Skip to content

Commit

Permalink
Fix running container from docker client with rootful in rootless pod…
Browse files Browse the repository at this point in the history 
…man.

This effectively fix errors like "unable to upgrade to tcp, received
409" like containers#19930 in the special case where podman itself is running
rootful but inside a container which itself is rootless.

[NO NEW TESTS NEEDED]

Signed-off-by: Romain Geissler <[email protected]>
  • Loading branch information
@Romain-Geissler-1A
Romain-Geissler-1A committed Feb 18, 2024
1 parent fbb4d5d commit f59a5f1
Showing 1 changed file with 9 additions and 7 deletions.
16 changes: 9 additions & 7 deletions libpod/container_internal_common.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ import (
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/unshare"
stypes "github.com/containers/storage/types"
securejoin "github.com/cyphar/filepath-securejoin"
runcuser "github.com/moby/sys/user"
Expand Down Expand Up @@ -632,14 +633,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
nofileSet := false
nprocSet := false
isRootless := rootless.IsRootless()
if isRootless {
if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
isRunningInUserNs := unshare.IsRootless()
if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
}
if isRootless {
for _, rlimit := range c.config.Spec.Process.Rlimits {
if rlimit.Type == "RLIMIT_NOFILE" {
nofileSet = true
Expand Down

0 comments on commit f59a5f1

Please sign in to comment.