Allow 'container restore' with '--ipc host'

Trying to restore a container that was started with '--ipc host' fails with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified We already fixed this exact same error message for containers started with '--privileged'. The previous fix was to check if the to be restored container is a privileged container (c.config.Privileged). Unfortunately this does not work for containers started with '--ipc host'. This commit changes the check for a privileged container to check if both the ProcessLabel and the MountLabel is actually set and only then re-uses those labels. Signed-off-by: Adrian Reber <areber@redhat.com>
2025-08-06 11:32:07 +08:00 · 2021-10-25 15:00:22 +00:00
parent dbe770e3ce
commit bf8fd943ef
2 changed files with 41 additions and 4 deletions
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -457,10 +457,12 @@ func (c *Container) setupStorage(ctx context.Context) error {
 			options.StorageOpt[split2[0]] = split2[1]
 		}
 	}
-	if c.restoreFromCheckpoint && !c.config.Privileged {
-		// If restoring from a checkpoint, the root file-system
-		// needs to be mounted with the same SELinux labels as
-		// it was mounted previously.
+	if c.restoreFromCheckpoint && c.config.ProcessLabel != "" && c.config.MountLabel != "" {
+		// If restoring from a checkpoint, the root file-system needs
+		// to be mounted with the same SELinux labels as it was mounted
+		// previously. But only if both labels have been set. For
+		// privileged containers or '--ipc host' only ProcessLabel will
+		// be set and so we will skip it for cases like that.
 		if options.Flags == nil {
 			options.Flags = make(map[string]interface{})
 		}
--- a/test/e2e/checkpoint_test.go
+++ b/test/e2e/checkpoint_test.go
@ -1156,4 +1156,39 @@ var _ = Describe("Podman checkpoint", func() {
 			os.Remove(fileName)
 		})
 	}
+
+	It("podman checkpoint container with export (migration) and --ipc host", func() {
+		localRunString := getRunString([]string{"--rm", "--ipc", "host", ALPINE, "top"})
+		session := podmanTest.Podman(localRunString)
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1))
+		cid := session.OutputToString()
+		fileName := "/tmp/checkpoint-" + cid + ".tar.gz"
+
+		result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", fileName})
+		result.WaitWithDefaultTimeout()
+
+		// As the container has been started with '--rm' it will be completely
+		// cleaned up after checkpointing.
+		Expect(result).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0))
+		Expect(podmanTest.NumberOfContainers()).To(Equal(0))
+
+		result = podmanTest.Podman([]string{"container", "restore", "-i", fileName})
+		result.WaitWithDefaultTimeout()
+
+		Expect(result).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1))
+		Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up"))
+
+		result = podmanTest.Podman([]string{"rm", "-t", "0", "-fa"})
+		result.WaitWithDefaultTimeout()
+		Expect(result).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0))
+		Expect(podmanTest.NumberOfContainers()).To(Equal(0))
+
+		// Remove exported checkpoint
+		os.Remove(fileName)
+	})
 })