summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-02-06 20:28:15 +0100
committerGitHub <noreply@github.com>2019-02-06 20:28:15 +0100
commit9644802cd7e860aa876559cfa6e574030abada54 (patch)
treeb5e4f94d5a91d3ac20eef5c6520fe059b360b84d
parentaa6284367083dd5e3d383179fe42350e3d2b777c (diff)
parente2970ea62d17ca98a3954c581523b8fa00a67bea (diff)
downloadpodman-9644802cd7e860aa876559cfa6e574030abada54.tar.gz
podman-9644802cd7e860aa876559cfa6e574030abada54.tar.bz2
podman-9644802cd7e860aa876559cfa6e574030abada54.zip
Merge pull request #2279 from giuseppe/pts-no-override-if-not-needed
rootless: do not override /dev/pts if not needed
-rw-r--r--pkg/spec/spec.go34
1 files changed, 27 insertions, 7 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 46105af4a..76b8963ff 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -9,6 +9,7 @@ import (
"github.com/containers/storage/pkg/mount"
"github.com/docker/docker/daemon/caps"
"github.com/docker/go-units"
+ "github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
@@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M
return configMount
}
+func getAvailableGids() (int64, error) {
+ idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
+ if err != nil {
+ return 0, err
+ }
+ count := int64(0)
+ for _, r := range idMap {
+ count += r.Count
+ }
+ return count, nil
+}
+
// CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec
func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
cgroupPerm := "ro"
@@ -91,14 +104,21 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
g.AddMount(sysMnt)
}
if isRootless {
- g.RemoveMount("/dev/pts")
- devPts := spec.Mount{
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ nGids, err := getAvailableGids()
+ if err != nil {
+ return nil, err
+ }
+ if nGids < 5 {
+ // If we have no GID mappings, the gid=5 default option would fail, so drop it.
+ g.RemoveMount("/dev/pts")
+ devPts := spec.Mount{
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ }
+ g.AddMount(devPts)
}
- g.AddMount(devPts)
}
if inUserNS && config.IpcMode.IsHost() {
g.RemoveMount("/dev/mqueue")