Fix running container from docker client with rootful in rootless pod…
…man.

This effectively fixes errors like "unable to upgrade to tcp, received
409" like containers#19930 in the special case where podman itself is running
rootful but inside a container which itself is rootless.

[NO NEW TESTS NEEDED]

Signed-off-by: Romain Geissler <[email protected]>
Romain-Geissler-1A authored and TomSweeneyRedHat committed Mar 7, 2024
1 parent c82fdc8 commit 957fec3
Showing 1 changed file with 9 additions and 7 deletions.
16 changes: 9 additions & 7 deletions libpod/container_internal_common.go
@@ -48,6 +48,7 @@ import (
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/unshare"
stypes "github.com/containers/storage/types"
securejoin "github.com/cyphar/filepath-securejoin"
runcuser "github.com/opencontainers/runc/libcontainer/user"
@@ -633,14 +634,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
nofileSet := false
nprocSet := false
isRootless := rootless.IsRootless()
if isRootless {
if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
isRunningInUserNs := unshare.IsRootless()
if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error
*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
if err != nil {
return nil, nil, err
}
}
if isRootless {
for _, rlimit := range c.config.Spec.Process.Rlimits {
if rlimit.Type == "RLIMIT_NOFILE" {
nofileSet = true
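Review bot: The adjacent predicates `isRootless` (`rootless.IsRootless()`) and `isRunningInUserNs` (`unshare.IsRootless()`) now gate different steps of generateSpec with no comment on how they differ, so a later cleanup could merge them and bring back the rootful-in-rootless failure this commit fixes. I would add a comment above the new variable, something like `// unshare.IsRootless() is also true for uid 0 inside a user namespace, where oom_score_adj cannot be lowered; rootless.IsRootless() is not.`, with the wording confirmed against both implementations, which are not visible here. The rlimit loop that follows still keys off `isRootless`; raising RLIMIT_NOFILE/RLIMIT_NPROC is presumably subject to the same privilege restriction in the nested case, so it is worth checking whether that branch should use the new predicate too. generateSpec starts and continues outside the hunk, and the commit is marked [NO NEW TESTS NEEDED], so nothing currently pins the distinction.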
