From 55cc80d3c9bfd96225db179b96427aa377ecb9dc Mon Sep 17 00:00:00 2001
From: baude <bbaude@redhat.com>
Date: Wed, 7 Aug 2019 09:53:59 -0500
Subject: varlink endpoint for containerstats requires root

obtaining containerstats requires the use of cgroups. at present,
rootless users do not have privileges to create cgroups.  add an error
message that catches this for the varlink endpoint and return a proper
error.

Fixes: #3749

Signed-off-by: baude <bbaude@redhat.com>
---
 pkg/varlinkapi/containers.go | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'pkg/varlinkapi/containers.go')

diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index bb66ff962..c7aa5233f 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -19,6 +19,8 @@ import (
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/logs"
 	"github.com/containers/libpod/pkg/adapter/shortcuts"
+	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/varlinkapi/virtwriter"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
@@ -317,6 +319,13 @@ func (i *LibpodAPI) ExportContainer(call iopodman.VarlinkCall, name, outPath str
 
 // GetContainerStats ...
 func (i *LibpodAPI) GetContainerStats(call iopodman.VarlinkCall, name string) error {
+	cgroupv2, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return call.ReplyErrorOccurred(err.Error())
+	}
+	if rootless.IsRootless() && !cgroupv2 {
+		return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats")
+	}
 	ctr, err := i.Runtime.LookupContainer(name)
 	if err != nil {
 		return call.ReplyContainerNotFound(name, err.Error())
-- 
cgit v1.2.3-54-g00ecf