mirror of
https://github.com/containers/podman.git
synced 2025-10-20 04:34:01 +08:00
use rootless netns from c/common
Use the new rootlessnetns logic from c/common, drop the podman code here and make use of the new much simpler API. ref: https://github.com/containers/common/pull/1761 [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
119
utils/utils.go
119
utils/utils.go
@ -2,20 +2,16 @@ package utils
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/containers/common/pkg/cgroups"
|
||||
"github.com/containers/storage/pkg/archive"
|
||||
"github.com/containers/storage/pkg/chrootarchive"
|
||||
"github.com/godbus/dbus/v5"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/vbauerster/mpb/v8"
|
||||
"github.com/vbauerster/mpb/v8/decor"
|
||||
@ -133,121 +129,6 @@ func RemoveScientificNotationFromFloat(x float64) (float64, error) {
|
||||
return result, nil
|
||||
}
|
||||
|
||||
var (
|
||||
runsOnSystemdOnce sync.Once
|
||||
runsOnSystemd bool
|
||||
)
|
||||
|
||||
// RunsOnSystemd returns whether the system is using systemd
|
||||
func RunsOnSystemd() bool {
|
||||
runsOnSystemdOnce.Do(func() {
|
||||
// per sd_booted(3), check for this dir
|
||||
fd, err := os.Stat("/run/systemd/system")
|
||||
runsOnSystemd = err == nil && fd.IsDir()
|
||||
})
|
||||
return runsOnSystemd
|
||||
}
|
||||
|
||||
func moveProcessPIDFileToScope(pidPath, slice, scope string) error {
|
||||
data, err := os.ReadFile(pidPath)
|
||||
if err != nil {
|
||||
// do not raise an error if the file doesn't exist
|
||||
if os.IsNotExist(err) {
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("cannot read pid file: %w", err)
|
||||
}
|
||||
pid, err := strconv.ParseUint(string(data), 10, 0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse pid file %s: %w", pidPath, err)
|
||||
}
|
||||
|
||||
return moveProcessToScope(int(pid), slice, scope)
|
||||
}
|
||||
|
||||
func moveProcessToScope(pid int, slice, scope string) error {
|
||||
err := RunUnderSystemdScope(pid, slice, scope)
|
||||
// If the PID is not valid anymore, do not return an error.
|
||||
if dbusErr, ok := err.(dbus.Error); ok {
|
||||
if dbusErr.Name == "org.freedesktop.DBus.Error.UnixProcessIdUnknown" {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// MoveRootlessNetnsSlirpProcessToUserSlice moves the slirp4netns process for the rootless netns
|
||||
// into a different scope so that systemd does not kill it with a container.
|
||||
func MoveRootlessNetnsSlirpProcessToUserSlice(pid int) error {
|
||||
randBytes := make([]byte, 4)
|
||||
_, err := rand.Read(randBytes)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return moveProcessToScope(pid, "user.slice", fmt.Sprintf("rootless-netns-%x.scope", randBytes))
|
||||
}
|
||||
|
||||
// MovePauseProcessToScope moves the pause process used for rootless mode to keep the namespaces alive to
|
||||
// a separate scope.
|
||||
func MovePauseProcessToScope(pausePidPath string) {
|
||||
var err error
|
||||
|
||||
for i := 0; i < 10; i++ {
|
||||
randBytes := make([]byte, 4)
|
||||
_, err = rand.Read(randBytes)
|
||||
if err != nil {
|
||||
logrus.Errorf("failed to read random bytes: %v", err)
|
||||
continue
|
||||
}
|
||||
err = moveProcessPIDFileToScope(pausePidPath, "user.slice", fmt.Sprintf("podman-pause-%x.scope", randBytes))
|
||||
if err == nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
unified, err2 := cgroups.IsCgroup2UnifiedMode()
|
||||
if err2 != nil {
|
||||
logrus.Warnf("Failed to detect if running with cgroup unified: %v", err)
|
||||
}
|
||||
if RunsOnSystemd() && unified {
|
||||
logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
||||
} else {
|
||||
logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var (
|
||||
maybeMoveToSubCgroupSync sync.Once
|
||||
maybeMoveToSubCgroupSyncErr error
|
||||
)
|
||||
|
||||
// MaybeMoveToSubCgroup moves the current process in a sub cgroup when
|
||||
// it is running in the root cgroup on a system that uses cgroupv2.
|
||||
func MaybeMoveToSubCgroup() error {
|
||||
maybeMoveToSubCgroupSync.Do(func() {
|
||||
unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
|
||||
if err != nil {
|
||||
maybeMoveToSubCgroupSyncErr = err
|
||||
return
|
||||
}
|
||||
if !unifiedMode {
|
||||
maybeMoveToSubCgroupSyncErr = nil
|
||||
return
|
||||
}
|
||||
cgroup, err := GetOwnCgroup()
|
||||
if err != nil {
|
||||
maybeMoveToSubCgroupSyncErr = err
|
||||
return
|
||||
}
|
||||
if cgroup == "/" {
|
||||
maybeMoveToSubCgroupSyncErr = MoveUnderCgroupSubtree("init")
|
||||
}
|
||||
})
|
||||
return maybeMoveToSubCgroupSyncErr
|
||||
}
|
||||
|
||||
// GuardedRemoveAll functions much like os.RemoveAll but
|
||||
// will not delete certain catastrophic paths.
|
||||
func GuardedRemoveAll(path string) error {
|
||||
|
||||
Reference in New Issue
Block a user