authorGiuseppe Scrivano <gscrivan@redhat.com>2018-08-29 13:24:03 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-09-04 14:36:57 +0000
commit8ca67d2794b22d293dc7a896f8a3285787cd7d39 (patch)
treea8c4fc9b994dcdfc0f683cdf9a0fe6443ffd2b4d
parent4d129742143a93290288555eaf7cc894e0d808f6 (diff)
rootless, run: support --pod
Move the re-exec later on, so that we can check whether we need to join the infra container's user namespace or create another one. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
-rw-r--r--cmd/podman/create.go34
-rw-r--r--cmd/podman/main.go1
-rw-r--r--cmd/podman/run.go15
3 files changed, 49 insertions, 1 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index e7e349306..586368e24 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -764,3 +764,37 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
}
return config, nil
}
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+ if os.Getuid() == 0 {
+ return false, 0, nil
+ }
+
+ if createConfig.Pod != "" {
+ pod, err := runtime.LookupPod(createConfig.Pod)
+ if err != nil {
+ return false, -1, err
+ }
+ inspect, err := pod.Inspect()
+ for _, ctr := range inspect.Containers {
+ prevCtr, err := runtime.LookupContainer(ctr.ID)
+ if err != nil {
+ return false, -1, err
+ }
+ s, err := prevCtr.State()
+ if err != nil {
+ return false, -1, err
+ }
+ if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+ continue
+ }
+ pid, err := prevCtr.PID()
+ if err != nil {
+ return false, -1, err
+ }
+ return rootless.JoinNS(uint(pid))
+ }
+ }
+
+ return rootless.BecomeRootInUserNS()
+}
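Review bot: `inspect, err := pod.Inspect()` right after the LookupPod check assigns err but never tests it, so a failed inspect falls straight into `for _, ctr := range inspect.Containers` with whatever Inspect returned on error, most likely a nil pointer. Add `if err != nil { return false, -1, err }` directly after that line, matching the other early returns in the function. The function also deserves a doc comment saying what the triple means, since runCmd acts on it with os.Exit: something like `// joinOrCreateRootlessUserNamespace is a no-op as root; otherwise it joins the user namespace of a running or paused container of the target pod, if any, or creates a new one. The bool reports that the caller must exit with the returned status (presumably the parent of a re-exec'd child).` Note also that State() and PID() are read in two separate calls, so a container that stops between them leaves JoinNS targeting a pid that may no longer be its own; if that is accepted as inherent to pid-based joining, a one-line comment saying so would help.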
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 6b9bda55e..7960fc277 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -35,6 +35,7 @@ var cmdsNotRequiringRootless = map[string]bool{
"logout": true,
"kill": true,
"pause": true,
+ "run": true,
"unpause": true,
"search": true,
"stats": true,
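Review bot: Adding `"run"` to a map named cmdsNotRequiringRootless is misleading without a comment, because run still needs the rootless user namespace; per the commit message it only defers that setup to runCmd so the pod can be inspected first. Suggest `"run": true, // rootless setup is deferred to runCmd (joinOrCreateRootlessUserNamespace)` so the next reader does not remove the entry as a mistake.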
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index 66e78dafd..d8a8a48d5 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -13,6 +13,7 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/image"
"github.com/containers/libpod/pkg/inspect"
+ "github.com/containers/libpod/pkg/rootless"
cc "github.com/containers/libpod/pkg/spec"
"github.com/containers/libpod/pkg/util"
"github.com/pkg/errors"
@@ -73,6 +74,10 @@ func runCmd(c *cli.Context) error {
storageOpts.UIDMap = mappings.UIDMap
storageOpts.GIDMap = mappings.GIDMap
+ if os.Getuid() != 0 {
+ rootless.SetSkipStorageSetup(true)
+ }
+
runtime, err := libpodruntime.GetRuntimeWithStorageOpts(c, &storageOpts)
if err != nil {
return errors.Wrapf(err, "error creating libpod runtime")
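Review bot: `rootless.SetSkipStorageSetup(true)` flips a process-wide switch on a bare `os.Getuid() != 0` test, and nothing at this point says why storage is being skipped; the reason (the image lookup guarded by `if rootfs == "" && !rootless.SkipStorageSetup()` in the next hunk, and storage setup in general, are presumably left to the process re-executed inside the user namespace) lives only in the commit message. Suggest `// Rootless: skip storage setup here; joinOrCreateRootlessUserNamespace below re-execs the command inside the user namespace, where storage is set up for real.` above the check. If that re-exec does not happen, newImage and data stay nil for the rest of runCmd, and whether the code after the next hunk tolerates that is not visible here. runCmd begins and ends outside this hunk.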
@@ -93,7 +98,7 @@ func runCmd(c *cli.Context) error {
var newImage *image.Image = nil
var data *inspect.ImageData = nil
- if rootfs == "" {
+ if rootfs == "" && !rootless.SkipStorageSetup() {
newImage, err = runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
if err != nil {
return errors.Wrapf(err, "unable to find image")
@@ -124,6 +129,14 @@ func runCmd(c *cli.Context) error {
return err
}
+ became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, runtime)
+ if err != nil {
+ return err
+ }
+ if became {
+ os.Exit(ret)
+ }
+
ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
if err != nil {
return err
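Review bot: `os.Exit(ret)` leaves runCmd without running any defer registered earlier in the function, including, if one exists above this hunk, a shutdown of the runtime created by GetRuntimeWithStorageOpts; with storage setup skipped on this side that may be harmless, but it should be stated rather than left for the reader to work out. Suggest `if became { // parent of the re-exec'd child: nothing to release here, just propagate its status` ahead of the existing exit. Separately, `became == false` with `err == nil` is the normal path as root, but for a non-root user it means neither JoinNS nor BecomeRootInUserNS handed off to a child and the parent continues with storage setup disabled; if that is not a valid state it should be turned into an error here. runCmd begins and ends outside this hunk.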