mirror of https://github.com/containers/podman.git
libpod: Move socket label handling from oci_conmon_common.go to oci_conmon_linux.go
[NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
parent
6791cdbdf1
commit
93bad90486
|
@ -16,7 +16,6 @@ import (
|
|||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
|
@ -42,7 +41,6 @@ import (
|
|||
"github.com/containers/podman/v4/utils"
|
||||
"github.com/containers/storage/pkg/homedir"
|
||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
@ -763,23 +761,11 @@ func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options Container
|
|||
env = append(env, fmt.Sprintf("PATH=%s", path))
|
||||
}
|
||||
|
||||
runtime.LockOSThread()
|
||||
if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
runtimeCheckpointStarted := time.Now()
|
||||
err = utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, env, r.path, args...)
|
||||
// Ignore error returned from SetSocketLabel("") call,
|
||||
// can't recover.
|
||||
if labelErr := label.SetSocketLabel(""); labelErr == nil {
|
||||
// Unlock the thread only if the process label could be restored
|
||||
// successfully. Otherwise leave the thread locked and the Go runtime
|
||||
// will terminate it once it returns to the threads pool.
|
||||
runtime.UnlockOSThread()
|
||||
} else {
|
||||
logrus.Errorf("Unable to reset socket label: %q", labelErr)
|
||||
}
|
||||
var runtimeCheckpointStarted time.Time
|
||||
err = r.withContainerSocketLabel(ctr, func() error {
|
||||
runtimeCheckpointStarted = time.Now()
|
||||
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, env, r.path, args...)
|
||||
})
|
||||
|
||||
runtimeCheckpointDuration := func() int64 {
|
||||
if options.PrintStats {
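Review bot: When `withContainerSocketLabel` fails before it invokes the closure, `runtimeCheckpointStarted` is still the zero `time.Time`, whereas the removed code left the function at once with `return 0, err`. The `runtimeCheckpointDuration` closure that opens on the last two lines of this hunk continues outside it, so whether it reads the start time on the error path cannot be confirmed from here. If it does, a socket-label failure with `options.PrintStats` set would report a meaningless duration alongside the error. A guard directly after the call, `if err != nil && runtimeCheckpointStarted.IsZero() { return 0, err }`, would keep the old early-return behaviour for that case.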
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
|
||||
"github.com/containers/podman/v4/pkg/errorhandling"
|
||||
pmount "github.com/containers/storage/pkg/mount"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
@ -68,3 +69,23 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
|
|||
res := <-ch
|
||||
return res.restoreDuration, res.err
|
||||
}
|
||||
|
||||
// Run the closure with the container's socket label set
|
||||
func (r *ConmonOCIRuntime) withContainerSocketLabel(ctr *Container, closure func() error) error {
|
||||
runtime.LockOSThread()
|
||||
if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
|
||||
return err
|
||||
}
|
||||
err := closure()
|
||||
// Ignore error returned from SetSocketLabel("") call,
|
||||
// can't recover.
|
||||
if labelErr := label.SetSocketLabel(""); labelErr == nil {
|
||||
// Unlock the thread only if the process label could be restored
|
||||
// successfully. Otherwise leave the thread locked and the Go runtime
|
||||
// will terminate it once it returns to the threads pool.
|
||||
runtime.UnlockOSThread()
|
||||
} else {
|
||||
logrus.Errorf("Unable to reset socket label: %q", labelErr)
|
||||
}
|
||||
return err
|
||||
}
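Review bot: If the final `label.SetSocketLabel("")` fails, `withContainerSocketLabel` only logs and returns the closure's result, so the caller keeps running on a locked OS thread whose socket-creation label is presumably still the container's, and any socket it creates afterwards would carry that label. The comment says the Go runtime terminates the thread "once it returns to the threads pool", but a locked thread is discarded only when its goroutine exits, which this helper cannot guarantee for its caller. Consider surfacing the reset failure when the closure itself succeeded, `if err == nil { err = labelErr }` in the `else` branch, and rewording the comment to `// Leave the thread locked; the runtime discards it only when this goroutine exits.` The early `return err` after the first `SetSocketLabel` also leaves the thread locked with no matching `runtime.UnlockOSThread()`. The doc comment should start with the function name, e.g. `// withContainerSocketLabel runs closure with the container's socket label set on the current OS thread.`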
|
||||
|
|