authorGiuseppe Scrivano <gscrivan@redhat.com>2020-02-24 17:38:06 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-04-06 16:32:36 +0200
commit3a0a727110c59332e1a0f5b4a5be311244668a8c (patch)
treeff1afd6d97f329718f15dd541aa95e721690fe65 /libpod
parent5b853bb272a754a54fa78a3e619de0304864151f (diff)
userns: support --userns=auto
Automatically pick an empty range and create a user namespace for the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal.go40
-rw-r--r--libpod/container_internal_linux.go14
-rw-r--r--libpod/container_internal_unsupported.go5
-rw-r--r--libpod/storage.go5
4 files changed, 56 insertions, 8 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 4e18819b8..c930017a4 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -339,6 +339,29 @@ func (c *Container) syncContainer() error {
return nil
}
+func (c *Container) setupStorageMapping(dest, from *storage.IDMappingOptions) {
+ if c.config.Rootfs != "" {
+ return
+ }
+ *dest = *from
+ if dest.AutoUserNs {
+ overrides := c.getUserOverrides()
+ dest.AutoUserNsOpts.PasswdFile = overrides.ContainerEtcPasswdPath
+ dest.AutoUserNsOpts.GroupFile = overrides.ContainerEtcGroupPath
+ if c.config.User != "" {
+ initialSize := uint32(0)
+ parts := strings.Split(c.config.User, ":")
+ for _, p := range parts {
+ s, err := strconv.ParseUint(p, 10, 32)
+ if err == nil && uint32(s) > initialSize {
+ initialSize = uint32(s)
+ }
+ }
+ dest.AutoUserNsOpts.InitialSize = initialSize + 1
+ }
+ }
+}
+
// Create container root filesystem for use
func (c *Container) setupStorage(ctx context.Context) error {
span, _ := opentracing.StartSpanFromContext(ctx, "setupStorage")
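Review bot: setupStorageMapping dereferences the result of c.getUserOverrides() unconditionally (the ContainerEtcPasswdPath/ContainerEtcGroupPath reads right after the call), while the stub added in container_internal_unsupported.go in this same commit returns nil, so a container with AutoUserNs set would panic there on non-Linux builds; whether the Linux implementation can also return nil is not visible in this diff. A guard such as `if overrides := c.getUserOverrides(); overrides != nil {` around the two assignments keeps the mapping copy working and just leaves the passwd/group overrides unset. Separately, strconv.ParseUint with bitSize 32 accepts 4294967295, and `initialSize + 1` then wraps to 0, so the loop condition should also exclude that value, e.g. `if err == nil && s < math.MaxUint32 && uint32(s) > initialSize {` (math would need importing). The function also lacks a doc comment; something like `// setupStorageMapping copies the container's ID mapping options into dest and, for automatic user namespaces, seeds the passwd/group override files and an initial size large enough to hold the numeric UID/GID from c.config.User. It is a no-op when the container uses a user-supplied rootfs.` would state the intent the code does not make obvious.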
@@ -398,14 +421,20 @@ func (c *Container) setupStorage(ctx context.Context) error {
options.MountOpts = newOptions
}
- if c.config.Rootfs == "" {
- options.IDMappingOptions = c.config.IDMappings
- }
+ c.setupStorageMapping(&options.IDMappingOptions, &c.config.IDMappings)
+
containerInfo, err := c.runtime.storageService.CreateContainerStorage(ctx, c.runtime.imageContext, c.config.RootfsImageName, c.config.RootfsImageID, c.config.Name, c.config.ID, options)
if err != nil {
return errors.Wrapf(err, "error creating container storage")
}
+ c.config.IDMappings.UIDMap = containerInfo.UIDMap
+ c.config.IDMappings.GIDMap = containerInfo.GIDMap
+ c.config.ProcessLabel = containerInfo.ProcessLabel
+ c.config.MountLabel = containerInfo.MountLabel
+ c.config.StaticDir = containerInfo.Dir
+ c.state.RunDir = containerInfo.RunDir
+
if len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0 {
if err := os.Chown(containerInfo.RunDir, c.RootUID(), c.RootGID()); err != nil {
return err
@@ -416,11 +445,6 @@ func (c *Container) setupStorage(ctx context.Context) error {
}
}
- c.config.ProcessLabel = containerInfo.ProcessLabel
- c.config.MountLabel = containerInfo.MountLabel
- c.config.StaticDir = containerInfo.Dir
- c.state.RunDir = containerInfo.RunDir
-
// Set the default Entrypoint and Command
if containerInfo.Config != nil {
if c.config.Entrypoint == nil {
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index a3f97f2a6..c40ad45b9 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -396,6 +396,20 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ if c.config.IDMappings.AutoUserNs {
+ if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
+ return nil, err
+ }
+ g.ClearLinuxUIDMappings()
+ for _, uidmap := range c.config.IDMappings.UIDMap {
+ g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
+ }
+ g.ClearLinuxGIDMappings()
+ for _, gidmap := range c.config.IDMappings.GIDMap {
+ g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
+ }
+ }
+
g.SetRootPath(c.state.Mountpoint)
g.AddAnnotation(annotations.Created, c.config.CreatedTime.Format(time.RFC3339Nano))
g.AddAnnotation("org.opencontainers.image.stopSignal", fmt.Sprintf("%d", c.config.StopSignal))
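Review bot: The new AutoUserNs block always adds a user namespace to the spec, but nothing in the hunk checks that c.config.IDMappings.UIDMap and GIDMap are non-empty, so if storage ever hands back empty maps the generated spec would carry a user namespace with no mappings and fail at runtime with a less obvious error; whether setupStorage guarantees non-empty maps is not visible here, so this may be worth an explicit check such as `if len(c.config.IDMappings.UIDMap) == 0 || len(c.config.IDMappings.GIDMap) == 0 { return nil, errors.Errorf("automatic user namespace requested but no ID mappings were allocated") }` before the namespace is added. The `uint32(...)` conversions on HostID/ContainerID/Size silently wrap if the IDMap fields are signed and negative, which is presumably ruled out by the storage layer but is not checked here. A short comment would also help a reader, e.g. `// The range was picked by the storage library at setupStorage time; replace any mappings already on the generator with it.` above the ClearLinuxUIDMappings call. generateSpec starts and ends outside this hunk.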
diff --git a/libpod/container_internal_unsupported.go b/libpod/container_internal_unsupported.go
index 395271b2a..2a611c2d9 100644
--- a/libpod/container_internal_unsupported.go
+++ b/libpod/container_internal_unsupported.go
@@ -6,6 +6,7 @@ import (
"context"
"github.com/containers/libpod/libpod/define"
+ "github.com/containers/libpod/pkg/lookup"
spec "github.com/opencontainers/runtime-spec/specs-go"
)
@@ -44,3 +45,7 @@ func (c *Container) copyOwnerAndPerms(source, dest string) error {
func (c *Container) getOCICgroupPath() (string, error) {
return "", define.ErrNotImplemented
}
+
+func (c *Container) getUserOverrides() *lookup.Overrides {
+ return nil
+}
diff --git a/libpod/storage.go b/libpod/storage.go
index d675f4ffe..34e40f699 100644
--- a/libpod/storage.go
+++ b/libpod/storage.go
@@ -8,6 +8,7 @@ import (
"github.com/containers/image/v5/types"
"github.com/containers/libpod/libpod/define"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/idtools"
v1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
@@ -35,6 +36,8 @@ type ContainerInfo struct {
Config *v1.Image
ProcessLabel string
MountLabel string
+ UIDMap []idtools.IDMap
+ GIDMap []idtools.IDMap
}
// RuntimeContainerMetadata is the structure that we encode as JSON and store
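Review bot: The two new exported fields UIDMap and GIDMap on ContainerInfo have no doc comments, and their meaning is not obvious from the struct alone since IDMappingOptions are also passed in by the caller. Suggest documenting them with `// UIDMap and GIDMap are the ID mappings in effect for the container's storage; when an automatic user namespace was requested these are the range selected by the storage library rather than the (empty) maps the caller supplied.`, adjusting the second clause if the return hunk below does not in fact reflect the selected range (see the note there).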
@@ -166,6 +169,8 @@ func (r *storageService) CreateContainerStorage(ctx context.Context, systemConte
logrus.Debugf("container %q has run directory %q", container.ID, containerRunDir)
return ContainerInfo{
+ UIDMap: options.UIDMap,
+ GIDMap: options.GIDMap,
Dir: containerDir,
RunDir: containerRunDir,
Config: imageConfig,
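Review bot: The returned UIDMap/GIDMap are taken from `options.UIDMap` and `options.GIDMap`, which for AutoUserNs only carry the auto-selected range if the storage library writes the chosen mappings back into the options value it was given; if CreateContainerStorage passes a copy rather than the value the library mutates, the caller in setupStorage would store empty maps into c.config.IDMappings and skip the Chown of the run directory. That cannot be confirmed from this hunk, since the CreateContainer call sits outside it, so it is worth a comment on the return such as `// options.UIDMap/GIDMap are filled in by the storage library when AutoUserNs is set — keep passing the same value it mutated.` and a test that exercises the AutoUserNs path end to end. CreateContainerStorage starts outside this hunk.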