mirror of
https://github.com/containers/podman.git
synced 2025-12-08 06:39:05 +08:00
Merge pull request #3959 from giuseppe/rootless-use-systemd-scope
rootless: automatically create a systemd scope
This commit is contained in:
OpenShift Merge Robot
@@ -5,9 +5,12 @@ package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log/syslog"
|
||||
"os"
|
||||
"runtime/pprof"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
@@ -18,6 +21,7 @@ import (
|
||||
"github.com/containers/libpod/pkg/rootless"
|
||||
"github.com/containers/libpod/pkg/tracing"
|
||||
"github.com/containers/libpod/pkg/util"
|
||||
"github.com/containers/libpod/utils"
|
||||
"github.com/opentracing/opentracing-go"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
@@ -119,7 +123,29 @@ func profileOff(cmd *cobra.Command) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func movePauseProcessToScope() error {
|
||||
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "could not get pause process pid file path")
|
||||
}
|
||||
|
||||
data, err := ioutil.ReadFile(pausePidPath)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "cannot read pause pid file")
|
||||
}
|
||||
pid, err := strconv.ParseUint(string(data), 10, 0)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "cannot parse pid file %s", pausePidPath)
|
||||
}
|
||||
|
||||
return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
|
||||
}
|
||||
|
||||
func setupRootless(cmd *cobra.Command, args []string) error {
|
||||
if !rootless.IsRootless() {
|
||||
return nil
|
||||
}
|
||||
|
||||
matches, err := rootless.ConfigurationMatches()
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -128,9 +154,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
|
||||
logrus.Warningf("the current user namespace doesn't match the configuration in /etc/subuid or /etc/subgid")
|
||||
logrus.Warningf("you can use `%s system migrate` to recreate the user namespace and restart the containers", os.Args[0])
|
||||
}
|
||||
if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
|
||||
return nil
|
||||
}
|
||||
|
||||
podmanCmd := cliconfig.PodmanCommand{
|
||||
Command: cmd,
|
||||
@@ -139,6 +162,39 @@ func setupRootless(cmd *cobra.Command, args []string) error {
|
||||
Remote: remoteclient,
|
||||
}
|
||||
|
||||
runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "could not get runtime")
|
||||
}
|
||||
defer runtime.DeferredShutdown(false)
|
||||
|
||||
// do it only after podman has already re-execed and running with uid==0.
|
||||
if os.Geteuid() == 0 {
|
||||
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !ownsCgroup {
|
||||
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
|
||||
if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
|
||||
conf, err := runtime.GetConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if conf.CgroupManager == libpod.SystemdCgroupsManager {
|
||||
logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err)
|
||||
} else {
|
||||
logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || cmd == _mountCommand || cmd == _migrateCommand || strings.HasPrefix(cmd.Use, "help") {
|
||||
return nil
|
||||
}
|
||||
|
||||
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "could not get pause process pid file path")
|
||||
@@ -158,13 +214,6 @@ func setupRootless(cmd *cobra.Command, args []string) error {
|
||||
}
|
||||
|
||||
// if there is no pid file, try to join existing containers, and create a pause process.
|
||||
|
||||
runtime, err := libpodruntime.GetRuntime(getContext(), &podmanCmd)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "could not get runtime")
|
||||
}
|
||||
defer runtime.DeferredShutdown(false)
|
||||
|
||||
ctrs, err := runtime.GetRunningContainers()
|
||||
if err != nil {
|
||||
logrus.Errorf(err.Error())
|
||||
@@ -177,6 +226,17 @@ func setupRootless(cmd *cobra.Command, args []string) error {
|
||||
}
|
||||
|
||||
became, ret, err := rootless.TryJoinFromFilePaths(pausePidPath, true, paths)
|
||||
if err := movePauseProcessToScope(); err != nil {
|
||||
conf, err := runtime.GetConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if conf.CgroupManager == libpod.SystemdCgroupsManager {
|
||||
logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
||||
} else {
|
||||
logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
logrus.Errorf(err.Error())
|
||||
os.Exit(1)
|
||||
|
||||
Reference in New Issue
Block a user