From d3f0f09ad94af1d67b4f7baa83036dc851edee18 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Tue, 14 Sep 2021 11:13:28 +0200
Subject: libpod: rootful close binded ports

For rootful users ports are forwarded via iptables. To make sure no
other process tries to use them, libpod will bind the ports and pass the
fds to conmon. There seems to be race when a container is restarted
because libpod tries to bind the port before the conmon process exited.

The problem only hapens with the podman service because it keeps the
connection open. Once we have the fd and passed it to conmon the
podman service should close the connection.

To verify run `sudo ss -tulpn` and check that only the conmon process
keeps the port open. Previously you would also see the podman server
process listed.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 libpod/oci_conmon_linux.go | 1 +
 1 file changed, 1 insertion(+)

(limited to 'libpod/oci_conmon_linux.go')

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index c00d83f95..831e89223 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1140,6 +1140,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 		if err != nil {
 			return err
 		}
+		filesToClose = append(filesToClose, ports...)
 
 		// Leak the port we bound in the conmon process.  These fd's won't be used
 		// by the container and conmon will keep the ports busy so that another
-- 
cgit v1.2.3-54-g00ecf