> pkg/rootless/rootless_freebsd.go:24:20: ST1005: error strings should not be capitalized (staticcheck)
> return false, -1, errors.New("Rootless mode is not supported on FreeBSD - run podman as root")
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This was added by commit 84e42877a ("make lint: re-enable revive"),
making nolintlint became almost useless.
Remove the ungodly amount of unused nolint annotations.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
avoid using the glibc fork() function after using directly the clone()
syscall, as it confuses glibc causing the fork() to hang in some
cases.
The issue has been observed only on s390x, and the fix was confirmed
in the issue discussion.
Closes: https://github.com/containers/podman/issues/25184
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
`argv[0]`, ie: the full buffer allocated by `get_cmd_line_args`,
was going to be freed only if `can_use_shortcut()` was called.
Instead, let `init()` always manage `argv0` lifecycle.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
The code currently tried to avoid joining the userns from conmon
directly and rather joined to only read the pid file and then send this
back to use so we could join the userns. From the comment this was done
because we could not read the pid file. However this is no longer true
as of commit 49eb5af301 and file is no always owned by the real user.
This means we can just remove this special logic and join the namespace
directly there. A test has been added to check the rejoin logic with a
custom uidmapping.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is a bit weird and I admit I don't understand exactly how the init
value is used but this seems wrong. When podman reexec itself it then
gets the wrong init value and because rootless_uid() will be 0 the
init() function in rootless_linux.go will not set it either because of
that. Thus the first reexec has the wrong env.
Now that I make use of it in c/common[1] this turns out top be a real
issue and is failing all first podman commands. To reproduce make sure
to kill the pause process then just run any podman command with the new
c/common vendor and without this patch.
[1] https://github.com/containers/common/pull/2020
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Under some circumstances podman might be executed with a different argv0
than the actual path to the podman binary. This breaks the reexec logic
as it tried to exec argv0 which failed.
This is visible when using podmansh as login shell which get's the
special -podmansh on argv0 to signal the shell it is a login shell.
To fix this we can simply use /proc/self/exe as command path which is
much more robust and the argv array is still passed correctly.
Fixes#22672
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Moving from Go module v4 to v5 prepares us for public releases.
Move done using gomove [1] as with the v3 and v4 moves.
[1] https://github.com/KSubedi/gomove
Signed-off-by: Matt Heon <mheon@redhat.com>
**podman compose** is a thin wrapper around an external compose provider
such as docker-compose or podman-compose. This means that `podman
compose` is executing another tool that implements the compose
functionality but sets up the environment in a way to let the compose
provider communicate transparently with the local Podman socket. The
specified options as well the command and argument are passed directly
to the compose provider.
The default compose providers are `docker-compose` and `podman-compose`.
If installed, `docker-compose` takes precedence since it is the original
implementation of the Compose specification and is widely used on the
supported platforms (i.e., Linux, Mac OS, Windows).
If you want to change the default behavior or have a custom installation
path for your provider of choice, please change the `compose_provider`
field in `containers.conf(5)`. You may also set the
`PODMAN_COMPOSE_PROVIDER` environment variable.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
There are quite a lot of places in podman were we have some signal
handlers, most notably libpod/shutdown/handler.go.
However when we rexec we do not want any of that and just send all
signals we get down to the child obviously. So before we install our
signal handler we must first reset all others with signal.Reset().
Also while at it fix a problem were the joinUserAndMountNS() code path
would not forward signals at all. This code path is used when you have
running containers but the pause process was killed.
Fixes#16091
Given that signal handlers run in different goroutines parallel it would
explain why it flakes sometimes in CI. However to my understanding this
flake can only happen when the pause process is dead before we run the
podman command. So the question still is what kills the pause process?
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The long term goal was to provide the customer a way to turn on the
preexec_hooks processing of script by having some kind of configuration
that could be read. I had tried putting it into containers.conf to
start, but that turned out to be unyieldly quickly and time is of
the essence for this fix. That is mostly due to the fact that this
code is preexecution and in C, the conatiners.conf file is read in
Go much further down the stack.
After first trying this process using an ENVVAR, I have
thought it over and chatted with others and will now look for a
/etc/containers/podman_preexec_hooks.txt file to exist. If the admin
had put one in there, we will then process the files in the
directories `/usr/libexec/podman/pre-exec-hooks`
and `/etc/containers/pre-exec-hooks`.
Thoughts/suggestions gratefully accepted. This will be a 8.8/9.2 ZeroDay
fix and will need to be backported to the v4.4.1-rhel branch.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
The path was missing a slash between the libexec path and the binary
name. This was never noticed because the code already falls back to a
builtt-in pause process.
Fixes: 71f96c2e6f ("rootless: define LIBEXECPODMAN")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
the exec hooks already print the error message, so there is no need to
print another one.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
to not give a false sense of security since these are not a security
mechanism but a hook to run arbitrary code before executing a
command.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
always create a user namespace when running with euid != 0 since the
user is not owning the current mount namespace.
This issue happened on a Kubernetes cluster, where the pod was running
privileged but the UID was not 0, as it was configured in the image
itself.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when running with euid != 0, inhibit the copy of the current mappings,
even if the kernel allows that. This seems to be the expectation when
running in a Kubernetes cluster with a non-root user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
... redirect the user to run with superuser privileges instead of
printing 'this function is not supported'.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
whenever the podman process is launched, it runs any file found in
these directories:
- /etc/containers/auth-scripts
- /usr/libexec/podman/auth-scripts
The current podman command line is passed as arguments to the
process.
If any of the processes fail, the error is immediately reported back
from podman that exits with the same error code.
[NO NEW TESTS NEEDED] requires a system-wide configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Also fix a number of duplicate words. Yet disable the new `dupword`
linter as it displays too many false positives.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37. Fortunately, functionality identical
replacements are provided by the packages `io` and `os`. Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Alias
podman --context -> podman --connection
podman context use -> podman system connection default
podman context rm -> podman system connection rm
podman context create -> podman system connection add
podman context ls ->podman system connection ls
podman context inspect ->podman system connection ls --json (For
specified connections)
Podman context is a hidden command, but can be used for existing scripts
that assume Docker under the covers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
[NO NEW TESTS NEEDED]
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Replace "setup", "lookup", "cleanup", "backup" with
"set up", "look up", "clean up", "back up"
when used as verbs. Replace also variations of those.
* Improve language in a few places.
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
when there are multiple paths specified, attempt to join them all
before returning an error. Previously we were failing on the first
pid found.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The nolintlint linter does not deny the use of `//nolint`
Instead it allows us to enforce a common nolint style:
- force that a linter name must be specified
- do not add a space between `//` and `nolint`
- make sure nolint is only used when there is actually a problem
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As noticed while debugging #13992, do not join the rootless user NS as a
Linux remote client.
[NO NEW TESTS NEEDED] as existing tests should continue to work.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Often distributions to not have newuidmap and netgidmap configured
to be setuid. If Podman fails to setup the user namespace, check to
see if these files doe not have the proper protection and tell the user.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When podman gets an error it prints out "Error: " before
printing the error string. If the error message starts with
error, we end up with
Error: error ...
This PR Removes all of these stutters.
logrus.Error() also prints out that this is an error, so no need for the
error stutter.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Kir Kolyshkin
Giuseppe Scrivano
Federico Di Pierro
Paul Holzinger
Matt Heon
Oleksandr Redko
Valentin Rothberg
tomsweeneyredhat
Daniel J Walsh
Doug Rabson
Miloslav Trmač
OpenShift Merge Robot
Erik Sjölund
Chris Evich
Sascha Grunert