Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pass LISTEN_* environment into container #11316

Merged
merged 1 commit into from
Aug 31, 2021

Conversation

vrothberg
Copy link
Member

@vrothberg vrothberg commented Aug 24, 2021

Make sure that Podman passes the LISTEN_* environment into containers.
Similar to runc, LISTEN_PID is set to 1.

Also remove conditionally passing the LISTEN_FDS as extra files.
The condition was wrong (inverted) and introduced to fix #3572 which
related to running under varlink which has been dropped entirely
with Podman 3.0. Note that the NOTIFY_SOCKET and LISTEN_* variables
are cleared when running system service.

Fixes: #10443
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
Signed-off-by: Valentin Rothberg rothberg@redhat.com

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 24, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 24, 2021
@rhatdan
Copy link
Member

rhatdan commented Aug 24, 2021

LGTM
@giuseppe @flouthoc @Luap99 @mheon PTAL

@rhatdan
Copy link
Member

rhatdan commented Aug 24, 2021

Does socket activation work properly after this?

@vrothberg
Copy link
Member Author

vrothberg commented Aug 24, 2021 via email

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 24, 2021
@TomSweeneyRedHat
Copy link
Member

@vrothberg you have a merge conflict.

@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 25, 2021
@flouthoc
Copy link
Collaborator

LGTM
One doubt @vrothberg @giuseppe crun and runc both preserves FDs but runc explictly sets LISTEN_PID=1 when not specified should we do same in crun implementation instead of podman.

@giuseppe
Copy link
Member

One doubt @vrothberg @giuseppe crun and runc both preserves FDs but runc explictly sets LISTEN_PID=1 when not specified should we do same in crun implementation instead of podman.

we can do that in crun as well, but I think it is still safer to set in Podman as this PR does

@flouthoc
Copy link
Collaborator

@vrothberg @giuseppe sure having this at podman is much safer also added a PR at crun to make sure we maintain behavior parity with runc.

@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 25, 2021
@vrothberg
Copy link
Member Author

@rhatdan, I finally got it working but only without selinux:

time->Wed Aug 25 19:52:35 2021
type=AVC msg=audit(1629913955.973:39584): avc: denied { accept } for pid=583176 comm="systemd-socket-" path="/run/user/1000/testing.sock" scontext=system_u:system_r:container_t:s0:c191,c843tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

Do I need to perform some labeling on the FDs?

@rhatdan
Copy link
Member

rhatdan commented Aug 25, 2021

Are you creating the FDs? If yes, then you need to call label.SetSocketOpt(ProcessLabel) on them before leaking them.

@vrothberg
Copy link
Member Author

/hold
Still facing SELinux issues in local tests.

@vrothberg
Copy link
Member Author

Copy link
Member Author

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@containers/podman-maintainers PTAL

Will work on an improved test once selinux changes made it into Fedora.

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 26, 2021
@TomSweeneyRedHat
Copy link
Member

LGTM once @mheon's concern is addressed

@vrothberg vrothberg force-pushed the fix-10443 branch 3 times, most recently from 7ba166e to ce099b8 Compare August 30, 2021 12:30
@TomSweeneyRedHat
Copy link
Member

Another F34 time out, restarted.

Make sure that Podman passes the LISTEN_* environment into containers.
Similar to runc, LISTEN_PID is set to 1.

Also remove conditionally passing the LISTEN_FDS as extra files.
The condition was wrong (inverted) and introduced to fix containers#3572 which
related to running under varlink which has been dropped entirely
with Podman 3.0.  Note that the NOTIFY_SOCKET and LISTEN_* variables
are cleared when running `system service`.

Fixes: containers#10443
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@mheon
Copy link
Member

mheon commented Aug 31, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 31, 2021
@openshift-merge-robot openshift-merge-robot merged commit f947ea2 into containers:main Aug 31, 2021
@eriksjolund
Copy link
Contributor

eriksjolund commented Aug 31, 2021

When I read this quote from man sd_notify (regarding FDSTORE=1):
Any open sockets and other file descriptors which should not be closed during the restart may be stored this way.
I get the impression that it's not just sockets that could be passed into Podman via LISTEN_FDS because the file descriptors could have been previously stored with FDSTORE=1.

I'm a bit curious what any other file descriptors means. Maybe container-selinux needs to allow all kinds of file descriptors? (I don't know so much about SELINUX so sorry for any confusion on my part)

Taking a look at
containers/container-selinux@v2.165.1...v2.167.0
it seems the change was mostly about unix_stream_socket.

When I find some time for it, I will experiment and see how the socket activation works together with FDSTORE=1 and see whether running with Podman versus running without Podman makes any difference.
(But I have some other projects I will need to attend to first so it will take some time)

@vrothberg
Copy link
Member Author

@eriksjolund, indeed while testing I ran into SELinux issues which @rhatdan has fixed in the meantime.

Feel free to drop a message when you find time to get back.

@vrothberg vrothberg deleted the fix-10443 branch September 1, 2021 06:23
@rhatdan
Copy link
Member

rhatdan commented Sep 1, 2021

@vrothberg I think it is time for us to write a long blog on the integration between Podman and Systemd.

@vrothberg
Copy link
Member Author

@vrothberg I think it is time for us to write a long blog on the integration between Podman and Systemd.

Started one this morning :-) I'll add you after PTO :^)

@rhatdan
Copy link
Member

rhatdan commented Sep 1, 2021

Sadly, I am not on PTO this afternoon (Customer meeting) or tomorrow for devconf.US.

// Force the PID to `1` since we cannot rely on (all
// versions of) all runtimes to do it for us.
if key == "LISTEN_PID" {
val = "1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if the user passed --init, then the main pid will be 2. Who is supposed to rewrite that. For sure catatonit (currently used on e.g. fedora) doesn't do that.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexlarsson This is been fixed in underlying runtime via containers/crun#721 if catatonit sets LISTEN_PID=2 crun will adhere it. We can remove this explicit LISTEN_PID=1 once latest crun is released and vendor-ed into the Podman CI.

However following edge case still remains if OCI runtime is runc this is only fixed for crun. cc @giuseppe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point, @ alexlarsson. I think Podman should set it since we should not (and to a certain degree cannot) rely on the runtimes or inits to do this work.

Mind opening a PR against Podman?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ftr, @giuseppe is fixing catatonit here: openSUSE/catatonit#15

alexlarsson added a commit to alexlarsson/podman that referenced this pull request Oct 25, 2022
This was added in the old quadlet to work around issues with podman
not passing on notify fds and pids. However, these are now fixed with:

containers#11316
openSUSE/catatonit#15

So, remove this key (which was never in a podman release anyway)

Signed-off-by: Alexander Larsson <alexl@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
9 participants