Commit Graph

104 Commits

Author SHA1 Message Date
Giuseppe Scrivano c81c77109b
vendor: update containers/storage
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-09-24 20:28:30 +02:00
Paul Holzinger 3350cd3eed
pkg/rootless: simplify reexec for container code
The code currently tried to avoid joining the userns from conmon
directly and rather joined to only read the pid file and then send this
back to us so we could join the userns. From the comment this was done
because we could not read the pid file. However this is no longer true
as of commit 49eb5af301 and the file is now always owned by the real user.

This means we can just remove this special logic and join the namespace
directly there. A test has been added to check the rejoin logic with a
custom uidmapping.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-07-08 13:28:31 +02:00
Giuseppe Scrivano aee1e1408d
rootless: drop function ReadMappingsProc
use the equivalent GetHostIDMappings from the storage unshare package.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-04-10 11:55:35 +02:00
Matt Heon 72f1617fac Bump Go module to v5
Moving from Go module v4 to v5 prepares us for public releases.

Move done using gomove [1] as with the v3 and v4 moves.

[1] https://github.com/KSubedi/gomove

Signed-off-by: Matt Heon <mheon@redhat.com>
2024-02-08 09:35:39 -05:00
Oleksandr Redko 2a2d0b0e18 chore: delete obsolete // +build lines
Signed-off-by: Oleksandr Redko <Oleksandr_Redko@epam.com>
2024-01-04 11:53:38 +02:00
Giuseppe Scrivano d636ce8d76
rootless: use functionalities from c/storage
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-11-10 22:03:47 +01:00
Paul Holzinger 29273cda10
lint: fix warnings found by perfsprint
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-10-20 16:27:46 +02:00
Valentin Rothberg 60a5a59475 make lint: enable mirror
Helpful reports to avoid unnecessary allocations.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-06-19 14:11:12 +02:00
Paul Holzinger 6bc52c9c5e
pkg/rootless: correctly handle proxy signals on reexec
There are quite a lot of places in podman where we have some signal
handlers, most notably libpod/shutdown/handler.go.

However when we reexec we do not want any of that and just send all
signals we get down to the child obviously. So before we install our
signal handler we must first reset all others with signal.Reset().

Also while at it fix a problem where the joinUserAndMountNS() code path
would not forward signals at all. This code path is used when you have
running containers but the pause process was killed.

Fixes #16091
Given that signal handlers run in different goroutines in parallel it would
explain why it flakes sometimes in CI. However to my understanding this
flake can only happen when the pause process is dead before we run the
podman command. So the question still is what kills the pause process?

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-25 16:48:15 +02:00
Giuseppe Scrivano 1bac160960
rootless: always create userns with euid != 0
always create a user namespace when running with euid != 0 since the
user is not owning the current mount namespace.

This issue happened on a Kubernetes cluster, where the pod was running
privileged but the UID was not 0, as it was configured in the image
itself.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-12-20 13:33:23 +01:00
Giuseppe Scrivano 90719d38f7
rootless: inhibit copy mapping for euid != 0
when running with euid != 0, inhibit the copy of the current mappings,
even if the kernel allows that.  This seems to be the expectation when
running in a Kubernetes cluster with a non-root user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-12-20 13:32:58 +01:00
Giuseppe Scrivano 5dad34212f
rootless: add argument to GetConfiguredMappings
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-10-28 14:26:07 +02:00
Chris Evich d968f3fe09
Replace deprecated ioutil
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37.  Fortunately, functionally identical
replacements are provided by the packages `io` and `os`.  Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-09-20 15:34:27 -04:00
Daniel J Walsh 2c63b8439b
Fix stutters
Podman adds an Error: to every error message.  So starting an error
message with "error" ends up being reported to the user as

Error: error ...

This patch removes the stutter.

Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-09-10 07:52:00 -04:00
Daniel J Walsh ab72a371bb
Don't warn on '/' not being shared while in a container
Fixes: https://github.com/containers/podman/issues/15295

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-08-15 10:28:29 -04:00
Sascha Grunert a46f798831
pkg: switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

[NO NEW TESTS NEEDED]

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-08 08:54:47 +02:00
Erik Sjölund aa4279ae15 Fix spelling "setup" -> "set up" and similar
* Replace "setup", "lookup", "cleanup", "backup" with
  "set up", "look up", "clean up", "back up"
  when used as verbs. Replace also variations of those.

* Improve language in a few places.

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-06-22 18:39:21 +02:00
Giuseppe Scrivano ecf225019a
rootless: attempt to join all specified paths
when there are multiple paths specified, attempt to join them all
before returning an error.  Previously we were failing on the first
pid found.

[NO NEW TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-06-21 15:50:52 +02:00
Giuseppe Scrivano 9afd5e31c8
rootless: improve error messages
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-06-21 15:50:52 +02:00
Valentin Rothberg c090931da4 remote: do not join user NS
As noticed while debugging #13992, do not join the rootless user NS as a
Linux remote client.

[NO NEW TESTS NEEDED] as existing tests should continue to work.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-04-26 15:05:20 +02:00
Daniel J Walsh 2508913a0f
If newuidmap or newgidmap fail, then check their permissions
Often distributions do not have newuidmap and newgidmap configured
to be setuid. If Podman fails to set up the user namespace, check to
see if these files do not have the proper protection and tell the user.

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-04-08 10:52:08 -04:00
Daniel J Walsh 7680211ede
Remove error stutter
When podman gets an error it prints out "Error: " before
printing the error string.  If the error message starts with
error, we end up with

Error: error ...

This PR removes all of these stutters.

logrus.Error() also prints out that this is an error, so no need for the
error stutter.

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-25 21:47:04 -04:00
Valentin Rothberg ea08765f40 go fmt: use go 1.18 conditional-build syntax
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-03-18 09:11:53 +01:00
Giuseppe Scrivano 7046e78040
rootless: report correctly the error
`err` is nil at this point, so errors.Wrapf() would return nil
ignoring the remaining arguments.  This would prevent SetupRootless()
from failing, causing podman to run without capabilities but believing
it had them, and it would end up in a crash when accessing the local store.

Closes: https://github.com/containers/podman/discussions/12923

[NO NEW TESTS NEEDED] it requires running in the environment created
by bazel linux-sandbox.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-19 21:14:33 +01:00
Valentin Rothberg bd09b7aa79 bump go module to version 4
Automated for .go files via gomove [1]:
`gomove github.com/containers/podman/v3 github.com/containers/podman/v4`

Remaining files via vgrep [2]:
`vgrep github.com/containers/podman/v3`

[1] https://github.com/KSubedi/gomove
[2] https://github.com/vrothberg/vgrep

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2022-01-18 12:47:07 +01:00
Giuseppe Scrivano a837984c46
rootless: include the args in the debug message
include the arguments used to create the user namespace to help
debugging.

[NO NEW TESTS NEEDED] it changes a debug message

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-17 14:47:18 +01:00
Giuseppe Scrivano 9877280f5a
rootless: adjust error message
since we now support reading additional IDs with libsubid, clarify
that the /etc/subuid and /etc/subgid files are honored only when
shadow-utils is configured to use them.

[NO TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-10 09:26:22 +01:00
Daniel J Walsh 1c4e6d8624
standardize logrus messages to upper case
Remove ERROR: Error stutter from logrus messages also.

[NO TESTS NEEDED] This is just code cleanup.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-22 15:29:34 -04:00
Valentin Rothberg fe2be7f886 make sure that signal buffers are sufficiently big
Dealing with os.Signal channels seems more like an art than science
since signals may get lost.  os.Notify doesn't block on an unbuffered
channel, so users are expected to know what they're doing or hope for
the best.

In the recent past, I've seen a number of flakes and BZs on non-amd64
architectures where I was under the impression that signals may have
gotten lost, for instance, during stop and exec.

[NO TESTS NEEDED] since this is art.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-08-17 12:10:20 +02:00
Giuseppe Scrivano 67d439197e
rootless: check that / is mounted as shared
if the root mount '/' is not mounted as MS_SHARED, print a
warning, otherwise new mounts that are created in the host won't be
propagated to the rootless mount namespace.

Closes: https://github.com/containers/podman/issues/10946

[NO TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-28 11:04:36 +02:00
Giuseppe Scrivano 493786fbae
podman: ignore ESRCH from kill
Closes: https://github.com/containers/podman/issues/10826

[NO TESTS NEEDED] Fixes a race condition

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-01 17:01:54 +02:00
Andrej Shadura 09e640d1b5
rootless: Tell the user what led to the error, not just what it is
Users coming e.g. from Docker do not always read the manual and
expect podman to not require sudo or uidmap, for them the default
message is not very helpful:

    Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.:
    cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH

Adding a bit more context to this would help to nudge them into the
right direction and tell them what to look for in the documentation:

    command required for rootless mode with multiple IDs: exec: "newuidmap": executable file not found in $PATH

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

[NO TESTS NEEDED]
2021-04-27 11:20:43 +02:00
Giuseppe Scrivano e4c269e2d0
rootless: attempt to copy current mappings first
when creating a user namespace, attempt to create it first by copying
the current mappings and then fall back to the other methods:

1) use newidmap tools and ...
2) create a user namespace with a single user mapped.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-04-26 08:58:54 +02:00
Giuseppe Scrivano 24f00e4695
rootless: if root is not sub?id raise a debug message
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-04-22 15:32:36 +02:00
Valentin Rothberg 5dded6fae7 bump go module to v3
We missed bumping the go module, so let's do it now :)

* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-02-22 09:03:51 +01:00
Josh Soref 4fa1fce930 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-22 13:34:31 -05:00
Kir Kolyshkin 4878dff3e2 Remove excessive error wrapping
In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like
fail, the error message already contains the file name and the
operation that fails, so there is no need to wrap the error with
something like "open %s failed".

While at it

 - replace a few places with os.Open, ioutil.ReadAll with
   ioutil.ReadFile.

 - replace errors.Wrapf with errors.Wrap for cases where there
   are no %-style arguments.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-10-05 15:30:37 -07:00
Giuseppe Scrivano 7147c935aa
rootless: fix hang when newidmap is not installed
when newidmap is not installed the code would hit the
reexec_in_user_namespace_wait code and wait for the child process to
be terminated.  The child process is blocked waiting on the w pipe.

So make sure to unblock the child process first and then clean it up.

Closes: https://github.com/containers/podman/issues/7776

Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
2020-09-25 18:08:46 +02:00
Jonathan Dieter 0cd2f2d974 Wait for reexec to finish when fileOutput is nil
Currently, we're not cleaning up after ourselves when fileOutput is nil.
This patch fixes that.

Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
2020-08-15 16:34:58 +01:00
Jonathan Dieter ec231973d8 Fix hang when `path` doesn't exist
I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path`
doesn't exist, this hangs while waiting to read from this socket, even
though the socket is closed by the `reexec_in_user_namespace`.  Switching
to a pipe fixes the problem, and pipes shouldn't be an issue since this is
Linux-specific code.

Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
2020-08-11 16:42:39 +01:00
Qi Wang 34e82f81bd validate fds --preserve-fds
validate file descriptors passed from podman run and podman exec --preserve-fds.

Signed-off-by: Qi Wang <qiwan@redhat.com>
2020-08-04 15:09:17 -04:00
Giuseppe Scrivano d188b2fe22
rootless: add a check for the host id included in the range
add a check to verify whether the additional IDs also contain the host
ID.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-30 23:16:50 +02:00
Giuseppe Scrivano d86ef45441
rootless: child exits immediately on userns errors
if the parent process failed to create the user namespace, let the
child exit immediately.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-30 21:46:04 +02:00
Giuseppe Scrivano 8408cfd35c
rootless: do not ignore errors if mappings are specified
when setting up the user namespace do not ignore errors from
newuidmap/newgidmap if there are mappings configured.

The single user mapping is a fallback only when there are no mappings
specified for the user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-30 21:43:09 +02:00
Daniel J Walsh a5e37ad280
Switch all references to github.com/containers/libpod -> podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-28 08:23:45 -04:00
Valentin Rothberg 8489dc4345 move go module to v2
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules.  While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.

Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`.  The renaming of the imports
was done via `gomove` [1].

[1] https://github.com/KSubedi/gomove

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-07-06 15:50:12 +02:00
Douglas Schilling Landgraf 11e237bc3a rootless_linux: improve error message
Improve the error message for rootless mode.

Git-Url: https://github.com/containers/libpod/issues/6572
Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
2020-06-21 06:35:25 -04:00
Giuseppe Scrivano 788fdc685b
rootless: move join namespace inside child process
open the namespace file descriptors inside of the child process.

Closes: https://github.com/containers/libpod/issues/5873

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-04-20 17:40:25 +02:00
Giuseppe Scrivano 8360fcf82c
rootless: skip looking up parent user ns
since we join the conmon user namespace directly, there is no need to
look up its parent user namespace, as we can safely assume it is the
init namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-04-20 17:40:24 +02:00
Giuseppe Scrivano 6dbb89e56c
rootless: become root only if the pause file is specified
we need to store the pause process PID file so that it can be re-used
later.

commit e9dc212092 introduced this
regression.

Closes: https://github.com/containers/libpod/issues/5246

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-02-25 18:15:29 +01:00