author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-04-24 22:39:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-24 22:39:26 +0200 |
commit | 2afe579c064923841a55d57458fac4d91bec8173 (patch) | |
tree | 698f40ce419698c30cf8969b9438b3aa395f8434 /pkg/specgen | |
parent | 10f3a8ac6bd9028f1c70ad48a7ebf2b2e33f2d6e (diff) | |
parent | 88f1994ab9a0bf3a8df3c8f74a39cd1db27c2070 (diff) | |
Merge pull request #5971 from giuseppe/fix-userns-tests
v2, podman: fix and enable all run_userns_test.go tests
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 20 | ||||
-rw-r--r-- | pkg/specgen/namespaces.go | 14 |
2 files changed, 32 insertions, 2 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 2e0e088bf..a8b74b504 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -10,6 +10,7 @@ import (
 "github.com/containers/libpod/pkg/cgroups"
 "github.com/containers/libpod/pkg/rootless"
 "github.com/containers/libpod/pkg/specgen"
+ "github.com/containers/libpod/pkg/util"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/pkg/errors"
@@ -175,6 +176,13 @@ func GenerateNamespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod
 // User
 switch s.UserNS.NSMode {
+ case specgen.KeepID:
+ if rootless.IsRootless() {
+ s.User = ""
+ } else {
+ // keep-id as root doesn't need a user namespace
+ s.UserNS.NSMode = specgen.Host
+ }
 case specgen.FromPod:
 if pod == nil || infraCtr == nil {
 return nil, errNoInfra
@@ -378,6 +386,18 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
 return err
 }
+ case specgen.KeepID:
+ var (
+ err error
+ uid, gid int
+ )
+ s.IDMappings, uid, gid, err = util.GetKeepIDMapping()
+ if err != nil {
+ return err
+ }
+ g.SetProcessUID(uint32(uid))
+ g.SetProcessGID(uint32(gid))
+ fallthrough
 case specgen.Private:
 if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
 return err
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index fffbd6d9e..cee49ff51 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
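Review bot: In the new `case specgen.KeepID:` of GenerateNamespaceOptions, the rootless path sets `s.User = ""` unconditionally, so any user name or UID the caller had placed in s.User is discarded with no error and no log line. If keep-id is meant to be incompatible with an explicit user, rejecting the combination is safer than silently running the process as the mapped host UID, e.g. `if s.User != "" { return nil, errors.Errorf("user and keep-id cannot be combined") }` before the reset; if the override is intended, a comment such as `// keep-id ignores any explicit user: the process runs as the host UID/GID` would stop the next reader from treating it as a bug. The root path rewrites s.UserNS.NSMode to Host in place, which every later switch on the spec will observe, so that side effect deserves a comment as well. GenerateNamespaceOptions starts and ends outside the hunk.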
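Review bot: The new `case specgen.KeepID:` in specConfigureNamespaces assigns `s.IDMappings` straight from `util.GetKeepIDMapping()`, replacing whatever mappings were already on the spec, and passes the helper's error up without context. Wrapping it, `return errors.Wrap(err, "setting up keep-id user namespace")`, would match the pkg/errors import already in this file and tell the operator which namespace step failed. Whether a pre-existing explicit mapping should be honoured or rejected is not visible from the hunk, but overwriting it silently should at least be stated in a comment above the assignment. The branch also appears to rely on GenerateNamespaceOptions having already rewritten keep-id-as-root to Host; if this function can be reached without that pass, the root case would receive an ID mapping and process UID/GID it does not need. specConfigureNamespaces starts and ends outside the hunk.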
@@ -76,6 +76,17 @@ func (n *Namespace) IsPod() bool {
 func (n *Namespace) IsPrivate() bool {
 return n.NSMode == Private
 }
+
+// IsAuto indicates the namespace is auto
+func (n *Namespace) IsAuto() bool {
+ return n.NSMode == Auto
+}
+
+// IsKeepID indicates the namespace is KeepID
+func (n *Namespace) IsKeepID() bool {
+ return n.NSMode == KeepID
+}
+
 func validateUserNS(n *Namespace) error {
 if n == nil {
 return nil
@@ -186,12 +197,11 @@ func ParseUserNamespace(ns string) (Namespace, error) {
 if len(split) != 2 {
 return toReturn, errors.Errorf("invalid setting for auto: mode")
 }
- toReturn.NSMode = KeepID
+ toReturn.NSMode = Auto
 toReturn.Value = split[1]
 return toReturn, nil
 case ns == "keep-id":
 toReturn.NSMode = KeepID
- toReturn.NSMode = FromContainer
 return toReturn, nil
 }
 return ParseNamespace(ns) |
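Review bot: `IsAuto` and `IsKeepID` dereference the receiver unconditionally, while `validateUserNS` in the same hunk explicitly handles `n == nil`, so a nil *Namespace is evidently a value this package passes around and either new helper would panic on it. The existing IsPrivate has the same shape, so this is a pre-existing pattern rather than a regression, but a guard `if n == nil { return false }` in the new methods, or a doc line stating the receiver must be non-nil, would make the contract explicit. The doc comments would also read better in the standard "reports whether" form, e.g. `// IsAuto reports whether NSMode is Auto.` and `// IsKeepID reports whether NSMode is KeepID.`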