summaryrefslogtreecommitdiff
path: root/libpod/container_internal.go
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-03-21 12:18:42 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-03-29 14:04:44 +0100
commit849548ffb8e958e901317eceffdcc2d918cafd8d (patch)
treedf4ed8253470a4598d4c2a5561b60305f5401c8a /libpod/container_internal.go
parentf7e72bc86aff2ff986290f190309deceb7f22099 (diff)
downloadpodman-849548ffb8e958e901317eceffdcc2d918cafd8d.tar.gz
podman-849548ffb8e958e901317eceffdcc2d918cafd8d.tar.bz2
podman-849548ffb8e958e901317eceffdcc2d918cafd8d.zip
userns: do not use an intermediate mount namespace
We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'libpod/container_internal.go')
-rw-r--r--libpod/container_internal.go47
1 files changed, 10 insertions, 37 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 7a90bc7d4..daa32007a 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -310,23 +310,12 @@ func (c *Container) setupStorage(ctx context.Context) error {
}
if !rootless.IsRootless() && (len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0) {
- info, err := os.Stat(c.runtime.config.TmpDir)
- if err != nil {
- return errors.Wrapf(err, "cannot stat `%s`", c.runtime.config.TmpDir)
- }
- if err := os.Chmod(c.runtime.config.TmpDir, info.Mode()|0111); err != nil {
- return errors.Wrapf(err, "cannot chmod `%s`", c.runtime.config.TmpDir)
- }
- root := filepath.Join(c.runtime.config.TmpDir, "containers-root", c.ID())
- if err := os.MkdirAll(root, 0755); err != nil {
- return errors.Wrapf(err, "error creating userNS tmpdir for container %s", c.ID())
- }
- if err := os.Chown(root, c.RootUID(), c.RootGID()); err != nil {
+ if err := os.Chown(containerInfo.RunDir, c.RootUID(), c.RootGID()); err != nil {
return err
}
- c.state.UserNSRoot, err = filepath.EvalSymlinks(root)
- if err != nil {
- return errors.Wrapf(err, "failed to eval symlinks for %s", root)
+
+ if err := os.Chown(containerInfo.Dir, c.RootUID(), c.RootGID()); err != nil {
+ return err
}
}
@@ -334,10 +323,6 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir
c.state.RunDir = containerInfo.RunDir
- c.state.DestinationRunDir = c.state.RunDir
- if c.state.UserNSRoot != "" {
- c.state.DestinationRunDir = filepath.Join(c.state.UserNSRoot, "rundir")
- }
// Set the default Entrypoint and Command
if containerInfo.Config != nil {
@@ -372,12 +357,6 @@ func (c *Container) teardownStorage() error {
return errors.Wrapf(err, "failed to cleanup container %s storage", c.ID())
}
- if c.state.UserNSRoot != "" {
- if err := os.RemoveAll(c.state.UserNSRoot); err != nil {
- return errors.Wrapf(err, "error removing userns root %q", c.state.UserNSRoot)
- }
- }
-
if err := c.runtime.storageService.DeleteContainer(c.ID()); err != nil {
// If the container has already been removed, warn but do not
// error - we wanted it gone, it is already gone.
@@ -432,6 +411,7 @@ func (c *Container) refresh() error {
if err != nil {
return errors.Wrapf(err, "error retrieving temporary directory for container %s", c.ID())
}
+ c.state.RunDir = dir
if len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0 {
info, err := os.Stat(c.runtime.config.TmpDir)
@@ -448,16 +428,6 @@ func (c *Container) refresh() error {
if err := os.Chown(root, c.RootUID(), c.RootGID()); err != nil {
return err
}
- c.state.UserNSRoot, err = filepath.EvalSymlinks(root)
- if err != nil {
- return errors.Wrapf(err, "failed to eval symlinks for %s", root)
- }
- }
-
- c.state.RunDir = dir
- c.state.DestinationRunDir = c.state.RunDir
- if c.state.UserNSRoot != "" {
- c.state.DestinationRunDir = filepath.Join(c.state.UserNSRoot, "rundir")
}
// We need to pick up a new lock
@@ -1260,7 +1230,7 @@ func (c *Container) writeStringToRundir(destFile, output string) (string, error)
return "", err
}
- return filepath.Join(c.state.DestinationRunDir, destFile), nil
+ return filepath.Join(c.state.RunDir, destFile), nil
}
// appendStringToRundir appends the provided string to the runtimedir file
@@ -1277,7 +1247,7 @@ func (c *Container) appendStringToRundir(destFile, output string) (string, error
return "", errors.Wrapf(err, "unable to write %s", destFileName)
}
- return filepath.Join(c.state.DestinationRunDir, destFile), nil
+ return filepath.Join(c.state.RunDir, destFile), nil
}
// Save OCI spec to disk, replacing any existing specs for the container
@@ -1410,6 +1380,9 @@ func (c *Container) mount() (string, error) {
if err != nil {
return "", errors.Wrapf(err, "error resolving storage path for container %s", c.ID())
}
+ if err := os.Chown(mountPoint, c.RootUID(), c.RootGID()); err != nil {
+ return "", errors.Wrapf(err, "cannot chown %s to %d:%d", mountPoint, c.RootUID(), c.RootGID())
+ }
return mountPoint, nil
}