diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-02-06 15:29:33 +0100 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-02-06 15:31:20 +0100 |
| commit | e2970ea62d17ca98a3954c581523b8fa00a67bea (patch) | |
| tree | 1a69fe45d3298db5b6e0941e4edbc88f9359de15 /pkg/spec | |
| parent | b1d4dbd335f4801487ef86964b6833c3604ceef5 (diff) | |
| download | podman-e2970ea62d17ca98a3954c581523b8fa00a67bea.tar.gz podman-e2970ea62d17ca98a3954c581523b8fa00a67bea.tar.bz2 podman-e2970ea62d17ca98a3954c581523b8fa00a67bea.zip | |
rootless: do not override /dev/pts if not needed
when running in rootless mode we were unconditionally overriding
/dev/pts to take ride of gid=5. This is not needed when multiple gids
are present in the namespace, which is always the case except when
running the tests suite with only one mapping. So change it to check
how many gids are present before overriding the default mount.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/spec')
| -rw-r--r-- | pkg/spec/spec.go | 34 |
1 files changed, 27 insertions, 7 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 46105af4a..76b8963ff 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -9,6 +9,7 @@ import ( "github.com/containers/storage/pkg/mount" "github.com/docker/docker/daemon/caps" "github.com/docker/go-units" + "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M return configMount } +func getAvailableGids() (int64, error) { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + return 0, err + } + count := int64(0) + for _, r := range idMap { + count += r.Count + } + return count, nil +} + // CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint cgroupPerm := "ro" @@ -91,14 +104,21 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint g.AddMount(sysMnt) } if isRootless { - g.RemoveMount("/dev/pts") - devPts := spec.Mount{ - Destination: "/dev/pts", - Type: "devpts", - Source: "devpts", - Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + nGids, err := getAvailableGids() + if err != nil { + return nil, err + } + if nGids < 5 { + // If we have no GID mappings, the gid=5 default option would fail, so drop it. + g.RemoveMount("/dev/pts") + devPts := spec.Mount{ + Destination: "/dev/pts", + Type: "devpts", + Source: "devpts", + Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + } + g.AddMount(devPts) } - g.AddMount(devPts) } if inUserNS && config.IpcMode.IsHost() { g.RemoveMount("/dev/mqueue") |