mirror of https://github.com/containers/podman.git
245 lines
6.5 KiB
Go
245 lines
6.5 KiB
Go
// +build ABISupport
|
|
|
|
package abi
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
"syscall"
|
|
|
|
"github.com/containers/common/pkg/config"
|
|
"github.com/containers/libpod/libpod/define"
|
|
api "github.com/containers/libpod/pkg/api/server"
|
|
"github.com/containers/libpod/pkg/cgroups"
|
|
"github.com/containers/libpod/pkg/domain/entities"
|
|
"github.com/containers/libpod/pkg/rootless"
|
|
"github.com/containers/libpod/pkg/util"
|
|
iopodman "github.com/containers/libpod/pkg/varlink"
|
|
iopodmanAPI "github.com/containers/libpod/pkg/varlinkapi"
|
|
"github.com/containers/libpod/utils"
|
|
"github.com/containers/libpod/version"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
"github.com/spf13/cobra"
|
|
"github.com/varlink/go/varlink"
|
|
)
|
|
|
|
func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
|
|
return ic.Libpod.Info()
|
|
}
|
|
|
|
func (ic *ContainerEngine) RestService(_ context.Context, opts entities.ServiceOptions) error {
|
|
var (
|
|
listener net.Listener
|
|
err error
|
|
)
|
|
|
|
if opts.URI != "" {
|
|
fields := strings.Split(opts.URI, ":")
|
|
if len(fields) == 1 {
|
|
return errors.Errorf("%s is an invalid socket destination", opts.URI)
|
|
}
|
|
address := strings.Join(fields[1:], ":")
|
|
listener, err = net.Listen(fields[0], address)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "unable to create socket %s", opts.URI)
|
|
}
|
|
}
|
|
|
|
server, err := api.NewServerWithSettings(ic.Libpod, opts.Timeout, &listener)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
if err := server.Shutdown(); err != nil {
|
|
logrus.Warnf("Error when stopping API service: %s", err)
|
|
}
|
|
}()
|
|
|
|
err = server.Serve()
|
|
_ = listener.Close()
|
|
return err
|
|
}
|
|
|
|
func (ic *ContainerEngine) VarlinkService(_ context.Context, opts entities.ServiceOptions) error {
|
|
var varlinkInterfaces = []*iopodman.VarlinkInterface{
|
|
iopodmanAPI.New(opts.Command, ic.Libpod),
|
|
}
|
|
|
|
service, err := varlink.NewService(
|
|
"Atomic",
|
|
"podman",
|
|
version.Version,
|
|
"https://github.com/containers/libpod",
|
|
)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "unable to create new varlink service")
|
|
}
|
|
|
|
for _, i := range varlinkInterfaces {
|
|
if err := service.RegisterInterface(i); err != nil {
|
|
return errors.Errorf("unable to register varlink interface %v", i)
|
|
}
|
|
}
|
|
|
|
// Run the varlink server at the given address
|
|
if err = service.Listen(opts.URI, opts.Timeout); err != nil {
|
|
switch err.(type) {
|
|
case varlink.ServiceTimeoutError:
|
|
logrus.Infof("varlink service expired (use --timeout to increase session time beyond %s ms, 0 means never timeout)", opts.Timeout.String())
|
|
return nil
|
|
default:
|
|
return errors.Wrapf(err, "unable to start varlink service")
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (ic *ContainerEngine) SetupRootless(cmd *cobra.Command) error {
|
|
// do it only after podman has already re-execed and running with uid==0.
|
|
if os.Geteuid() == 0 {
|
|
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
|
|
if err != nil {
|
|
logrus.Warnf("Failed to detect the owner for the current cgroup: %v", err)
|
|
}
|
|
if !ownsCgroup {
|
|
conf, err := ic.Config(context.Background())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
|
|
if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
|
|
if conf.Engine.CgroupManager == config.SystemdCgroupsManager {
|
|
logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err)
|
|
} else {
|
|
logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if !executeCommandInUserNS(cmd) {
|
|
return nil
|
|
}
|
|
|
|
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
|
|
if err != nil {
|
|
return errors.Wrapf(err, "could not get pause process pid file path")
|
|
}
|
|
|
|
became, ret, err := rootless.TryJoinPauseProcess(pausePidPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if became {
|
|
os.Exit(ret)
|
|
}
|
|
|
|
// if there is no pid file, try to join existing containers, and create a pause process.
|
|
ctrs, err := ic.Libpod.GetRunningContainers()
|
|
if err != nil {
|
|
logrus.WithError(err).Fatal("")
|
|
}
|
|
|
|
paths := []string{}
|
|
for _, ctr := range ctrs {
|
|
paths = append(paths, ctr.Config().ConmonPidFile)
|
|
}
|
|
|
|
became, ret, err = rootless.TryJoinFromFilePaths(pausePidPath, true, paths)
|
|
if err := movePauseProcessToScope(); err != nil {
|
|
conf, err := ic.Config(context.Background())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if conf.Engine.CgroupManager == config.SystemdCgroupsManager {
|
|
logrus.Warnf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
|
} else {
|
|
logrus.Debugf("Failed to add pause process to systemd sandbox cgroup: %v", err)
|
|
}
|
|
}
|
|
if err != nil {
|
|
logrus.WithError(err).Fatal("")
|
|
}
|
|
if became {
|
|
os.Exit(ret)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Most podman commands when run in rootless mode, need to be executed in the
|
|
// users usernamespace. This function is updated with a list of commands that
|
|
// should NOT be run within the user namespace.
|
|
func executeCommandInUserNS(cmd *cobra.Command) bool {
|
|
return os.Geteuid() == 0
|
|
// if os.Geteuid() == 0 {
|
|
// return false
|
|
// }
|
|
// switch cmd {
|
|
// case _migrateCommand,
|
|
// _mountCommand,
|
|
// _renumberCommand,
|
|
// _searchCommand,
|
|
// _versionCommand:
|
|
// return false
|
|
// }
|
|
// return true
|
|
}
|
|
|
|
func movePauseProcessToScope() error {
|
|
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
|
|
if err != nil {
|
|
return errors.Wrapf(err, "could not get pause process pid file path")
|
|
}
|
|
|
|
data, err := ioutil.ReadFile(pausePidPath)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "cannot read pause pid file")
|
|
}
|
|
pid, err := strconv.ParseUint(string(data), 10, 0)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "cannot parse pid file %s", pausePidPath)
|
|
}
|
|
|
|
return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
|
|
}
|
|
|
|
func setRLimits() error { // nolint:deadcode,unused
|
|
rlimits := new(syscall.Rlimit)
|
|
rlimits.Cur = 1048576
|
|
rlimits.Max = 1048576
|
|
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
|
if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
|
return errors.Wrapf(err, "error getting rlimits")
|
|
}
|
|
rlimits.Cur = rlimits.Max
|
|
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
|
return errors.Wrapf(err, "error setting new rlimits")
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func setUMask() { // nolint:deadcode,unused
|
|
// Be sure we can create directories with 0755 mode.
|
|
syscall.Umask(0022)
|
|
}
|
|
|
|
// checkInput can be used to verify any of the globalopt values
|
|
func checkInput() error { // nolint:deadcode,unused
|
|
return nil
|
|
}
|
|
|
|
// func getCNIPluginsDir() string {
|
|
// if rootless.IsRootless() {
|
|
// return ""
|
|
// }
|
|
//
|
|
// return registry.PodmanOptions.Network.CNIPluginDirs[0]
|
|
// }
|