author | cdoern <cdoern@redhat.com> | 2022-01-13 10:43:24 -0500 |
---|---|---|
committer | cdoern <cdoern@redhat.com> | 2022-01-13 14:03:51 -0500 |
commit | 6996830104afca5926daecc05d9154a0a9eb274d (patch) | |
tree | 006755309d1dfd265411390c08f1ddc9900cc76a | |
parent | e98058a3cf4f5ba4cd2d37dfdb2a0951b9aa9730 (diff) | |
Prohibit --uid/gid map and --pod for container create/run
add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map
if entering or creating a pod that has an infra container
resolves #12669
Signed-off-by: cdoern <cdoern@redhat.com>
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 3 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 10 | ||||
-rw-r--r-- | test/e2e/create_test.go | 13 |
4 files changed, 28 insertions, 2 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index e3647b194..dd79a8d74 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -365,6 +365,8 @@ GID map for the user namespace. Using this flag will run the container with user The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` +Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. + #### **--group-add**=*group|keep-groups* Add additional groups to assign to primary user running within the container process. @@ -1166,6 +1168,7 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`. +Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod. #### **--ulimit**=*option* diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index b98e563ef..80652fcdf 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md 
@@ -407,6 +407,8 @@ Meaning **groupname** is initially mapped to gid **100000** which is referenced above: The group **groupname** is mapped to group **100000** of the initial namespace then the **30000**st id of this namespace (which is gid 130000 in this namespace) is mapped to container namespace group id **0**. (groupname -> 100000 / 30000 -> 0) +Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. + #### **--group-add**=*group|keep-groups* Add additional groups to assign to primary user running within the container process. @@ -1241,6 +1243,8 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman run --uidmap $container_uid:0:1 --user $container_uid ...`. +Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod. + #### **--ulimit**=*option* Ulimit options. You can use **host** to copy the current configuration from the host. diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index a2bc37e34..9d4c47cc3 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go 
@@ -193,8 +193,14 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 // This wipes the UserNS settings that get set from the infra container
 // when we are inheritting from the pod. So only apply this if the container
 // is not being created in a pod.
- if s.IDMappings != nil && pod == nil {
- toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ if s.IDMappings != nil {
+ if pod == nil {
+ toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ } else {
+ if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
+ return nil, errors.Wrapf(define.ErrInvalidArg, "cannot specify a new uid/gid map when entering a pod with an infra container")
+ }
+ }
 }
 if s.User != "" {
 toReturn = append(toReturn, libpod.WithUser(s.User))
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
index 9126303cd..a482c0068 100644
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -693,4 +693,17 @@ var _ = Describe("Podman create", func() {
 Expect(idata[0].Os).To(Equal(runtime.GOOS))
 Expect(idata[0].Architecture).To(Equal("arm64"))
 })
+
+ It("podman create --uid/gidmap --pod conflict test", func() {
+ create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).ShouldNot(Exit(0))
+ Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+ create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).ShouldNot(Exit(0))
+ Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+ })
 }) |
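Review bot: When the container joins a pod that has no infra container, the new else branch neither applies s.IDMappings nor rejects it, so a user-requested uid/gid mapping is silently dropped and the container ends up with whatever namespace configuration the pod path gives it; the old condition had the same gap, but now that the infra case errors out, the no-infra case deserves either the same rejection or an explicit comment such as `// Pod without infra: per-container mappings are intentionally ignored here`. The check also only inspects UIDMap and GIDMap, so if IDMappings carries other per-container userns settings (an auto-userns option, for instance) they would still pass through — worth confirming against the IDMappings type. As a point of style, the `else { if … }` nesting collapses to `} else if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {`, which keeps the rejection at the same depth as the apply branch. namespaceOptions begins and ends outside this hunk.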
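Review bot: Both cases in the new It block use `--pod new:…`, which creates the pod together with its infra container, so neither the join-an-existing-pod path nor the pod-without-infra path (where the mapping is ignored rather than rejected) is exercised. A third case that first creates a pod without an infra container and then runs `create --uidmap 0:1000:1000 --pod <that pod>` would pin down whichever behaviour is intended for that branch, and asserting the outcome there is the only way to notice if a mapping is being silently dropped. The two pods created here (testing123, testing1234) are also never removed inside the test; if the suite's per-test cleanup does not already delete pods, a teardown keeps runs hermetic.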