The path was missing a slash between the libexec path and the binary
name. This was never noticed because the code already falls back to a
builtt-in pause process.
Fixes: 71f96c2e6f ("rootless: define LIBEXECPODMAN")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
the exec hooks already print the error message, so there is no need to
print another one.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
to not give a false sense of security since these are not a security
mechanism but a hook to run arbitrary code before executing a
command.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
always create a user namespace when running with euid != 0 since the
user is not owning the current mount namespace.
This issue happened on a Kubernetes cluster, where the pod was running
privileged but the UID was not 0, as it was configured in the image
itself.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when running with euid != 0, inhibit the copy of the current mappings,
even if the kernel allows that. This seems to be the expectation when
running in a Kubernetes cluster with a non-root user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
... redirect the user to run with superuser privileges instead of
printing 'this function is not supported'.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
whenever the podman process is launched, it runs any file found in
these directories:
- /etc/containers/auth-scripts
- /usr/libexec/podman/auth-scripts
The current podman command line is passed as arguments to the
process.
If any of the processes fail, the error is immediately reported back
from podman that exits with the same error code.
[NO NEW TESTS NEEDED] requires a system-wide configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Also fix a number of duplicate words. Yet disable the new `dupword`
linter as it displays too many false positives.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37. Fortunately, functionality identical
replacements are provided by the packages `io` and `os`. Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Alias
podman --context -> podman --connection
podman context use -> podman system connection default
podman context rm -> podman system connection rm
podman context create -> podman system connection add
podman context ls ->podman system connection ls
podman context inspect ->podman system connection ls --json (For
specified connections)
Podman context is a hidden command, but can be used for existing scripts
that assume Docker under the covers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
[NO NEW TESTS NEEDED]
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Replace "setup", "lookup", "cleanup", "backup" with
"set up", "look up", "clean up", "back up"
when used as verbs. Replace also variations of those.
* Improve language in a few places.
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
when there are multiple paths specified, attempt to join them all
before returning an error. Previously we were failing on the first
pid found.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The nolintlint linter does not deny the use of `//nolint`
Instead it allows us to enforce a common nolint style:
- force that a linter name must be specified
- do not add a space between `//` and `nolint`
- make sure nolint is only used when there is actually a problem
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As noticed while debugging #13992, do not join the rootless user NS as a
Linux remote client.
[NO NEW TESTS NEEDED] as existing tests should continue to work.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Often distributions to not have newuidmap and netgidmap configured
to be setuid. If Podman fails to setup the user namespace, check to
see if these files doe not have the proper protection and tell the user.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When podman gets an error it prints out "Error: " before
printing the error string. If the error message starts with
error, we end up with
Error: error ...
This PR Removes all of these stutters.
logrus.Error() also prints out that this is an error, so no need for the
error stutter.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`err` is nil at this point, so errors.Wrapf() would return nil
ignoring the remaining arguments. This would prevent SetupRootless()
to fail causing podman to run without capabilities but believing so,
and it would end up in a crash when accessing the local store.
Closes: https://github.com/containers/podman/discussions/12923
[NO NEW TESTS NEEDED] it requires running in the environment created
by bazel linux-sandbox.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Podman image scp should never enter the Podman UserNS unless it needs to. This allows for
a sudo exec.Command to transfer images to and from rootful storage. If this command is run using sudo,
the simple sudo podman save/load does not work, machinectl/su is necessary here.
This modification allows for both rootful and rootless transfers, and an overall change of scp to be
more of a wrapper function for different load and save calls as well as the ssh component
Signed-off-by: cdoern <cdoern@redhat.com>
include the arguments used to create the user namespace to help
debugging.
[NO NEW TESTS NEEDED] it changes a debug message
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if catatonit is present, use it to keep the rootless user+mnt
namespace alive.
[NO NEW TESTS NEEDED] no new features added.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
simplify code using auto cleanup functions
[NO NEW TESTS NEEDED] it is a refactoring of existing code
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
since we now support reading additional IDs with libsubid, clarify
that the /etc/subuid and /etc/subgid files are honored only when
shadow-utils is configured to use them.
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The go logic already prevents podman from joining the userns for machine
commands but the c shortcut code did not.
[NO TESTS NEEDED]
Fixes#11731
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Dealing with os.Signal channels seems more like an art than science
since signals may get lost. os.Notify doesn't block on an unbuffered
channel, so users are expected to know what they're doing or hope for
the best.
In the recent past, I've seen a number of flakes and BZs on non-amd64
architectures where I was under the impression that signals may got
lost, for instance, during stop and exec.
[NO TESTS NEEDED] since this is art.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
avoid a zombie process if on the first launch Podman creates a long
living process, such as "podman system service -t 0".
The `r` variable was overriden thus causing the waitpid to fail and
not clean up the intermediate process.
Closes: https://github.com/containers/podman/issues/10575
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if the root mount '/' is not mounted as MS_SHARED, print a
warning, otherwise new mounts that are created in the host won't be
propagated to the rootless mount namespace.
Closes: https://github.com/containers/podman/issues/10946
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Paul Holzinger
Giuseppe Scrivano
Daniel J Walsh
Doug Rabson
Valentin Rothberg
Miloslav Trmač
OpenShift Merge Robot
Erik Sjölund
Chris Evich
Sascha Grunert
Valentin Rothberg
cdoern
Marc Nguyen