This PR consolidates common functionality used by CRI-O and Podman
in one central location. I aimed to keep this change more generic,
considering that CRI-O and Podman have different ways of mounting files
and applying security labels.
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>

glibc supports the environment variable as an additional search path. We
now add this to the config validation to allow runtimes to search that
path as well.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

The cni code is used by FreeBSD so this package must build for it as
well. Given the logic is Linux specific and not called by FreeBSD, just
return an error.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Just pass down the full containers.conf as this is needed by the
rootlessnetns code; also remove the now duplicated fields and read the
options directly from the config struct.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Make sure we correctly clean up the netns if there was an error and the
netns was just created. Also make sure the parent dir for the netns is
always created because a previous cleanup() may have deleted it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

The old rootlessnetns logic overwrote PATH for the current process to
make sure /usr/sbin (where iptables is normally installed) is in $PATH.
Now instead of adding it for the current process we can just always set
it for the cni/iptables exec only.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

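The pattern this commit describes, scoping the extra PATH entry to the child process instead of mutating the parent's environment, as an added example that is not code from the commit or from c/common. The helper names envWithPath, containsDir and newNetToolCmd are assumptions for this example; only /usr/sbin comes from the commit message.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// sbinDir is the directory the child needs on its PATH so it can find
// iptables; /usr/sbin as named in the commit.
const sbinDir = "/usr/sbin"

// envWithPath returns a copy of env in which PATH contains dir, appending
// it only when it is missing. env itself is never modified, so the parent
// process keeps its own PATH untouched.
func envWithPath(env []string, dir string) []string {
	out := make([]string, 0, len(env)+1)
	found := false
	for _, kv := range env {
		if !strings.HasPrefix(kv, "PATH=") {
			out = append(out, kv)
			continue
		}
		found = true
		value := strings.TrimPrefix(kv, "PATH=")
		if !containsDir(value, dir) {
			if value == "" {
				value = dir
			} else {
				value += ":" + dir
			}
		}
		out = append(out, "PATH="+value)
	}
	if !found {
		out = append(out, "PATH="+dir)
	}
	return out
}

// containsDir reports whether dir is already one of the colon-separated
// entries of pathList.
func containsDir(pathList, dir string) bool {
	for _, p := range strings.Split(pathList, ":") {
		if p == dir {
			return true
		}
	}
	return false
}

// newNetToolCmd is a hypothetical helper that builds the command for a CNI
// plugin or iptables invocation. Only cmd.Env is changed; os.Setenv is never
// called, so nothing else in this process observes the extended PATH.
func newNetToolCmd(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.Env = envWithPath(os.Environ(), sbinDir)
	return cmd
}

func main() {
	cmd := newNetToolCmd("iptables", "-L")
	for _, kv := range cmd.Env {
		if strings.HasPrefix(kv, "PATH=") {
			fmt.Println("child sees", kv)
		}
	}
	fmt.Println("parent still has PATH =", os.Getenv("PATH"))
}
```

One caveat worth knowing: exec.Command resolves name using the parent's PATH at construction time, so cmd.Env only affects what the child itself (and the tools the child spawns, such as a CNI plugin calling iptables) can find. If the binary you start directly lives in /usr/sbin, pass its full path or resolve it yourself.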
In podman we have code to move a process into a new systemd cgroup. This
code lived in the podman utils package. Because the new rootlessnetns
must call into that, move this code to c/common.
Instead of dumping this again into a "util" package, create a systemd
package, which should have a better name. Also move the cgroup code
directly into pkg/cgroup. I am sure we can do some cleanup there in a
followup to prevent duplication.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

With the new NewNSAtPath function it is possible to create netns files
outside the normal netns directory. We need to make sure they can get
unmounted as well. We can check that the path is not under /proc.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

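The guard described in this commit, rejecting unmount of anything under /proc while accepting any other absolute path, as an added example; this is not the commit's own code, and checkUnmountable and errProcPath are names chosen for the example. The point it adds beyond the sentence above is that the path must be cleaned before the prefix test, so that ".." segments cannot fake or hide a /proc prefix, and that "/procfs/..." style siblings are not caught by a naive string prefix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errProcPath marks a refusal to touch a kernel-provided namespace file.
var errProcPath = errors.New("netns path is under /proc")

// checkUnmountable decides whether nsPath is a bind mount we may unmount.
// Paths under /proc (for example /proc/<pid>/ns/net) are the kernel's own
// namespace files, never mounts created by this code, so they are rejected.
// Any other absolute path, whether in the shared netns runtime directory or
// a location chosen through NewNSAtPath, is accepted.
func checkUnmountable(nsPath string) error {
	if !filepath.IsAbs(nsPath) {
		return fmt.Errorf("netns path %q is not absolute", nsPath)
	}
	// Clean first so that ".." segments and doubled separators can neither
	// hide nor fake a /proc prefix.
	clean := filepath.Clean(nsPath)
	if clean == "/proc" || strings.HasPrefix(clean, "/proc/") {
		return fmt.Errorf("%w: %s", errProcPath, nsPath)
	}
	return nil
}

func main() {
	// Constructed sample paths, not taken from a real system.
	for _, p := range []string{
		"/proc/4242/ns/net",
		"/run/user/1000/containers/networks/rootless-netns/netns",
		"/run/netns/../netns/shared",
		"netns/relative",
	} {
		if err := checkUnmountable(p); err != nil {
			fmt.Printf("skip    %s: %v\n", p, err)
		} else {
			fmt.Printf("unmount %s\n", p)
		}
	}
}
```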
Integrate the new rootlessnetns package into netavark. This means when
this is vendored into podman we need to drop the rootless netns code
there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Add a new rootlessnetns package based on the rootless netns code from
podman. It however makes some significant changes:
- First, it uses a directory in the runroot and not tmpdir.
- The netns mount is stored in the directory and not the global netns
runtime dir to prevent name collisions. The old code used the sha256
to do that.
- The teardown and setup logic has been made more robust and now uses a
reference counter to keep track of when to clean up. The podman
cleanup logic was racy and tied to running podman containers. Given
the plan to allow buildah to use this as well, we need this.
- There is no lock for this code; the goal is to have this called
through the network interface, which is already locked, so there is no
need for another lock here.
Future work:
- add pasta support
- add port forwarding logic here
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

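A reference-counted setup/teardown manager in the shape this commit describes, and the earlier cleanup commit ("clean up the netns if there was an error and the netns was just created", "the parent dir is always created"), as one added example. It is not code from c/common or podman: the Manager type, the Setup and Teardown callbacks and the ref-count file name are assumptions made for the example. The count is persisted in a file under the netns directory rather than kept in memory, since several processes share one rootless netns, and, as the commit says, the caller is expected to hold the network lock because nothing here locks.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// refFile holds the number of current users of the shared netns. The file
// name is an assumption of this example.
const refFile = "ref-count"

// Manager owns one rootless netns directory under the runroot. Setup and
// Teardown stand in for the real namespace and mount work and receive the
// path of the netns file. Callers must hold the network lock.
type Manager struct {
	Dir      string
	Setup    func(nsPath string) error
	Teardown func(nsPath string) error
}

func (m *Manager) nsPath() string { return filepath.Join(m.Dir, "netns") }

// Refs returns the persisted reference count; a missing file means zero.
func (m *Manager) Refs() (int, error) {
	b, err := os.ReadFile(filepath.Join(m.Dir, refFile))
	if errors.Is(err, os.ErrNotExist) {
		return 0, nil
	}
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(strings.TrimSpace(string(b)))
}

func (m *Manager) writeRefs(n int) error {
	return os.WriteFile(filepath.Join(m.Dir, refFile), []byte(strconv.Itoa(n)), 0o600)
}

// Acquire creates the netns on first use and bumps the count. The parent
// directory is always (re)created because a previous cleanup removed it,
// and a failed first-time setup is torn down so the next caller starts clean.
func (m *Manager) Acquire() error {
	if err := os.MkdirAll(m.Dir, 0o700); err != nil {
		return err
	}
	n, err := m.Refs()
	if err != nil {
		return err
	}
	if n == 0 {
		if err := m.Setup(m.nsPath()); err != nil {
			_ = m.cleanup() // the netns was just created: undo it
			return fmt.Errorf("setting up rootless netns: %w", err)
		}
	}
	return m.writeRefs(n + 1)
}

// Release drops one reference and tears the netns down when the last user
// leaves; releasing without a matching acquire is reported as an error.
func (m *Manager) Release() error {
	n, err := m.Refs()
	if err != nil {
		return err
	}
	if n == 0 {
		return errors.New("release without matching acquire")
	}
	if n > 1 {
		return m.writeRefs(n - 1)
	}
	return m.cleanup()
}

// cleanup tears the netns down and removes the whole directory, including
// the count file, so stale state cannot leak into the next setup.
func (m *Manager) cleanup() error {
	err := m.Teardown(m.nsPath())
	if rmErr := os.RemoveAll(m.Dir); err == nil {
		err = rmErr
	}
	return err
}

func main() {
	m := &Manager{
		Dir:      filepath.Join(os.TempDir(), "rootless-netns-example"),
		Setup:    func(p string) error { fmt.Println("setup", p); return os.WriteFile(p, nil, 0o600) },
		Teardown: func(p string) error { fmt.Println("teardown", p); return nil },
	}
	for _, step := range []func() error{m.Acquire, m.Acquire, m.Release, m.Release} {
		if err := step(); err != nil {
			fmt.Println("error:", err)
		}
		n, _ := m.Refs()
		fmt.Println("refs =", n)
	}
}
```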
Add new function to create a netns bind mounted to a specific path. This
is useful for the new rootless netns logic where I intend to mount the
netns at a different directory to avoid naming conflicts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Logging the error and returning it makes no sense, instead add the
context to the error before returning it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

We never use the origNS other than closing it again so we can just
remove this code as it does nothing useful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

This link was added in kernel 3.17 so it should be safe to use now as we
do not support running on such old kernels anyway.
This makes the code a bit simpler and saves two syscalls.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>