mirror/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2026-03-27 19:13:49 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
0cdb9b3b2294de552faccf4804586ef36eb29ca9
podman/pkg/domain/infra/abi/system_linux.go
Paul Holzinger 942f789a88 set !remote build tags where needed 
The new golangci-lint version 1.60.1 has problems with typecheck when
linting remote files. We have certain pakcages that should never be
inlcuded in remote but the typecheck tries to compile all of them but
this never works and it seems to ignore the exclude files we gave it.

To fix this the proper way is to mark all packages we only use locally
with !remote tags. This is a bit ugly but more correct. I also moved the
DecodeChanges() code around as it is called from the client so the
handles package which should only be remote doesn't really fit anyway.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-08-19 11:41:28 +02:00

110 lines
3.0 KiB
Go
Raw Blame History

//go:build !remote
package abi
import (
"context"
"fmt"
"os"
"github.com/containers/common/pkg/cgroups"
"github.com/containers/common/pkg/config"
"github.com/containers/common/pkg/systemd"
"github.com/containers/podman/v5/pkg/rootless"
"github.com/containers/podman/v5/pkg/util"
"github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
)
// Default path for system runtime state
const defaultRunPath = "/run"
func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool, cgroupMode string) error {
runsUnderSystemd := systemd.RunsOnSystemd()
if !runsUnderSystemd {
isPid1 := os.Getpid() == 1
if _, found := os.LookupEnv("container"); isPid1 || found {
if err := cgroups.MaybeMoveToSubCgroup(); err != nil {
// it is a best effort operation, so just print the
// error for debugging purposes.
logrus.Debugf("Could not move to subcgroup: %v", err)
}
}
}
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return err
}
// check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
if os.Geteuid() == 0 && hasCapSysAdmin {
// do it only after podman has already re-execed and running with uid==0.
configureCgroup := cgroupMode != "disabled"
if configureCgroup {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
}
if !ownsCgroup {
conf, err := ic.Config(context.Background())
if err != nil {
return err
}
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
if err := systemd.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
logrus.Debugf("Failed to add podman to systemd sandbox cgroup: %v", err)
}
}
}
}
return nil
}
pausePidPath, err := util.GetRootlessPauseProcessPidPath()
if err != nil {
return fmt.Errorf("could not get pause process pid file path: %w", err)
}
became, ret, err := rootless.TryJoinPauseProcess(pausePidPath)
if err != nil {
return err
}
if became {
os.Exit(ret)
}
if noMoveProcess {
return nil
}
// if there is no pid file, try to join existing containers, and create a pause process.
ctrs, err := ic.Libpod.GetRunningContainers()
if err != nil {
logrus.Error(err.Error())
os.Exit(1)
}
paths := []string{}
for _, ctr := range ctrs {
paths = append(paths, ctr.ConfigNoCopy().ConmonPidFile)
}
if len(paths) > 0 {
became, ret, err = rootless.TryJoinFromFilePaths(pausePidPath, paths)
} else {
became, ret, err = rootless.BecomeRootInUserNS(pausePidPath)
if err == nil {
systemd.MovePauseProcessToScope(pausePidPath)
}
}
if err != nil {
logrus.Error(fmt.Errorf("invalid internal status, try resetting the pause process with %q: %w", os.Args[0]+" system migrate", err))
os.Exit(1)
}
if became {
os.Exit(ret)
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink