diff options
author | Aditya Rajan <arajan@redhat.com> | 2021-10-12 16:43:43 +0530 |
---|---|---|
committer | Aditya Rajan <arajan@redhat.com> | 2021-10-19 16:12:07 +0530 |
commit | 9500e11a8f1c3380c0a6a8e6ca01df862c6d640c (patch) | |
tree | 405f12619fb463a77237d28dd15d8495f468a33a | |
parent | e0ffc431fe7f016124fdcb36819698a90fe448a9 (diff) | |
download | podman-9500e11a8f1c3380c0a6a8e6ca01df862c6d640c.tar.gz podman-9500e11a8f1c3380c0a6a8e6ca01df862c6d640c.tar.bz2 podman-9500e11a8f1c3380c0a6a8e6ca01df862c6d640c.zip |
libpod: change mountpoint ownership c.Root when using overlay on top of external rootfs
Allow chainging ownership of mountpoint created on top external overlay
rootfs to support use-cases when custom --uidmap and --gidmap are
specified.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
-rw-r--r-- | libpod/container_internal.go | 23 | ||||
-rw-r--r-- | test/e2e/run_test.go | 12 |
2 files changed, 33 insertions, 2 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 4e8074840..bfed94990 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -17,12 +17,14 @@ import ( "github.com/containers/buildah/copier" "github.com/containers/buildah/pkg/overlay" butil "github.com/containers/buildah/util" + "github.com/containers/common/pkg/chown" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/events" "github.com/containers/podman/v3/pkg/cgroups" "github.com/containers/podman/v3/pkg/ctime" "github.com/containers/podman/v3/pkg/hooks" "github.com/containers/podman/v3/pkg/hooks/exec" + "github.com/containers/podman/v3/pkg/lookup" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/selinux" "github.com/containers/podman/v3/pkg/util" @@ -485,8 +487,12 @@ func (c *Container) setupStorage(ctx context.Context) error { return errors.Wrapf(err, "error creating container storage") } - c.config.IDMappings.UIDMap = containerInfo.UIDMap - c.config.IDMappings.GIDMap = containerInfo.GIDMap + // only reconfig IDMappings if layer was mounted from storage + // if its a external overlay do not reset IDmappings + if !c.config.RootfsOverlay { + c.config.IDMappings.UIDMap = containerInfo.UIDMap + c.config.IDMappings.GIDMap = containerInfo.GIDMap + } processLabel, err := c.processLabel(containerInfo.ProcessLabel) if err != nil { @@ -1515,6 +1521,19 @@ func (c *Container) mountStorage() (_ string, deferredErr error) { } mountPoint = overlayMount.Source + execUser, err := lookup.GetUserGroupInfo(mountPoint, c.config.User, nil) + if err != nil { + return "", err + } + hostUID, hostGID, err := butil.GetHostIDs(util.IDtoolsToRuntimeSpec(c.config.IDMappings.UIDMap), util.IDtoolsToRuntimeSpec(c.config.IDMappings.GIDMap), uint32(execUser.Uid), uint32(execUser.Gid)) + if err != nil { + return "", errors.Wrap(err, "unable to get host UID and host GID") + } + + //note: this should not be recursive, if using external rootfs users should be responsible on configuring ownership. + if err := chown.ChangeHostPathOwnership(mountPoint, false, int(hostUID), int(hostGID)); err != nil { + return "", err + } } if mountPoint == "" { diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index f40d4a749..8502879ff 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -259,6 +259,18 @@ var _ = Describe("Podman run", func() { startsession.WaitWithDefaultTimeout() Expect(startsession).Should(Exit(0)) Expect(startsession.OutputToString()).To(Equal("hello")) + + // remove container for above test overlay-foo + osession = podmanTest.Podman([]string{"rm", "overlay-foo"}) + osession.WaitWithDefaultTimeout() + Expect(osession).Should(Exit(0)) + + // Test --rootfs with an external overlay with --uidmap + osession = podmanTest.Podman([]string{"run", "--uidmap", "0:1000:1000", "--rm", "--security-opt", "label=disable", + "--rootfs", rootfs + ":O", "echo", "hello"}) + osession.WaitWithDefaultTimeout() + Expect(osession).Should(Exit(0)) + Expect(osession.OutputToString()).To(Equal("hello")) }) It("podman run a container with --init", func() { |