Merge pull request containers#4139 from giuseppe/fix-segfault-missing…

…-slirp4netns networking: fix segfault when slirp4netns is missing
giuseppe · Oct 1, 2019 · 7a56963 · 7a56963
2 parents 4fe49f5 + ec940b0
commit 7a56963
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
@@ -622,6 +622,10 @@ func (c *Container) refresh() error {
 		return err
 	}
 
+	if rootless.IsRootless() {
+		return nil
+	}
+
 	return c.refreshCNI()
 }
 

diff --git a/libpod/oci_internal_linux.go b/libpod/oci_internal_linux.go
@@ -137,8 +137,12 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Containe
 				return errors.Wrapf(err, "failed to create rootless network sync pipe")
 			}
 		} else {
-			defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncR)
-			defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncW)
+			if ctr.rootlessSlirpSyncR != nil {
+				defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncR)
+			}
+			if ctr.rootlessSlirpSyncW != nil {
+				defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncW)
+			}
 		}
 		// Leak one end in conmon, the other one will be leaked into slirp4netns
 		cmd.ExtraFiles = append(cmd.ExtraFiles, ctr.rootlessSlirpSyncW)

diff --git a/pkg/netns/netns_linux.go b/pkg/netns/netns_linux.go
@@ -126,9 +126,12 @@ func NewNS() (ns.NetNS, error) {
 		// Don't unlock. By not unlocking, golang will kill the OS thread when the
 		// goroutine is done (for go1.10+)
 
+		threadNsPath := getCurrentThreadNetNSPath()
+
 		var origNS ns.NetNS
-		origNS, err = ns.GetNS(getCurrentThreadNetNSPath())
+		origNS, err = ns.GetNS(threadNsPath)
 		if err != nil {
+			logrus.Warnf("cannot open current network namespace %s: %q", threadNsPath, err)
 			return
 		}
 		defer func() {
@@ -140,21 +143,27 @@ func NewNS() (ns.NetNS, error) {
 		// create a new netns on the current thread
 		err = unix.Unshare(unix.CLONE_NEWNET)
 		if err != nil {
+			logrus.Warnf("cannot create a new network namespace: %q", err)
 			return
 		}
 
 		// Put this thread back to the orig ns, since it might get reused (pre go1.10)
 		defer func() {
 			if err := origNS.Set(); err != nil {
-				logrus.Warnf("unable to set namespace: %q", err)
+				if rootless.IsRootless() && strings.Contains(err.Error(), "operation not permitted") {
+					// When running in rootless mode it will fail to re-join
+					// the network namespace owned by root on the host.
+					return
+				}
+				logrus.Warnf("unable to reset namespace: %q", err)
 			}
 		}()
 
 		// bind mount the netns from the current thread (from /proc) onto the
 		// mount point. This causes the namespace to persist, even when there
 		// are no threads in the ns. Make this a shared mount; it needs to be
 		// back-propogated to the host
-		err = unix.Mount(getCurrentThreadNetNSPath(), nsPath, "none", unix.MS_BIND|unix.MS_SHARED|unix.MS_REC, "")
+		err = unix.Mount(threadNsPath, nsPath, "none", unix.MS_BIND|unix.MS_SHARED|unix.MS_REC, "")
 		if err != nil {
 			err = fmt.Errorf("failed to bind mount ns at %s: %v", nsPath, err)
 		}