mirror of
				https://github.com/containers/podman.git
				synced 2025-10-26 18:54:17 +08:00 
			
		
		
		
	 c819c7a973
			
		
	
	c819c7a973
	
	
	
		
			
			It seems that if some background tasks are queued in libpod's Runtime before the worker's channel is set up (eg. in the refresh phase), they are not executed later on, but the workerGroup's counter is still ticked up. This leads podman to hang when the imageEngine is shutdown, since it waits for the workerGroup to be done. fixes containers/podman#22984 Signed-off-by: Farya Maerten <me@ltow.me>
		
			
				
	
	
		
			1390 lines
		
	
	
		
			44 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			1390 lines
		
	
	
		
			44 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| //go:build !remote
 | |
| 
 | |
| package libpod
 | |
| 
 | |
| import (
 | |
| 	"bufio"
 | |
| 	"context"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"io/fs"
 | |
| 	"os"
 | |
| 	"path/filepath"
 | |
| 	"strings"
 | |
| 	"sync"
 | |
| 	"syscall"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/containers/buildah/pkg/parse"
 | |
| 	"github.com/containers/common/libimage"
 | |
| 	"github.com/containers/common/libnetwork/network"
 | |
| 	nettypes "github.com/containers/common/libnetwork/types"
 | |
| 	"github.com/containers/common/pkg/cgroups"
 | |
| 	"github.com/containers/common/pkg/config"
 | |
| 	"github.com/containers/common/pkg/secrets"
 | |
| 	systemdCommon "github.com/containers/common/pkg/systemd"
 | |
| 	"github.com/containers/image/v5/pkg/sysregistriesv2"
 | |
| 	is "github.com/containers/image/v5/storage"
 | |
| 	"github.com/containers/image/v5/types"
 | |
| 	"github.com/containers/podman/v5/libpod/define"
 | |
| 	"github.com/containers/podman/v5/libpod/events"
 | |
| 	"github.com/containers/podman/v5/libpod/lock"
 | |
| 	"github.com/containers/podman/v5/libpod/plugin"
 | |
| 	"github.com/containers/podman/v5/libpod/shutdown"
 | |
| 	"github.com/containers/podman/v5/pkg/domain/entities"
 | |
| 	"github.com/containers/podman/v5/pkg/rootless"
 | |
| 	"github.com/containers/podman/v5/pkg/systemd"
 | |
| 	"github.com/containers/podman/v5/pkg/util"
 | |
| 	"github.com/containers/storage"
 | |
| 	"github.com/containers/storage/pkg/fileutils"
 | |
| 	"github.com/containers/storage/pkg/lockfile"
 | |
| 	"github.com/containers/storage/pkg/unshare"
 | |
| 	"github.com/docker/docker/pkg/namesgenerator"
 | |
| 	"github.com/hashicorp/go-multierror"
 | |
| 	jsoniter "github.com/json-iterator/go"
 | |
| 	spec "github.com/opencontainers/runtime-spec/specs-go"
 | |
| 	"github.com/sirupsen/logrus"
 | |
| 	"golang.org/x/exp/slices"
 | |
| )
 | |
| 
 | |
| // Set up the JSON library for all of Libpod
 | |
| var json = jsoniter.ConfigCompatibleWithStandardLibrary
 | |
| 
 | |
| // A RuntimeOption is a functional option which alters the Runtime created by
 | |
| // NewRuntime
 | |
| type RuntimeOption func(*Runtime) error
 | |
| 
 | |
| type storageSet struct {
 | |
| 	RunRootSet         bool
 | |
| 	GraphRootSet       bool
 | |
| 	StaticDirSet       bool
 | |
| 	VolumePathSet      bool
 | |
| 	GraphDriverNameSet bool
 | |
| 	TmpDirSet          bool
 | |
| }
 | |
| 
 | |
| // Runtime is the core libpod runtime
 | |
| type Runtime struct {
 | |
| 	config        *config.Config
 | |
| 	storageConfig storage.StoreOptions
 | |
| 	storageSet    storageSet
 | |
| 
 | |
| 	state                  State
 | |
| 	store                  storage.Store
 | |
| 	storageService         *storageService
 | |
| 	imageContext           *types.SystemContext
 | |
| 	defaultOCIRuntime      OCIRuntime
 | |
| 	ociRuntimes            map[string]OCIRuntime
 | |
| 	runtimeFlags           []string
 | |
| 	network                nettypes.ContainerNetwork
 | |
| 	conmonPath             string
 | |
| 	libimageRuntime        *libimage.Runtime
 | |
| 	libimageEventsShutdown chan bool
 | |
| 	lockManager            lock.Manager
 | |
| 
 | |
| 	// Worker
 | |
| 	workerChannel chan func()
 | |
| 	workerGroup   sync.WaitGroup
 | |
| 
 | |
| 	// syslog describes whenever logrus should log to the syslog as well.
 | |
| 	// Note that the syslog hook will be enabled early in cmd/podman/syslog_linux.go
 | |
| 	// This bool is just needed so that we can set it for netavark interface.
 | |
| 	syslog bool
 | |
| 
 | |
| 	// doReset indicates that the runtime will perform a system reset.
 | |
| 	// A reset will remove all containers, pods, volumes, networks, etc.
 | |
| 	// A number of validation checks are relaxed, or replaced with logic to
 | |
| 	// remove as much of the runtime as possible if they fail. This ensures
 | |
| 	// that even a broken Libpod can still be removed via `system reset`.
 | |
| 	// This does not actually perform a `system reset`. That is done by
 | |
| 	// calling "Reset()" on the returned runtime.
 | |
| 	doReset bool
 | |
| 	// doRenumber indicates that the runtime will perform a system renumber.
 | |
| 	// A renumber will reassign lock numbers for all containers, pods, etc.
 | |
| 	// This will not perform the renumber itself, but will ignore some
 | |
| 	// errors related to lock initialization so a renumber can be performed
 | |
| 	// if something has gone wrong.
 | |
| 	doRenumber bool
 | |
| 
 | |
| 	// valid indicates whether the runtime is ready to use.
 | |
| 	// valid is set to true when a runtime is returned from GetRuntime(),
 | |
| 	// and remains true until the runtime is shut down (rendering its
 | |
| 	// storage unusable). When valid is false, the runtime cannot be used.
 | |
| 	valid bool
 | |
| 
 | |
| 	// mechanism to read and write even logs
 | |
| 	eventer events.Eventer
 | |
| 
 | |
| 	// secretsManager manages secrets
 | |
| 	secretsManager *secrets.SecretsManager
 | |
| }
 | |
| 
 | |
| // SetXdgDirs ensures the XDG_RUNTIME_DIR env and XDG_CONFIG_HOME variables are set.
 | |
| // containers/image uses XDG_RUNTIME_DIR to locate the auth file, XDG_CONFIG_HOME is
 | |
| // use for the containers.conf configuration file.
 | |
| func SetXdgDirs() error {
 | |
| 	if !rootless.IsRootless() {
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	// Set up XDG_RUNTIME_DIR
 | |
| 	runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
 | |
| 
 | |
| 	if runtimeDir == "" {
 | |
| 		var err error
 | |
| 		runtimeDir, err = util.GetRootlessRuntimeDir()
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 	}
 | |
| 	if err := os.Setenv("XDG_RUNTIME_DIR", runtimeDir); err != nil {
 | |
| 		return fmt.Errorf("cannot set XDG_RUNTIME_DIR: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	if rootless.IsRootless() && os.Getenv("DBUS_SESSION_BUS_ADDRESS") == "" {
 | |
| 		sessionAddr := filepath.Join(runtimeDir, "bus")
 | |
| 		if err := fileutils.Exists(sessionAddr); err == nil {
 | |
| 			os.Setenv("DBUS_SESSION_BUS_ADDRESS", fmt.Sprintf("unix:path=%s", sessionAddr))
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Set up XDG_CONFIG_HOME
 | |
| 	if cfgHomeDir := os.Getenv("XDG_CONFIG_HOME"); cfgHomeDir == "" {
 | |
| 		cfgHomeDir, err := util.GetRootlessConfigHomeDir()
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 		if err := os.Setenv("XDG_CONFIG_HOME", cfgHomeDir); err != nil {
 | |
| 			return fmt.Errorf("cannot set XDG_CONFIG_HOME: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // NewRuntime creates a new container runtime
 | |
| // Options can be passed to override the default configuration for the runtime
 | |
| func NewRuntime(ctx context.Context, options ...RuntimeOption) (*Runtime, error) {
 | |
| 	conf, err := config.Default()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return newRuntimeFromConfig(ctx, conf, options...)
 | |
| }
 | |
| 
 | |
| // NewRuntimeFromConfig creates a new container runtime using the given
 | |
| // configuration file for its default configuration. Passed RuntimeOption
 | |
| // functions can be used to mutate this configuration further.
 | |
| // An error will be returned if the configuration file at the given path does
 | |
| // not exist or cannot be loaded
 | |
| func NewRuntimeFromConfig(ctx context.Context, userConfig *config.Config, options ...RuntimeOption) (*Runtime, error) {
 | |
| 	return newRuntimeFromConfig(ctx, userConfig, options...)
 | |
| }
 | |
| 
 | |
| func newRuntimeFromConfig(ctx context.Context, conf *config.Config, options ...RuntimeOption) (*Runtime, error) {
 | |
| 	runtime := new(Runtime)
 | |
| 
 | |
| 	if conf.Engine.OCIRuntime == "" {
 | |
| 		conf.Engine.OCIRuntime = "runc"
 | |
| 		// If we're running on cgroups v2, default to using crun.
 | |
| 		if onCgroupsv2, _ := cgroups.IsCgroup2UnifiedMode(); onCgroupsv2 {
 | |
| 			conf.Engine.OCIRuntime = "crun"
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	runtime.config = conf
 | |
| 
 | |
| 	if err := SetXdgDirs(); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	storeOpts, err := storage.DefaultStoreOptions()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	runtime.storageConfig = storeOpts
 | |
| 
 | |
| 	// Overwrite config with user-given configuration options
 | |
| 	for _, opt := range options {
 | |
| 		if err := opt(runtime); err != nil {
 | |
| 			return nil, fmt.Errorf("configuring runtime: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if err := shutdown.Register("libpod", func(sig os.Signal) error {
 | |
| 		// For `systemctl stop podman.service` support, exit code should be 0
 | |
| 		if sig == syscall.SIGTERM {
 | |
| 			os.Exit(0)
 | |
| 		}
 | |
| 		os.Exit(1)
 | |
| 		return nil
 | |
| 	}); err != nil && !errors.Is(err, shutdown.ErrHandlerExists) {
 | |
| 		logrus.Errorf("Registering shutdown handler for libpod: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	if err := shutdown.Start(); err != nil {
 | |
| 		return nil, fmt.Errorf("starting shutdown signal handler: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	if err := makeRuntime(ctx, runtime); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	runtime.config.CheckCgroupsAndAdjustConfig()
 | |
| 
 | |
| 	return runtime, nil
 | |
| }
 | |
| 
 | |
| func getLockManager(runtime *Runtime) (lock.Manager, error) {
 | |
| 	var err error
 | |
| 	var manager lock.Manager
 | |
| 
 | |
| 	switch runtime.config.Engine.LockType {
 | |
| 	case "file":
 | |
| 		lockPath := filepath.Join(runtime.config.Engine.TmpDir, "locks")
 | |
| 		manager, err = lock.OpenFileLockManager(lockPath)
 | |
| 		if err != nil {
 | |
| 			if errors.Is(err, os.ErrNotExist) {
 | |
| 				manager, err = lock.NewFileLockManager(lockPath)
 | |
| 				if err != nil {
 | |
| 					return nil, fmt.Errorf("failed to get new file lock manager: %w", err)
 | |
| 				}
 | |
| 			} else {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 	case "", "shm":
 | |
| 		lockPath := define.DefaultSHMLockPath
 | |
| 		if rootless.IsRootless() {
 | |
| 			lockPath = fmt.Sprintf("%s_%d", define.DefaultRootlessSHMLockPath, rootless.GetRootlessUID())
 | |
| 		}
 | |
| 		// Set up the lock manager
 | |
| 		manager, err = lock.OpenSHMLockManager(lockPath, runtime.config.Engine.NumLocks)
 | |
| 		if err != nil {
 | |
| 			switch {
 | |
| 			case errors.Is(err, os.ErrNotExist):
 | |
| 				manager, err = lock.NewSHMLockManager(lockPath, runtime.config.Engine.NumLocks)
 | |
| 				if err != nil {
 | |
| 					return nil, fmt.Errorf("failed to get new shm lock manager: %w", err)
 | |
| 				}
 | |
| 			case errors.Is(err, syscall.ERANGE) && runtime.doRenumber:
 | |
| 				logrus.Debugf("Number of locks does not match - removing old locks")
 | |
| 
 | |
| 				// ERANGE indicates a lock numbering mismatch.
 | |
| 				// Since we're renumbering, this is not fatal.
 | |
| 				// Remove the earlier set of locks and recreate.
 | |
| 				if err := os.Remove(filepath.Join("/dev/shm", lockPath)); err != nil {
 | |
| 					return nil, fmt.Errorf("removing libpod locks file %s: %w", lockPath, err)
 | |
| 				}
 | |
| 
 | |
| 				manager, err = lock.NewSHMLockManager(lockPath, runtime.config.Engine.NumLocks)
 | |
| 				if err != nil {
 | |
| 					return nil, err
 | |
| 				}
 | |
| 			default:
 | |
| 				return nil, err
 | |
| 			}
 | |
| 		}
 | |
| 	default:
 | |
| 		return nil, fmt.Errorf("unknown lock type %s: %w", runtime.config.Engine.LockType, define.ErrInvalidArg)
 | |
| 	}
 | |
| 	return manager, nil
 | |
| }
 | |
| 
 | |
| func getDBState(runtime *Runtime) (State, error) {
 | |
| 	// TODO - if we further break out the state implementation into
 | |
| 	// libpod/state, the config could take care of the code below.  It
 | |
| 	// would further allow to move the types and consts into a coherent
 | |
| 	// package.
 | |
| 	backend, err := config.ParseDBBackend(runtime.config.Engine.DBBackend)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	// get default boltdb path
 | |
| 	baseDir := runtime.config.Engine.StaticDir
 | |
| 	if runtime.storageConfig.TransientStore {
 | |
| 		baseDir = runtime.config.Engine.TmpDir
 | |
| 	}
 | |
| 	boltDBPath := filepath.Join(baseDir, "bolt_state.db")
 | |
| 
 | |
| 	switch backend {
 | |
| 	case config.DBBackendDefault:
 | |
| 		// for backwards compatibility check if boltdb exists, if it does not we use sqlite
 | |
| 		if err := fileutils.Exists(boltDBPath); err != nil {
 | |
| 			if errors.Is(err, fs.ErrNotExist) {
 | |
| 				// need to set DBBackend string so podman info will show the backend name correctly
 | |
| 				runtime.config.Engine.DBBackend = config.DBBackendSQLite.String()
 | |
| 				return NewSqliteState(runtime)
 | |
| 			}
 | |
| 			// Return error here some other problem with the boltdb file, rather than silently
 | |
| 			// switch to sqlite which would be hard to debug for the user return the error back
 | |
| 			// as this likely a real bug.
 | |
| 			return nil, err
 | |
| 		}
 | |
| 		runtime.config.Engine.DBBackend = config.DBBackendBoltDB.String()
 | |
| 		fallthrough
 | |
| 	case config.DBBackendBoltDB:
 | |
| 		return NewBoltState(boltDBPath, runtime)
 | |
| 	case config.DBBackendSQLite:
 | |
| 		return NewSqliteState(runtime)
 | |
| 	default:
 | |
| 		return nil, fmt.Errorf("unrecognized database backend passed (%q): %w", backend.String(), define.ErrInvalidArg)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // Make a new runtime based on the given configuration
 | |
| // Sets up containers/storage, state store, OCI runtime
 | |
| func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
 | |
| 	// Find a working conmon binary
 | |
| 	cPath, err := runtime.config.FindConmon()
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	runtime.conmonPath = cPath
 | |
| 
 | |
| 	if runtime.config.Engine.StaticDir == "" {
 | |
| 		runtime.config.Engine.StaticDir = filepath.Join(runtime.storageConfig.GraphRoot, "libpod")
 | |
| 		runtime.storageSet.StaticDirSet = true
 | |
| 	}
 | |
| 
 | |
| 	if runtime.config.Engine.VolumePath == "" {
 | |
| 		runtime.config.Engine.VolumePath = filepath.Join(runtime.storageConfig.GraphRoot, "volumes")
 | |
| 		runtime.storageSet.VolumePathSet = true
 | |
| 	}
 | |
| 
 | |
| 	// Make the static files directory if it does not exist
 | |
| 	if err := os.MkdirAll(runtime.config.Engine.StaticDir, 0700); err != nil {
 | |
| 		// The directory is allowed to exist
 | |
| 		if !errors.Is(err, os.ErrExist) {
 | |
| 			return fmt.Errorf("creating runtime static files directory %q: %w", runtime.config.Engine.StaticDir, err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Create the TmpDir if needed
 | |
| 	if err := os.MkdirAll(runtime.config.Engine.TmpDir, 0751); err != nil {
 | |
| 		return fmt.Errorf("creating runtime temporary files directory: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	// Set up the state.
 | |
| 	runtime.state, err = getDBState(runtime)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	// Grab config from the database so we can reset some defaults
 | |
| 	dbConfig, err := runtime.state.GetDBConfig()
 | |
| 	if err != nil {
 | |
| 		if runtime.doReset {
 | |
| 			// We can at least delete the DB and the static files
 | |
| 			// directory.
 | |
| 			// Can't safely touch anything else because we aren't
 | |
| 			// sure of other directories.
 | |
| 			if err := runtime.state.Close(); err != nil {
 | |
| 				logrus.Errorf("Closing database connection: %v", err)
 | |
| 			} else {
 | |
| 				if err := os.RemoveAll(runtime.config.Engine.StaticDir); err != nil {
 | |
| 					logrus.Errorf("Removing static files directory %v: %v", runtime.config.Engine.StaticDir, err)
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		return fmt.Errorf("retrieving runtime configuration from database: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	runtime.mergeDBConfig(dbConfig)
 | |
| 
 | |
| 	checkCgroups2UnifiedMode(runtime)
 | |
| 
 | |
| 	logrus.Debugf("Using graph driver %s", runtime.storageConfig.GraphDriverName)
 | |
| 	logrus.Debugf("Using graph root %s", runtime.storageConfig.GraphRoot)
 | |
| 	logrus.Debugf("Using run root %s", runtime.storageConfig.RunRoot)
 | |
| 	logrus.Debugf("Using static dir %s", runtime.config.Engine.StaticDir)
 | |
| 	logrus.Debugf("Using tmp dir %s", runtime.config.Engine.TmpDir)
 | |
| 	logrus.Debugf("Using volume path %s", runtime.config.Engine.VolumePath)
 | |
| 	logrus.Debugf("Using transient store: %v", runtime.storageConfig.TransientStore)
 | |
| 
 | |
| 	// Validate our config against the database, now that we've set our
 | |
| 	// final storage configuration
 | |
| 	if err := runtime.state.ValidateDBConfig(runtime); err != nil {
 | |
| 		// If we are performing a storage reset: continue on with a
 | |
| 		// warning. Otherwise we can't `system reset` after a change to
 | |
| 		// the core paths.
 | |
| 		if !runtime.doReset {
 | |
| 			return err
 | |
| 		}
 | |
| 		logrus.Errorf("Runtime paths differ from those stored in database, storage reset may not remove all files")
 | |
| 	}
 | |
| 
 | |
| 	if runtime.config.Engine.Namespace != "" {
 | |
| 		return fmt.Errorf("namespaces are not supported by this version of Libpod, please unset the `namespace` field in containers.conf: %w", define.ErrNotImplemented)
 | |
| 	}
 | |
| 
 | |
| 	needsUserns := os.Geteuid() != 0
 | |
| 	if !needsUserns {
 | |
| 		hasCapSysAdmin, err := unshare.HasCapSysAdmin()
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 		needsUserns = !hasCapSysAdmin
 | |
| 	}
 | |
| 	// Set up containers/storage
 | |
| 	var store storage.Store
 | |
| 	if needsUserns {
 | |
| 		logrus.Debug("Not configuring container store")
 | |
| 	} else if err := runtime.configureStore(); err != nil {
 | |
| 		// Make a best-effort attempt to clean up if performing a
 | |
| 		// storage reset.
 | |
| 		if runtime.doReset {
 | |
| 			if err := runtime.removeAllDirs(); err != nil {
 | |
| 				logrus.Errorf("Removing libpod directories: %v", err)
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		return fmt.Errorf("configure storage: %w", err)
 | |
| 	}
 | |
| 	defer func() {
 | |
| 		if retErr != nil && store != nil {
 | |
| 			// Don't forcibly shut down
 | |
| 			// We could be opening a store in use by another libpod
 | |
| 			if _, err := store.Shutdown(false); err != nil {
 | |
| 				logrus.Errorf("Removing store for partially-created runtime: %s", err)
 | |
| 			}
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	// Set up the eventer
 | |
| 	eventer, err := runtime.newEventer()
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	runtime.eventer = eventer
 | |
| 
 | |
| 	// Set up containers/image
 | |
| 	if runtime.imageContext == nil {
 | |
| 		runtime.imageContext = &types.SystemContext{
 | |
| 			BigFilesTemporaryDir: parse.GetTempDir(),
 | |
| 		}
 | |
| 	}
 | |
| 	runtime.imageContext.SignaturePolicyPath = runtime.config.Engine.SignaturePolicyPath
 | |
| 
 | |
| 	// Get us at least one working OCI runtime.
 | |
| 	runtime.ociRuntimes = make(map[string]OCIRuntime)
 | |
| 
 | |
| 	// Initialize remaining OCI runtimes
 | |
| 	for name, paths := range runtime.config.Engine.OCIRuntimes {
 | |
| 		ociRuntime, err := newConmonOCIRuntime(name, paths, runtime.conmonPath, runtime.runtimeFlags, runtime.config)
 | |
| 		if err != nil {
 | |
| 			// Don't fatally error.
 | |
| 			// This will allow us to ship configs including optional
 | |
| 			// runtimes that might not be installed (crun, kata).
 | |
| 			// Only an infof so default configs don't spec errors.
 | |
| 			logrus.Debugf("Configured OCI runtime %s initialization failed: %v", name, err)
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		runtime.ociRuntimes[name] = ociRuntime
 | |
| 	}
 | |
| 
 | |
| 	// Do we have a default OCI runtime?
 | |
| 	if runtime.config.Engine.OCIRuntime != "" {
 | |
| 		// If the string starts with / it's a path to a runtime
 | |
| 		// executable.
 | |
| 		if strings.HasPrefix(runtime.config.Engine.OCIRuntime, "/") {
 | |
| 			ociRuntime, err := newConmonOCIRuntime(runtime.config.Engine.OCIRuntime, []string{runtime.config.Engine.OCIRuntime}, runtime.conmonPath, runtime.runtimeFlags, runtime.config)
 | |
| 			if err != nil {
 | |
| 				return err
 | |
| 			}
 | |
| 
 | |
| 			runtime.ociRuntimes[runtime.config.Engine.OCIRuntime] = ociRuntime
 | |
| 			runtime.defaultOCIRuntime = ociRuntime
 | |
| 		} else {
 | |
| 			ociRuntime, ok := runtime.ociRuntimes[runtime.config.Engine.OCIRuntime]
 | |
| 			if !ok {
 | |
| 				return fmt.Errorf("default OCI runtime %q not found: %w", runtime.config.Engine.OCIRuntime, define.ErrInvalidArg)
 | |
| 			}
 | |
| 			runtime.defaultOCIRuntime = ociRuntime
 | |
| 		}
 | |
| 	}
 | |
| 	logrus.Debugf("Using OCI runtime %q", runtime.defaultOCIRuntime.Path())
 | |
| 
 | |
| 	// Do we have at least one valid OCI runtime?
 | |
| 	if len(runtime.ociRuntimes) == 0 {
 | |
| 		return fmt.Errorf("no OCI runtime has been configured: %w", define.ErrInvalidArg)
 | |
| 	}
 | |
| 
 | |
| 	// Do we have a default runtime?
 | |
| 	if runtime.defaultOCIRuntime == nil {
 | |
| 		return fmt.Errorf("no default OCI runtime was configured: %w", define.ErrInvalidArg)
 | |
| 	}
 | |
| 
 | |
| 	// the store is only set up when we are in the userns so we do the same for the network interface
 | |
| 	if !needsUserns {
 | |
| 		netBackend, netInterface, err := network.NetworkBackend(runtime.store, runtime.config, runtime.syslog)
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 		runtime.config.Network.NetworkBackend = string(netBackend)
 | |
| 		runtime.network = netInterface
 | |
| 	}
 | |
| 
 | |
| 	// We now need to see if the system has restarted
 | |
| 	// We check for the presence of a file in our tmp directory to verify this
 | |
| 	// This check must be locked to prevent races
 | |
| 	runtimeAliveFile := filepath.Join(runtime.config.Engine.TmpDir, "alive")
 | |
| 	aliveLock, err := runtime.getRuntimeAliveLock()
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("acquiring runtime init lock: %w", err)
 | |
| 	}
 | |
| 	// Acquire the lock and hold it until we return
 | |
| 	// This ensures that no two processes will be in runtime.refresh at once
 | |
| 	aliveLock.Lock()
 | |
| 	doRefresh := false
 | |
| 	unLockFunc := aliveLock.Unlock
 | |
| 	defer func() {
 | |
| 		if unLockFunc != nil {
 | |
| 			unLockFunc()
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	err = fileutils.Exists(runtimeAliveFile)
 | |
| 	if err != nil {
 | |
| 		// If we need to refresh, then it is safe to assume there are
 | |
| 		// no containers running.  Create immediately a namespace, as
 | |
| 		// we will need to access the storage.
 | |
| 		if needsUserns {
 | |
| 			// warn users if mode is rootless and cgroup manager is systemd
 | |
| 			// and no valid systemd session is present
 | |
| 			// warn only whenever new namespace is created
 | |
| 			if runtime.config.Engine.CgroupManager == config.SystemdCgroupsManager {
 | |
| 				unified, _ := cgroups.IsCgroup2UnifiedMode()
 | |
| 				if unified && rootless.IsRootless() && !systemd.IsSystemdSessionValid(rootless.GetRootlessUID()) {
 | |
| 					logrus.Debug("Invalid systemd user session for current user")
 | |
| 				}
 | |
| 			}
 | |
| 			unLockFunc()
 | |
| 			unLockFunc = nil
 | |
| 			pausePid, err := util.GetRootlessPauseProcessPidPath()
 | |
| 			if err != nil {
 | |
| 				return fmt.Errorf("could not get pause process pid file path: %w", err)
 | |
| 			}
 | |
| 
 | |
| 			// create the path in case it does not already exists
 | |
| 			// https://github.com/containers/podman/issues/8539
 | |
| 			if err := os.MkdirAll(filepath.Dir(pausePid), 0o700); err != nil {
 | |
| 				return fmt.Errorf("could not create pause process pid file directory: %w", err)
 | |
| 			}
 | |
| 
 | |
| 			became, ret, err := rootless.BecomeRootInUserNS(pausePid)
 | |
| 			if err != nil {
 | |
| 				return err
 | |
| 			}
 | |
| 			if became {
 | |
| 				// Check if the pause process was created.  If it was created, then
 | |
| 				// move it to its own systemd scope.
 | |
| 				systemdCommon.MovePauseProcessToScope(pausePid)
 | |
| 
 | |
| 				// gocritic complains because defer is not run on os.Exit()
 | |
| 				// However this is fine because the lock is released anyway when the process exits
 | |
| 				//nolint:gocritic
 | |
| 				os.Exit(ret)
 | |
| 			}
 | |
| 		}
 | |
| 		// If the file doesn't exist, we need to refresh the state
 | |
| 		// This will trigger on first use as well, but refreshing an
 | |
| 		// empty state only creates a single file
 | |
| 		// As such, it's not really a performance concern
 | |
| 		if errors.Is(err, os.ErrNotExist) {
 | |
| 			doRefresh = true
 | |
| 		} else {
 | |
| 			return fmt.Errorf("reading runtime status file %s: %w", runtimeAliveFile, err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	runtime.lockManager, err = getLockManager(runtime)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	// Mark the runtime as valid - ready to be used, cannot be modified
 | |
| 	// further.
 | |
| 	// Need to do this *before* refresh as we can remove containers there.
 | |
| 	// Should not be a big deal as we don't return it to users until after
 | |
| 	// refresh runs.
 | |
| 	runtime.valid = true
 | |
| 
 | |
| 	// Setup the worker channel early to start accepting jobs from refresh,
 | |
| 	// but do not start to execute the jobs right away. The runtime is not
 | |
| 	// ready at this point.
 | |
| 	runtime.setupWorkerQueue()
 | |
| 
 | |
| 	// If we need to refresh the state, do it now - things are guaranteed to
 | |
| 	// be set up by now.
 | |
| 	if doRefresh {
 | |
| 		// Ensure we have a store before refresh occurs
 | |
| 		if runtime.store == nil {
 | |
| 			if err := runtime.configureStore(); err != nil {
 | |
| 				return fmt.Errorf("configure storage: %w", err)
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		if err2 := runtime.refresh(ctx, runtimeAliveFile); err2 != nil {
 | |
| 			return err2
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Check current boot ID - will be written to the alive file.
 | |
| 	if err := runtime.checkBootID(runtimeAliveFile); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	runtime.startWorker()
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // TmpDir gets the current Libpod temporary files directory.
 | |
| func (r *Runtime) TmpDir() (string, error) {
 | |
| 	if !r.valid {
 | |
| 		return "", define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	return r.config.Engine.TmpDir, nil
 | |
| }
 | |
| 
 | |
| // GetConfig returns the configuration used by the runtime.
 | |
| // Note that the returned value is not a copy and must hence
 | |
| // only be used in a reading fashion.
 | |
| func (r *Runtime) GetConfigNoCopy() (*config.Config, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 	return r.config, nil
 | |
| }
 | |
| 
 | |
| // GetConfig returns a copy of the configuration used by the runtime.
 | |
| // Please use GetConfigNoCopy() in case you only want to read from
 | |
| // but not write to the returned config.
 | |
| func (r *Runtime) GetConfig() (*config.Config, error) {
 | |
| 	rtConfig, err := r.GetConfigNoCopy()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	config := new(config.Config)
 | |
| 
 | |
| 	// Copy so the caller won't be able to modify the actual config
 | |
| 	if err := JSONDeepCopy(rtConfig, config); err != nil {
 | |
| 		return nil, fmt.Errorf("copying config: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	return config, nil
 | |
| }
 | |
| 
 | |
| // libimageEventsMap translates a libimage event type to a libpod event status.
 | |
| var libimageEventsMap = map[libimage.EventType]events.Status{
 | |
| 	libimage.EventTypeImagePull:      events.Pull,
 | |
| 	libimage.EventTypeImagePullError: events.PullError,
 | |
| 	libimage.EventTypeImagePush:      events.Push,
 | |
| 	libimage.EventTypeImageRemove:    events.Remove,
 | |
| 	libimage.EventTypeImageLoad:      events.LoadFromArchive,
 | |
| 	libimage.EventTypeImageSave:      events.Save,
 | |
| 	libimage.EventTypeImageTag:       events.Tag,
 | |
| 	libimage.EventTypeImageUntag:     events.Untag,
 | |
| 	libimage.EventTypeImageMount:     events.Mount,
 | |
| 	libimage.EventTypeImageUnmount:   events.Unmount,
 | |
| }
 | |
| 
 | |
| // libimageEvents spawns a goroutine which will listen for events on
 | |
| // the libimage.Runtime.  The goroutine will be cleaned up implicitly
 | |
| // when the main() exists.
 | |
| func (r *Runtime) libimageEvents() {
 | |
| 	r.libimageEventsShutdown = make(chan bool)
 | |
| 
 | |
| 	toLibpodEventStatus := func(e *libimage.Event) events.Status {
 | |
| 		status, found := libimageEventsMap[e.Type]
 | |
| 		if !found {
 | |
| 			return "Unknown"
 | |
| 		}
 | |
| 		return status
 | |
| 	}
 | |
| 
 | |
| 	eventChannel := r.libimageRuntime.EventChannel()
 | |
| 	go func() {
 | |
| 		sawShutdown := false
 | |
| 		for {
 | |
| 			// Make sure to read and write all events before
 | |
| 			// shutting down.
 | |
| 			for len(eventChannel) > 0 {
 | |
| 				libimageEvent := <-eventChannel
 | |
| 				e := events.Event{
 | |
| 					ID:     libimageEvent.ID,
 | |
| 					Name:   libimageEvent.Name,
 | |
| 					Status: toLibpodEventStatus(libimageEvent),
 | |
| 					Time:   libimageEvent.Time,
 | |
| 					Type:   events.Image,
 | |
| 				}
 | |
| 				if libimageEvent.Error != nil {
 | |
| 					e.Error = libimageEvent.Error.Error()
 | |
| 				}
 | |
| 				if err := r.eventer.Write(e); err != nil {
 | |
| 					logrus.Errorf("Unable to write image event: %q", err)
 | |
| 				}
 | |
| 			}
 | |
| 
 | |
| 			if sawShutdown {
 | |
| 				close(r.libimageEventsShutdown)
 | |
| 				return
 | |
| 			}
 | |
| 
 | |
| 			select {
 | |
| 			case <-r.libimageEventsShutdown:
 | |
| 				sawShutdown = true
 | |
| 			case <-time.After(100 * time.Millisecond):
 | |
| 			}
 | |
| 		}
 | |
| 	}()
 | |
| }
 | |
| 
 | |
| // DeferredShutdown shuts down the runtime without exposing any
 | |
| // errors. This is only meant to be used when the runtime is being
 | |
| // shutdown within a defer statement; else use Shutdown
 | |
| func (r *Runtime) DeferredShutdown(force bool) {
 | |
| 	_ = r.Shutdown(force)
 | |
| }
 | |
| 
 | |
| // Shutdown shuts down the runtime and associated containers and storage
 | |
| // If force is true, containers and mounted storage will be shut down before
 | |
| // cleaning up; if force is false, an error will be returned if there are
 | |
| // still containers running or mounted
 | |
| func (r *Runtime) Shutdown(force bool) error {
 | |
| 	if !r.valid {
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	if r.workerChannel != nil {
 | |
| 		r.workerGroup.Wait()
 | |
| 		close(r.workerChannel)
 | |
| 	}
 | |
| 
 | |
| 	r.valid = false
 | |
| 
 | |
| 	// Shutdown all containers if --force is given
 | |
| 	if force {
 | |
| 		ctrs, err := r.state.AllContainers(false)
 | |
| 		if err != nil {
 | |
| 			logrus.Errorf("Retrieving containers from database: %v", err)
 | |
| 		} else {
 | |
| 			for _, ctr := range ctrs {
 | |
| 				if err := ctr.StopWithTimeout(r.config.Engine.StopTimeout); err != nil {
 | |
| 					logrus.Errorf("Stopping container %s: %v", ctr.ID(), err)
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	var lastError error
 | |
| 	// If no store was requested, it can be nil and there is no need to
 | |
| 	// attempt to shut it down
 | |
| 	if r.store != nil {
 | |
| 		// Wait for the events to be written.
 | |
| 		if r.libimageEventsShutdown != nil {
 | |
| 			// Tell loop to shutdown
 | |
| 			r.libimageEventsShutdown <- true
 | |
| 			// Wait for close to signal shutdown
 | |
| 			<-r.libimageEventsShutdown
 | |
| 		}
 | |
| 
 | |
| 		// Note that the libimage runtime shuts down the store.
 | |
| 		if err := r.libimageRuntime.Shutdown(force); err != nil {
 | |
| 			lastError = fmt.Errorf("shutting down container storage: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 	if err := r.state.Close(); err != nil {
 | |
| 		if lastError != nil {
 | |
| 			logrus.Error(lastError)
 | |
| 		}
 | |
| 		lastError = err
 | |
| 	}
 | |
| 
 | |
| 	return lastError
 | |
| }
 | |
| 
 | |
| // Reconfigures the runtime after a reboot
 | |
| // Refreshes the state, recreating temporary files
 | |
| // Does not check validity as the runtime is not valid until after this has run
 | |
| func (r *Runtime) refresh(ctx context.Context, alivePath string) error {
 | |
| 	logrus.Debugf("Podman detected system restart - performing state refresh")
 | |
| 
 | |
| 	// Clear state of database if not running in container
 | |
| 	if !graphRootMounted() {
 | |
| 		// First clear the state in the database
 | |
| 		if err := r.state.Refresh(); err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Next refresh the state of all containers to recreate dirs and
 | |
| 	// namespaces, and all the pods to recreate cgroups.
 | |
| 	// Containers, pods, and volumes must also reacquire their locks.
 | |
| 	ctrs, err := r.state.AllContainers(false)
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("retrieving all containers from state: %w", err)
 | |
| 	}
 | |
| 	pods, err := r.state.AllPods()
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("retrieving all pods from state: %w", err)
 | |
| 	}
 | |
| 	vols, err := r.state.AllVolumes()
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("retrieving all volumes from state: %w", err)
 | |
| 	}
 | |
| 	// No locks are taken during pod, volume, and container refresh.
 | |
| 	// Furthermore, the pod/volume/container refresh() functions are not
 | |
| 	// allowed to take locks themselves.
 | |
| 	// We cannot assume that any pod/volume/container has a valid lock until
 | |
| 	// after this function has returned.
 | |
| 	// The runtime alive lock should suffice to provide mutual exclusion
 | |
| 	// until this has run.
 | |
| 	for _, ctr := range ctrs {
 | |
| 		if err := ctr.refresh(); err != nil {
 | |
| 			logrus.Errorf("Refreshing container %s: %v", ctr.ID(), err)
 | |
| 		}
 | |
| 		// This is the only place it's safe to use ctr.state.State unlocked
 | |
| 		// We're holding the alive lock, guaranteed to be the only Libpod on the system right now.
 | |
| 		if (ctr.AutoRemove() && ctr.state.State == define.ContainerStateExited) || ctr.state.State == define.ContainerStateRemoving {
 | |
| 			opts := ctrRmOpts{
 | |
| 				// Don't force-remove, we're supposed to be fresh off a reboot
 | |
| 				// If we have to force something is seriously wrong
 | |
| 				Force:        false,
 | |
| 				RemoveVolume: true,
 | |
| 			}
 | |
| 			// This container should have autoremoved before the
 | |
| 			// reboot but did not.
 | |
| 			// Get rid of it.
 | |
| 			if _, _, err := r.removeContainer(ctx, ctr, opts); err != nil {
 | |
| 				logrus.Errorf("Unable to remove container %s which should have autoremoved: %v", ctr.ID(), err)
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	for _, pod := range pods {
 | |
| 		if err := pod.refresh(); err != nil {
 | |
| 			logrus.Errorf("Refreshing pod %s: %v", pod.ID(), err)
 | |
| 		}
 | |
| 	}
 | |
| 	for _, vol := range vols {
 | |
| 		if err := vol.refresh(); err != nil {
 | |
| 			logrus.Errorf("Refreshing volume %s: %v", vol.Name(), err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Create a file indicating the runtime is alive and ready
 | |
| 	file, err := os.OpenFile(alivePath, os.O_RDONLY|os.O_CREATE, 0644)
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("creating runtime status file: %w", err)
 | |
| 	}
 | |
| 	defer file.Close()
 | |
| 
 | |
| 	r.NewSystemEvent(events.Refresh)
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // Info returns the store and host information
 | |
| func (r *Runtime) Info() (*define.Info, error) {
 | |
| 	return r.info()
 | |
| }
 | |
| 
 | |
| // generateName generates a unique name for a container or pod.
 | |
| func (r *Runtime) generateName() (string, error) {
 | |
| 	for {
 | |
| 		name := namesgenerator.GetRandomName(0)
 | |
| 		// Make sure container with this name does not exist
 | |
| 		if _, err := r.state.LookupContainer(name); err == nil {
 | |
| 			continue
 | |
| 		} else if !errors.Is(err, define.ErrNoSuchCtr) {
 | |
| 			return "", err
 | |
| 		}
 | |
| 		// Make sure pod with this name does not exist
 | |
| 		if _, err := r.state.LookupPod(name); err == nil {
 | |
| 			continue
 | |
| 		} else if !errors.Is(err, define.ErrNoSuchPod) {
 | |
| 			return "", err
 | |
| 		}
 | |
| 		return name, nil
 | |
| 	}
 | |
| 	// The code should never reach here.
 | |
| }
 | |
| 
 | |
| // Configure store and image runtime
 | |
| func (r *Runtime) configureStore() error {
 | |
| 	store, err := storage.GetStore(r.storageConfig)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	r.store = store
 | |
| 	is.Transport.SetStore(store)
 | |
| 
 | |
| 	// Set up a storage service for creating container root filesystems from
 | |
| 	// images
 | |
| 	r.storageService = getStorageService(r.store)
 | |
| 
 | |
| 	runtimeOptions := &libimage.RuntimeOptions{
 | |
| 		SystemContext: r.imageContext,
 | |
| 	}
 | |
| 	libimageRuntime, err := libimage.RuntimeFromStore(store, runtimeOptions)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	r.libimageRuntime = libimageRuntime
 | |
| 	// Run the libimage events routine.
 | |
| 	r.libimageEvents()
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // LibimageRuntime ... to allow for a step-by-step migration to libimage.
 | |
| func (r *Runtime) LibimageRuntime() *libimage.Runtime {
 | |
| 	return r.libimageRuntime
 | |
| }
 | |
| 
 | |
| // SystemContext returns the imagecontext
 | |
| func (r *Runtime) SystemContext() *types.SystemContext {
 | |
| 	// Return the context from the libimage runtime.  libimage is sensitive
 | |
| 	// to a number of env vars.
 | |
| 	return r.libimageRuntime.SystemContext()
 | |
| }
 | |
| 
 | |
| // GetOCIRuntimePath retrieves the path of the default OCI runtime.
 | |
| func (r *Runtime) GetOCIRuntimePath() string {
 | |
| 	return r.defaultOCIRuntime.Path()
 | |
| }
 | |
| 
 | |
| // DefaultOCIRuntime return copy of Default OCI Runtime
 | |
| func (r *Runtime) DefaultOCIRuntime() OCIRuntime {
 | |
| 	return r.defaultOCIRuntime
 | |
| }
 | |
| 
 | |
| // StorageConfig retrieves the storage options for the container runtime
 | |
| func (r *Runtime) StorageConfig() storage.StoreOptions {
 | |
| 	return r.storageConfig
 | |
| }
 | |
| 
 | |
| func (r *Runtime) GarbageCollect() error {
 | |
| 	return r.store.GarbageCollect()
 | |
| }
 | |
| 
 | |
| // RunRoot retrieves the current c/storage temporary directory in use by Libpod.
 | |
| func (r *Runtime) RunRoot() string {
 | |
| 	if r.store == nil {
 | |
| 		return ""
 | |
| 	}
 | |
| 	return r.store.RunRoot()
 | |
| }
 | |
| 
 | |
| // GraphRoot retrieves the current c/storage directory in use by Libpod.
 | |
| func (r *Runtime) GraphRoot() string {
 | |
| 	if r.store == nil {
 | |
| 		return ""
 | |
| 	}
 | |
| 	return r.store.GraphRoot()
 | |
| }
 | |
| 
 | |
| // GetPodName retrieves the pod name associated with a given full ID.
 | |
| // If the given ID does not correspond to any existing Pod or Container,
 | |
| // ErrNoSuchPod is returned.
 | |
| func (r *Runtime) GetPodName(id string) (string, error) {
 | |
| 	if !r.valid {
 | |
| 		return "", define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	return r.state.GetPodName(id)
 | |
| }
 | |
| 
 | |
| // DBConfig is a set of Libpod runtime configuration settings that are saved in
 | |
| // a State when it is first created, and can subsequently be retrieved.
 | |
| type DBConfig struct {
 | |
| 	LibpodRoot  string
 | |
| 	LibpodTmp   string
 | |
| 	StorageRoot string
 | |
| 	StorageTmp  string
 | |
| 	GraphDriver string
 | |
| 	VolumePath  string
 | |
| }
 | |
| 
 | |
| // mergeDBConfig merges the configuration from the database.
 | |
| func (r *Runtime) mergeDBConfig(dbConfig *DBConfig) {
 | |
| 	c := &r.config.Engine
 | |
| 	if !r.storageSet.RunRootSet && dbConfig.StorageTmp != "" {
 | |
| 		if r.storageConfig.RunRoot != dbConfig.StorageTmp &&
 | |
| 			r.storageConfig.RunRoot != "" {
 | |
| 			logrus.Debugf("Overriding run root %q with %q from database",
 | |
| 				r.storageConfig.RunRoot, dbConfig.StorageTmp)
 | |
| 		}
 | |
| 		r.storageConfig.RunRoot = dbConfig.StorageTmp
 | |
| 	}
 | |
| 
 | |
| 	if !r.storageSet.GraphRootSet && dbConfig.StorageRoot != "" {
 | |
| 		if r.storageConfig.GraphRoot != dbConfig.StorageRoot &&
 | |
| 			r.storageConfig.GraphRoot != "" {
 | |
| 			logrus.Debugf("Overriding graph root %q with %q from database",
 | |
| 				r.storageConfig.GraphRoot, dbConfig.StorageRoot)
 | |
| 		}
 | |
| 		r.storageConfig.GraphRoot = dbConfig.StorageRoot
 | |
| 	}
 | |
| 
 | |
| 	if !r.storageSet.GraphDriverNameSet && dbConfig.GraphDriver != "" {
 | |
| 		if r.storageConfig.GraphDriverName != dbConfig.GraphDriver &&
 | |
| 			r.storageConfig.GraphDriverName != "" {
 | |
| 			logrus.Errorf("User-selected graph driver %q overwritten by graph driver %q from database - delete libpod local files (%q) to resolve.  May prevent use of images created by other tools",
 | |
| 				r.storageConfig.GraphDriverName, dbConfig.GraphDriver, r.storageConfig.GraphRoot)
 | |
| 		}
 | |
| 		r.storageConfig.GraphDriverName = dbConfig.GraphDriver
 | |
| 	}
 | |
| 
 | |
| 	if !r.storageSet.StaticDirSet && dbConfig.LibpodRoot != "" {
 | |
| 		if c.StaticDir != dbConfig.LibpodRoot && c.StaticDir != "" {
 | |
| 			logrus.Debugf("Overriding static dir %q with %q from database", c.StaticDir, dbConfig.LibpodRoot)
 | |
| 		}
 | |
| 		c.StaticDir = dbConfig.LibpodRoot
 | |
| 	}
 | |
| 
 | |
| 	if !r.storageSet.TmpDirSet && dbConfig.LibpodTmp != "" {
 | |
| 		if c.TmpDir != dbConfig.LibpodTmp && c.TmpDir != "" {
 | |
| 			logrus.Debugf("Overriding tmp dir %q with %q from database", c.TmpDir, dbConfig.LibpodTmp)
 | |
| 		}
 | |
| 		c.TmpDir = dbConfig.LibpodTmp
 | |
| 	}
 | |
| 
 | |
| 	if !r.storageSet.VolumePathSet && dbConfig.VolumePath != "" {
 | |
| 		if c.VolumePath != dbConfig.VolumePath && c.VolumePath != "" {
 | |
| 			logrus.Debugf("Overriding volume path %q with %q from database", c.VolumePath, dbConfig.VolumePath)
 | |
| 		}
 | |
| 		c.VolumePath = dbConfig.VolumePath
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func (r *Runtime) EnableLabeling() bool {
 | |
| 	return r.config.Containers.EnableLabeling
 | |
| }
 | |
| 
 | |
| // Reload reloads the configurations files
 | |
| func (r *Runtime) Reload() error {
 | |
| 	if err := r.reloadContainersConf(); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	if err := r.reloadStorageConf(); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	// Invalidate the registries.conf cache. The next invocation will
 | |
| 	// reload all data.
 | |
| 	sysregistriesv2.InvalidateCache()
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // reloadContainersConf reloads the containers.conf
 | |
| func (r *Runtime) reloadContainersConf() error {
 | |
| 	config, err := config.Reload()
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	r.config = config
 | |
| 	logrus.Infof("Applied new containers configuration: %v", config)
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // reloadStorageConf reloads the storage.conf
 | |
| func (r *Runtime) reloadStorageConf() error {
 | |
| 	configFile, err := storage.DefaultConfigFile()
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	storage.ReloadConfigurationFile(configFile, &r.storageConfig)
 | |
| 	logrus.Infof("Applied new storage configuration: %v", r.storageConfig)
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // getVolumePlugin gets a specific volume plugin.
 | |
| func (r *Runtime) getVolumePlugin(volConfig *VolumeConfig) (*plugin.VolumePlugin, error) {
 | |
| 	// There is no plugin for local.
 | |
| 	name := volConfig.Driver
 | |
| 	timeout := volConfig.Timeout
 | |
| 	if name == define.VolumeDriverLocal || name == "" {
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 
 | |
| 	pluginPath, ok := r.config.Engine.VolumePlugins[name]
 | |
| 	if !ok {
 | |
| 		if name == define.VolumeDriverImage {
 | |
| 			return nil, nil
 | |
| 		}
 | |
| 		return nil, fmt.Errorf("no volume plugin with name %s available: %w", name, define.ErrMissingPlugin)
 | |
| 	}
 | |
| 
 | |
| 	return plugin.GetVolumePlugin(name, pluginPath, timeout, r.config)
 | |
| }
 | |
| 
 | |
| // GetSecretsStorageDir returns the directory that the secrets manager should take
 | |
| func (r *Runtime) GetSecretsStorageDir() string {
 | |
| 	return filepath.Join(r.store.GraphRoot(), "secrets")
 | |
| }
 | |
| 
 | |
| // SecretsManager returns the directory that the secrets manager should take
 | |
| func (r *Runtime) SecretsManager() (*secrets.SecretsManager, error) {
 | |
| 	if r.secretsManager == nil {
 | |
| 		manager, err := secrets.NewManager(r.GetSecretsStorageDir())
 | |
| 		if err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 		r.secretsManager = manager
 | |
| 	}
 | |
| 	return r.secretsManager, nil
 | |
| }
 | |
| 
 | |
| func graphRootMounted() bool {
 | |
| 	f, err := os.OpenFile("/run/.containerenv", os.O_RDONLY, os.ModePerm)
 | |
| 	if err != nil {
 | |
| 		return false
 | |
| 	}
 | |
| 	defer f.Close()
 | |
| 
 | |
| 	scanner := bufio.NewScanner(f)
 | |
| 	for scanner.Scan() {
 | |
| 		if scanner.Text() == "graphRootMounted=1" {
 | |
| 			return true
 | |
| 		}
 | |
| 	}
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| func (r *Runtime) graphRootMountedFlag(mounts []spec.Mount) string {
 | |
| 	root := r.store.GraphRoot()
 | |
| 	for _, val := range mounts {
 | |
| 		if strings.HasPrefix(root, val.Source) {
 | |
| 			return "graphRootMounted=1"
 | |
| 		}
 | |
| 	}
 | |
| 	return ""
 | |
| }
 | |
| 
 | |
| // Returns a copy of the runtime alive lock
 | |
| func (r *Runtime) getRuntimeAliveLock() (*lockfile.LockFile, error) {
 | |
| 	return lockfile.GetLockFile(filepath.Join(r.config.Engine.TmpDir, "alive.lck"))
 | |
| }
 | |
| 
 | |
| // Network returns the network interface which is used by the runtime
 | |
| func (r *Runtime) Network() nettypes.ContainerNetwork {
 | |
| 	return r.network
 | |
| }
 | |
| 
 | |
| // GetDefaultNetworkName returns the network interface which is used by the runtime
 | |
| func (r *Runtime) GetDefaultNetworkName() string {
 | |
| 	return r.config.Network.DefaultNetwork
 | |
| }
 | |
| 
 | |
| // RemoteURI returns the API server URI
 | |
| func (r *Runtime) RemoteURI() string {
 | |
| 	return r.config.Engine.RemoteURI
 | |
| }
 | |
| 
 | |
| // SetRemoteURI records the API server URI
 | |
| func (r *Runtime) SetRemoteURI(uri string) {
 | |
| 	r.config.Engine.RemoteURI = uri
 | |
| }
 | |
| 
 | |
| // Get information on potential lock conflicts.
 | |
| // Returns a map of lock number to object(s) using the lock, formatted as
 | |
| // "container <id>" or "volume <id>" or "pod <id>", and an array of locks that
 | |
| // are currently being held, formatted as []uint32.
 | |
| // If the map returned is not empty, you should immediately renumber locks on
 | |
| // the runtime, because you have a deadlock waiting to happen.
 | |
| func (r *Runtime) LockConflicts() (map[uint32][]string, []uint32, error) {
 | |
| 	// Make an internal map to store what lock is associated with what
 | |
| 	locksInUse := make(map[uint32][]string)
 | |
| 
 | |
| 	ctrs, err := r.state.AllContainers(false)
 | |
| 	if err != nil {
 | |
| 		return nil, nil, err
 | |
| 	}
 | |
| 	for _, ctr := range ctrs {
 | |
| 		lockNum := ctr.lock.ID()
 | |
| 		ctrString := fmt.Sprintf("container %s", ctr.ID())
 | |
| 		locksInUse[lockNum] = append(locksInUse[lockNum], ctrString)
 | |
| 	}
 | |
| 
 | |
| 	pods, err := r.state.AllPods()
 | |
| 	if err != nil {
 | |
| 		return nil, nil, err
 | |
| 	}
 | |
| 	for _, pod := range pods {
 | |
| 		lockNum := pod.lock.ID()
 | |
| 		podString := fmt.Sprintf("pod %s", pod.ID())
 | |
| 		locksInUse[lockNum] = append(locksInUse[lockNum], podString)
 | |
| 	}
 | |
| 
 | |
| 	volumes, err := r.state.AllVolumes()
 | |
| 	if err != nil {
 | |
| 		return nil, nil, err
 | |
| 	}
 | |
| 	for _, vol := range volumes {
 | |
| 		lockNum := vol.lock.ID()
 | |
| 		volString := fmt.Sprintf("volume %s", vol.Name())
 | |
| 		locksInUse[lockNum] = append(locksInUse[lockNum], volString)
 | |
| 	}
 | |
| 
 | |
| 	// Now go through and find any entries with >1 item associated
 | |
| 	toReturn := make(map[uint32][]string)
 | |
| 	for lockNum, objects := range locksInUse {
 | |
| 		// If debug logging is requested, just spit out *every* lock in
 | |
| 		// use.
 | |
| 		logrus.Debugf("Lock number %d is in use by %v", lockNum, objects)
 | |
| 
 | |
| 		if len(objects) > 1 {
 | |
| 			toReturn[lockNum] = objects
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	locksHeld, err := r.lockManager.LocksHeld()
 | |
| 	if err != nil {
 | |
| 		if errors.Is(err, define.ErrNotImplemented) {
 | |
| 			logrus.Warnf("Could not retrieve currently taken locks as the lock backend does not support this operation")
 | |
| 			return toReturn, []uint32{}, nil
 | |
| 		}
 | |
| 
 | |
| 		return nil, nil, err
 | |
| 	}
 | |
| 
 | |
| 	return toReturn, locksHeld, nil
 | |
| }
 | |
| 
 | |
| // SystemCheck checks our storage for consistency, and depending on the options
 | |
| // specified, will attempt to remove anything which fails consistency checks.
 | |
| func (r *Runtime) SystemCheck(ctx context.Context, options entities.SystemCheckOptions) (entities.SystemCheckReport, error) {
 | |
| 	what := storage.CheckEverything()
 | |
| 	if options.Quick {
 | |
| 		what = storage.CheckMost()
 | |
| 	}
 | |
| 	if options.UnreferencedLayerMaximumAge != nil {
 | |
| 		tmp := *options.UnreferencedLayerMaximumAge
 | |
| 		what.LayerUnreferencedMaximumAge = &tmp
 | |
| 	}
 | |
| 	storageReport, err := r.store.Check(what)
 | |
| 	if err != nil {
 | |
| 		return entities.SystemCheckReport{}, err
 | |
| 	}
 | |
| 	if len(storageReport.Containers) == 0 &&
 | |
| 		len(storageReport.Layers) == 0 &&
 | |
| 		len(storageReport.ROLayers) == 0 &&
 | |
| 		len(storageReport.Images) == 0 &&
 | |
| 		len(storageReport.ROImages) == 0 {
 | |
| 		// no errors detected
 | |
| 		return entities.SystemCheckReport{}, nil
 | |
| 	}
 | |
| 	mapErrorSlicesToStringSlices := func(m map[string][]error) map[string][]string {
 | |
| 		if len(m) == 0 {
 | |
| 			return nil
 | |
| 		}
 | |
| 		mapped := make(map[string][]string, len(m))
 | |
| 		for k, errs := range m {
 | |
| 			strs := make([]string, len(errs))
 | |
| 			for i, e := range errs {
 | |
| 				strs[i] = e.Error()
 | |
| 			}
 | |
| 			mapped[k] = strs
 | |
| 		}
 | |
| 		return mapped
 | |
| 	}
 | |
| 
 | |
| 	report := entities.SystemCheckReport{
 | |
| 		Errors:     true,
 | |
| 		Layers:     mapErrorSlicesToStringSlices(storageReport.Layers),
 | |
| 		ROLayers:   mapErrorSlicesToStringSlices(storageReport.ROLayers),
 | |
| 		Images:     mapErrorSlicesToStringSlices(storageReport.Images),
 | |
| 		ROImages:   mapErrorSlicesToStringSlices(storageReport.ROImages),
 | |
| 		Containers: mapErrorSlicesToStringSlices(storageReport.Containers),
 | |
| 	}
 | |
| 	if !options.Repair && report.Errors {
 | |
| 		// errors detected, no corrective measures to be taken
 | |
| 		return report, err
 | |
| 	}
 | |
| 
 | |
| 	// get a list of images that we knew of before we tried to clean up any
 | |
| 	// that were damaged
 | |
| 	imagesBefore, err := r.store.Images()
 | |
| 	if err != nil {
 | |
| 		return report, fmt.Errorf("getting a list of images before attempting repairs: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	repairOptions := storage.RepairOptions{
 | |
| 		RemoveContainers: options.RepairLossy,
 | |
| 	}
 | |
| 	var containers []*Container
 | |
| 	if repairOptions.RemoveContainers {
 | |
| 		// build a list of the containers that we claim as ours that we
 | |
| 		// expect to be removing in a bit
 | |
| 		for containerID := range storageReport.Containers {
 | |
| 			ctr, lookupErr := r.state.LookupContainer(containerID)
 | |
| 			if lookupErr != nil {
 | |
| 				// we're about to remove it, so it's okay that
 | |
| 				// it isn't even one of ours
 | |
| 				continue
 | |
| 			}
 | |
| 			containers = append(containers, ctr)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// run the cleanup
 | |
| 	merr := multierror.Append(nil, r.store.Repair(storageReport, &repairOptions)...)
 | |
| 
 | |
| 	if repairOptions.RemoveContainers {
 | |
| 		// get the list of containers that storage will still admit to knowing about
 | |
| 		containersAfter, err := r.store.Containers()
 | |
| 		if err != nil {
 | |
| 			merr = multierror.Append(merr, fmt.Errorf("getting a list of containers after attempting repairs: %w", err))
 | |
| 		}
 | |
| 		for _, ctr := range containers {
 | |
| 			// if one of our containers that we tried to remove is
 | |
| 			// still on disk, report an error
 | |
| 			if slices.IndexFunc(containersAfter, func(containerAfter storage.Container) bool {
 | |
| 				return containerAfter.ID == ctr.ID()
 | |
| 			}) != -1 {
 | |
| 				merr = multierror.Append(merr, fmt.Errorf("clearing storage for container %s: %w", ctr.ID(), err))
 | |
| 				continue
 | |
| 			}
 | |
| 			// remove the container from our database
 | |
| 			if removeErr := r.state.RemoveContainer(ctr); removeErr != nil {
 | |
| 				merr = multierror.Append(merr, fmt.Errorf("updating state database to reflect removal of container %s: %w", ctr.ID(), removeErr))
 | |
| 				continue
 | |
| 			}
 | |
| 			if report.RemovedContainers == nil {
 | |
| 				report.RemovedContainers = make(map[string]string)
 | |
| 			}
 | |
| 			report.RemovedContainers[ctr.ID()] = ctr.config.Name
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// get a list of images that are still around after we clean up any
 | |
| 	// that were damaged
 | |
| 	imagesAfter, err := r.store.Images()
 | |
| 	if err != nil {
 | |
| 		merr = multierror.Append(merr, fmt.Errorf("getting a list of images after attempting repairs: %w", err))
 | |
| 	}
 | |
| 	for _, imageBefore := range imagesBefore {
 | |
| 		if slices.IndexFunc(imagesAfter, func(imageAfter storage.Image) bool {
 | |
| 			return imageAfter.ID == imageBefore.ID
 | |
| 		}) == -1 {
 | |
| 			if report.RemovedImages == nil {
 | |
| 				report.RemovedImages = make(map[string][]string)
 | |
| 			}
 | |
| 			report.RemovedImages[imageBefore.ID] = slices.Clone(imageBefore.Names)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if merr != nil {
 | |
| 		err = merr.ErrorOrNil()
 | |
| 	}
 | |
| 
 | |
| 	return report, err
 | |
| }
 |