diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-04-24 14:54:43 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-04-24 15:03:50 +0200 |
commit | 64d8b4eebb01c6647b0588475c785cdd075389d3 (patch) | |
tree | 3599df29a94df5298f783b39dbacd5957f291497 /pkg/specgen/generate/namespaces.go | |
parent | 81c7a2444cb5cbf8b8911cdb59446a239f89168c (diff) | |
download | podman-64d8b4eebb01c6647b0588475c785cdd075389d3.tar.gz podman-64d8b4eebb01c6647b0588475c785cdd075389d3.tar.bz2 podman-64d8b4eebb01c6647b0588475c785cdd075389d3.zip |
podman: implement userns=keep-id
add missing implementation for userns=keep-id and enable the user
namespaces tests.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/specgen/generate/namespaces.go')
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index 2aaeb9513..1fdc921ce 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -10,6 +10,7 @@ import ( "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/specgen" + "github.com/containers/libpod/pkg/util" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -175,6 +176,13 @@ func GenerateNamespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod // User switch s.UserNS.NSMode { + case specgen.KeepID: + if rootless.IsRootless() { + s.User = "" + } else { + // keep-id as root doesn't need a user namespace + s.UserNS.NSMode = specgen.Host + } case specgen.FromPod: if pod == nil || infraCtr == nil { return nil, errNoInfra @@ -378,6 +386,18 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil { return err } + case specgen.KeepID: + var ( + err error + uid, gid int + ) + s.IDMappings, uid, gid, err = util.GetKeepIDMapping() + if err != nil { + return err + } + g.SetProcessUID(uint32(uid)) + g.SetProcessGID(uint32(gid)) + fallthrough case specgen.Private: if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil { return err |