author | Daniel J Walsh <dwalsh@redhat.com> | 2018-04-23 20:42:53 -0400 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-04 17:15:55 +0000 |
commit | b51d7379987581da82902027fe91cdf298047bc0 (patch) | |
tree | f9d7fbebf3b946caea5eb5e2c626a19413c795c8 /cmd/podman/create.go | |
parent | 1f5debd43806cc3bd07f562ff00ef4c426540f98 (diff) | |
Begin wiring in USERNS Support into podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
Diffstat (limited to 'cmd/podman/create.go')
-rw-r--r-- | cmd/podman/create.go | 71 |
1 files changed, 48 insertions, 23 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 54a542ee5..7740da8e1 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -9,6 +10,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/containers/storage"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/signal"
 	"github.com/docker/go-connections/nat"
@@ -92,7 +94,8 @@ type createConfig struct {
 	Hostname string //hostname
 	Image string
 	ImageID string
-	BuiltinImgVolumes map[string]struct{} // volumes defined in the image config
+	BuiltinImgVolumes map[string]struct{} // volumes defined in the image config
+	IDMappings *storage.IDMappingOptions
 	ImageVolumeType string // how to handle the image volume, either bind, tmpfs, or ignore
 	Interactive bool //interactive
 	IpcMode container.IpcMode //ipc
@@ -108,8 +111,7 @@ type createConfig struct {
 	Network string //network
 	NetworkAlias []string //network-alias
 	PidMode container.PidMode //pid
-	NsUser string
-	Pod string //pod
+	Pod string //pod
 	PortBindings nat.PortMap
 	Privileged bool //privileged
 	Publish []string //publish
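Review bot: The new `IDMappings *storage.IDMappingOptions` field in the `@@ -92,7 +94,8 @@` hunk is the one new field without the trailing flag comment its neighbours carry (`//hostname`, `//ipc`), so a reader cannot tell which CLI options populate it or that callers later dereference it. I would annotate it `IDMappings *storage.IDMappingOptions //uidmap, gidmap and the subuid/subgid options, via util.ParseIDMapping` and state whether it may be nil, since that guarantee is only what the dereferencing caller appears to assume and should be confirmed against util.ParseIDMapping. The createConfig struct begins before this hunk and continues after it.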
@@ -119,20 +121,21 @@ type createConfig struct {
 	Resources createResourceConfig
 	Rm bool //rm
 	ShmDir string
-	StopSignal syscall.Signal // stop-signal
-	StopTimeout uint // stop-timeout
-	Sysctl map[string]string //sysctl
-	Tmpfs []string // tmpfs
-	Tty bool //tty
-	User string //user
-	UtsMode container.UTSMode //uts
-	Volumes []string //volume
-	WorkDir string //workdir
-	MountLabel string //SecurityOpts
-	ProcessLabel string //SecurityOpts
-	NoNewPrivs bool //SecurityOpts
-	ApparmorProfile string //SecurityOpts
-	SeccompProfilePath string //SecurityOpts
+	StopSignal syscall.Signal // stop-signal
+	StopTimeout uint // stop-timeout
+	Sysctl map[string]string //sysctl
+	Tmpfs []string // tmpfs
+	Tty bool //tty
+	UsernsMode container.UsernsMode //userns
+	User string //user
+	UtsMode container.UTSMode //uts
+	Volumes []string //volume
+	WorkDir string //workdir
+	MountLabel string //SecurityOpts
+	ProcessLabel string //SecurityOpts
+	NoNewPrivs bool //SecurityOpts
+	ApparmorProfile string //SecurityOpts
+	SeccompProfilePath string //SecurityOpts
 	SecurityOpts []string
 }
 
@@ -174,7 +177,15 @@ func createCmd(c *cli.Context) error {
 		return errors.Errorf("image name or ID is required")
 	}
 
-	runtime, err := libpodruntime.GetRuntime(c)
+	mappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidmap"), c.String("subgidmap"))
+	if err != nil {
+		return err
+	}
+	storageOpts := storage.DefaultStoreOptions
+	storageOpts.UIDMap = mappings.UIDMap
+	storageOpts.GIDMap = mappings.GIDMap
+
+	runtime, err := libpodruntime.GetRuntimeWithStorageOpts(c, &storageOpts)
 	if err != nil {
 		return errors.Wrapf(err, "error creating libpod runtime")
 	}
@@ -188,7 +199,7 @@ func createCmd(c *cli.Context) error {
 		return err
 	}
 	data, err := newImage.Inspect(ctx)
-	createConfig, err := parseCreateOpts(c, runtime, newImage.Names()[0], data)
+	createConfig, err := parseCreateOpts(ctx, c, runtime, newImage.Names()[0], data)
 	if err != nil {
 		return err
 	}
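Review bot: The `util.ParseIDMapping` call added in the `@@ -174,7 +177,15 @@` hunk reads `c.String("subuidmap")` and `c.String("subgidmap")`, while the parallel call this same commit adds to parseCreateOpts reads `"subuidname"` and `"subgidname"`; unless both pairs are registered flags, one of the two calls gets empty strings (urfave/cli yields the zero value for an unregistered name), so the mapping applied to the storage store can differ from the one the container is created with. That mismatch is security-relevant: layer contents would be chowned for one mapping while the process runs under another. Use one set of flag names in both places — whichever pair the flag definitions actually register, e.g. `c.String("subuidname"), c.String("subgidname")` here — and preferably parse only once. createCmd starts before this hunk and continues after it.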
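Review bot: In the `@@ -188,7 +199,7 @@` hunk, the error from `data, err := newImage.Inspect(ctx)` is never checked: the changed line `createConfig, err := parseCreateOpts(...)` overwrites `err` before the `if err != nil`, and parseCreateOpts now reads `data.ID` unconditionally, so a failed Inspect becomes a nil-pointer panic instead of an error. Insert `if err != nil { return errors.Wrapf(err, "error inspecting image") }` directly after the Inspect call. The defect predates this commit, but the hunk touches the very next line. createCmd continues outside the hunk.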
@@ -211,6 +222,7 @@ func createCmd(c *cli.Context) error {
 	options = append(options, libpod.WithShmDir(createConfig.ShmDir))
 	options = append(options, libpod.WithShmSize(createConfig.Resources.ShmSize))
 	options = append(options, libpod.WithGroups(createConfig.GroupAdd))
+	options = append(options, libpod.WithIDMappings(*createConfig.IDMappings))
 	ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 	if err != nil {
 		return err
@@ -414,10 +426,16 @@ func getRandomPort() (int, error) {
 
 // Parses CLI options related to container creation into a config which can be
 // parsed into an OCI runtime spec
-func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*createConfig, error) {
-	var inputCommand, command []string
-	var memoryLimit, memoryReservation, memorySwap, memoryKernel int64
-	var blkioWeight uint16
+func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*createConfig, error) {
+	var (
+		inputCommand, command []string
+		memoryLimit, memoryReservation, memorySwap, memoryKernel int64
+		blkioWeight uint16
+	)
+	idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
+	if err != nil {
+		return nil, err
+	}
 
 	imageID := data.ID
 
@@ -473,6 +491,11 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 		return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
 	}
 
+	usernsMode := container.UsernsMode(c.String("userns"))
+	if !usernsMode.Valid() {
+		return nil, errors.Errorf("--userns %q is not valid", c.String("userns"))
+	}
+
 	if c.Bool("detach") && c.Bool("rm") {
 		return nil, errors.Errorf("--rm and --detach can not be specified together")
 	}
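Review bot: `libpod.WithIDMappings(*createConfig.IDMappings)` in the `@@ -211,6 +222,7 @@` hunk dereferences the pointer field unconditionally; whether that is safe depends on util.ParseIDMapping never returning a nil options struct together with a nil error, which is not visible here. If it can, guard the option — `if createConfig.IDMappings != nil { options = append(options, libpod.WithIDMappings(*createConfig.IDMappings)) }` — or store the value rather than a pointer in createConfig so the zero value is simply an empty mapping. createCmd starts before this hunk and continues after it.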
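Review bot: In the `@@ -414,10 +426,16 @@` hunk the new `ctx context.Context` parameter is unused within the visible lines, and the only new logic is a second `util.ParseIDMapping` call repeating the one createCmd now performs before invoking this function. Since the signature is already changing, pass the parsed result in instead of re-deriving it from the flags, e.g. `func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData, idmappings *storage.IDMappingOptions) (*createConfig, error)`, so the storage and container mappings cannot drift apart; keep `ctx` only if the remainder of the body, which lies outside this hunk, needs it. parseCreateOpts continues well beyond the hunk.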
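Review bot: In the `@@ -473,6 +491,11 @@` hunk `--userns` is only checked for syntactic validity via `usernsMode.Valid()`; nothing reconciles it with `--uidmap`/`--gidmap`, so `--userns=host` together with explicit mappings is accepted although the two are contradictory, and the resulting UsernsMode is stored in createConfig but, as far as this diff shows, not consumed anywhere. Add a conflict check next to the `--rm`/`--detach` one: `if usernsMode.IsHost() && (len(c.StringSlice("uidmap")) > 0 || len(c.StringSlice("gidmap")) > 0) { return nil, errors.Errorf("--userns=host cannot be combined with --uidmap or --gidmap") }`, and leave a TODO where UsernsMode is meant to be applied to the spec. parseCreateOpts continues outside the hunk.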
@@ -653,6 +676,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 		GroupAdd: c.StringSlice("group-add"),
 		Hostname: c.String("hostname"),
 		HostAdd: c.StringSlice("add-host"),
+		IDMappings: idmappings,
 		Image: imageName,
 		ImageID: imageID,
 		Interactive: c.Bool("interactive"),
@@ -712,6 +736,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 		Tmpfs: c.StringSlice("tmpfs"),
 		Tty: tty,
 		User: user,
+		UsernsMode: usernsMode,
 		Volumes: c.StringSlice("volume"),
 		WorkDir: workDir,
 	}
|