Merge pull request #9855 from giuseppe/fix-service-race-condition

service: use LISTEN_FDS
2025-06-23 10:38:20 +08:00 · 2021-03-29 17:40:21 +00:00
parent 26b0ebd22f c064acd78e
commit aa96cb6739
2 changed files with 27 additions and 14 deletions
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@ -24,16 +24,28 @@ func restService(opts entities.ServiceOptions, flags *pflag.FlagSet, cfg *entiti
 	)

 	if opts.URI != "" {
-		fields := strings.Split(opts.URI, ":")
-		if len(fields) == 1 {
-			return errors.Errorf("%s is an invalid socket destination", opts.URI)
+		if os.Getenv("LISTEN_FDS") != "" {
+			// If it is activated by systemd, use the first LISTEN_FD (3)
+			// instead of opening the socket file.
+			f := os.NewFile(uintptr(3), "podman.sock")
+			l, err := net.FileListener(f)
+			if err != nil {
+				return err
+			}
+			listener = &l
+		} else {
+			fields := strings.Split(opts.URI, ":")
+			if len(fields) == 1 {
+				return errors.Errorf("%s is an invalid socket destination", opts.URI)
+			}
+			network := fields[0]
+			address := strings.Join(fields[1:], ":")
+			l, err := net.Listen(network, address)
+			if err != nil {
+				return errors.Wrapf(err, "unable to create socket")
+			}
+			listener = &l
 		}
-		address := strings.Join(fields[1:], ":")
-		l, err := net.Listen(fields[0], address)
-		if err != nil {
-			return errors.Wrapf(err, "unable to create socket")
-		}
-		listener = &l
 	}

 	// Close stdin, so shortnames will not prompt
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@ -233,9 +233,8 @@ int
 is_fd_inherited(int fd)
 {
  if (open_files_set == NULL || fd > open_files_max_fd || fd < 0)
-  {
    return 0;
-  }
+
  return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0;
 }

@ -633,9 +632,10 @@ reexec_userns_join (int pid_to_join, char *pause_pid_file_path)
      close (user_ns);
      close (mnt_ns);

-      for (f = 3; f < open_files_max_fd; f++)
-        if (open_files_set == NULL || FD_ISSET (f % FD_SETSIZE, &(open_files_set[f / FD_SETSIZE])))
+      for (f = 3; f <= open_files_max_fd; f++)
+        if (is_fd_inherited (f))
          close (f);
+
      return pid;
    }

@ -813,13 +813,14 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re
      if (do_socket_activation)
        {
          long num_fds;
+
          num_fds = strtol (listen_fds, NULL, 10);
          if (num_fds != LONG_MIN && num_fds != LONG_MAX)
            {
              int f;

              for (f = 3; f < num_fds + 3; f++)
-                if (open_files_set == NULL || FD_ISSET (f % FD_SETSIZE, &(open_files_set[f / FD_SETSIZE])))
+                if (is_fd_inherited (f))
                  close (f);
            }
          unsetenv ("LISTEN_PID");