summaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2020-04-24 14:54:43 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-04-24 15:03:50 +0200
commit64d8b4eebb01c6647b0588475c785cdd075389d3 (patch)
tree3599df29a94df5298f783b39dbacd5957f291497 /pkg/specgen
parent81c7a2444cb5cbf8b8911cdb59446a239f89168c (diff)
downloadpodman-64d8b4eebb01c6647b0588475c785cdd075389d3.tar.gz
podman-64d8b4eebb01c6647b0588475c785cdd075389d3.tar.bz2
podman-64d8b4eebb01c6647b0588475c785cdd075389d3.zip
podman: implement userns=keep-id
add missing implementation for userns=keep-id and enable the user namespaces tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/namespaces.go20
-rw-r--r--pkg/specgen/namespaces.go14
2 files changed, 32 insertions, 2 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 2aaeb9513..1fdc921ce 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/specgen"
+ "github.com/containers/libpod/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
@@ -175,6 +176,13 @@ func GenerateNamespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod
// User
switch s.UserNS.NSMode {
+ case specgen.KeepID:
+ if rootless.IsRootless() {
+ s.User = ""
+ } else {
+ // keep-id as root doesn't need a user namespace
+ s.UserNS.NSMode = specgen.Host
+ }
case specgen.FromPod:
if pod == nil || infraCtr == nil {
return nil, errNoInfra
@@ -378,6 +386,18 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
return err
}
+ case specgen.KeepID:
+ var (
+ err error
+ uid, gid int
+ )
+ s.IDMappings, uid, gid, err = util.GetKeepIDMapping()
+ if err != nil {
+ return err
+ }
+ g.SetProcessUID(uint32(uid))
+ g.SetProcessGID(uint32(gid))
+ fallthrough
case specgen.Private:
if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
return err
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index fffbd6d9e..cee49ff51 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -76,6 +76,17 @@ func (n *Namespace) IsPod() bool {
func (n *Namespace) IsPrivate() bool {
return n.NSMode == Private
}
+
+// IsAuto indicates the namespace is auto
+func (n *Namespace) IsAuto() bool {
+ return n.NSMode == Auto
+}
+
+// IsKeepID indicates the namespace is KeepID
+func (n *Namespace) IsKeepID() bool {
+ return n.NSMode == KeepID
+}
+
func validateUserNS(n *Namespace) error {
if n == nil {
return nil
@@ -186,12 +197,11 @@ func ParseUserNamespace(ns string) (Namespace, error) {
if len(split) != 2 {
return toReturn, errors.Errorf("invalid setting for auto: mode")
}
- toReturn.NSMode = KeepID
+ toReturn.NSMode = Auto
toReturn.Value = split[1]
return toReturn, nil
case ns == "keep-id":
toReturn.NSMode = KeepID
- toReturn.NSMode = FromContainer
return toReturn, nil
}
return ParseNamespace(ns)