summaryrefslogtreecommitdiff
path: root/pkg/rootless
Commit message (Collapse)AuthorAge
* podman: ignore ESRCH from killGiuseppe Scrivano2021-07-01
| | | | | | | | Closes: https://github.com/containers/podman/issues/10826 [NO TESTS NEEDED] Fixes a race condition Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix fast join userns pathGiuseppe Scrivano2021-06-09
| | | | | | | | | | | | | | commit ab886328357184cd0a8375a5dedf816ba91789f9 changed the path for the pause.pid file but didn't update the same path in the C code. This prevented Podman to take the fast path when the userns is already created and to join it without re-execing itself. Fix the path in the C code as well so we can join the rootless user+mount namespace without having to re-exec Podman. [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix SIGSEGV ,make LISTEN_FDNAMES optional [Closes #10435].flouthoc2021-05-29
| | | | | | [NO TESTS NEEDED] Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* rootless: improve automatic range splitGiuseppe Scrivano2021-05-05
| | | | | | | | | | sort.Search returns the smallest index, so provide the available IDs in decreasing order. It fixes an issue when splitting the current mappings over multiple available IDs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: Tell the user what was led to the error, not just what it isAndrej Shadura2021-04-27
| | | | | | | | | | | | | | | | | | Users coming e.g. from Docker do not always read the manual and expect podman to not require sudo or uidmap, for them the default message is not very helpful: Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH Adding a bit more context to this would help to nudge them into the right direction and tell them what to look for in the documentation: command required for rootless mode with multiple IDs: exec: "newuidmap": executable file not found in $PATH Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> [NO TESTS NEEDED]
* rootless: attempt to copy current mappings firstGiuseppe Scrivano2021-04-26
| | | | | | | | | | when creating a user namespace, attempt to create it first by copying the current mappings and then fallback to the other methods: 1) use newidmap tools and ... 2) create a user namespace with a single user mapped. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: if root is not sub?id raise a debug messageGiuseppe Scrivano2021-04-22
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move socket activation check into init() and set global condition.pendulm2021-04-05
| | | | | | | | | So rootless setup could use this condition in parent and child, child podman should adjust LISTEN_PID to its self PID. Add system test for systemd socket activation Signed-off-by: pendulm <lonependulm@gmail.com>
* Merge pull request #9855 from giuseppe/fix-service-race-conditionOpenShift Merge Robot2021-03-29
|\ | | | | service: use LISTEN_FDS
| * rootless: use is_fd_inheritedGiuseppe Scrivano2021-03-29
| | | | | | | | | | | | | | since we already have an exported function that does the check, refactor the code to use it instead of duplicating the logic. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | [NO TESTS NEEDED] Shrink the size of podman-remoteDaniel J Walsh2021-03-29
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Log working dir when chdir failsJonas Schievink2021-02-19
| | | | Signed-off-by: Jonas Schievink <jonasschievink@gmail.com>
* leak fix in rootless_linux.c fcn can_use_shortcutJakub Guzik2021-02-19
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Enable stylecheck linterPaul Holzinger2021-02-11
| | | | | | | | Use the stylecheck linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* rootless: automatically split userns rangesGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace: $ cat /proc/self/uid_map 0 1000 1 1 100000 65536 $ unshare -U sleep 100 & [1] 1029703 $ printf "0 0 100\n" | tee /proc/$!/uid_map 0 0 100 tee: /proc/1029703/uid_map: Operation not permitted This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like: $ podman run --uidmap 0:0:2 --rm fedora echo hi Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available. Detect such cases and automatically split the specified mapping with the equivalent of: $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi hi A fix has already been proposed for the kernel[1], but even if it accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless. [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: add function to retrieve uid mappingsGiuseppe Scrivano2021-01-07
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: add function to retrieve gid mappingsGiuseppe Scrivano2021-01-07
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* rootless: use sync.Once for GetAvailableGids()Giuseppe Scrivano2020-10-02
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: move GetAvailableGids to the rootless pkgGiuseppe Scrivano2020-10-02
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix hang when newidmap is not installedGiuseppe Scrivano2020-09-25
| | | | | | | | | | | | when newidmap is not installed the code would hit the reexec_in_user_namespace_wait code and wait for the child process to be terminated. The child process is blocked waiting on the w pipe. So make sure to unblock the child process first and then clean it up. Closes: https://github.com/containers/podman/issues/7776 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* Wait for reexec to finish when fileOutput is nilJonathan Dieter2020-08-15
| | | | | | | Currently, we're not cleanup up after ourselves when fileOutput is nil. This patch fixes that. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* Fix hang when `path` doesn't existJonathan Dieter2020-08-11
| | | | | | | | | | I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path` doesn't exist, this hangs while waiting to read from this socket, even though the socket is closed by the `reexec_in_user_namespace`. Switching to a pipe fixes the problem, and pipes shouldn't be an issue since this is Linux-specific code. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* validate fds --preserve-fdsQi Wang2020-08-04
| | | | | | validate file descriptors passed from podman run and podman exec --preserve-fds. Signed-off-by: Qi Wang <qiwan@redhat.com>
* rootless: system service joins immediately the namespacesGiuseppe Scrivano2020-08-03
| | | | | | | | | | when there is a pause process running, let the "system service" podman instance join immediately the existing namespaces. Closes: https://github.com/containers/podman/issues/7180 Closes: https://github.com/containers/podman/issues/6660 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: add a check for the host id included in the rangeGiuseppe Scrivano2020-07-30
| | | | | | | add a check to verify whether the additional IDs also contain the host ID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: child exits immediately on userns errorsGiuseppe Scrivano2020-07-30
| | | | | | | if the parent process failed to create the user namespace, let the child exit immediately. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not ignore errors if mappings are specifiedGiuseppe Scrivano2020-07-30
| | | | | | | | | | when setting up the user namespace do not ignore errors from newuidmap/newgidmap if there are mappings configured. The single user mapping is a fallback only when there are not mappings specified for the user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add podman image mountDaniel J Walsh2020-07-28
| | | | | | | | | | | | | There are many use cases where you want to just mount an image without creating a container on it. For example you might want to just examine the content in an image after you pull it for security analysys. Or you might want to just use the executables on the image without running it in a container. The image is mounted readonly since we do not want people changing images. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Cleanup handling of podman mount/unmountDaniel J Walsh2020-07-27
| | | | | | | | | | | We should default to the user name unmount rather then the internal name of umount. Also User namespace was not being handled correctly. We want to inform the user that if they do a mount when in rootless mode that they have to be first in the podman unshare state. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless_linux: improve error messageDouglas Schilling Landgraf2020-06-21
| | | | | | | Improve the error message for rootless mode. Git-Url: https://github.com/containers/libpod/issues/6572 Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
* rootless: move ns open before forkGiuseppe Scrivano2020-04-29
| | | | | | | | | | commit 788fdc685b00dee5ccb594bef845204250c4c123 introduced a race where the target process dies before the child process opens the namespace files. Move the open before the fork so if it fails the parent process can attempt to join a different container instead of failing. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: move join namespace inside child processGiuseppe Scrivano2020-04-20
| | | | | | | | open the namespace file descriptors inside of the child process. Closes: https://github.com/containers/libpod/issues/5873 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: skip looking up parent user nsGiuseppe Scrivano2020-04-20
| | | | | | | | since we join directly the conmon user namespace, there is no need to look up its parent user namespace, as we can safely assume it is the init namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use snprintfGiuseppe Scrivano2020-04-13
| | | | | | use directly snprintf instead of strlen+strcpy. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix usage with hidepid=1Giuseppe Scrivano2020-03-19
| | | | | | | | | | | when /proc is mounted with hidepid=1 a process doesn't see processes from the outer user namespace. This causes an issue reading the cmdline from the parent process. To address it, always read the command line from /proc/self instead of using /proc/PARENT_PID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #5324 from giuseppe/fix-running-no-pauseOpenShift Merge Robot2020-02-25
|\ | | | | rootless: raise error if the process is not found
| * rootless: become root only if the pause file is specifiedGiuseppe Scrivano2020-02-25
| | | | | | | | | | | | | | | | | | | | | | | | we need to store the pause process PID file so that it can be re-used later. commit e9dc2120925d9bc32b87ed3c4122aa40f7413db5 introduced this regression. Closes: https://github.com/containers/libpod/issues/5246 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: fix segfault when open fd >= FD_SETSIZEGiuseppe Scrivano2020-02-25
|/ | | | | | | | | if there are more than FD_SETSIZE open fds passed down to the Podman process, the initialization code could crash as it attempts to store them into a fd_set. Use an array of fd_set structs, each of them holding only FD_SETSIZE file descriptors. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: check if the conmon process is validGiuseppe Scrivano2020-02-17
| | | | | | | | if the pause process doesn't exist and we try to join a conmon namespace, make sure the process still exists. Otherwise re-create the user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: enable shortcut only for podmanGiuseppe Scrivano2020-01-29
| | | | | | | disable joining automatically the user namespace if the process is not podman. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: set C variables also on shortcutGiuseppe Scrivano2020-01-20
| | | | | | | | | make sure the rootless env variables are set also when we are joining directly the user+mount namespace without creating a new process. It is required by pkg/unshare in containers/common. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix lint in pkg/rootlessValentin Rothberg2020-01-08
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless: add fallback for renameat2 at runtimeGiuseppe Scrivano2019-12-04
| | | | | | | | | | | | the renameat2 syscall might be defined in the C library but lacking support in the kernel. In such case, let it fallback to open(O_CREAT)+rename as it does on systems lacking the definition for renameat2. Closes: https://github.com/containers/libpod/issues/4570 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: provide workaround for missing renameat2Giuseppe Scrivano2019-11-06
| | | | | | | | | on RHEL 7.7 renameat2 is not implemented for s390x, provide a workaround. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1768519 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use SYS_renameat2 instead of __NR_renameat2Giuseppe Scrivano2019-11-06
| | | | | | use the correct definition for the syscall number. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>