summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2022-01-14 14:33:01 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2022-01-17 06:48:54 -0500
commit10d969ff1a15e8f53eb5a2fa7eb8cfb321609b55 (patch)
treefe5be3f9cd57047c393193d467457fcebd1a506a
parentea2656dc8658f99a0e9be2342557763e974513b9 (diff)
downloadpodman-10d969ff1a15e8f53eb5a2fa7eb8cfb321609b55.tar.gz
podman-10d969ff1a15e8f53eb5a2fa7eb8cfb321609b55.tar.bz2
podman-10d969ff1a15e8f53eb5a2fa7eb8cfb321609b55.zip
Use PODMAN_USERNS environment variable when running as a service
Fixes: https://github.com/containers/podman/issues/11350#issuecomment-1011562526 Also add inspect information about the idmappings if they exists. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--libpod/container_inspect.go16
-rw-r--r--libpod/define/container_inspect.go8
-rw-r--r--pkg/specgenutil/specgen.go8
-rw-r--r--test/e2e/run_userns_test.go29
4 files changed, 58 insertions, 3 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 792dfc58e..5e63db0f2 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -9,6 +9,7 @@ import (
"github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/libpod/driver"
"github.com/containers/podman/v3/pkg/util"
+ "github.com/containers/storage/types"
units "github.com/docker/go-units"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -403,6 +404,17 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
return ctrConfig
}
+func generateIDMappings(idMappings types.IDMappingOptions) *define.InspectIDMappings {
+ var inspectMappings define.InspectIDMappings
+ for _, uid := range idMappings.UIDMap {
+ inspectMappings.UIDMap = append(inspectMappings.UIDMap, fmt.Sprintf("%d:%d:%d", uid.ContainerID, uid.HostID, uid.Size))
+ }
+ for _, gid := range idMappings.GIDMap {
+ inspectMappings.GIDMap = append(inspectMappings.GIDMap, fmt.Sprintf("%d:%d:%d", gid.ContainerID, gid.HostID, gid.Size))
+ }
+ return &inspectMappings
+}
+
// Generate the InspectContainerHostConfig struct for the HostConfig field of
// Inspect.
func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, namedVolumes []*ContainerNamedVolume, mounts []spec.Mount) (*define.InspectContainerHostConfig, error) {
@@ -815,7 +827,9 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
}
}
hostConfig.UsernsMode = usernsMode
-
+ if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {
+ hostConfig.IDMappings = generateIDMappings(c.config.IDMappings)
+ }
// Devices
// Do not include if privileged - assumed that all devices will be
// included.
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index ba73e4196..a61f9e615 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -6,6 +6,11 @@ import (
"github.com/containers/image/v5/manifest"
)
+type InspectIDMappings struct {
+ UIDMap []string `json:"UidMap"`
+ GIDMap []string `json:"GidMap"`
+}
+
// InspectContainerConfig holds further data about how a container was initially
// configured.
type InspectContainerConfig struct {
@@ -401,7 +406,10 @@ type InspectContainerHostConfig struct {
// TODO Rootless has an additional 'keep-id' option, presently not
// reflected here.
UsernsMode string `json:"UsernsMode"`
+ // IDMappings is the UIDMapping and GIDMapping used within the container
+ IDMappings *InspectIDMappings `json:"IDMappings,omitempty"`
// ShmSize is the size of the container's SHM device.
+
ShmSize int64 `json:"ShmSize"`
// Runtime is provided purely for Docker compatibility.
// It is set unconditionally to "oci" as Podman does not presently
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 8e43cc50e..70b6abff5 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -205,9 +205,13 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
return err
}
}
- // userns must be treated differently
+ userns := os.Getenv("PODMAN_USERNS")
if c.UserNS != "" {
- s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
+ userns = c.UserNS
+ }
+ // userns must be treated differently
+ if userns != "" {
+ s.UserNS, err = specgen.ParseUserNamespace(userns)
if err != nil {
return err
}
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index c1645af06..e8ba42cf0 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -301,5 +301,34 @@ var _ = Describe("Podman UserNS support", func() {
Expect(inspectGID).Should(Exit(0))
Expect(inspectGID.OutputToString()).To(Equal(tt.gid))
}
+
+ })
+ It("podman PODMAN_USERNS", func() {
+ SkipIfNotRootless("keep-id only works in rootless mode")
+
+ podmanUserns, podmanUserusSet := os.LookupEnv("PODMAN_USERNS")
+ os.Setenv("PODMAN_USERNS", "keep-id")
+ defer func() {
+ if podmanUserusSet {
+ os.Setenv("PODMAN_USERNS", podmanUserns)
+ } else {
+ os.Unsetenv("PODMAN_USERNS")
+ }
+ }()
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+
+ result := podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.IDMappings }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))
+
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
})
})