opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-11-29 09:37:38 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c3f3dd36c4feac5c77c62cbb6a36d8677e99c7e6
podman/pkg/domain/infra/abi/system_linux.go
Paul Holzinger c3f3dd36c4 use return error handling in SetupRootless 
There is no good reason to use logrus and os.Exit() here, other parts of
this function already return the error so do the same. The main podman
process will exit then with the normal formatted error message.

And also log an error about the last return which should never happen as
we should have exited above if the re-exec worked or errored out.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-25 19:51:48 +01:00

112 lines
3.1 KiB
Go
Raw Blame History

//go:build !remote
package abi
import (
"context"
"fmt"
"os"
"github.com/containers/podman/v6/pkg/rootless"
"github.com/containers/podman/v6/pkg/util"
"github.com/sirupsen/logrus"
"go.podman.io/common/pkg/cgroups"
"go.podman.io/common/pkg/config"
"go.podman.io/common/pkg/systemd"
"go.podman.io/storage/pkg/unshare"
)
// Default path for system runtime state
const defaultRunPath = "/run"
func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool, cgroupMode string) error {
runsUnderSystemd := systemd.RunsOnSystemd()
if !runsUnderSystemd {
isPid1 := os.Getpid() == 1
if _, found := os.LookupEnv("container"); isPid1 || found {
if err := cgroups.MaybeMoveToSubCgroup(); err != nil {
// it is a best effort operation, so just print the
// error for debugging purposes.
logrus.Debugf("Could not move to subcgroup: %v", err)
}
}
}
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return err
}
// check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
if os.Geteuid() == 0 && hasCapSysAdmin {
// do it only after podman has already re-execed and running with uid==0.
configureCgroup := cgroupMode != "disabled"
if configureCgroup {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
}
if !ownsCgroup {
conf, err := ic.Config(context.Background())
if err != nil {
return err
}
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
if err := systemd.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
}
}
}
}
// return early as we are already re-exec or root here so no need to join the rootless userns.
return nil
}
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
if err != nil {
return fmt.Errorf("could not get pause process pid file path: %w", err)
}
became, ret, err := rootless.TryJoinPauseProcess(pausePidPath)
if err != nil {
return err
}
if became {
os.Exit(ret)
}
if noMoveProcess {
return nil
}
// if there is no pid file, try to join existing containers, and create a pause process.
ctrs, err := ic.Libpod.GetRunningContainers()
if err != nil {
return err
}
paths := []string{}
for _, ctr := range ctrs {
paths = append(paths, ctr.ConfigNoCopy().ConmonPidFile)
}
if len(paths) > 0 {
became, ret, err = rootless.TryJoinFromFilePaths(pausePidPath, paths)
} else {
became, ret, err = rootless.BecomeRootInUserNS(pausePidPath)
if err == nil {
systemd.MovePauseProcessToScope(pausePidPath)
}
}
if err != nil {
return fmt.Errorf("invalid internal status, try resetting the pause process with %q: %w", os.Args[0]+" system migrate", err)
}
if became {
os.Exit(ret)
}
logrus.Error("Internal error, failed to re-exec podman into user namespace without error. This should never happen, if you see this please report a bug")
return nil
}
Reference in New Issue View Git Blame Copy Permalink