mirror of
https://github.com/containers/podman.git
synced 2025-05-21 17:16:22 +08:00
020abbfeab
This creates error objects for runtime errors that might come from the runtime. Thus, indicating to users that the place to debug should be in the security attributes of the container. When creating a container with a SELinux label that doesn't exist, we get a fairly cryptic error message: ``` $ podman run --security-opt label=type:my_container.process -it fedora bash Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument ``` This instead handles any errors coming from LSM's `/proc` API and enhances the error message with a relevant indicator that it's related to the container's security attributes. A sample run looks as follows: ``` $ bin/podman run --security-opt label=type:my_container.process -it fedora bash Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute ``` With `debug` log level enabled it would be: ``` Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute ``` Note that these errors wrap ErrOCIRuntime, so it's still possible to to compare these errors with `errors.Is/errors.As`. One advantage of this approach is that we could start handling these errors in a more efficient manner in the future. e.g. If a SELinux label doesn't exist (yet), we could retry until it becomes available. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
198 lines
8.8 KiB
Go
198 lines
8.8 KiB
Go
package define
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
)
|
|
|
|
var (
|
|
// ErrNoSuchCtr indicates the requested container does not exist
|
|
ErrNoSuchCtr = errors.New("no such container")
|
|
|
|
// ErrNoSuchPod indicates the requested pod does not exist
|
|
ErrNoSuchPod = errors.New("no such pod")
|
|
|
|
// ErrNoSuchImage indicates the requested image does not exist
|
|
ErrNoSuchImage = errors.New("no such image")
|
|
|
|
// ErrMultipleImages found multiple name and tag matches
|
|
ErrMultipleImages = errors.New("found multiple name and tag matches")
|
|
|
|
// ErrNoSuchTag indicates the requested image tag does not exist
|
|
ErrNoSuchTag = errors.New("no such tag")
|
|
|
|
// ErrNoSuchVolume indicates the requested volume does not exist
|
|
ErrNoSuchVolume = errors.New("no such volume")
|
|
|
|
// ErrNoSuchNetwork indicates the requested network does not exist
|
|
ErrNoSuchNetwork = errors.New("network not found")
|
|
|
|
// ErrNoSuchExecSession indicates that the requested exec session does
|
|
// not exist.
|
|
ErrNoSuchExecSession = errors.New("no such exec session")
|
|
|
|
// ErrNoAliases indicates that the container does not have any network
|
|
// aliases.
|
|
ErrNoAliases = errors.New("no aliases for container")
|
|
|
|
// ErrCtrExists indicates a container with the same name or ID already
|
|
// exists
|
|
ErrCtrExists = errors.New("container already exists")
|
|
// ErrPodExists indicates a pod with the same name or ID already exists
|
|
ErrPodExists = errors.New("pod already exists")
|
|
// ErrImageExists indicates an image with the same ID already exists
|
|
ErrImageExists = errors.New("image already exists")
|
|
// ErrVolumeExists indicates a volume with the same name already exists
|
|
ErrVolumeExists = errors.New("volume already exists")
|
|
// ErrExecSessionExists indicates an exec session with the same ID
|
|
// already exists.
|
|
ErrExecSessionExists = errors.New("exec session already exists")
|
|
// ErrNetworkExists indicates that a network with the given name already
|
|
// exists.
|
|
ErrNetworkExists = errors.New("network already exists")
|
|
|
|
// ErrCtrStateInvalid indicates a container is in an improper state for
|
|
// the requested operation
|
|
ErrCtrStateInvalid = errors.New("container state improper")
|
|
// ErrExecSessionStateInvalid indicates that an exec session is in an
|
|
// improper state for the requested operation
|
|
ErrExecSessionStateInvalid = errors.New("exec session state improper")
|
|
// ErrVolumeBeingUsed indicates that a volume is being used by at least one container
|
|
ErrVolumeBeingUsed = errors.New("volume is being used")
|
|
|
|
// ErrRuntimeFinalized indicates that the runtime has already been
|
|
// created and cannot be modified
|
|
ErrRuntimeFinalized = errors.New("runtime has been finalized")
|
|
// ErrCtrFinalized indicates that the container has already been created
|
|
// and cannot be modified
|
|
ErrCtrFinalized = errors.New("container has been finalized")
|
|
// ErrPodFinalized indicates that the pod has already been created and
|
|
// cannot be modified
|
|
ErrPodFinalized = errors.New("pod has been finalized")
|
|
// ErrVolumeFinalized indicates that the volume has already been created and
|
|
// cannot be modified
|
|
ErrVolumeFinalized = errors.New("volume has been finalized")
|
|
|
|
// ErrInvalidArg indicates that an invalid argument was passed
|
|
ErrInvalidArg = errors.New("invalid argument")
|
|
// ErrEmptyID indicates that an empty ID was passed
|
|
ErrEmptyID = errors.New("name or ID cannot be empty")
|
|
|
|
// ErrInternal indicates an internal library error
|
|
ErrInternal = errors.New("internal libpod error")
|
|
|
|
// ErrPodPartialFail indicates that a pod operation was only partially
|
|
// successful, and some containers within the pod failed.
|
|
ErrPodPartialFail = errors.New("some containers failed")
|
|
|
|
// ErrDetach indicates that an attach session was manually detached by
|
|
// the user.
|
|
ErrDetach = errors.New("detached from container")
|
|
|
|
// ErrWillDeadlock indicates that the requested operation will cause a
|
|
// deadlock. This is usually caused by upgrade issues, and is resolved
|
|
// by renumbering the locks.
|
|
ErrWillDeadlock = errors.New("deadlock due to lock mismatch")
|
|
|
|
// ErrNoCgroups indicates that the container does not have its own
|
|
// CGroup.
|
|
ErrNoCgroups = errors.New("this container does not have a cgroup")
|
|
// ErrNoLogs indicates that this container is not creating a log so log
|
|
// operations cannot be performed on it
|
|
ErrNoLogs = errors.New("this container is not logging output")
|
|
|
|
// ErrRootless indicates that the given command cannot but run without
|
|
// root.
|
|
ErrRootless = errors.New("operation requires root privileges")
|
|
|
|
// ErrRuntimeStopped indicates that the runtime has already been shut
|
|
// down and no further operations can be performed on it
|
|
ErrRuntimeStopped = errors.New("runtime has already been stopped")
|
|
// ErrCtrStopped indicates that the requested container is not running
|
|
// and the requested operation cannot be performed until it is started
|
|
ErrCtrStopped = errors.New("container is stopped")
|
|
|
|
// ErrCtrRemoved indicates that the container has already been removed
|
|
// and no further operations can be performed on it
|
|
ErrCtrRemoved = errors.New("container has already been removed")
|
|
// ErrPodRemoved indicates that the pod has already been removed and no
|
|
// further operations can be performed on it
|
|
ErrPodRemoved = errors.New("pod has already been removed")
|
|
// ErrVolumeRemoved indicates that the volume has already been removed and
|
|
// no further operations can be performed on it
|
|
ErrVolumeRemoved = errors.New("volume has already been removed")
|
|
// ErrExecSessionRemoved indicates that the exec session has already
|
|
// been removed and no further operations can be performed on it.
|
|
ErrExecSessionRemoved = errors.New("exec session has already been removed")
|
|
|
|
// ErrDBClosed indicates that the connection to the state database has
|
|
// already been closed
|
|
ErrDBClosed = errors.New("database connection already closed")
|
|
// ErrDBBadConfig indicates that the database has a different schema or
|
|
// was created by a libpod with a different config
|
|
ErrDBBadConfig = errors.New("database configuration mismatch")
|
|
|
|
// ErrNSMismatch indicates that the requested pod or container is in a
|
|
// different namespace and cannot be accessed or modified.
|
|
ErrNSMismatch = errors.New("target is in a different namespace")
|
|
|
|
// ErrNotImplemented indicates that the requested functionality is not
|
|
// yet present
|
|
ErrNotImplemented = errors.New("not yet implemented")
|
|
|
|
// ErrOSNotSupported indicates the function is not available on the particular
|
|
// OS.
|
|
ErrOSNotSupported = errors.New("no support for this OS yet")
|
|
|
|
// ErrOCIRuntime indicates a generic error from the OCI runtime
|
|
ErrOCIRuntime = errors.New("OCI runtime error")
|
|
|
|
// ErrOCIRuntimePermissionDenied indicates the OCI runtime attempted to invoke a command that returned
|
|
// a permission denied error
|
|
ErrOCIRuntimePermissionDenied = errors.New("OCI permission denied")
|
|
|
|
// ErrOCIRuntimeNotFound indicates the OCI runtime attempted to invoke a command
|
|
// that was not found
|
|
ErrOCIRuntimeNotFound = errors.New("OCI not found")
|
|
|
|
// ErrOCIRuntimeUnavailable indicates that the OCI runtime associated to a container
|
|
// could not be found in the configuration
|
|
ErrOCIRuntimeUnavailable = errors.New("OCI unavailable")
|
|
|
|
// ErrConmonOutdated indicates the version of conmon found (whether via the configuration or $PATH)
|
|
// is out of date for the current podman version
|
|
ErrConmonOutdated = errors.New("outdated conmon version")
|
|
// ErrConmonDead indicates that the container's conmon process has been
|
|
// killed, preventing normal operation.
|
|
ErrConmonDead = errors.New("conmon process killed")
|
|
|
|
// ErrImageInUse indicates the requested operation failed because the image was in use
|
|
ErrImageInUse = errors.New("image is being used")
|
|
|
|
// ErrNetworkOnPodContainer indicates the user wishes to alter network attributes on a container
|
|
// in a pod. This cannot be done as the infra container has all the network information
|
|
ErrNetworkOnPodContainer = errors.New("network cannot be configured when it is shared with a pod")
|
|
|
|
// ErrNetworkInUse indicates the requested operation failed because the network was in use
|
|
ErrNetworkInUse = errors.New("network is being used")
|
|
|
|
// ErrStoreNotInitialized indicates that the container storage was never
|
|
// initialized.
|
|
ErrStoreNotInitialized = errors.New("the container storage was never initialized")
|
|
|
|
// ErrNoNetwork indicates that a container has no net namespace, like network=none
|
|
ErrNoNetwork = errors.New("container has no network namespace")
|
|
|
|
// ErrSetSecurityAttribute indicates that a request to set a container's security attribute
|
|
// was not possible.
|
|
ErrSetSecurityAttribute = fmt.Errorf("%w: unable to assign security attribute", ErrOCIRuntime)
|
|
|
|
// ErrGetSecurityAttribute indicates that a request to get a container's security attribute
|
|
// was not possible.
|
|
ErrGetSecurityAttribute = fmt.Errorf("%w: unable to get security attribute", ErrOCIRuntime)
|
|
|
|
// ErrSecurityAttribute indicates that an error processing security attributes
|
|
// for the container
|
|
ErrSecurityAttribute = fmt.Errorf("%w: unable to process security attribute", ErrOCIRuntime)
|
|
)
|