libnetwork/{netavark,cni}: add iptables to $PATH

The old rootlessnetns logic overwrote PATH for the current process to
make sure /usr/sbin (where iptables is normally installed) is in $PATH.

Now instead of adding it for the current process we can just always set
it for the cni/iptables exec only.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger 2023-11-27 13:31:47 +01:00
parent 8b81a2471f
commit 27584f37d9
2 changed files with 22 additions and 0 deletions


@ -26,8 +26,10 @@ import (
"context"
"encoding/json"
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
"github.com/containernetworking/cni/pkg/invoke"
"github.com/containernetworking/cni/pkg/version"
@ -80,6 +82,16 @@ func (e *cniExec) ExecPlugin(ctx context.Context, pluginPath string, stdinData [
c.Env = append(c.Env, "XDG_RUNTIME_DIR=")
}
// The CNI plugins need access to iptables in $PATH. As it turns out debian doesn't put
// /usr/sbin in $PATH for rootless users. This will break rootless networking completely.
// We might break existing users and we cannot expect everyone to change their $PATH so
// let's add /usr/sbin to $PATH ourselves.
path := os.Getenv("PATH")
if !strings.Contains(path, "/usr/sbin") {
path += ":/usr/sbin"
c.Env = append(c.Env, "PATH="+path)
}
err := c.Run()
if err != nil {
return nil, annotatePluginError(err, pluginPath, stdout.Bytes(), stderr.Bytes())
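Review bot: The `strings.Contains(path, "/usr/sbin")` test in ExecPlugin is a substring match, so a PATH containing only something like `/opt/usr/sbin` or `/usr/sbin-old` passes the check and /usr/sbin is never added; compare whole entries from `filepath.SplitList(path)` instead. When PATH is empty or unset, `path += ":/usr/sbin"` produces `:/usr/sbin`, and the leading empty element is treated as the current directory by PATH lookup, so the plugin would resolve `iptables` relative to its working directory first. The same two lines appear in the execNetavark hunk of the second file and need the same change. The fence below sets PATH to `/usr/sbin` alone in the empty case; whether a fuller default is wanted there is a decision for the maintainers. ExecPlugin's body starts and ends outside this hunk.

```go
path := os.Getenv("PATH")
hasSbin := false
for _, dir := range filepath.SplitList(path) {
	if dir == "/usr/sbin" {
		hasSbin = true
		break
	}
}
if !hasSbin {
	// An empty PATH must not become ":/usr/sbin": the empty element means the current directory.
	if path == "" {
		path = "/usr/sbin"
	} else {
		path += string(os.PathListSeparator) + "/usr/sbin"
	}
	c.Env = append(c.Env, "PATH="+path)
}
// … unchanged: c.Run() and error annotation …
```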


@ -10,6 +10,7 @@ import (
"os"
"os/exec"
"strconv"
"strings"
"github.com/sirupsen/logrus"
)
@ -79,6 +80,15 @@ func getRustLogEnv() string {
func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, result interface{}) error {
// set the netavark log level to the same as the podman
env := append(os.Environ(), getRustLogEnv())
// Netavark need access to iptables in $PATH. As it turns out debian doesn't put
// /usr/sbin in $PATH for rootless users. This will break rootless networking completely.
// We might break existing users and we cannot expect everyone to change their $PATH so
// let's add /usr/sbin to $PATH ourselves.
path := os.Getenv("PATH")
if !strings.Contains(path, "/usr/sbin") {
path += ":/usr/sbin"
env = append(env, "PATH="+path)
}
// if we run with debug log level lets also set RUST_BACKTRACE=1 so we can get the full stack trace in case of panics
if logrus.IsLevelEnabled(logrus.DebugLevel) {
env = append(env, "RUST_BACKTRACE=1")
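Review bot: In execNetavark, `env` starts as `os.Environ()`, so after the new append it holds two `PATH=` entries whenever the inherited PATH lacks /usr/sbin. That is correct only if the slice ends up as an `exec.Cmd` Env, where os/exec uses the last value for a duplicated key; the command construction is outside this hunk, so this is inferred. A comment on the append would record the dependency, e.g. `// appended after os.Environ(): os/exec uses the last PATH entry`. The block is also a copy of the one added to the CNI exec, so a shared helper would keep the two from drifting apart.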