libpod: rootful close binded ports

For rootful users ports are forwarded via iptables. To make sure no
other process tries to use them, libpod will bind the ports and pass the
fds to conmon. There seems to be race when a container is restarted
because libpod tries to bind the port before the conmon process exited.

The problem only hapens with the podman service because it keeps the
connection open. Once we have the fd and passed it to conmon the
podman service should close the connection.

To verify run `sudo ss -tulpn` and check that only the conmon process
keeps the port open. Previously you would also see the podman server
process listed.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

libpod/oci_conmon_linux.go

@@ -1140,6 +1140,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 		if err != nil {
 			return err
 		}
+		filesToClose = append(filesToClose, ports...)
 
 		// Leak the port we bound in the conmon process.  These fd's won't be used
 		// by the container and conmon will keep the ports busy so that another

libpod/oci_util.go

@@ -68,6 +68,12 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) {
 				return nil, errors.Wrapf(err, "cannot get file for UDP socket")
 			}
 			files = append(files, f)
+			// close the listener
+			// note that this does not affect the fd, see the godoc for server.File()
+			err = server.Close()
+			if err != nil {
+				logrus.Warnf("failed to close connection: %v", err)
+			}
 
 		case "tcp":
 			var (
@@ -96,6 +102,13 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) {
 				return nil, errors.Wrapf(err, "cannot get file for TCP socket")
 			}
 			files = append(files, f)
+			// close the listener
+			// note that this does not affect the fd, see the godoc for server.File()
+			err = server.Close()
+			if err != nil {
+				logrus.Warnf("failed to close connection: %v", err)
+			}
+
 		case "sctp":
 			if !notifySCTP {
 				notifySCTP = true