From 957fec36b841e19e7fcc6f1372f84e32f0288459 Mon Sep 17 00:00:00 2001
From: Romain Geissler
Date: Fri, 2 Feb 2024 18:50:15 +0000
Subject: [PATCH] Fix running container from docker client with rootful in rootless podman.

This effectively fix errors like "unable to upgrade to tcp, received 409" like #19930 in the special case where podman itself is running rootful but inside a container which itself is rootless.

[NO NEW TESTS NEEDED]

Signed-off-by: Romain Geissler
---
 libpod/container_internal_common.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index cd19089e2e..9e2414c18a 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -48,6 +48,7 @@ import (
 "github.com/containers/storage/pkg/archive"
 "github.com/containers/storage/pkg/idtools"
 "github.com/containers/storage/pkg/lockfile"
+ "github.com/containers/storage/pkg/unshare"
 stypes "github.com/containers/storage/types"
 securejoin "github.com/cyphar/filepath-securejoin"
 runcuser "github.com/opencontainers/runc/libcontainer/user"
@@ -633,14 +634,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 nofileSet := false
 nprocSet := false
 isRootless := rootless.IsRootless()
- if isRootless {
- if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
- var err error
- *g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
- if err != nil {
- return nil, nil, err
- }
+ isRunningInUserNs := unshare.IsRootless()
+ if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
+ var err error
+ *g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
+ if err != nil {
+ return nil, nil, err
 }
+ }
+ if isRootless {
 for _, rlimit := range c.config.Spec.Process.Rlimits {
 if rlimit.Type == "RLIMIT_NOFILE" {
 nofileSet = true
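Review bot: The OOM clamp in the second hunk now keys on `unshare.IsRootless()` while the rlimit loop directly below still keys on `rootless.IsRootless()`, and nothing in the code says why two near-identically named predicates are needed. I would add a comment above the new `if`, e.g. `// Clamp by user namespace, not euid: root inside a rootless container still cannot lower oom_score_adj below its own value.`, so a later cleanup does not merge the conditions back. The rest of generateSpec lies outside the hunk, so it should be confirmed that the RLIMIT_NOFILE/RLIMIT_NPROC handling left behind `isRootless` does not hit the same permission limit in the rootful-in-rootless case. Since the clamp now silently rewrites a value requested of a podman that believes it is rootful, a debug log when the value changes would help operators, unless maybeClampOOMScoreAdj already emits one.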