rootless: fix top

join the user namespace used to create the container so that psgo can work in the same way as with root containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
2025-10-26 02:35:43 +08:00 · 2018-08-29 10:02:15 +02:00
parent 1789242933
commit 2ed79f6315
3 changed files with 32 additions and 1 deletions
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@ -34,6 +34,7 @@ var cmdsNotRequiringRootless = map[string]bool{
 	"kill":    true,
 	"search":  true,
 	"stop":    true,
+	"top":     true,
 }

 func main() {
--- a/cmd/podman/top.go
+++ b/cmd/podman/top.go
@ -8,6 +8,7 @@ import (

 	"github.com/containers/libpod/cmd/podman/libpodruntime"
 	"github.com/containers/libpod/libpod"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 )
@ -69,6 +70,7 @@ func topCmd(c *cli.Context) error {
 		return err
 	}

+	rootless.SetSkipStorageSetup(true)
 	runtime, err := libpodruntime.GetRuntime(c)
 	if err != nil {
 		return errors.Wrapf(err, "error creating libpod runtime")
@ -96,6 +98,17 @@ func topCmd(c *cli.Context) error {
 		return errors.Errorf("top can only be used on running containers")
 	}

+	pid, err := container.PID()
+	if err != nil {
+		return err
+	}
+	became, ret, err := rootless.JoinNS(uint(pid))
+	if err != nil {
+		return err
+	}
+	if became {
+		os.Exit(ret)
+	}
 	psOutput, err := container.GetContainerPidInformation(descriptors)
 	if err != nil {
 		return err
--- a/test/e2e/rootless_test.go
+++ b/test/e2e/rootless_test.go
@ -71,6 +71,7 @@ var _ = Describe("Podman rootless", func() {
 		if err != nil {
 			Skip("User namespaces not supported.")
 		}
+		canUseExec := canExec()

 		setup := podmanTest.Podman([]string{"create", ALPINE, "ls"})
 		setup.WaitWithDefaultTimeout()
@ -121,6 +122,22 @@ var _ = Describe("Podman rootless", func() {
 			cmd.WaitWithDefaultTimeout()
 			Expect(cmd.ExitCode()).To(Equal(0))

+			allArgs = append([]string{"run", "-d"}, args...)
+			allArgs = append(allArgs, "--security-opt", "seccomp=unconfined", "--rootfs", mountPath, "top")
+			cmd = podmanTest.PodmanAsUser(allArgs, 1000, 1000, env)
+			cmd.WaitWithDefaultTimeout()
+			Expect(cmd.ExitCode()).To(Equal(0))
+
+			if canUseExec {
+				cmd = podmanTest.PodmanAsUser([]string{"top", "-l"}, 1000, 1000, env)
+				cmd.WaitWithDefaultTimeout()
+				Expect(cmd.ExitCode()).To(Equal(0))
+			}
+
+			cmd = podmanTest.PodmanAsUser([]string{"rm", "-l", "-f"}, 1000, 1000, env)
+			cmd.WaitWithDefaultTimeout()
+			Expect(cmd.ExitCode()).To(Equal(0))
+
 			allArgs = append([]string{"run", "-d"}, args...)
 			allArgs = append(allArgs, "--security-opt", "seccomp=unconfined", "--rootfs", mountPath, "unshare", "-r", "unshare", "-r", "top")
 			cmd = podmanTest.PodmanAsUser(allArgs, 1000, 1000, env)
@ -143,7 +160,7 @@ var _ = Describe("Podman rootless", func() {
 			cmd.WaitWithDefaultTimeout()
 			Expect(cmd.ExitCode()).To(Equal(0))

-			if !canExec() {
+			if !canUseExec {
 				Skip("ioctl(NS_GET_PARENT) not supported.")
 			}