cgroup-manager-systemd: Warn early if user is rootless and no relevent user session is present. #11212
Conversation
libpod/container_internal_linux.go
Outdated
| // If user is rootless and no valid systemd user session is present then break early. | ||
| if rootless.IsRootless() { | ||
| if !utils.CheckifSystemdSessionisValid(rootless.GetRootlessUID()) { | ||
| return "", errors.Wrapf(define.ErrInternal, "invalid systemd user session") |
There was a problem hiding this comment.
Can we have a warning instead of hard failure and let runtime handle the failures ?
There was a problem hiding this comment.
Warning is probably better, the configuration could work.
|
@mheon Could you please take a look ? We can also spit a warning instead of explicit failure. |
|
I'm unsure as to whether this is a good idea. We have a lot of people running rootless Podman in cron jobs, systemd units, and other environments that don't have a login session, generally with success. Warning line is a lot better, and we might even want to drop it down to Info level so it's not printed by default, but people will still see it with Also, this shouldn't be for all rootless systems - I think this is Rootless CGv2 + Systemd cgroups driver only. |
|
@mheon Agreed we can suppress this to debug log level as well. |
flouthoc
force-pushed
the
check-valid-systemd-session
branch
2 times, most recently
from
940eeb6 to
a68560e
Compare
utils/utils_supported.go
Outdated
| @@ -101,6 +101,20 @@ func GetCgroupProcess(pid int) (string, error) { | |||
| return getCgroupProcess(fmt.Sprintf("/proc/%d/cgroup", pid)) | |||
| } | |||
|
|
|||
| // CheckifSystemdSessionisValid checks if valid user session ever existsted or not. | |||
| func CheckifSystemdSessionisValid(uid int) bool { | |||
| slicePath := fmt.Sprintf("/sys/fs/cgroup/user.slice/user-%d.slice/user@%d.service", uid, uid) | |||
There was a problem hiding this comment.
does systemd document that it uses always this path and it won't be changed in future?
There was a problem hiding this comment.
Should we define this in containers.conf just in case?
There was a problem hiding this comment.
@giuseppe @TomSweeneyRedHat I checked so systemd doesn't guarantee about this path, although its accepted as a norm in most of cases but in some cases it could also be /sys/fs/cgroup/user.slice/user-1000.slice/session-11.scope. I'll refactor the code and get session details from Dbus instead.
There was a problem hiding this comment.
@giuseppe @TomSweeneyRedHat Made changes instead of doing a stat on a static path we are now verifying valid systemd session for rootless user using d-bus interface of systemd-logind following method is guaranteed by systemd.
flouthoc
force-pushed
the
check-valid-systemd-session
branch
2 times, most recently
from
33557c4 to
91ba60a
Compare
flouthoc
changed the title
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
91ba60a to
faded89
Compare
openshift-ci
bot
added
the
approved
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
faded89 to
b5faabd
Compare
libpod/runtime.go
Outdated
| if runtime.config.Engine.CgroupManager == config.SystemdCgroupsManager { | ||
| unified, _ := cgroups.IsCgroup2UnifiedMode() | ||
| if unified && rootless.IsRootless() && !utils.CheckifSystemdSessionisValid(rootless.GetRootlessUID()) { | ||
| logrus.Infof("Invalid systemd user session for current user") |
There was a problem hiding this comment.
This should be higher the Infof, most likely Warning.
Info does not show by default, so likely no one will see this.
There was a problem hiding this comment.
@rhatdan changed to warning instead :)
flouthoc
force-pushed
the
check-valid-systemd-session
branch
2 times, most recently
from
86add8d to
1a698bf
Compare
utils/utils_supported.go
Outdated
| @@ -101,6 +101,72 @@ func GetCgroupProcess(pid int) (string, error) { | |||
| return getCgroupProcess(fmt.Sprintf("/proc/%d/cgroup", pid)) | |||
| } | |||
|
|
|||
| // CheckifSystemdSessionisValid checks if sessions is valid for provided rootless uid. | |||
| func CheckifSystemdSessionisValid(uid int) bool { | |||
There was a problem hiding this comment.
You must like to type. How about
IsSystemdSessionValid()
ValidSystemdSession()
There is a pkg/systemd, would this make more sense under there. Then you could have
systemd.IsSessionValid()
There was a problem hiding this comment.
Sure I'll do that.
There was a problem hiding this comment.
@rhatdan this is implemented in latest commit.
flouthoc
force-pushed
the
check-valid-systemd-session
branch
2 times, most recently
from
76c9c58 to
37597a3
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc, giuseppe, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
37597a3 to
6b0d131
Compare
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
6b0d131 to
f3b58bc
Compare
|
@rhatdan added |
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
f3b58bc to
9d8fac6
Compare
…on is not present. [NO TESTS NEEDED] Signed-off-by: flouthoc <[email protected]>
flouthoc
force-pushed
the
check-valid-systemd-session
branch
from
9d8fac6 to
e7ee15f
Compare
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
If podman is invoked with cgroup manager as
systemdand user isrootless, podman should fail early if no valid session is present.Problem:
Currently following scenario is handled by runtimes. Idea is to make experience more seamless for users with appropriate failures at manager level.
PS: We can also just spit a warning instead of strict failure.
Closes: #11197