From 9faa6456da8f1a0bb647148802f89d498348a570 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 30 Sep 2019 09:32:03 +0200
Subject: networking: fix segfault when slirp4netns is missing fixes a segfault when slirp4netns is not installed and the slirp sync pipe is not created.
Closes: https://github.com/containers/libpod/issues/4113
Signed-off-by: Giuseppe Scrivano
---
 libpod/oci_internal_linux.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libpod/oci_internal_linux.go b/libpod/oci_internal_linux.go
index a5cce795b..437b7cf4d 100644
--- a/libpod/oci_internal_linux.go
+++ b/libpod/oci_internal_linux.go
@@ -137,8 +137,12 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Containe
 return errors.Wrapf(err, "failed to create rootless network sync pipe")
 }
 } else {
- defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncR)
- defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncW)
+ if ctr.rootlessSlirpSyncR != nil {
+ defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncR)
+ }
+ if ctr.rootlessSlirpSyncW != nil {
+ defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncW)
+ }
 }
 // Leak one end in conmon, the other one will be leaked into slirp4netns
 cmd.ExtraFiles = append(cmd.ExtraFiles, ctr.rootlessSlirpSyncW)
-- cgit v1.2.3-54-g00ecf
From fc13aa1f6aa514eb02f99ec092e0f479b487b001 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 30 Sep 2019 10:01:52 +0200
Subject: network: hide EPERM warning when rootless if running rootless do not print a warning message when podman cannot rejoin the initial network namespace. The first network namespace is owned by root on the host, a rootless user cannot re-join it once it moves to a new network namespace.
Signed-off-by: Giuseppe Scrivano
---
 pkg/netns/netns_linux.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/netns/netns_linux.go b/pkg/netns/netns_linux.go
index a62296549..e765bd46f 100644
--- a/pkg/netns/netns_linux.go
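Review bot: The append of `ctr.rootlessSlirpSyncW` to `cmd.ExtraFiles` on the last context line is still unconditional, so in the very case this hunk now guards against (the sync pipe was never created) a nil *os.File is still placed in conmon's inherited file list, and presumably the child receives an invalid descriptor at that slot instead of a pipe end. Guarding it the same way keeps the fix consistent: `if ctr.rootlessSlirpSyncW != nil { cmd.ExtraFiles = append(cmd.ExtraFiles, ctr.rootlessSlirpSyncW) }`. A short comment above the guarded defers would also tell the next reader why the fields can be nil here, e.g. `// Both pipe ends are nil when the sync pipe was not created (slirp4netns unavailable).`, if that is indeed the only case. createOCIContainer begins before the hunk, and the branch that creates the pipe is not visible here.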
+++ b/pkg/netns/netns_linux.go
@@ -126,9 +126,12 @@ func NewNS() (ns.NetNS, error) {
 // Don't unlock. By not unlocking, golang will kill the OS thread when the
 // goroutine is done (for go1.10+)
+ threadNsPath := getCurrentThreadNetNSPath()
+ var origNS ns.NetNS
- origNS, err = ns.GetNS(getCurrentThreadNetNSPath())
+ origNS, err = ns.GetNS(threadNsPath)
 if err != nil {
+ logrus.Warnf("cannot open current network namespace %s: %q", threadNsPath, err)
 return
 }
 defer func() {
@@ -140,13 +143,19 @@ func NewNS() (ns.NetNS, error) {
 // create a new netns on the current thread
 err = unix.Unshare(unix.CLONE_NEWNET)
 if err != nil {
+ logrus.Warnf("cannot create a new network namespace: %q", err)
 return
 }
 // Put this thread back to the orig ns, since it might get reused (pre go1.10)
 defer func() {
 if err := origNS.Set(); err != nil {
- logrus.Warnf("unable to set namespace: %q", err)
+ if rootless.IsRootless() && strings.Contains(err.Error(), "operation not permitted") {
+ // When running in rootless mode it will fail to re-join
+ // the network namespace owned by root on the host.
+ return
+ }
+ logrus.Warnf("unable to reset namespace: %q", err)
 }
 }()
@@ -154,7 +163,7 @@ func NewNS() (ns.NetNS, error) {
 // mount point. This causes the namespace to persist, even when there
 // are no threads in the ns. Make this a shared mount; it needs to be
 // back-propogated to the host
- err = unix.Mount(getCurrentThreadNetNSPath(), nsPath, "none", unix.MS_BIND|unix.MS_SHARED|unix.MS_REC, "")
+ err = unix.Mount(threadNsPath, nsPath, "none", unix.MS_BIND|unix.MS_SHARED|unix.MS_REC, "")
 if err != nil {
 err = fmt.Errorf("failed to bind mount ns at %s: %v", nsPath, err)
 }
-- cgit v1.2.3-54-g00ecf
From ec940b08c6149d91cf969cb9b56299058c739735 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 1 Oct 2019 14:10:04 +0200
Subject: rootless: do not attempt a CNI refresh
Signed-off-by: Giuseppe Scrivano
---
 libpod/container_internal.go | 4 ++++
 1 file changed, 4 insertions(+)
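Review bot: The new `logrus.Warnf` after `ns.GetNS` (and the one after `unix.Unshare` in the next hunk) logs a failure that NewNS also returns through its named `err` result, so the same error will typically be reported twice once the caller handles it. The file already wraps the bind-mount failure with `fmt.Errorf` in the third hunk; doing the same here, `err = fmt.Errorf("cannot open current network namespace %s: %v", threadNsPath, err)` before the `return`, keeps the path in the message without the duplicate warning. NewNS begins before the hunk, so I am assuming `err` is the named return and nothing else logs it on this path.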
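Review bot: The rootless branch in the deferred `origNS.Set()` handler matches on `strings.Contains(err.Error(), "operation not permitted")`, which ties the check to the wording of an error message rather than to the errno. If Set surfaces the setns errno (it appears to, given the text being matched), comparing against `unix.EPERM` is more precise — `errors.Is(err, unix.EPERM)` where the module's Go version allows it, otherwise `err == unix.EPERM`; unix is already imported in this file, errors would need to be. The bare `return` also makes the EPERM case invisible; a `logrus.Debugf("rootless: cannot re-join original network namespace: %q", err)` in that branch keeps it diagnosable without the warning the commit wants to remove. The deferred function's remaining body is outside the hunk.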
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index f1456548b..a4dcd23be 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -622,6 +622,10 @@ func (c *Container) refresh() error {
 return err
 }
+ if rootless.IsRootless() {
+ return nil
+ }
+
 return c.refreshCNI()
 }
-- cgit v1.2.3-54-g00ecf
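Review bot: The new early return skips `refreshCNI()` for rootless containers without saying why, and since `refresh()` starts before the hunk a later reader cannot tell from this spot whether CNI is simply unused in rootless mode or whether the refresh would fail there. A one-line comment above the check would settle it, e.g. `// Rootless containers do not manage CNI networking, so there is nothing to refresh.`, if that is the rationale. If `refreshCNI` has other callers, placing the check inside it would give them the same behaviour; I cannot see from this hunk whether any exist.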