podman/libpod
W. Trevor King a4b483c848 libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:

> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.

But we'd also been disabling hooks completely for rootless users.  And
even for root users, the override logic was tricky when folks actually
had content in both directories.  For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.

Also, the previous implementation failed to handle the case where
there were hooks defined in the override directory but the default
directory did not exist:

  $ podman version
  Version:       0.11.2-dev
  Go Version:    go1.10.3
  Git Commit:    "6df7409cb5a41c710164c42ed35e33b28f3f7214"
  Built:         Sun Dec  2 21:30:06 2018
  OS/Arch:       linux/amd64
  $ ls -l /etc/containers/oci/hooks.d/test.json
  -rw-r--r--. 1 root root 184 Dec  2 16:27 /etc/containers/oci/hooks.d/test.json
  $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
  time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
  time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"

With this commit:

  $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
  time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
  time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
  time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
  time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
  time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
  time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""

(I'd set up the hook to error out).  You can see that it's silently
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.

When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release.  When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:

  $ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
  error setting up OCI Hooks: open /does/not/exist: no such file or directory

I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument".  I consider this name change
non-breaking because the old forms were undocumented.

Coming back to rootless users, I've enabled hooks now.  I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions.  But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access.  We error out so they can fix their
libpod.conf.

[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355

Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 12:54:30 -08:00
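The directory-loading rules the commit message describes (a missing implicit directory is skipped, loading a hook from one raises the deprecation warning, a missing explicitly configured directory is a hard error, and a later directory overrides an earlier one by file name) can be exercised outside podman. The following is an added example and not libpod's own code: HookDir, collectHooks, Hook, HookLoad and ErrMissingHookDir are names chosen here, the warning text is copied from the log line above, and the sample tree is built in a temporary directory rather than under /etc or /usr/share.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// HookDir is one directory to scan. Implicit marks the legacy defaults
// (/usr/share/... and /etc/... in podman); explicit entries are the user's
// --hooks-dir / hooks_dir values. (Hypothetical type, not libpod's.)
type HookDir struct {
	Path     string
	Implicit bool
}

// Hook is one loaded hook definition: its base name and the file it came from.
type Hook struct {
	Name string
	Path string
}

// HookLoad is the effective hook set plus any deprecation warnings raised.
type HookLoad struct {
	Hooks    []Hook
	Warnings []string
}

// ErrMissingHookDir is returned (wrapped) when an explicitly configured
// directory cannot be read; the message mirrors the podman error above.
var ErrMissingHookDir = errors.New("error setting up OCI Hooks")

// collectHooks scans dirs in order. Later directories override earlier ones
// by file name, which is why a no-op hook in the override directory could
// mask a default one. A missing implicit directory is skipped; a missing
// explicit directory is an error. Loading at least one hook from an implicit
// directory records a deprecation warning naming that directory.
func collectHooks(dirs []HookDir) (HookLoad, error) {
	byName := map[string]Hook{}
	var warnings []string

	for _, d := range dirs {
		entries, err := os.ReadDir(d.Path)
		if err != nil {
			if d.Implicit && errors.Is(err, os.ErrNotExist) {
				continue // ENOENT is tolerated only for the implicit defaults
			}
			return HookLoad{}, fmt.Errorf("%w: %v", ErrMissingHookDir, err)
		}
		loaded := 0
		for _, e := range entries {
			if e.IsDir() || !strings.HasSuffix(e.Name(), ".json") {
				continue
			}
			byName[e.Name()] = Hook{Name: e.Name(), Path: filepath.Join(d.Path, e.Name())}
			loaded++
		}
		if d.Implicit && loaded > 0 {
			warnings = append(warnings, fmt.Sprintf(
				"implicit hook directories are deprecated; set --hooks-dir=%q explicitly to continue to load hooks from this directory",
				d.Path))
		}
	}

	names := make([]string, 0, len(byName))
	for n := range byName {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order for callers and tests
	out := HookLoad{Warnings: warnings}
	for _, n := range names {
		out.Hooks = append(out.Hooks, byName[n])
	}
	return out, nil
}

func main() {
	// Constructed sample tree: the "usr" default is absent, "etc" holds one hook.
	root, err := os.MkdirTemp("", "hooks-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	etc := filepath.Join(root, "etc")
	usr := filepath.Join(root, "usr")
	_ = os.MkdirAll(etc, 0o755)
	_ = os.WriteFile(filepath.Join(etc, "test.json"), []byte("{}"), 0o644)

	res, err := collectHooks([]HookDir{{usr, true}, {etc, true}})
	fmt.Println(res, err) // one hook from etc, one deprecation warning, nil error

	_, err = collectHooks([]HookDir{{usr, false}})
	fmt.Println(err) // explicit missing directory: error setting up OCI Hooks: ...
}
```

Running the block with a real /etc-style layout is just a matter of passing the two implicit defaults followed by any explicit entries from the config; a rootless caller would pass explicit entries only.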
common Change un/pwd handling to match Buildah's 2018-02-06 09:29:23 -05:00
driver switch projectatomic to containers 2018-08-16 17:12:36 +00:00
image Merge pull request #1868 from QiWang19/issue860 2018-11-26 16:46:22 -08:00
layers Initial checkin from CRI-O repo 2017-11-01 11:24:59 -04:00
testdata libpod/container_internal: Deprecate implicit hook directories 2018-12-03 12:54:30 -08:00
boltdb_state.go Make failure to retrieve individual ctrs/pods nonfatal 2018-08-17 19:10:21 +00:00
boltdb_state_internal.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
boltdb_state_linux.go Log an otherwise ignored error from joining a net ns 2018-10-11 11:29:42 -04:00
boltdb_state_unsupported.go Fix build on non-linux platforms 2018-07-31 14:19:50 +00:00
common_test.go Rework state testing to allow State structs to be empty 2018-07-31 14:19:50 +00:00
container.go Fix golang formatting issues 2018-11-28 09:26:24 -06:00
container_api.go Fix golang formatting issues 2018-11-28 09:26:24 -06:00
container_attach.go attach: fix attach when cuid is too long 2018-10-30 15:35:24 +01:00
container_commit.go Vendor in new new buildah/ci 2018-10-17 17:04:19 -05:00
container_easyjson.go network: allow slirp4netns mode also for root containers 2018-11-28 09:21:59 +01:00
container_graph.go Remove a loop in container graph 2018-03-29 02:18:45 +00:00
container_graph_test.go Lint: Tests: add missing assertions 2018-11-10 10:52:24 +01:00
container_inspect.go Allow containers/storage to handle on SELinux labeling 2018-10-23 10:57:23 -04:00
container_internal.go libpod/container_internal: Deprecate implicit hook directories 2018-12-03 12:54:30 -08:00
container_internal_linux.go libpod/container_internal: Deprecate implicit hook directories 2018-12-03 12:54:30 -08:00
container_internal_test.go vendor containerd/cgroups 2018-09-06 15:19:25 +00:00
container_internal_unsupported.go Add support to checkpoint/restore containers 2018-10-03 21:41:39 +02:00
container_linux.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
container_top_linux.go vendor latest containers/psgo 2018-07-26 17:01:40 +00:00
container_top_unsupported.go podman-top: use containers/psgo 2018-07-19 20:47:52 +00:00
container_unsupported.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
diff.go Don't output inodes created to run a container 2018-09-21 09:45:14 +00:00
errors.go Add namespaces and initial constraints to database 2018-07-24 16:12:31 -04:00
in_memory_state.go switch projectatomic to containers 2018-08-16 17:12:36 +00:00
info.go info: add rootless field 2018-11-09 09:41:57 +01:00
kube.go Fix golang formatting issues 2018-11-28 09:26:24 -06:00
mounts_linux.go set root propagation based on volume properties 2018-11-26 13:55:02 +01:00
networking_linux.go Merge pull request #1789 from mheon/fix_add_hosts_test 2018-11-09 09:41:26 -08:00
networking_unsupported.go switch projectatomic to containers 2018-08-16 17:12:36 +00:00
oci.go rootless: propagate XDG_RUNTIME_DIR to the OCI runtime 2018-11-30 22:37:09 +01:00
oci_linux.go Use also a struct to pass options to Restore() 2018-11-28 08:00:37 +01:00
oci_unsupported.go Use also a struct to pass options to Restore() 2018-11-28 08:00:37 +01:00
options.go libpod/container_internal: Deprecate implicit hook directories 2018-12-03 12:54:30 -08:00
pod.go Allow users to expose ports from the pod to the host 2018-11-20 09:49:34 -06:00
pod_api.go Add ContainerStateExited and OCI delete() in cleanup() 2018-10-02 12:05:22 -04:00
pod_easyjson.go Allow users to expose ports from the pod to the host 2018-11-20 09:49:34 -06:00
pod_internal.go Fix golang formatting issues 2018-11-28 09:26:24 -06:00
pod_top_linux.go Add podman pod top 2018-08-23 15:01:17 +00:00
pod_top_unsupported.go Add podman pod top 2018-08-23 15:01:17 +00:00
runtime.go libpod/container_internal: Deprecate implicit hook directories 2018-12-03 12:54:30 -08:00
runtime_ctr.go rm -f now removes a paused container 2018-11-08 15:18:11 -06:00
runtime_img.go Vendor in new new buildah/ci 2018-10-17 17:04:19 -05:00
runtime_img_test.go switch projectatomic to containers 2018-08-16 17:12:36 +00:00
runtime_pod.go Fixing network ns segfault 2018-08-23 18:16:28 +00:00
runtime_pod_infra_linux.go network: allow slirp4netns mode also for root containers 2018-11-28 09:21:59 +01:00
runtime_pod_linux.go Remove conmon cgroup before pod cgroup for cgroupfs 2018-11-07 09:45:34 -05:00
runtime_pod_unsupported.go Added option to share kernel namespaces in libpod and podman 2018-08-23 18:16:28 +00:00
state.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
state_test.go Rework state testing to allow State structs to be empty 2018-07-31 14:19:50 +00:00
stats.go Add ability for ubuntu to be tested 2018-10-03 12:45:37 -05:00
stats_config.go changes to allow for darwin compilation 2018-06-29 20:44:09 +00:00
stats_unsupported.go changes to allow for darwin compilation 2018-06-29 20:44:09 +00:00
storage.go Allow containers/storage to handle on SELinux labeling 2018-10-23 10:57:23 -04:00
util.go util: use fsnotify to wait for file 2018-11-28 10:53:41 +01:00
util_linux.go Fix build on non-Linux OSes 2018-08-15 18:07:04 +00:00
util_test.go Stage3 Image Library 2018-03-14 20:21:31 +00:00
util_unsupported.go Fix build on non-Linux OSes 2018-08-15 18:07:04 +00:00
version.go Fix setting of version information 2018-10-31 00:27:08 +01:00