oci: use /proc/self/fd/FD to open unix socket

instead of opening directly the UNIX socket path, grab a reference to it through a O_PATH file descriptor and use the fixed size string "/proc/self/fd/%d" to open the UNIX socket. In this way it won't hit the 108 chars length limit. Closes: https://github.com/containers/podman/issues/8798 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-07-15 03:02:52 +08:00 · 2021-01-11 11:25:43 +01:00
parent 41613bdb96
commit fdbc278868
5 changed files with 18 additions and 42 deletions
--- a/libpod/oci_attach_linux.go
+++ b/libpod/oci_attach_linux.go
@ -28,6 +28,15 @@ const (
 	AttachPipeStderr = 3
 )

+func openUnixSocket(path string) (*net.UnixConn, error) {
+	fd, err := unix.Open(path, unix.O_PATH, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer unix.Close(fd)
+	return net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: fmt.Sprintf("/proc/self/fd/%d", fd), Net: "unixpacket"})
+}
+
 // Attach to the given container
 // Does not check if state is appropriate
 // started is only required if startContainer is true
@ -52,11 +61,10 @@ func (c *Container) attach(streams *define.AttachStreams, keys string, resize <-
 	if err != nil {
 		return err
 	}
-	socketPath := buildSocketPath(attachSock)

-	conn, err := net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: socketPath, Net: "unixpacket"})
+	conn, err := openUnixSocket(attachSock)
 	if err != nil {
-		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", socketPath)
+		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", attachSock)
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
@ -124,7 +132,6 @@ func (c *Container) attachToExec(streams *define.AttachStreams, keys *string, se
 	if err != nil {
 		return err
 	}
-	socketPath := buildSocketPath(sockPath)

 	// 2: read from attachFd that the parent process has set up the console socket
 	if _, err := readConmonPipeData(attachFd, ""); err != nil {
@ -132,9 +139,9 @@ func (c *Container) attachToExec(streams *define.AttachStreams, keys *string, se
 	}

 	// 2: then attach
-	conn, err := net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: socketPath, Net: "unixpacket"})
+	conn, err := openUnixSocket(sockPath)
 	if err != nil {
-		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", socketPath)
+		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", sockPath)
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
@ -182,16 +189,6 @@ func registerResizeFunc(resize <-chan remotecommand.TerminalSize, bundlePath str
 	})
 }

-func buildSocketPath(socketPath string) string {
-	maxUnixLength := unixPathLength()
-	if maxUnixLength < len(socketPath) {
-		socketPath = socketPath[0:maxUnixLength]
-	}
-
-	logrus.Debug("connecting to socket ", socketPath)
-	return socketPath
-}
-
 func setupStdioChannels(streams *define.AttachStreams, conn *net.UnixConn, detachKeys []byte) (chan error, chan error) {
 	receiveStdoutError := make(chan error)
 	go func() {
--- a/libpod/oci_attach_linux_cgo.go
+++ b/libpod/oci_attach_linux_cgo.go
@ -1,11 +0,0 @@
-//+build linux,cgo
-
-package libpod
-
-//#include <sys/un.h>
-// extern int unix_path_length(){struct sockaddr_un addr; return sizeof(addr.sun_path) - 1;}
-import "C"
-
-func unixPathLength() int {
-	return int(C.unix_path_length())
-}
--- a/libpod/oci_attach_linux_nocgo.go
+++ b/libpod/oci_attach_linux_nocgo.go
@ -1,7 +0,0 @@
-//+build linux,!cgo
-
-package libpod
-
-func unixPathLength() int {
-	return 107
-}
--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
@ -2,7 +2,6 @@ package libpod

 import (
 	"fmt"
-	"net"
 	"net/http"
 	"os"
 	"os/exec"
@ -512,7 +511,6 @@ func attachExecHTTP(c *Container, sessionID string, r *http.Request, w http.Resp
 	if err != nil {
 		return err
 	}
-	socketPath := buildSocketPath(sockPath)

 	// 2: read from attachFd that the parent process has set up the console socket
 	if _, err := readConmonPipeData(pipes.attachPipe, ""); err != nil {
@ -520,9 +518,9 @@ func attachExecHTTP(c *Container, sessionID string, r *http.Request, w http.Resp
 	}

 	// 2: then attach
-	conn, err := net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: socketPath, Net: "unixpacket"})
+	conn, err := openUnixSocket(sockPath)
 	if err != nil {
-		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", socketPath)
+		return errors.Wrapf(err, "failed to connect to container's attach socket: %v", sockPath)
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@ -529,13 +529,12 @@ func (r *ConmonOCIRuntime) HTTPAttach(ctr *Container, req *http.Request, w http.
 	if err != nil {
 		return err
 	}
-	socketPath := buildSocketPath(attachSock)

 	var conn *net.UnixConn
 	if streamAttach {
-		newConn, err := net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: socketPath, Net: "unixpacket"})
+		newConn, err := openUnixSocket(attachSock)
 		if err != nil {
-			return errors.Wrapf(err, "failed to connect to container's attach socket: %v", socketPath)
+			return errors.Wrapf(err, "failed to connect to container's attach socket: %v", attachSock)
 		}
 		conn = newConn
 		defer func() {
@ -544,7 +543,7 @@ func (r *ConmonOCIRuntime) HTTPAttach(ctr *Container, req *http.Request, w http.
 			}
 		}()

-		logrus.Debugf("Successfully connected to container %s attach socket %s", ctr.ID(), socketPath)
+		logrus.Debugf("Successfully connected to container %s attach socket %s", ctr.ID(), attachSock)
 	}

 	detachString := ctr.runtime.config.Engine.DetachKeys