container is different than the rootless user. Closes: https://github.com/containers/libpod/issues/3187 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: store also the original GID in the hostGiuseppe Scrivano2019-05-23
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: join namespace immediately when possibleGiuseppe Scrivano2019-05-17
| | | | | | | | | | | add a shortcut for joining immediately the namespace so we don't need to re-exec Podman. With the pause process simplificaton, we can now attempt to join the namespaces as soon as Podman starts (and before the Go runtime kicks in), so that we don't need to re-exec and use just one process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use a pause processGiuseppe Scrivano2019-05-17
| | | | | | | | | | | | | | | | | use a pause process to keep the user and mount namespace alive. The pause process is created immediately on reload, and all successive Podman processes will refer to it for joining the user&mount namespace. This solves all the race conditions we had on joining the correct namespaces using the conmon processes. As a fallback if the join fails for any reason (e.g. the pause process was killed), then we try to join the running containers as we were doing before. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not block SIGTSTPGiuseppe Scrivano2019-04-12
| | | | | | | | | we were previously proxying all the signals, but doing that for SIGTSTP prevented the main process to be stopped by the tty. Closes: https://github.com/containers/libpod/issues/2775 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use a single user namespaceGiuseppe Scrivano2019-04-01
| | | | | | | | | | | | | | | | | | | | | simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment. There are multiple advantages to it: 1) much simpler implementation as there is only one namespace to join. 2) we can join namespaces owned by different containers. 3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host. 4) rootless varlink works. 5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container. Containers created by older Podman versions must be restarted. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: remove SkipStorageSetup()Giuseppe Scrivano2019-04-01
| | | | | | | | in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: change env prefixGiuseppe Scrivano2019-03-28
| | | | | | | | | | from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare. This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>