opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-09-27 00:34:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

build(deps): bump github.com/rootless-containers/rootlesskit

Browse Source 
Bumps [github.com/rootless-containers/rootlesskit](https://github.com/rootless-containers/rootlesskit) from 0.9.3 to 0.9.4.
- [Release notes](https://github.com/rootless-containers/rootlesskit/releases)
- [Commits](https://github.com/rootless-containers/rootlesskit/compare/v0.9.3...v0.9.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This commit is contained in:
dependabot-preview[bot]
2020-04-27 10:23:05 +00:00
committed by Valentin Rothberg
parent c2a33b7bf9
commit ddbe1aef17
4 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go generated vendored
View File

@ -2,11 +2,14 @@ package parent
import (
"context"
"fmt"
"io"
"io/ioutil"
"net"
"os"
"path/filepath"
"strconv"
"strings"
"sync"
"syscall"
@ -84,6 +87,39 @@ func (d *driver) RunParentDriver(initComplete chan struct{}, quit <-chan struct{
return nil
}
func isEPERM(err error) bool {
k := "permission denied"
// As of Go 1.14, errors.Is(err, syscall.EPERM) does not seem to work for
// "listen tcp 0.0.0.0:80: bind: permission denied" error from net.ListenTCP().
return errors.Is(err, syscall.EPERM) || strings.Contains(err.Error(), k)
}
// annotateEPERM annotates origErr for human-readability
func annotateEPERM(origErr error, spec port.Spec) error {
// Read "net.ipv4.ip_unprivileged_port_start" value (typically 1024)
// TODO: what for IPv6?
// NOTE: sync.Once should not be used here
b, e := ioutil.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
if e != nil {
return origErr
}
start, e := strconv.Atoi(strings.TrimSpace(string(b)))
if e != nil {
return origErr
}
if spec.ParentPort >= start {
// origErr is unrelated to ip_unprivileged_port_start
return origErr
}
text := fmt.Sprintf("cannot expose privileged port %d, you might need to add \"net.ipv4.ip_unprivileged_port_start=0\" (currently %d) to /etc/sysctl.conf", spec.ParentPort, start)
if filepath.Base(os.Args[0]) == "rootlesskit" {
// NOTE: The following sentence is appended only if Args[0] == "rootlesskit", because it does not apply to Podman (as of Podman v1.9).
// Podman launches the parent driver in the child user namespace (but in the parent network namespace), which disables the file capability.
text += ", or set CAP_NET_BIND_SERVICE on rootlesskit binary"
}
return errors.Wrap(origErr, text)
}
func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) {
d.mu.Lock()
err := portutil.ValidatePortSpec(spec, d.ports)
@ -106,6 +142,9 @@ func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, err
return nil, errors.New("spec was not validated?")
}
if err != nil {
if isEPERM(err) {
err = annotateEPERM(err, spec)
}
return nil, err
}
d.mu.Lock()