fix: Clarify error message for podman restore without --tcp-established

[simek-m]

Newer versions of crun use show_criu_log() to report errors from CRIU and output multiple
error lines. It lead to a confusing behavior in readConmonPipeData() in Podman, because
the JSON Unmarshal() failed to parse multiple JSON objects over multiple lines. When podman restore was used without --tcp-established or --tcp-close, a confusing error message:

Error: crun: (00.022418) Error (criu/cgroup.c:1970): cg: cgroupd: recv req error: No such file or directory: OCI runtime attempted to invoke a command that was not found

was output, instead of the former:

crun: CRIU restoring failed -52.

In this PR, I parse all errors from the log and try to match
"Connected TCP socket in image". If found,
a clear error message is returned:

checkpoint contains established TCP connections, restore requires --tcp-established or --tcp-close: OCI runtime error

For other error messages, the existing behavior is retained. Tests were updated with the changed error message.

Steps to reproduce:

podman run -d --name server quay.io/libpod/testimage:20221018 nc -lp 8888
serverIP=`podman inspect server --format {{.NetworkSettings.IPAddress}}`
podman run -d -i --name client quay.io/libpod/testimage:20221018 nc $serverIP 8888
podman container checkpoint --tcp-established server
podman container restore server

Fixes: https://redhat.atlassian.net/browse/RHEL-186005

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

• Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
  commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
  the sign-off email address. See CONTRIBUTING.md
  for more information.
• Referenced issues using Fixes: #00000 in commit message (if applicable)
• Tests have been added/updated (or no tests are needed)
• Documentation has been updated (or no documentation changes are needed)
• All commits pass make validatepr (format/lint checks)
• Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

If `podman restore` is used without with a checkpoint containing established TCP connections and without the flags --tcp-established or --tcp-close, the error message "checkpoint contains established TCP connections, restore requires --tcp-established or --tcp-close: OCI runtime error" is returned.

[mheon]

Do these work with both runc and crun?

[Luap99]

that does not seem maintainable, we should not make assumptions about the error text from crun or criu, it changes often enough. Sure the tests depend on it to some extend but we should not make the code depend, i.e. this may not work for another runtime.

It would be better to work with crun and criu to produce better errors to begin with.

[simek-m]

@mheon

Do these work with both runc and crun?

Yes, it should work the same with both.

[root@lima-default]~# podman container restore server
Error: OCI runtime error: checkpoint contains established TCP connections, restore requires --tcp-established or --tcp-close

[root@lima-default]~# podman info --format '{{.Host.OCIRuntime.Name}}'
runc

It's a CRIU error being matched.

@Luap99

that does not seem maintainable, we should not make assumptions about the error text from crun or criu, it changes often enough. Sure the tests depend on it to some extend but we should not make the code depend, i.e. this may not work for another runtime.

It would be better to work with crun and criu to produce better errors to begin with.

I agree, but that's exactly what caused this bug report.
Not only the tests depend on the error output, but there's getOCIRuntimeError() that tries to match the error text and return a corresponding Podman error based on that. Because of changes in the crun output, the cg: cgroupd: recv req error: No such file or directory error was incorrectly converted to OCI runtime attempted to invoke a command that was not found by this regex and the fact that other error lines from CRIU were swallowed by the buggy JSON Unmarshal not handling multiple objects:

if match := regexp.MustCompile("(?i).*executable file not found in.*|.*no such file or directory.*|.*open executable.*").FindString(runtimeMsg); match != "" {
	errStr := match
	if includeFullOutput {
		errStr = runtimeMsg
	}
	return fmt.Errorf("%s: %s: %w", name, strings.Trim(errStr, "\n"), define.ErrOCIRuntimeNotFound)
}

Unfortunately, there's AFAIK no specific error code returned by crun or CRIU in this case that could be used and that might not be stable either.

Alternatively, the whole error output from crun could be shown to the user, or there can be no change at all - it still works as documented.

But in my opinion and from the perspective of a user, I'd like to see a helpful error message in this case, even though it's documented in https://docs.podman.io/en/latest/markdown/podman-container-restore.1.html#tcp-established