Merge pull request #18347 from TomSweeneyRedHat/dev/tsweeney/4.4.1-preexec

edsantiago · web-flow · commit aa5db476a828 · 2023-04-26T10:30:23.000-06:00
[v4.4.1-rhel] Add file switch for pre-exec hooks
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
@@ -263,6 +263,13 @@ do_preexec_hooks_dir (const char *dir, char **argv, int argc)
 static void
 do_preexec_hooks (char **argv, int argc)
 {
+  // Access the preexec_hooks_dir indicator file
+  // return without processing if the file doesn't exist
+  char preexec_hooks_path[] = "/etc/containers/podman_preexec_hooks.txt";
+  if (access(preexec_hooks_path, F_OK) != 0) {
+    return;
+  }
+
   char *preexec_hooks = getenv ("PODMAN_PREEXEC_HOOKS_DIR");
   do_preexec_hooks_dir (LIBEXECPODMAN "/pre-exec-hooks", argv, argc);
   do_preexec_hooks_dir (ETC_PREEXEC_HOOKS, argv, argc);
diff --git a/test/system/950-preexec-hooks.bats b/test/system/950-preexec-hooks.bats
@@ -6,15 +6,39 @@
 load helpers
 load helpers.network
 
+# The existence of this file allows preexec hooks to run.
+preexec_hook_ok_file=/etc/containers/podman_preexec_hooks.txt
+
 function setup() {
     basic_setup
 }
 
 function teardown() {
+    if [[ -n "$preexec_hook_ok_file" ]]; then
+        sudo -n rm -f $preexec_hook_ok_file || true
+    fi
+
     basic_teardown
 }
 
 @test "podman preexec hook" {
+    # This file does not exist on any CI system nor any developer system
+    # nor actually anywhere in the universe except a small small set of
+    # places with very specific requirements. If we find this file on
+    # our test system, it could be a leftover from prior testing, or
+    # basically just something very weird. So, fail loudly if we see it.
+    # No podman developer ever wants this file to exist.
+    if [[ -e $preexec_hook_ok_file ]]; then
+        # Unset the variable, so we don't delete it in teardown
+        msg="File already exists (it should not): $preexec_hook_ok_file"
+        preexec_hook_ok_file=
+
+        die "$msg"
+    fi
+
+    # Good. File does not exist. Now see if we can TEMPORARILY create it.
+    sudo -n touch $preexec_hook_ok_file || skip "test requires sudo"
+
     preexec_hook_dir=$PODMAN_TMPDIR/auth
     mkdir -p $preexec_hook_dir
     preexec_hook_script=$preexec_hook_dir/pull_check.sh
@@ -29,5 +53,10 @@ EOF
     chmod +x $preexec_hook_script
 
     PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 42 pull foobar
-    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 pull barfoo
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 version
+
+    sudo -n rm -f $preexec_hook_ok_file || true
+
+    # no hooks-ok file, everything should now work again (HOOKS_DIR is ignored)
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman version
 }
