Fix running container from docker client with rootful in rootless pod…
…man.

This effectively fixes errors such as "unable to upgrade to tcp, received
409" (see containers#19930) in the special case where podman itself is running
rootful but inside a container which is itself rootless.

[NO NEW TESTS NEEDED]

Signed-off-by: Romain Geissler <[email protected]>
Romain-Geissler-1A committed Feb 26, 2024
1 parent 4b69d93 commit 8e492e9
Showing 1 changed file with 9 additions and 7 deletions.
16 changes: 9 additions & 7 deletions libpod/container_internal_common.go
@@ -48,6 +48,7 @@ import (
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/unshare"
stypes "github.com/containers/storage/types"
securejoin "github.com/cyphar/filepath-securejoin"
runcuser "github.com/opencontainers/runc/libcontainer/user"
@@ -633,14 +634,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
nofileSet := false
nprocSet := false
isRootless := rootless.IsRootless()
if isRootless {
if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
isRunningInUserNs := unshare.IsRootless()
if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
}
if isRootless {
for _, rlimit := range c.config.Spec.Process.Rlimits {
if rlimit.Type == "RLIMIT_NOFILE" {
nofileSet = true