podman/libpod
Paul Holzinger 597ebeb60f
top: do not depend on ps(1) in container
This ended up more complicated than expected. Let's start first with the
problem to show why I am doing this:

Currently we simply execute ps(1) in the container. This has some
drawbacks. First, obviously you need to have ps(1) in the container
image. That is not always the case, especially in small images. Second,
even if you do it will often be only busybox's ps which supports far
less options.

Now we also have psgo which is used by default but that only supports a
small subset of ps(1) options. Implementing all options there is way too
much work.

Docker on the other hand executes ps(1) directly on the host and tries
to filter pids with `-q`, an option which is not supported by busybox's
ps and conflicts with other ps(1) arguments. That means they fall back
to full ps(1) on the host and then filter based on the pid in the
output. This is kinda ugly and falls short because users can modify the
ps output and it may not even include the pid in the output which causes
an error.

So every solution has a different drawback, but what if we can combine
them somehow?! This commit tries exactly that.

We use ps(1) from the host and execute that in the container's pid
namespace.
There are some security concerns that must be addressed:
- mount the executable paths for ps and podman itself readonly to
  prevent the container from overwriting it via /proc/self/exe.
- set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG
- close all non std fds to prevent leaking files in that the caller had
  open
- unset all environment variables to not leak any into the container

Technically this could be a breaking change if somebody does not
have ps on the host and only in the container but I find that very
unlikely; we still have the exec in container fallback.

Because this can be insecure when the container has CAP_SYS_PTRACE we
still only use the podman exec version in that case.

This updates the docs accordingly, note that podman pod top never falls
back to executing ps in the container as this makes no sense with
multiple containers so I fixed the docs there as well.

Fixes #19001
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-07-10 13:32:55 +02:00
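The hardening list in the message above, as an added C example that is not podman's own code: the functions `close_fds_from`, `harden_helper`, `clear_environment` and `enter_pid_ns` are hypothetical names, and `/proc/<pid>/ns/pid` is assumed to be the container init's namespace handle. Only the three hardening steps are exercised by the test; entering the namespace needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>
/* Close every descriptor >= lowfd so files the caller had open do not leak
 * into the container (production use: lowfd = STDERR_FILENO + 1).
 * Returns the number of descriptors closed, or -1 on error. */
static int close_fds_from(int lowfd)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), closed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        int fd = atoi(e->d_name); /* "." and ".." parse to 0, so skipped */
        if (fd >= lowfd && fd > STDERR_FILENO && fd != self && close(fd) == 0) closed++;
    }
    closedir(d);
    return closed;
}
/* Hardening named in the commit message: no new privileges, non-dumpable
 * (restricts ptrace of, and /proc access to, the helper) and a parent-death
 * signal so the helper cannot outlive podman (0 leaves PDEATHSIG unset). */
static int harden_helper(int deathsig)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_PDEATHSIG, deathsig, 0, 0, 0); /* 0 on success */
}
/* Drop the whole inherited environment; returns 1 on success. */
static int clear_environment(void)
{
    return clearenv() == 0;
}
/* Join the pid namespace of container init `pid` (needs CAP_SYS_ADMIN, so
 * the test never calls it). setns() only affects children: fork, run the
 * three steps above in the child, then exec the host's ps binary. */
static int enter_pid_ns(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)pid);
    int nsfd = open(path, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0) return -1;
    int rc = setns(nsfd, CLONE_NEWPID);
    close(nsfd);
    return rc;
}
```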