diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-03-20 12:05:02 +0100 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-03-21 21:18:13 +0100 |
| commit | 7f6f2f3f4a764f8e566752e61092254bd285424b (patch) | |
| tree | 04ffcf5979fc8261e40d780843906efde7f9065b /libpod/oci_linux.go | |
| parent | bf10fac19371f295dab3038b5042483f595c68f3 (diff) | |
| download | podman-7f6f2f3f4a764f8e566752e61092254bd285424b.tar.gz podman-7f6f2f3f4a764f8e566752e61092254bd285424b.tar.bz2 podman-7f6f2f3f4a764f8e566752e61092254bd285424b.zip | |
userns: use the intermediate mountns for volumes
when --uidmap is used, the user won't be able to access
/var/lib/containers/storage/volumes. Use the intermediate mount
namespace, that is accessible to root in the container, for mounting
the volumes inside the container.
Closes: https://github.com/containers/libpod/issues/2713
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'libpod/oci_linux.go')
| -rw-r--r-- | libpod/oci_linux.go | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go index 2737a641e..f85c5ee62 100644 --- a/libpod/oci_linux.go +++ b/libpod/oci_linux.go @@ -106,6 +106,23 @@ func (r *OCIRuntime) createContainer(ctr *Container, cgroupParent string, restor if err != nil { return } + + if ctr.state.UserNSRoot != "" { + _, err := os.Stat(ctr.runtime.config.VolumePath) + if err != nil && !os.IsNotExist(err) { + return + } + if err == nil { + volumesTarget := filepath.Join(ctr.state.UserNSRoot, "volumes") + if err := idtools.MkdirAs(volumesTarget, 0700, ctr.RootUID(), ctr.RootGID()); err != nil { + return + } + if err = unix.Mount(ctr.runtime.config.VolumePath, volumesTarget, "none", unix.MS_BIND, ""); err != nil { + return + } + } + } + err = r.createOCIContainer(ctr, cgroupParent, restoreOptions) }() wg.Wait() |