authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-07-12 22:31:37 +0200
committerGitHub <noreply@github.com>2019-07-12 22:31:37 +0200
commit9d87945005a4870b4f2b7978d73bf37b3fb1faf5 (patch)
tree95d3efce946518c1157b36201120954325ac9323 /pkg/spec
parent62352b280b981db9f8e3bf2d89acf02d212a04cf (diff)
parentd74db186a8934a9aaa6af3518c473e2e124b2e02 (diff)
Merge pull request #3563 from giuseppe/fix-single-mapping-rootless
spec: fix userns with less than 5 gids
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/spec.go36
1 files changed, 27 insertions, 9 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index d44beb3e4..53b73296a 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -86,23 +86,41 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
g.AddLinuxMaskedPaths("/sys/kernel")
}
}
+ gid5Available := true
if isRootless {
nGids, err := getAvailableGids()
if err != nil {
return nil, err
}
- if nGids < 5 {
- // If we have no GID mappings, the gid=5 default option would fail, so drop it.
- g.RemoveMount("/dev/pts")
- devPts := spec.Mount{
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ gid5Available = nGids >= 5
+ }
+ // When using a different user namespace, check that the GID 5 is mapped inside
+ // the container.
+ if gid5Available && len(config.IDMappings.GIDMap) > 0 {
+ mappingFound := false
+ for _, r := range config.IDMappings.GIDMap {
+ if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size {
+ mappingFound = true
+ break
}
- g.AddMount(devPts)
}
+ if !mappingFound {
+ gid5Available = false
+ }
+
}
+ if !gid5Available {
+ // If we have no GID mappings, the gid=5 default option would fail, so drop it.
+ g.RemoveMount("/dev/pts")
+ devPts := spec.Mount{
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ }
+ g.AddMount(devPts)
+ }
+
if inUserNS && config.IpcMode.IsHost() {
g.RemoveMount("/dev/mqueue")
devMqueue := spec.Mount{
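Review bot: The comment carried over above the devpts rebuild, `// If we have no GID mappings, the gid=5 default option would fail, so drop it.`, no longer describes the condition it guards: `gid5Available` is now also cleared when an explicit GIDMap is present but no range covers container GID 5, so a reader following only the rootless case misses that branch. I would reword it to `// Drop the gid=5 default when the rootless namespace maps fewer than 5 GIDs or the requested GID mapping does not cover GID 5 inside the container; otherwise the devpts mount would fail.` The half-open range test `r.ContainerID <= 5 && 5 < r.ContainerID+r.Size` is correct, but if the IDMap fields are unsigned 32-bit the sum can wrap for a maximal Size, which is worth confirming against the type. The stray blank `+` line before the closing brace of the mapping check is noise and should be dropped. createConfigToOCISpec continues outside the hunk.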