From 94e2a0cd63935708815bfaa3399fb57210d94065 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 25 Jun 2019 12:22:33 +0000
Subject: Track if a container is restored from an exported checkpoint

Instead of only tracking that a container is restored from a checkpoint locally in runtime_ctr.go this adds a flag to the Container structure. Upcoming patches to correctly label the root file-system mount-point need also to know if a container is restored from a checkpoint. Instead of passing a parameter around a lot of functions, this adds that information to the Container structure.

Signed-off-by: Adrian Reber
---
 libpod/container.go | 3 +++
 libpod/runtime_ctr.go | 9 +++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'libpod')

diff --git a/libpod/container.go b/libpod/container.go
index 464b233d1..3a0f60fd9 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -157,6 +157,9 @@ type Container struct {
 // being checkpointed. If requestedIP is set it will be used instead
 // of config.StaticIP.
 requestedIP net.IP
+
+ // This is true if a container is restored from a checkpoint.
+ restoreFromCheckpoint bool
 }
 
 // ContainerState contains the current state of the container
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 271d4160d..a169d30f7 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -55,7 +55,7 @@ func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config
 if err != nil {
 return nil, errors.Wrapf(err, "error initializing container variables")
 }
- return r.setupContainer(ctx, ctr, true)
+ return r.setupContainer(ctx, ctr)
 }
 
 func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConfig) (c *Container, err error) {
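Review bot: The comment on the new `restoreFromCheckpoint` field in container.go does not say that the flag sits directly on the Container struct rather than inside its config or state, so it is presumably in-memory only and not written to the state database — confirm — and a later reader of setupStorage cannot tell that from the field alone. It also does not name where the flag is set, which the runtime_ctr.go hunk shows is the config-supplied branch of initContainerVariables. I would replace the comment with `// restoreFromCheckpoint is set by initContainerVariables when the container is created from an imported checkpoint (RestoreContainer). It lives only on this in-memory struct, not in ContainerConfig or ContainerState.` The Container struct continues outside the hunk.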
@@ -71,6 +71,7 @@ func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConf
 ctr.config.ShmSize = DefaultShmSize
 } else {
 // This is a restore from an imported checkpoint
+ ctr.restoreFromCheckpoint = true
 if err := JSONDeepCopy(config, ctr.config); err != nil {
 return nil, errors.Wrapf(err, "error copying container config for restore")
 }
@@ -122,10 +123,10 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
 return nil, errors.Wrapf(err, "error running container create option")
 }
 }
- return r.setupContainer(ctx, ctr, false)
+ return r.setupContainer(ctx, ctr)
 }
 
-func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bool) (c *Container, err error) {
+func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (c *Container, err error) {
 // Allocate a lock for the container
 lock, err := r.lockManager.AllocateLock()
 if err != nil {
@@ -204,7 +205,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bo
 return nil, errors.Wrapf(ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager)
 }
 
- if restore {
+ if ctr.restoreFromCheckpoint {
 // Remove information about bind mount
 // for new container from imported checkpoint
 g := generate.Generator{Config: ctr.config.Spec}
-- 
cgit v1.2.3-54-g00ecf

From 220e169cc1f04a17b25d7af0994715f75be0d249 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 25 Jun 2019 12:36:05 +0000
Subject: Provide correct SELinux mount-label for restored container

Restoring a container from a checkpoint archive creates a complete new root file-system. This file-system needs to have the correct SELinux label or most things in that restored container will fail. Running processes are not as problematic as newly exec()'d process (internally or via 'podman exec'). This patch tells the storage setup which label should be used to mount the container's root file-system.
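Review bot: With `ctr.restoreFromCheckpoint = true` placed in the else branch of initContainerVariables, "restore" is now implied by whether the caller passes a non-nil config instead of being stated by the explicit `restore bool` that the -122 hunk removes from setupContainer, and the -204 hunk then consumes that implied value. newContainer's call to initContainerVariables is outside the hunk, so correctness relies on that call passing nil; any future caller that supplies a config for another reason would silently take the restore path, including the bind-mount stripping under `if ctr.restoreFromCheckpoint`. I would state the contract at the assignment: `// A caller that supplies a config is, by definition, restoring from an imported checkpoint (RestoreContainer); plain creates must pass nil.` initContainerVariables and setupContainer both begin and end outside these hunks.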
Signed-off-by: Adrian Reber
---
 libpod/container_internal.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'libpod')

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 56fd27afb..5d824908c 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -351,6 +351,16 @@ func (c *Container) setupStorage(ctx context.Context) error {
 },
 LabelOpts: c.config.LabelOpts,
 }
+ if c.restoreFromCheckpoint {
+ // If restoring from a checkpoint, the root file-system
+ // needs to be mounted with the same SELinux labels as
+ // it was mounted previously.
+ if options.Flags == nil {
+ options.Flags = make(map[string]interface{})
+ }
+ options.Flags["ProcessLabel"] = c.config.ProcessLabel
+ options.Flags["MountLabel"] = c.config.MountLabel
+ }
 if c.config.Privileged {
 privOpt := func(opt string) bool {
 for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
-- 
cgit v1.2.3-54-g00ecf
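Review bot: `options.Flags["ProcessLabel"]` and `options.Flags["MountLabel"]` are set unconditionally on the restore path, so a checkpoint whose config carries empty labels (for example one taken on a host without SELinux) hands the storage layer empty strings, and whether the consumer treats an empty flag like an absent key is not visible here. On this path c.config was copied verbatim from the imported archive (the JSONDeepCopy in the preceding commit), so these are the archive's labels, not ones the runtime derived; a non-empty guard keeps the existing behaviour for label-less archives: `if c.config.MountLabel != "" { options.Flags["MountLabel"] = c.config.MountLabel }` and likewise for ProcessLabel. The keys are untyped map strings with no compile-time check, so the comment should also name the consumer; I would add `// Keys presumably read by the storage driver when creating the container layer — confirm the names against that side.` setupStorage continues outside the hunk.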