diff --git a/common/src/container.rs b/common/src/container.rs
deleted file mode 100644
index 165f768..0000000
--- a/common/src/container.rs
+++ /dev/null
@@ -1,83 +0,0 @@
-//
-// Copyright (c) 2023 SUSE Software Solutions Germany GmbH
-//
-// This file is part of flake-pilot
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-// SOFTWARE.
-//
-extern crate ini;
-
-use crate::defaults;
-use crate::flakelog::FlakeLog;
-use crate::error::FlakeError;
-use crate::user::User;
-use crate::command::CommandExtTrait;
-use uzers::{get_current_uid, get_current_gid};
-
-#[derive(Debug, Default, Clone, Copy)]
-pub struct Container {
-}
-
-impl Container {
- pub fn podman_setup_permissions(
- usermode: bool
- ) -> Result<(), FlakeError> {
- if ! usermode {
- let root = User::from("root");
- let user_id = get_current_uid();
- let user_gid = get_current_gid();
- let chown_param = format!("{user_id}:{user_gid}");
-
- // This is an expensive operation
- let mut fix_storage = root.run("chown");
- fix_storage.arg("-R")
- .arg(chown_param.clone())
- .arg(defaults::FLAKES_REGISTRY);
- FlakeLog::debug(
- &format!("{:?} {:?}", fix_storage.get_program(), fix_storage.get_args())
- );
- fix_storage.perform()?;
-
- let _ = Self::podman_setup_run_permissions(usermode);
- }
- Ok(())
- }
-
- pub fn podman_setup_run_permissions(
- usermode: bool
- ) -> Result<(), FlakeError> {
- if ! usermode {
- let root = User::from("root");
- let user_id = get_current_uid();
- let user_gid = get_current_gid();
- let chown_param = format!("{user_id}:{user_gid}");
-
- let mut fix_run_storage = root.run("chown");
- fix_run_storage.arg("-R")
- .arg(chown_param)
- .arg("/run/libpod")
- .arg(defaults::FLAKES_REGISTRY_RUNROOT);
- FlakeLog::debug(
- &format!("{:?} {:?}", fix_run_storage.get_program(), fix_run_storage.get_args())
- );
- fix_run_storage.perform()?;
- }
- Ok(())
- }
-}
diff --git a/common/src/lib.rs b/common/src/lib.rs
index dc8d4d9..efa9cd8 100644
--- a/common/src/lib.rs
+++ b/common/src/lib.rs
@@ -33,4 +33,3 @@ pub mod config;
 pub mod flakelog;
 pub mod defaults;
 pub mod io;
-pub mod container;
diff --git a/flake-ctl/src/podman.rs b/flake-ctl/src/podman.rs
index f97db1d..9b32faa 100644
--- a/flake-ctl/src/podman.rs
+++ b/flake-ctl/src/podman.rs
@@ -29,7 +29,6 @@ use std::process::Command;
 use glob::glob;
 use crate::defaults;
 use crate::{app, app_config};
-use flakes::container::Container;
 use flakes::config::get_flakes_dir;
 use flakes::config::get_podman_storage_conf;
 use flakes::config::read_storage_conf;
@@ -49,12 +48,10 @@ pub fn pull(uri: &String, usermode: bool) -> i32 {
 if status.success() {
 status
 } else {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 }
 Err(_) => {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 };
@@ -97,12 +94,10 @@ pub fn load(oci: &String, usermode: bool) -> i32 {
 if status.success() {
 status
 } else {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 }
 Err(_) => {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 };
@@ -139,12 +134,10 @@ pub fn rm(container: &String, usermode: bool) {
 if ! status.success() {
 status
 } else {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 }
 Err(_) => {
- let _ = Container::podman_setup_permissions(usermode);
 call.status().unwrap()
 }
 };
@@ -167,7 +160,6 @@ pub fn mount_container(container_name: &str) -> String {
 output
 }
 Err(_) => {
- let _ = Container::podman_setup_permissions(false);
 call.output().unwrap()
 }
 };
@@ -195,7 +187,6 @@ pub fn umount_container(container_name: &str) -> i32 {
 output
 }
 Err(_) => {
- let _ = Container::podman_setup_permissions(false);
 call.output().unwrap()
 }
 };
diff --git a/podman-pilot/src/podman.rs b/podman-pilot/src/podman.rs
index 69f7dc3..411abf9 100644
--- a/podman-pilot/src/podman.rs
+++ b/podman-pilot/src/podman.rs
@@ -34,7 +34,6 @@ use flakes::lookup::Lookup;
 use flakes::io::IO;
 use flakes::error::FlakeError;
 use flakes::command::{CommandError, CommandExtTrait};
-use flakes::container::Container;
 use flakes::config::get_podman_ids_dir;
 use flakes::config::read_storage_conf;
 
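Review bot: With the permission repair removed, the `else` and `Err(_)` arms of the pull hunk simply run the identical `podman pull` a second time and `unwrap()` its status, so a failure that was never a storage-permission problem now costs a full second pull, and a spawn error in the `Err(_)` arm panics the caller on the retry instead of being reported. Unless there is another reason to expect the second attempt to succeed, reduce the match to a single attempt, e.g. `Ok(status) => status,` plus an `Err(error)` arm that reports the spawn error instead of calling `call.status().unwrap()` again. The same retry-without-fix shape is left in the load, rm, mount_container and umount_container hunks that follow. The enclosing `match call.status()` and the function bodies begin outside these hunks.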
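Review bot: In the rm hunk the retry condition is inverted relative to pull and load: `if ! status.success() { status } else { call.status().unwrap() }` returns the failing status but re-runs `podman rm` after a successful removal, and now that no permission fix sits between the two calls the second invocation is a plain duplicate that will report the container as already gone. Either align it with the other two hunks, `if status.success() { status } else { call.status().unwrap() }`, or better, make a single call as suggested for pull. The body of rm starts outside the hunk, so whether the resulting status is used by callers cannot be seen here.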
@@ -201,13 +200,9 @@ pub fn create( // Make sure CID dir exists init_cid_dir(user)?; - if ! usermode { - let _ = Container::podman_setup_run_permissions(false); - } - // Check early return condition in resume mode if Path::new(&container_cid_file).exists() && - gc_cid_file(&container_cid_file, user)? && (resume || attach) { + gc_cid_file(&container_cid_file)? && (resume || attach) { // resume or attach mode is active and container exists // report ID value and its ID file name let cid = fs::read_to_string(&container_cid_file)?; @@ -331,17 +326,7 @@ fn run_podman_creation( output } Err(error) => { - let error_pattern = Regex::new( - r".*(not permitted|permission denied).*" - ).unwrap(); - if error_pattern.captures(&format!("{:?}", error.base)).is_some() - && user.get_name() == "root" - { - // On permission error, fix permissions and try again - // This is an expensive operation depending on the storage size - let _ = Container::podman_setup_permissions(false); - app.perform()? - } else if resume { + if resume { // Cleanup potentially left over container instance from an // inconsistent state, e.g powerfail if Lookup::is_debug() { @@ -352,7 +337,7 @@ fn run_podman_creation( &format!("{:?}", error.base) ) { let cid = captures.get(1).unwrap().as_str(); - call_instance("rm_force", cid, "none", user)?; + call_instance("rm_force", cid, "none")?; } app.perform()? } else { @@ -386,7 +371,7 @@ fn run_podman_creation( mount_point }, Err(error) => { - call_instance("rm", &cid, "none", user)?; + call_instance("rm", &cid, "none")?; return Err(error); } }; @@ -497,7 +482,7 @@ fn run_podman_creation( } if let Some(provisioning_failed) = provisioning_failed { - call_instance("rm", &cid, "none", user)?; + call_instance("rm", &cid, "none")?; return Err(provisioning_failed); } 
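Review bot: `usermode` no longer has a use inside the create hunk now that the `if ! usermode { ... }` block is gone; if the rest of the function (outside the hunk) does not read it either, rustc will warn about an unused parameter and the flag silently stops meaning anything to callers while still being part of the signature. Either thread it into the remaining podman setup or mark it `_usermode` with a short note such as `// usermode is no longer consulted in create; kept for signature compatibility` once confirmed. The signature of create and the remainder of its body are outside the hunk.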
@@ -508,42 +493,35 @@ pub fn start(program_name: &str, cid: &str) -> Result<(), FlakeError> { /*! Start container with the given container ID !*/ - let RuntimeSection { runas, resume, attach, .. } = config().runtime(); + let RuntimeSection { resume, attach, .. } = config().runtime(); let pilot_options = Lookup::get_pilot_run_options(); - let calling_user_name = get_current_username().unwrap(); - let user = if runas != "root" { - User::from(calling_user_name.to_str().unwrap()) - } else { - User::from("root") - }; - - let is_running = container_running(cid, user)?; - let is_created = container_exists(cid, user)?; + let is_running = container_running(cid)?; + let is_created = container_exists(cid)?; let mut is_removed = false; if is_running { if attach { // 1. Attach to running container - call_instance("attach", cid, program_name, user)?; + call_instance("attach", cid, program_name)?; } else { // 2. Execute app in running container - call_instance("exec", cid, program_name, user)?; + call_instance("exec", cid, program_name)?; } } else if resume { // 3. Startup resume type container and execute app - call_instance("start", cid, program_name, user)?; - call_instance("exec", cid, program_name, user)?; + call_instance("start", cid, program_name)?; + call_instance("exec", cid, program_name)?; } else { // 4. Startup container - call_instance("start", cid, program_name, user)?; + call_instance("start", cid, program_name)?; if ! attach || ! is_created { - call_instance("rm_force", cid, program_name, user)?; + call_instance("rm_force", cid, program_name)?; is_removed = true } }; if pilot_options.contains_key("%remove") && ! is_removed { - call_instance("rm_force", cid, program_name, user)?; + call_instance("rm_force", cid, program_name)?; }; Ok(()) } 
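Review bot: `runas` is no longer read in start, so nothing in this function chooses the identity under which `call_instance`, `container_running` and `container_exists` execute; they now run with whatever identity the pilot process already has. If `setup_podman_call` (outside this hunk) still honours `runas`, that is fine, but if it does not, a flake configured with `runas = "root"` and a plain user flake are now handled identically here, which is a privilege-relevant change that deserves a line such as `// identity selection (runas) is handled by setup_podman_call, not here` once confirmed. With the `get_current_username().unwrap()` line removed, that import and `User` may also be unused in this file now.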
@@ -560,7 +538,7 @@ pub fn get_target_app_path(program_name: &str) -> String { } pub fn call_instance( - action: &str, cid: &str, program_name: &str, user: User + action: &str, cid: &str, program_name: &str ) -> Result<(), FlakeError> { /*! Call container ID based podman commands @@ -606,19 +584,9 @@ pub fn call_instance( } if interactive || atty::is(Stream::Stdout) { call.status()?; - } else { - match call.output() { - Ok(output) => { - let _ = io::stdout().write_all(&output.stdout); - let _ = io::stderr().write_all(&output.stderr); - }, - Err(_) => { - if user.get_name() == "root" { - let _ = Container::podman_setup_permissions(false); - call.output()?; - } - } - }; + } else if let Ok(output) = call.output() { + let _ = io::stdout().write_all(&output.stdout); + let _ = io::stderr().write_all(&output.stderr); } Ok(()) } @@ -629,9 +597,8 @@ pub fn mount_container( /*! Mount container and return mount point !*/ - let root_user = User::from("root"); - if as_image && ! container_image_exists(container_name, root_user)? { - pull(container_name, root_user)?; + if as_image && ! container_image_exists(container_name)? { + pull(container_name)?; } let mut call = setup_podman_call(false); if as_image { @@ -739,7 +706,7 @@ pub fn init_cid_dir(user: User) -> Result<(), FlakeError> { Ok(()) } -pub fn container_exists(cid: &str, user: User) -> Result { +pub fn container_exists(cid: &str) -> Result { /*! Check if container exists according to the specified cid !*/ 
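Review bot: The non-interactive branch in the call_instance hunk now swallows a failed spawn: `} else if let Ok(output) = call.output() {` falls through to `Ok(())` when `call.output()` returns `Err`, so a podman binary that cannot be executed is reported as success to start(), and `output.status` of a successful spawn is still never inspected. Propagate the error instead, e.g. `} else { let output = call.output()?; let _ = io::stdout().write_all(&output.stdout); let _ = io::stderr().write_all(&output.stderr); }` — the interactive branch already uses `call.status()?`, so the same conversion should apply — and consider returning an error when `! output.status.success()` so that `rm_force` and `exec` failures become visible. The head of call_instance and the option handling before this branch are outside the hunk.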
@@ -752,19 +719,6 @@ pub fn container_exists(cid: &str, user: User) -> Result { } let output = match exists.output() { Ok(output) => { - if ! output.status.success() { - let error_pattern = Regex::new( - r".*(not permitted|permission denied).*" - ).unwrap(); - if error_pattern.captures(&format!("{output:?}")).is_some() { - // On permission error, fix permissions and try again. This - // is an expensive operation depending on the storage size - if user.get_name() == "root" { - let _ = Container::podman_setup_permissions(false); - exists.output()?; - } - } - }; output } Err(error) => { @@ -782,9 +736,7 @@ pub fn container_exists(cid: &str, user: User) -> Result { Ok(false) } -pub fn container_image_exists( - name: &str, user: User -) -> Result { +pub fn container_image_exists(name: &str) -> Result { /*! Check if container image is present in local registry !*/ @@ -797,19 +749,6 @@ pub fn container_image_exists( } let output: Output = match exists.output() { Ok(output) => { - if ! output.status.success() { - let error_pattern = Regex::new( - r".*(not permitted|permission denied).*" - ).unwrap(); - if error_pattern.captures(&format!("{output:?}")).is_some() { - // On permission error, fix permissions and try again. This - // is an expensive operation depending on the storage size - if user.get_name() == "root" { - let _ = Container::podman_setup_permissions(false); - exists.output()?; - } - } - }; output } Err(error) => { @@ -827,7 +766,7 @@ pub fn container_image_exists( Ok(false) } -pub fn container_running(cid: &str, user: User) -> Result { +pub fn container_running(cid: &str) -> Result { /*! Check if container with specified cid is running !*/ 
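Review bot: After this removal container_exists passes a non-success `output` straight through: the only thing the deleted block did on `! output.status.success()` was retry, and now nothing distinguishes "podman reported no such container" from "podman failed to run" (permission denied, locked storage). Whatever the rest of the function (outside the hunk) does with `output.stdout` most likely ends in `Ok(false)`, and gc_cid_file deletes the CID file on that answer, orphaning a container that is still present. Add a guard before using the output, e.g. `if ! output.status.success() { return Err(/* command failure */) }`, in the spirit of how container_running now relies on `running.perform()?`; the same applies to the container_image_exists hunk that follows.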
@@ -840,26 +779,7 @@ pub fn container_running(cid: &str, user: User) -> Result { if Lookup::is_debug() { debug!("{:?} {:?}", running.get_program(), running.get_args()); } - let output: Output = match running.perform() { - Ok(output) => { - output - } - Err(error) => { - let error_pattern = Regex::new( - r".*(not permitted|permission denied).*" - ).unwrap(); - if error_pattern.captures(&format!("{:?}", error.base)).is_some() - && user.get_name() == "root" - { - // On permission error, fix permissions and try again. This - // is an expensive operation depending on the storage size - let _ = Container::podman_setup_permissions(false); - running.perform()? - } else { - return Err(error) - } - } - }; + let output = running.perform()?; let mut running_cids = String::new(); running_cids.push_str( &String::from_utf8_lossy(&output.stdout) @@ -873,7 +793,7 @@ pub fn container_running(cid: &str, user: User) -> Result { Ok(running_status) } -pub fn pull(uri: &str, user: User) -> Result<(), FlakeError> { +pub fn pull(uri: &str) -> Result<(), FlakeError> { /*! Call podman pull with the provided uri !*/ @@ -889,17 +809,7 @@ pub fn pull(uri: &str, user: User) -> Result<(), FlakeError> { output } Err(error) => { - let error_pattern = Regex::new( - r".*(not permitted|permission denied).*" - ).unwrap(); - if error_pattern.captures(&format!("{:?}", error.base)).is_some() - && user.get_name() == "root" - { - let _ = Container::podman_setup_permissions(false); - pull.perform()? - } else { - return Err(FlakeError::CommandError(error)) - } + return Err(FlakeError::CommandError(error)) } }; Ok(()) @@ -1001,9 +911,7 @@ pub fn update_removed_files( Ok(()) } -pub fn gc_cid_file( - container_cid_file: &String, user: User -) -> Result { +pub fn gc_cid_file(container_cid_file: &String) -> Result { /*! Check if container exists according to the specified container_cid_file. Garbage cleanup the container_cid_file 
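Review bot: The `Err(error)` arm in the pull hunk now does nothing but `return Err(FlakeError::CommandError(error))`, so the whole `match` is a hand-written `?`, and the `output` it binds appears to be unused, which rustc will flag. The container_running hunk above already relies on `running.perform()?`, so if the same `From<CommandError>` conversion exists, `pull.perform()?;` replaces the match; otherwise `pull.perform().map_err(FlakeError::CommandError)?;` does. The `let output = match pull.perform()` head is outside the hunk.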
@@ -1012,7 +920,7 @@ pub fn gc_cid_file( !*/ let cid = fs::read_to_string(container_cid_file)?; - if container_exists(&cid, user)? { + if container_exists(&cid)? { Ok(true) } else { fs::remove_file(container_cid_file)?; @@ -1046,7 +954,7 @@ pub fn gc(user: User) -> Result<(), FlakeError> { } if cid_file_count > defaults::GC_THRESHOLD { for container_cid_file in cid_file_names { - let _ = gc_cid_file(&container_cid_file, user); + let _ = gc_cid_file(&container_cid_file); } } prune()?;
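Review bot: gc_cid_file unlinks the CID file whenever `container_exists(&cid)?` yields `Ok(false)`, and with the permission retry stripped from container_exists in this commit a podman invocation that merely failed can plausibly come back as "not present" (the stdout parsing that decides this is outside the diff), after which the still-running container can no longer be resumed or attached. Only remove the file when the lookup definitively succeeded: have container_exists return an `Err` on a non-success status so the `?` here skips `fs::remove_file`. Note that the gc callers in the next hunk discard the result with `let _ = gc_cid_file(&container_cid_file);`, so such an error will not surface there either.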