From bf8fd943ef61941b7ffe10cd389615256b381e2f Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Mon, 25 Oct 2021 15:00:22 +0000 Subject: Allow 'container restore' with '--ipc host' Trying to restore a container that was started with '--ipc host' fails with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified We already fixed this exact same error message for containers started with '--privileged'. The previous fix was to check if the to be restored container is a privileged container (c.config.Privileged). Unfortunately this does not work for containers started with '--ipc host'. This commit changes the check for a privileged container to check if both the ProcessLabel and the MountLabel is actually set and only then re-uses those labels. Signed-off-by: Adrian Reber --- libpod/container_internal.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'libpod') diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 994ffeec7..d4384b791 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -457,10 +457,12 @@ func (c *Container) setupStorage(ctx context.Context) error { options.StorageOpt[split2[0]] = split2[1] } } - if c.restoreFromCheckpoint && !c.config.Privileged { - // If restoring from a checkpoint, the root file-system - // needs to be mounted with the same SELinux labels as - // it was mounted previously. + if c.restoreFromCheckpoint && c.config.ProcessLabel != "" && c.config.MountLabel != "" { + // If restoring from a checkpoint, the root file-system needs + // to be mounted with the same SELinux labels as it was mounted + // previously. But only if both labels have been set. For + // privileged containers or '--ipc host' only ProcessLabel will + // be set and so we will skip it for cases like that. if options.Flags == nil { options.Flags = make(map[string]interface{}) } -- cgit v1.2.3-54-g00ecf