containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libpod: Move socket label handling from oci_conmon_common.go to oci_conmon_linux.go 

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
This commit is contained in:
Doug Rabson 2022-08-17 10:30:30 +01:00
parent 6791cdbdf1
commit 93bad90486
2 changed files with 26 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libpod/oci_conmon_common.go
View File

@ -16,7 +16,6 @@ import (
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"runtime"
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
@ -42,7 +41,6 @@ import (
"github.com/containers/podman/v4/utils" "github.com/containers/podman/v4/utils"
"github.com/containers/storage/pkg/homedir" "github.com/containers/storage/pkg/homedir"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
@ -763,23 +761,11 @@ func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options Container
env = append(env, fmt.Sprintf("PATH=%s", path)) env = append(env, fmt.Sprintf("PATH=%s", path))
} }
runtime.LockOSThread() var runtimeCheckpointStarted time.Time
if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil { err = r.withContainerSocketLabel(ctr, func() error {
return 0, err runtimeCheckpointStarted = time.Now()
} return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, env, r.path, args...)
})
runtimeCheckpointStarted := time.Now()
err = utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, env, r.path, args...)
// Ignore error returned from SetSocketLabel("") call,
// can't recover.
if labelErr := label.SetSocketLabel(""); labelErr == nil {
// Unlock the thread only if the process label could be restored
// successfully. Otherwise leave the thread locked and the Go runtime
// will terminate it once it returns to the threads pool.
runtime.UnlockOSThread()
} else {
logrus.Errorf("Unable to reset socket label: %q", labelErr)
}
runtimeCheckpointDuration := func() int64 { runtimeCheckpointDuration := func() int64 {
if options.PrintStats { if options.PrintStats {

21
libpod/oci_conmon_linux.go
View File

@ -8,6 +8,7 @@ import (
"github.com/containers/podman/v4/pkg/errorhandling" "github.com/containers/podman/v4/pkg/errorhandling"
pmount "github.com/containers/storage/pkg/mount" pmount "github.com/containers/storage/pkg/mount"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
@ -68,3 +69,23 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
res := <-ch res := <-ch
return res.restoreDuration, res.err return res.restoreDuration, res.err
} }
// Run the closure with the container's socket label set
func (r *ConmonOCIRuntime) withContainerSocketLabel(ctr *Container, closure func() error) error {
runtime.LockOSThread()
if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
return err
}
err := closure()
// Ignore error returned from SetSocketLabel("") call,
// can't recover.
if labelErr := label.SetSocketLabel(""); labelErr == nil {
// Unlock the thread only if the process label could be restored
// successfully. Otherwise leave the thread locked and the Go runtime
// will terminate it once it returns to the threads pool.
runtime.UnlockOSThread()
} else {
logrus.Errorf("Unable to reset socket label: %q", labelErr)
}
return err
}