From 55cc80d3c9bfd96225db179b96427aa377ecb9dc Mon Sep 17 00:00:00 2001
From: baude <bbaude@redhat.com>
Date: Wed, 7 Aug 2019 09:53:59 -0500
Subject: varlink endpoint for containerstats requires root

obtaining containerstats requires the use of cgroups. at present,
rootless users do not have privileges to create cgroups.  add an error
message that catches this for the varlink endpoint and return a proper
error.

Fixes: #3749

Signed-off-by: baude <bbaude@redhat.com>
---
 API.md                               | 5 +++++
 cmd/podman/varlink/io.podman.varlink | 3 +++
 pkg/varlinkapi/containers.go         | 9 +++++++++
 3 files changed, 17 insertions(+)

diff --git a/API.md b/API.md
index d468ba53d..336902616 100755
--- a/API.md
+++ b/API.md
@@ -265,6 +265,8 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
 
 [error ErrCtrStopped](#ErrCtrStopped)
 
+[error ErrRequiresCgroupsV2ForRootless](#ErrRequiresCgroupsV2ForRootless)
+
 [error ErrorOccurred](#ErrorOccurred)
 
 [error ImageNotFound](#ImageNotFound)
@@ -2006,6 +2008,9 @@ ContainerNotFound means the container could not be found by the provided name or
 ### <a name="ErrCtrStopped"></a>type ErrCtrStopped
 
 Container is already stopped
+### <a name="ErrRequiresCgroupsV2ForRootless"></a>type ErrRequiresCgroupsV2ForRootless
+
+This function requires CGroupsV2 to run in rootless mode.
 ### <a name="ErrorOccurred"></a>type ErrorOccurred
 
 ErrorOccurred is a generic error for an error that occurs during the execution.  The actual error message
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index b867dccc1..4a4c97e99 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -1277,3 +1277,6 @@ error WantsMoreRequired (reason: string)
 
 # Container is already stopped
 error ErrCtrStopped (id: string)
+
+# This function requires CGroupsV2 to run in rootless mode.
+error ErrRequiresCgroupsV2ForRootless(reason: string)
\ No newline at end of file
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index bb66ff962..c7aa5233f 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -19,6 +19,8 @@ import (
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/logs"
 	"github.com/containers/libpod/pkg/adapter/shortcuts"
+	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/varlinkapi/virtwriter"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
@@ -317,6 +319,13 @@ func (i *LibpodAPI) ExportContainer(call iopodman.VarlinkCall, name, outPath str
 
 // GetContainerStats ...
 func (i *LibpodAPI) GetContainerStats(call iopodman.VarlinkCall, name string) error {
+	cgroupv2, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return call.ReplyErrorOccurred(err.Error())
+	}
+	if rootless.IsRootless() && !cgroupv2 {
+		return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats")
+	}
 	ctr, err := i.Runtime.LookupContainer(name)
 	if err != nil {
 		return call.ReplyContainerNotFound(name, err.Error())
-- 
cgit v1.2.3-54-g00ecf