containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

system service: unset listen fds on tcp 

Disable leaking the LISTEN_* variables into containers which are
observed to be passed by systemd even without being socket activated as
described in https://access.redhat.com/solutions/6512011.

[NO NEW TESTS NEEDED] - Ultimately, the solution 6512011 should be updated.

Fixes: bugzilla.redhat.com/show_bug.cgi?id=2180483
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This commit is contained in:
Valentin Rothberg 2023-07-11 15:40:12 +02:00
parent 77b36ca35e
commit 3ad55f48bb
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmd/podman/system/service_abi.go
View File

@ -96,6 +96,18 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
libpodRuntime.SetRemoteURI(uri.String()) libpodRuntime.SetRemoteURI(uri.String())
} }
// bugzilla.redhat.com/show_bug.cgi?id=2180483:
//
// Disable leaking the LISTEN_* into containers which
// are observed to be passed by systemd even without
// being socket activated as described in
// https://access.redhat.com/solutions/6512011.
for _, val := range []string{"LISTEN_FDS", "LISTEN_PID", "LISTEN_FDNAMES"} {
if err := os.Unsetenv(val); err != nil {
return fmt.Errorf("unsetting %s: %v", val, err)
}
}
// Set stdin to /dev/null, so shortnames will not prompt // Set stdin to /dev/null, so shortnames will not prompt
devNullfile, err := os.Open(os.DevNull) devNullfile, err := os.Open(os.DevNull)
if err != nil { if err != nil {