From d5cfadd8993d1ddab3bcb1e5476195fe3573a425 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 1 Jan 2015 15:41:31 -0400
Subject: Detect #774376 and refuse to use docker if the system is so broken that docker exec doesn't enter a chroot.
---
 src/Propellor/Property/Docker.hs | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
(limited to 'src/Propellor/Property')
diff --git a/src/Propellor/Property/Docker.hs b/src/Propellor/Property/Docker.hs
index 02bda2e9..eb0d8ec5 100644
--- a/src/Propellor/Property/Docker.hs
+++ b/src/Propellor/Property/Docker.hs
@@ -351,29 +351,44 @@ runningContainer cid@(ContainerId hn cn) image runps = containerDesc cid $ prope
 -- Check if the ident has changed; if so the
 -- parameters of the container differ and it must
 -- be restarted.
- checkident runningident
+ checkident (Right runningident)
 | runningident == Just ident = noChange
 | otherwise = do
 void $ liftIO $ stopContainer cid
 restartcontainer
+ checkident (Left errmsg) = do
+ warningMessage errmsg
+ return FailedChange
 
 restartcontainer = do
 oldimage <- liftIO $ fromMaybe image <$> commitContainer cid
 void $ liftIO $ removeContainer cid
 go oldimage
 
- getrunningident = readish
- <$> readProcess' (inContainerProcess cid [] ["cat", propellorIdent])
+ getrunningident = withTmpFile "dockerrunsane" $ \t h -> do
+ -- detect #774376 which caused docker exec to not enter
+ -- the container namespace, and be able to access files
+ -- outside
+ hClose h
+ void . checkSuccessProcess . processHandle =<<
+ createProcess (inContainerProcess cid []
+ ["rm", "-f", t])
+ ifM (doesFileExist t)
+ ( Right . readish <$>
+ readProcess' (inContainerProcess cid []
+ ["cat", propellorIdent])
+ , return $ Left "docker exec failed to enter chroot properly (maybe an old kernel version?)"
+ )
 
- retry :: Int -> IO (Maybe a) -> IO (Maybe a)
- retry 0 _ = return Nothing
+ retry :: Int -> IO (Either e (Maybe a)) -> IO (Either e (Maybe a))
+ retry 0 _ = return (Right Nothing)
 retry n a = do
 v <- a
 case v of
- Just _ -> return v
- Nothing -> do
- threadDelaySeconds (Seconds 1)
+ Right Nothing -> do
+ threadDelaySeconds (Seconds 1)
 retry (n-1) a
+ _ -> return v
 
 go img = do
 liftIO $ do
-- 
cgit v1.2.3
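Review bot: The isolation probe in the new getrunningident is fail-open: the exit status of the `rm -f` exec is discarded by `void . checkSuccessProcess`, so a `docker exec` that never ran its command at all (container not yet up, daemon error) leaves the host-side temp file in place and is read as "exec stayed inside the container", after which the code proceeds to the `cat` exactly as before. Binding the result and treating a failed probe as inconclusive keeps the retry path in charge, e.g. `ok <- checkSuccessProcess . processHandle =<< createProcess (inContainerProcess cid [] ["rm", "-f", t])` followed by `if not ok then return (Right Nothing) else ifM (doesFileExist t) (...) (...)`. On a healthy host this presumably matches the old net effect, since `readish` of a failed `cat` already yields `Nothing` and is retried, so only the inconclusive case changes. The enclosing runningContainer definition starts before this hunk and continues after it.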