From 2446bdc7bb1bc0f26642af8e3690eeafb3c3e563 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 29 Mar 2021 11:44:41 +0200 Subject: rootless: use is_fd_inherited since we already have an exported function that does the check, refactor the code to use it instead of duplicating the logic. Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless_linux.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index d93e4c10c..7a2bf0377 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -233,9 +233,8 @@ int is_fd_inherited(int fd) { if (open_files_set == NULL || fd > open_files_max_fd || fd < 0) - { return 0; - } + return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0; } @@ -633,9 +632,10 @@ reexec_userns_join (int pid_to_join, char *pause_pid_file_path) close (user_ns); close (mnt_ns); - for (f = 3; f < open_files_max_fd; f++) - if (open_files_set == NULL || FD_ISSET (f % FD_SETSIZE, &(open_files_set[f / FD_SETSIZE]))) + for (f = 3; f <= open_files_max_fd; f++) + if (is_fd_inherited (f)) close (f); + return pid; } @@ -813,13 +813,14 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re if (do_socket_activation) { long num_fds; + num_fds = strtol (listen_fds, NULL, 10); if (num_fds != LONG_MIN && num_fds != LONG_MAX) { int f; for (f = 3; f < num_fds + 3; f++) - if (open_files_set == NULL || FD_ISSET (f % FD_SETSIZE, &(open_files_set[f / FD_SETSIZE]))) + if (is_fd_inherited (f)) close (f); } unsetenv ("LISTEN_PID"); -- cgit v1.2.3-54-g00ecf From c064acd78e418943edae8ec2998f855721157f30 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 29 Mar 2021 11:45:40 +0200 Subject: service: use LISTEN_FDS if LISTEN_FDS is specified by systemd, we need to use the first fd after the std files (so fd=3) to read from the activation socket instead of manually opening the UNIX socket. [NO TESTS NEEDED] Closes: https://github.com/containers/podman/issues/9251 Signed-off-by: Giuseppe Scrivano --- cmd/podman/system/service_abi.go | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go index 0e96e1fbb..9e8a9f9b4 100644 --- a/cmd/podman/system/service_abi.go +++ b/cmd/podman/system/service_abi.go @@ -24,16 +24,28 @@ func restService(opts entities.ServiceOptions, flags *pflag.FlagSet, cfg *entiti ) if opts.URI != "" { - fields := strings.Split(opts.URI, ":") - if len(fields) == 1 { - return errors.Errorf("%s is an invalid socket destination", opts.URI) + if os.Getenv("LISTEN_FDS") != "" { + // If it is activated by systemd, use the first LISTEN_FD (3) + // instead of opening the socket file. + f := os.NewFile(uintptr(3), "podman.sock") + l, err := net.FileListener(f) + if err != nil { + return err + } + listener = &l + } else { + fields := strings.Split(opts.URI, ":") + if len(fields) == 1 { + return errors.Errorf("%s is an invalid socket destination", opts.URI) + } + network := fields[0] + address := strings.Join(fields[1:], ":") + l, err := net.Listen(network, address) + if err != nil { + return errors.Wrapf(err, "unable to create socket") + } + listener = &l } - address := strings.Join(fields[1:], ":") - l, err := net.Listen(fields[0], address) - if err != nil { - return errors.Wrapf(err, "unable to create socket") - } - listener = &l } // Close stdin, so shortnames will not prompt -- cgit v1.2.3-54-g00ecf