Open ventifus opened 2 weeks ago
ENOENT should not be an error to begin with IMO as this is only a config dir and AFAIK all other tools work fine without a config file in the home dir.
Second the bindings should not really import any of this code I think, at least not github.com/containers/common/pkg/config
Second the bindings should not really import any of this code I think, at least not
github.com/containers/common/pkg/config
This part is the Podman bug, and should be fixed. (IIRC it’s c/podman/pkg/util
importing this — util
packages are always an anti pattern.)
ENOENT should not be an error to begin with IMO as this is only a config dir and AFAIK all other tools work fine without a config file in the home dir.
At least podman machine
is creating files in $XDG_CONFIG_HOME (and/or the fallback). So for podman machine
, we do need the ability to have, or create, a reasonable …ConfigHome
directory.
The situation is a non-root user with a home directory, but not allowed to write into such a home directory. I generally suggest that this is an unreasonable setup to run (the full feature set of) Podman in, and not really worth adding special cases for.
ENOENT should not be an error to begin with IMO as this is only a config dir and AFAIK all other tools work fine without a config file in the home dir.
At least
podman machine
is creating files in $XDG_CONFIG_HOME (and/or the fallback). So forpodman machine
, we do need the ability to have, or create, a reasonable…ConfigHome
directory.
There are two types of callers readers and writers, readers just use this to read a config file so they just join the result to its path and try to open the file which then either fails or not so they have to handle ENOENT errors if these files are optional so stating the dir before is just a waste of a syscall. Writers on the other side have to create a further directories, AFAICT none of other tools would write into .config but rather .config/containers so they must mkdir containers anyway. Now that can fail if they just call Mkdir vs MkdirAll but looking at it it seems they are already use MkdirAll
A function name like GetConfigHome() should just return the path regadless if it does exists or not, it should especially not create the path IMO because this means a command like podman ps creates the dir for no reason whatsoever.
How about we deprecate GetConfigHome() and add ConfigHome() to do what you want, then we move all callers to ConfigHome()?
There are two types of callers readers and writers …
I think that’s all a fair analysis.
The one thing I do care about is that the permission special case remains: if we inherit $XDG_CONFIG_HOME
belonging to a different user account (not owned by us), we must fail, at the very least for writers (because root
writing to other users’ directory can do damage), and I’d prefer that for for readers as well.
How about we deprecate GetConfigHome() and add ConfigHome() to do what you want, then we move all callers to ConfigHome()?
👍 Sounds like a good way to make this change and ensure all aspects are reviewed.
How about we deprecate GetConfigHome() and add ConfigHome() to do what you want, then we move all callers to ConfigHome()?
I would be fine with that as well.
Issue Description
XDG runtime checks should not be performed when only the go bindings are used.
After updating our podman go bindings from 4.9.4 to 5.0.3, our application began failing with the error
We tracked this down to https://github.com/containers/storage/blob/main/pkg/homedir/homedir_unix.go#L120-L123, where the XDG runtime checks are verifying that
$HOME/.config
exists. Our application runs in a container with$HOME
set to/
, and there is no .config, and the runtime non-root user doesn't have permission to create it.Inserting a
debug.PrintStack()
inGetConfigHome()
shows this stack trace:Additional context: https://redhat-internal.slack.com/archives/CBBJY9GSX/p1725040560356209
Steps to reproduce the issue
Steps to reproduce the issue
$HOME=/
or other un-writable directory.Describe the results you received
Program exits with the error
Describe the results you expected
Program runs as expected
podman info output
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting