From 1d93d212541616135da23bcf01ca49180f113e62 Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Wed, 15 Apr 2020 10:12:30 -0700 Subject: V2 Enable rootless * Enable running podman V2 rootless * Fixed cobra.PersistentPreRunE usage in all the commands * Leveraged cobra.PersistentPreRunE/cobra.PersistentPostRunE to manage: * rootless * trace (--trace) * profiling (--cpu-profile) * initializing the registry copies of Image/Container engines * Help and Usage templates autoset for all sub-commands Signed-off-by: Jhon Honce --- pkg/domain/entities/engine.go | 219 -------------------------------- pkg/domain/entities/engine_container.go | 4 +- pkg/domain/entities/engine_image.go | 2 +- pkg/domain/infra/abi/containers.go | 4 +- pkg/domain/infra/abi/system.go | 39 +----- pkg/domain/infra/tunnel/system.go | 5 + 6 files changed, 15 insertions(+), 258 deletions(-) (limited to 'pkg/domain') diff --git a/pkg/domain/entities/engine.go b/pkg/domain/entities/engine.go index 3b971a1e8..f45218d14 100644 --- a/pkg/domain/entities/engine.go +++ b/pkg/domain/entities/engine.go @@ -2,17 +2,9 @@ package entities import ( "context" - "fmt" "io" - "os" - "github.com/containers/buildah/pkg/parse" "github.com/containers/common/pkg/config" - "github.com/containers/common/pkg/sysinfo" - "github.com/containers/libpod/pkg/apparmor" - "github.com/containers/libpod/pkg/cgroups" - "github.com/containers/libpod/pkg/rootless" - "github.com/opencontainers/selinux/go-selinux" "github.com/opentracing/opentracing-go" "github.com/spf13/pflag" ) @@ -54,214 +46,3 @@ type PodmanConfig struct { StorageDriver string StorageOpts []string } - -// DefaultSecurityOptions: getter for security options from configuration -func (c PodmanConfig) DefaultSecurityOptions() []string { - securityOpts := []string{} - if c.Containers.SeccompProfile != "" && c.Containers.SeccompProfile != parse.SeccompDefaultPath { - securityOpts = append(securityOpts, fmt.Sprintf("seccomp=%s", c.Containers.SeccompProfile)) - } - if apparmor.IsEnabled() && c.Containers.ApparmorProfile != "" { - securityOpts = append(securityOpts, fmt.Sprintf("apparmor=%s", c.Containers.ApparmorProfile)) - } - if selinux.GetEnabled() && !c.Containers.EnableLabeling { - securityOpts = append(securityOpts, fmt.Sprintf("label=%s", selinux.DisableSecOpt()[0])) - } - return securityOpts -} - -// DefaultSysctls -func (c PodmanConfig) DefaultSysctls() []string { - return c.Containers.DefaultSysctls -} - -func (c PodmanConfig) DefaultVolumes() []string { - return c.Containers.Volumes -} - -func (c PodmanConfig) DefaultDevices() []string { - return c.Containers.Devices -} - -func (c PodmanConfig) DefaultDNSServers() []string { - return c.Containers.DNSServers -} - -func (c PodmanConfig) DefaultDNSSearches() []string { - return c.Containers.DNSSearches -} - -func (c PodmanConfig) DefaultDNSOptions() []string { - return c.Containers.DNSOptions -} - -func (c PodmanConfig) DefaultEnv() []string { - return c.Containers.Env -} - -func (c PodmanConfig) DefaultInitPath() string { - return c.Containers.InitPath -} - -func (c PodmanConfig) DefaultIPCNS() string { - return c.Containers.IPCNS -} - -func (c PodmanConfig) DefaultPidNS() string { - return c.Containers.PidNS -} - -func (c PodmanConfig) DefaultNetNS() string { - if c.Containers.NetNS == "private" && rootless.IsRootless() { - return "slirp4netns" - } - return c.Containers.NetNS -} - -func (c PodmanConfig) DefaultCgroupNS() string { - return c.Containers.CgroupNS -} - -func (c PodmanConfig) DefaultUTSNS() string { - return c.Containers.UTSNS -} - -func (c PodmanConfig) DefaultShmSize() string { - return c.Containers.ShmSize -} - -func (c PodmanConfig) DefaultUlimits() []string { - return c.Containers.DefaultUlimits -} - -func (c PodmanConfig) DefaultUserNS() string { - if v, found := os.LookupEnv("PODMAN_USERNS"); found { - return v - } - return c.Containers.UserNS -} - -func (c PodmanConfig) DefaultPidsLimit() int64 { - if rootless.IsRootless() { - cgroup2, _ := cgroups.IsCgroup2UnifiedMode() - if cgroup2 { - return c.Containers.PidsLimit - } - } - return sysinfo.GetDefaultPidsLimit() -} - -func (c PodmanConfig) DefaultPidsDescription() string { - return "Tune container pids limit (set 0 for unlimited)" -} - -func (c PodmanConfig) DefaultDetachKeys() string { - return c.Engine.DetachKeys -} - -// TODO: Remove in rootless support PR -// // EngineOptions holds the environment for running the engines -// type EngineOptions struct { -// // Introduced with V2 -// Uri string -// Identities []string -// FlagSet *pflag.FlagSet -// EngineMode EngineMode -// CGroupUsage string -// -// // Introduced with V1 -// CGroupManager string // config.EngineConfig -// CniConfigDir string // config.NetworkConfig.NetworkConfigDir -// ConmonPath string // config.EngineConfig -// DefaultMountsFile string // config.ContainersConfig -// EventsBackend string // config.EngineConfig.EventsLogger -// HooksDir []string // config.EngineConfig -// MaxWorks int -// Namespace string // config.EngineConfig -// Root string // -// Runroot string // config.EngineConfig.StorageConfigRunRootSet?? -// Runtime string // config.EngineConfig.OCIRuntime -// StorageDriver string // config.EngineConfig.StorageConfigGraphDriverNameSet?? -// StorageOpts []string -// Syslog bool -// Trace bool -// NetworkCmdPath string // config.EngineConfig -// -// Config string -// CpuProfile string -// LogLevel string -// TmpDir string // config.EngineConfig -// -// RemoteUserName string // deprecated -// RemoteHost string // deprecated -// VarlinkAddress string // deprecated -// ConnectionName string -// RemoteConfigFilePath string -// Port int // deprecated -// IdentityFile string // deprecated -// IgnoreHosts bool -// } -// -// func NewEngineOptions(opts EngineOptions) (EngineOptions, error) { -// ctnrCfg, err := config.Default() -// if err != nil { -// logrus.Error(err) -// os.Exit(1) -// } -// -// cgroupManager := ctnrCfg.Engine.CgroupManager -// cgroupUsage := `Cgroup manager to use ("cgroupfs"|"systemd")` -// cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() -// cniPluginDir := ctnrCfg.Network.CNIPluginDirs[0] -// -// cfg, err := config.NewConfig("") -// if err != nil { -// logrus.Errorf("Error loading container config %v\n", err) -// os.Exit(1) -// } -// cfg.CheckCgroupsAndAdjustConfig() -// -// if rootless.IsRootless() { -// if !cgroupv2 { -// cgroupManager = "" -// cgroupUsage = "Cgroup manager is not supported in rootless mode" -// } -// cniPluginDir = "" -// } -// -// return EngineOptions{ -// CGroupManager: cgroupManager, -// CGroupUsage: cgroupUsage, -// CniConfigDir: cniPluginDir, -// Config: opts.Config, // TODO: deprecate -// ConmonPath: opts.ConmonPath, -// ConnectionName: opts.ConnectionName, -// CpuProfile: opts.CpuProfile, -// DefaultMountsFile: ctnrCfg.Containers.DefaultMountsFile, -// EngineMode: opts.EngineMode, -// EventsBackend: ctnrCfg.Engine.EventsLogger, -// FlagSet: opts.FlagSet, // TODO: deprecate -// HooksDir: append(ctnrCfg.Engine.HooksDir[:0:0], ctnrCfg.Engine.HooksDir...), -// Identities: append(opts.Identities[:0:0], opts.Identities...), -// IdentityFile: opts.IdentityFile, // TODO: deprecate -// IgnoreHosts: opts.IgnoreHosts, -// LogLevel: opts.LogLevel, -// MaxWorks: opts.MaxWorks, -// Namespace: ctnrCfg.Engine.Namespace, -// NetworkCmdPath: ctnrCfg.Engine.NetworkCmdPath, -// Port: opts.Port, -// RemoteConfigFilePath: opts.RemoteConfigFilePath, -// RemoteHost: opts.RemoteHost, // TODO: deprecate -// RemoteUserName: opts.RemoteUserName, // TODO: deprecate -// Root: opts.Root, -// Runroot: opts.Runroot, -// Runtime: opts.Runtime, -// StorageDriver: opts.StorageDriver, -// StorageOpts: append(opts.StorageOpts[:0:0], opts.StorageOpts...), -// Syslog: opts.Syslog, -// TmpDir: opts.TmpDir, -// Trace: opts.Trace, -// Uri: opts.Uri, -// VarlinkAddress: opts.VarlinkAddress, -// }, nil -// } diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go index c3092a98a..02938413a 100644 --- a/pkg/domain/entities/engine_container.go +++ b/pkg/domain/entities/engine_container.go @@ -6,6 +6,7 @@ import ( "github.com/containers/common/pkg/config" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/specgen" + "github.com/spf13/cobra" ) type ContainerEngine interface { @@ -24,9 +25,9 @@ type ContainerEngine interface { ContainerInspect(ctx context.Context, namesOrIds []string, options InspectOptions) ([]*ContainerInspectReport, error) ContainerKill(ctx context.Context, namesOrIds []string, options KillOptions) ([]*KillReport, error) ContainerList(ctx context.Context, options ContainerListOptions) ([]ListContainer, error) + ContainerLogs(ctx context.Context, containers []string, options ContainerLogsOptions) error ContainerMount(ctx context.Context, nameOrIds []string, options ContainerMountOptions) ([]*ContainerMountReport, error) ContainerPause(ctx context.Context, namesOrIds []string, options PauseUnPauseOptions) ([]*PauseUnpauseReport, error) - ContainerLogs(ctx context.Context, containers []string, options ContainerLogsOptions) error ContainerRestart(ctx context.Context, namesOrIds []string, options RestartOptions) ([]*RestartReport, error) ContainerRestore(ctx context.Context, namesOrIds []string, options RestoreOptions) ([]*RestoreReport, error) ContainerRm(ctx context.Context, namesOrIds []string, options RmOptions) ([]*RmReport, error) @@ -53,6 +54,7 @@ type ContainerEngine interface { PodTop(ctx context.Context, options PodTopOptions) (*StringSliceReport, error) PodUnpause(ctx context.Context, namesOrIds []string, options PodunpauseOptions) ([]*PodUnpauseReport, error) RestService(ctx context.Context, opts ServiceOptions) error + SetupRootless(ctx context.Context, cmd *cobra.Command) error VarlinkService(ctx context.Context, opts ServiceOptions) error VolumeCreate(ctx context.Context, opts VolumeCreateOptions) (*IdOrNameResponse, error) VolumeInspect(ctx context.Context, namesOrIds []string, opts VolumeInspectOptions) ([]*VolumeInspectReport, error) diff --git a/pkg/domain/entities/engine_image.go b/pkg/domain/entities/engine_image.go index 3a051ab9b..e3b606550 100644 --- a/pkg/domain/entities/engine_image.go +++ b/pkg/domain/entities/engine_image.go @@ -20,7 +20,7 @@ type ImageEngine interface { Pull(ctx context.Context, rawImage string, opts ImagePullOptions) (*ImagePullReport, error) Push(ctx context.Context, source string, destination string, opts ImagePushOptions) error Save(ctx context.Context, nameOrId string, tags []string, options ImageSaveOptions) error + Search(ctx context.Context, term string, opts ImageSearchOptions) ([]ImageSearchReport, error) Tag(ctx context.Context, nameOrId string, tags []string, options ImageTagOptions) error Untag(ctx context.Context, nameOrId string, tags []string, options ImageUntagOptions) error - Search(ctx context.Context, term string, opts ImageSearchOptions) ([]ImageSearchReport, error) } diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go index 4279fb756..c9df72f2d 100644 --- a/pkg/domain/infra/abi/containers.go +++ b/pkg/domain/infra/abi/containers.go @@ -668,9 +668,6 @@ func (ic *ContainerEngine) ContainerDiff(ctx context.Context, nameOrId string, o } func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.ContainerRunOptions) (*entities.ContainerRunReport, error) { - var ( - joinPod bool - ) if err := generate.CompleteSpec(ctx, ic.Libpod, opts.Spec); err != nil { return nil, err } @@ -679,6 +676,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta return nil, err } + var joinPod bool if len(ctr.PodID()) > 0 { joinPod = true } diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 10872144b..67593b2dd 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -100,7 +100,7 @@ func (ic *ContainerEngine) VarlinkService(_ context.Context, opts entities.Servi return nil } -func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error { +func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { // do it only after podman has already re-execed and running with uid==0. if os.Geteuid() == 0 { ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() @@ -123,10 +123,6 @@ func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error { } } - if !executeCommandInUserNS(cmd) { - return nil - } - pausePidPath, err := util.GetRootlessPauseProcessPidPath() if err != nil { return errors.Wrapf(err, "could not get pause process pid file path") @@ -143,7 +139,8 @@ func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error { // if there is no pid file, try to join existing containers, and create a pause process. ctrs, err := ic.Libpod.GetRunningContainers() if err != nil { - logrus.WithError(err).Fatal("") + logrus.Error(err.Error()) + os.Exit(1) } paths := []string{} @@ -164,7 +161,8 @@ func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error { } } if err != nil { - logrus.WithError(err).Fatal("") + logrus.Error(err) + os.Exit(1) } if became { os.Exit(ret) @@ -172,25 +170,6 @@ func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error { return nil } -// Most podman commands when run in rootless mode, need to be executed in the -// users usernamespace. This function is updated with a list of commands that -// should NOT be run within the user namespace. -func executeCommandInUserNS(cmd *cobra.Command) bool { - return os.Geteuid() == 0 - // if os.Geteuid() == 0 { - // return false - // } - // switch cmd { - // case _migrateCommand, - // _mountCommand, - // _renumberCommand, - // _searchCommand, - // _versionCommand: - // return false - // } - // return true -} - func movePauseProcessToScope() error { pausePidPath, err := util.GetRootlessPauseProcessPidPath() if err != nil { @@ -234,11 +213,3 @@ func setUMask() { // nolint:deadcode,unused func checkInput() error { // nolint:deadcode,unused return nil } - -// func getCNIPluginsDir() string { -// if rootless.IsRootless() { -// return "" -// } -// -// return registry.PodmanOptions.Network.CNIPluginDirs[0] -// } diff --git a/pkg/domain/infra/tunnel/system.go b/pkg/domain/infra/tunnel/system.go index 7c7a55c05..f373525c5 100644 --- a/pkg/domain/infra/tunnel/system.go +++ b/pkg/domain/infra/tunnel/system.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/bindings/system" "github.com/containers/libpod/pkg/domain/entities" + "github.com/spf13/cobra" ) func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) { @@ -20,3 +21,7 @@ func (ic *ContainerEngine) RestService(_ context.Context, _ entities.ServiceOpti func (ic *ContainerEngine) VarlinkService(_ context.Context, _ entities.ServiceOptions) error { panic(errors.New("varlink service is not supported when tunneling")) } + +func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { + panic(errors.New("rootless engine mode is not supported when tunneling")) +} -- cgit v1.2.3-54-g00ecf