We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
run prepare() -- which consists of creating a network namespace and
mounting the container image is now run in parallel. This saves 25-40ms.
Signed-off-by: baude <bbaude@redhat.com>
As discussed [1], the runlabel command should execute any command
specified in a label. The reasoning behind is that we cannot restrict
which options are passed to Podman which thereby has full access to the
host (runlabels must be used with care).
With the updated semantics, runlabel will substitute the commands with a
basepath equal to "docker" or "podman" with "/proc/self/exe", and
otherwise leave the command unchanged to execute any other command on
the host.
[1] https://github.com/containers/libpod/pull/1607#issuecomment-428321382
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
prevent opening the same file twice, since we re-exec podman in
rootless mode. While at it, also solve a possible race between the
check for the file and writing to it. Another process could have
created the file in the meanwhile and we would just end up overwriting
it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when reading the output from conmon using the JSON methods, it appears that
JSON marshalling is higher in pprof than it really is because the pipe is
"waiting" for a response. this gives us a clearer look at the real CPU/time
consumers.
Signed-off-by: baude <bbaude@redhat.com>
This removes duplicate code paths which has been previously factored out
as getAllOrLatestContainers().
Signed-off-by: Adrian Reber <areber@redhat.com>
Instead of duplicating the same code in multiple commands this uses the
newly added function checkAllAndLatest() instead.
Signed-off-by: Adrian Reber <areber@redhat.com>
Just as the checkAllAndLatest() function the new code in
getAllOrLatestContainers() is used in some commands and duplicated. This
factors out this code to be used in other places without duplicating it.
Signed-off-by: Adrian Reber <areber@redhat.com>
The check about the --all and --latest option is used and repeated and
some commands. Factor it out and put it into common.
Signed-off-by: Adrian Reber <areber@redhat.com>
* Added tox configuration to test python 3.4, 3.5 and 3.6.
Tox testing not enabled on every PR
* Updated MANIFEST.ini to support tox
* Correct comments
Fixes#1641
Signed-off-by: Jhon Honce <jhonce@redhat.com>
We probably won't be able to initialize a firewall plugin when we
are not running as root, so we shouldn't even try. Replace the
less-effect EUID check with the rootless package's better check
to make sure we don't accidentally set up the firewall in these
cases.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Fix the parsing of environment variables to catch invalid ones, such as
`-e = ` or `-e =A`, early in the stack to return meaningful error
messages. Also, instead of erroring out, set unspecified env variables
as empty (e.g., `-e FOO`) to remain compatible with Docker.
Fixes: #1663
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
The newly introduced CRIU version check is now used to make sure
checkpointing and restoring is only used if the CRIU version is new
enough.
Signed-off-by: Adrian Reber <areber@redhat.com>
