From 2ab90f2ed66cd47741e31775459856bd4c5efce9 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 27 Jan 2023 15:46:50 +0100
Subject: [PATCH 1/2] journald: podman events only show events for current user

I noticed this while running some things in parallel, podman events would show events from other users. Because all events are written to the journal everybody can see them. So when we read the journal we must filter events for only the current UID.

To reproduce run `podman events` as user then in another window create a container as root for example. After this patch it will correctly ignore these events from other users.

[NO NEW TESTS NEEDED] I don't think we can test with two users at the same time.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 libpod/events/journal_linux.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go
index 6c0cc15803..0f472b8d89 100644
--- a/libpod/events/journal_linux.go
+++ b/libpod/events/journal_linux.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/coreos/go-systemd/v22/journal"
 	"github.com/coreos/go-systemd/v22/sdjournal"
@@ -108,7 +109,13 @@ func (e EventJournalD) Read(ctx context.Context, options ReadOptions) error {
 	// match only podman journal entries
 	podmanJournal := sdjournal.Match{Field: "SYSLOG_IDENTIFIER", Value: "podman"}
 	if err := j.AddMatch(podmanJournal.String()); err != nil {
-		return fmt.Errorf("failed to add journal filter for event log: %w", err)
+		return fmt.Errorf("failed to add SYSLOG_IDENTIFIER journal filter for event log: %w", err)
+	}
+
+	// make sure we only read events for the current user
+	uidMatch := sdjournal.Match{Field: "_UID", Value: strconv.Itoa(rootless.GetRootlessUID())}
+	if err := j.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("failed to add _UID journal filter for event log: %w", err)
 	}
 
 	if len(options.Since) == 0 && len(options.Until) == 0 && options.Stream {

From e519910305e71736493059fd1bd7ddb68ba3904d Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 27 Jan 2023 16:03:59 +0100
Subject: [PATCH 2/2] journald: podman logs only show logs for current user

In the super rare case that there are two containers with the same ID for two different users, podman logs with the journald driver would show logs from both containers.

[NO NEW TESTS NEEDED] Impossible to reproduce.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 libpod/container_log_linux.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libpod/container_log_linux.go b/libpod/container_log_linux.go
index e8b9a52a7e..de5a66dee1 100644
--- a/libpod/container_log_linux.go
+++ b/libpod/container_log_linux.go
@@ -7,12 +7,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/libpod/events"
 	"github.com/containers/podman/v4/libpod/logs"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/coreos/go-systemd/v22/journal"
 	"github.com/coreos/go-systemd/v22/sdjournal"
 	"github.com/sirupsen/logrus"
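Review bot: The comment above `uidMatch` in Read says what the filter does but not why it can be relied on: `_UID` is one of journald's trusted fields (underscore-prefixed fields are attached by journald from the sender's socket credentials and cannot be set by the writing process), which is exactly what makes it a stronger isolation boundary than the client-supplied `SYSLOG_IDENTIFIER` match just above it, and the same applies to the two `_UID` matches in the container_log_linux.go hunks of the second patch. Suggest `// _UID is a trusted journald field taken from the sender's credentials, so it cannot be forged by the logging process, unlike SYSLOG_IDENTIFIER above.` The choice of `rootless.GetRootlessUID()` over `os.Getuid()` presumably yields the host UID even when podman has re-executed inside the rootless user namespace, which is the value journald records; that is inferred from the helper's name and should be confirmed against pkg/rootless. If that helper returns 0 for root, a root `podman events` now sees only UID-0 entries rather than every user's, a behaviour change the commit message implies is intended but does not state. Read's body continues outside the hunk.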
@@ -69,6 +71,12 @@ func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOption
 	if err := journal.AddMatch(match.String()); err != nil {
 		return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
 	}
+	// Make sure we only read events for the current user, while it is unlikely that there
+	// is a container ID duplication for two users, it is better to have it just in case.
+	uidMatch := sdjournal.Match{Field: "_UID", Value: strconv.Itoa(rootless.GetRootlessUID())}
+	if err := journal.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("adding filter to journald logger: %v: %w", uidMatch, err)
+	}
 
 	// Add the filter for logs. Note the disjunction so that we match
 	// either the events or the logs.
@@ -79,6 +87,9 @@ func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOption
 	if err := journal.AddMatch(match.String()); err != nil {
 		return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
 	}
+	if err := journal.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("adding filter to journald logger: %v: %w", uidMatch, err)
+	}
 
 	if options.Since.IsZero() {
 		if err := journal.SeekHead(); err != nil {
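Review bot: The new comment above `uidMatch` in readFromJournal is a comma splice that reads as one sentence with two subjects, and it says "events" although this filter guards the container log query; suggest splitting it: `// Restrict the query to the current user's journal entries. A container ID collision` / `// between two users is unlikely, but without this match such a collision would merge their logs.` readFromJournal starts before this hunk and continues after it.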
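Review bot: The second `journal.AddMatch(uidMatch.String())` after the logs match has no comment, and a reader who skims past the events-side block could mistake it for an accidental duplicate and remove it. It is needed because the logs match lives in a separate match group (the `// Note the disjunction` comment in the previous hunk; the AddDisjunction call itself sits between the hunks, outside view), and journald applies matches only within their own group, so dropping this line would again match every user's container with the same ID on the logs branch. Suggest `// The disjunction above started a new match group, so the _UID restriction must be repeated for the logs branch.` readFromJournal's body continues outside the hunk.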