podman cp: support copying on tmpfs mounts

Traditionally, the path resolution for containers has been resolved on
the *host*; relative to the container's mount point or relative to
specified bind mounts or volumes.

While this works nicely for non-running containers, it poses a problem
for running ones.  In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly.  A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point.  A copy operation
will succeed but the data will not show up inside the container.

To support these kinds of mounts, we need to join the *running*
container's mount namespace (and PID namespace) when copying.

Note that this change implies moving the copy and stat logic into
`libpod` since we need to keep the container locked to avoid race
conditions.  The immediate benefit is that all logic is now inside
`libpod`; the code isn't scattered anymore.

Further note that Docker does not support copying to tmpfs mounts.

Tests have been extended to cover *both* path resolutions for running
and created containers.  New tests have been added to exercise the
tmpfs-mount case.

For the record: Some tests could be improved by using `start -a` instead
of a start-exec sequence.  Unfortunately, `start -a` is flaky in the CI
which forced me to use the more expensive start-exec option.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

4 files changed, 9 insertions, 295 deletions

diff --git a/pkg/copy/fileinfo.go b/pkg/copy/fileinfo.go
index b95bcd90c..fb711311c 100644
--- a/pkg/copy/fileinfo.go
+++ b/pkg/copy/fileinfo.go
@@ -7,8 +7,8 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"time"
 
+	"github.com/containers/podman/v3/libpod/define"
 	"github.com/pkg/errors"
 )
 
@@ -22,14 +22,7 @@ var ErrENOENT = errors.New("No such file or directory")
 
 // FileInfo describes a file or directory and is returned by
 // (*CopyItem).Stat().
-type FileInfo struct {
-	Name       string      `json:"name"`
-	Size       int64       `json:"size"`
-	Mode       os.FileMode `json:"mode"`
-	ModTime    time.Time   `json:"mtime"`
-	IsDir      bool        `json:"isDir"`
-	LinkTarget string      `json:"linkTarget"`
-}
+type FileInfo = define.FileInfo
 
 // EncodeFileInfo serializes the specified FileInfo as a base64 encoded JSON
 // payload.  Intended for Docker compat.
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index ac965834a..7d074f89d 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -8,7 +8,6 @@ import (
 
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v3/libpod/define"
-	"github.com/containers/podman/v3/pkg/copy"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 )
@@ -145,7 +144,7 @@ type ContainerInspectReport struct {
 }
 
 type ContainerStatReport struct {
-	copy.FileInfo
+	define.FileInfo
 }
 
 type CommitOptions struct {
diff --git a/pkg/domain/infra/abi/archive.go b/pkg/domain/infra/abi/archive.go
index 528771ee7..2ea63aa5e 100644
--- a/pkg/domain/infra/abi/archive.go
+++ b/pkg/domain/infra/abi/archive.go
@@ -3,72 +3,16 @@ package abi
 import (
 	"context"
 	"io"
-	"path/filepath"
-	"strings"
 
-	buildahCopiah "github.com/containers/buildah/copier"
-	"github.com/containers/buildah/pkg/chrootuser"
-	"github.com/containers/buildah/util"
-	"github.com/containers/podman/v3/libpod"
 	"github.com/containers/podman/v3/pkg/domain/entities"
-	"github.com/containers/storage"
-	"github.com/containers/storage/pkg/archive"
-	"github.com/containers/storage/pkg/idtools"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
-// NOTE: Only the parent directory of the container path must exist.  The path
-// itself may be created while copying.
 func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, containerPath string, reader io.Reader) (entities.ContainerCopyFunc, error) {
 	container, err := ic.Libpod.LookupContainer(nameOrID)
 	if err != nil {
 		return nil, err
 	}
-
-	containerMountPoint, err := container.Mount()
-	if err != nil {
-		return nil, err
-	}
-
-	unmount := func() {
-		if err := container.Unmount(false); err != nil {
-			logrus.Errorf("Error unmounting container: %v", err)
-		}
-	}
-
-	_, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath)
-	if err != nil {
-		unmount()
-		return nil, err
-	}
-
-	decompressed, err := archive.DecompressStream(reader)
-	if err != nil {
-		unmount()
-		return nil, err
-	}
-
-	idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot)
-	if err != nil {
-		unmount()
-		return nil, err
-	}
-
-	logrus.Debugf("Container copy *to* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID())
-
-	return func() error {
-		defer unmount()
-		defer decompressed.Close()
-		putOptions := buildahCopiah.PutOptions{
-			UIDMap:     idMappings.UIDMap,
-			GIDMap:     idMappings.GIDMap,
-			ChownDirs:  idPair,
-			ChownFiles: idPair,
-		}
-		return buildahCopiah.Put(resolvedRoot, resolvedContainerPath, putOptions, decompressed)
-	}, nil
+	return container.CopyFromArchive(ctx, containerPath, reader)
 }
 
 func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, containerPath string, writer io.Writer) (entities.ContainerCopyFunc, error) {
@@ -76,108 +20,5 @@ func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID
 	if err != nil {
 		return nil, err
 	}
-
-	containerMountPoint, err := container.Mount()
-	if err != nil {
-		return nil, err
-	}
-
-	unmount := func() {
-		if err := container.Unmount(false); err != nil {
-			logrus.Errorf("Error unmounting container: %v", err)
-		}
-	}
-
-	// Make sure that "/" copies the *contents* of the mount point and not
-	// the directory.
-	if containerPath == "/" {
-		containerPath = "/."
-	}
-
-	statInfo, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath)
-	if err != nil {
-		unmount()
-		return nil, err
-	}
-
-	idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot)
-	if err != nil {
-		unmount()
-		return nil, err
-	}
-
-	logrus.Debugf("Container copy *from* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID())
-
-	return func() error {
-		defer container.Unmount(false)
-		getOptions := buildahCopiah.GetOptions{
-			// Unless the specified points to ".", we want to copy the base directory.
-			KeepDirectoryNames: statInfo.IsDir && filepath.Base(containerPath) != ".",
-			UIDMap:             idMappings.UIDMap,
-			GIDMap:             idMappings.GIDMap,
-			ChownDirs:          idPair,
-			ChownFiles:         idPair,
-		}
-		return buildahCopiah.Get(resolvedRoot, "", getOptions, []string{resolvedContainerPath}, writer)
-	}, nil
-}
-
-// getIDMappingsAndPair returns the ID mappings for the container and the host
-// ID pair.
-func getIDMappingsAndPair(container *libpod.Container, containerMount string) (*storage.IDMappingOptions, *idtools.IDPair, error) {
-	user, err := getContainerUser(container, containerMount)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	idMappingOpts, err := container.IDMappings()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	hostUID, hostGID, err := util.GetHostIDs(idtoolsToRuntimeSpec(idMappingOpts.UIDMap), idtoolsToRuntimeSpec(idMappingOpts.GIDMap), user.UID, user.GID)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	idPair := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)}
-	return &idMappingOpts, &idPair, nil
-}
-
-// getContainerUser returns the specs.User of the container.
-func getContainerUser(container *libpod.Container, mountPoint string) (specs.User, error) {
-	userspec := container.Config().User
-
-	uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec)
-	u := specs.User{
-		UID:      uid,
-		GID:      gid,
-		Username: userspec,
-	}
-
-	if !strings.Contains(userspec, ":") {
-		groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID))
-		if err2 != nil {
-			if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil {
-				err = err2
-			}
-		} else {
-			u.AdditionalGids = groups
-		}
-	}
-
-	return u, err
-}
-
-// idtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec.
-func idtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) {
-	for _, idmap := range idMaps {
-		tempIDMap := specs.LinuxIDMapping{
-			ContainerID: uint32(idmap.ContainerID),
-			HostID:      uint32(idmap.HostID),
-			Size:        uint32(idmap.Size),
-		}
-		convertedIDMap = append(convertedIDMap, tempIDMap)
-	}
-	return convertedIDMap
+	return container.CopyToArchive(ctx, containerPath, writer)
 }
diff --git a/pkg/domain/infra/abi/containers_stat.go b/pkg/domain/infra/abi/containers_stat.go
index 1baeb9178..98a23c70b 100644
--- a/pkg/domain/infra/abi/containers_stat.go
+++ b/pkg/domain/infra/abi/containers_stat.go
@@ -2,139 +2,20 @@ package abi
 
 import (
 	"context"
-	"os"
-	"path/filepath"
-	"strings"
 
-	buildahCopiah "github.com/containers/buildah/copier"
-	"github.com/containers/podman/v3/libpod"
-	"github.com/containers/podman/v3/pkg/copy"
 	"github.com/containers/podman/v3/pkg/domain/entities"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
-func (ic *ContainerEngine) containerStat(container *libpod.Container, containerMountPoint string, containerPath string) (*entities.ContainerStatReport, string, string, error) {
-	// Make sure that "/" copies the *contents* of the mount point and not
-	// the directory.
-	if containerPath == "/" {
-		containerPath += "/."
-	}
-
-	// Now resolve the container's path.  It may hit a volume, it may hit a
-	// bind mount, it may be relative.
-	resolvedRoot, resolvedContainerPath, err := container.ResolvePath(context.Background(), containerMountPoint, containerPath)
-	if err != nil {
-		return nil, "", "", err
-	}
-
-	statInfo, statInfoErr := secureStat(resolvedRoot, resolvedContainerPath)
-	if statInfoErr != nil {
-		// Not all errors from secureStat map to ErrNotExist, so we
-		// have to look into the error string.  Turning it into an
-		// ENOENT let's the API handlers return the correct status code
-		// which is crucial for the remote client.
-		if os.IsNotExist(err) || strings.Contains(statInfoErr.Error(), "o such file or directory") {
-			statInfoErr = copy.ErrENOENT
-		}
-		//  If statInfo is nil, there's nothing we can do anymore.  A
-		//  non-nil statInfo may indicate a symlink where we must have
-		//  a closer look.
-		if statInfo == nil {
-			return nil, "", "", statInfoErr
-		}
-	}
-
-	// Now make sure that the info's LinkTarget is relative to the
-	// container's mount.
-	var absContainerPath string
-
-	if statInfo.IsSymlink {
-		// Evaluated symlinks are always relative to the container's mount point.
-		absContainerPath = statInfo.ImmediateTarget
-	} else if strings.HasPrefix(resolvedContainerPath, containerMountPoint) {
-		// If the path is on the container's mount point, strip it off.
-		absContainerPath = strings.TrimPrefix(resolvedContainerPath, containerMountPoint)
-		absContainerPath = filepath.Join("/", absContainerPath)
-	} else {
-		// No symlink and not on the container's mount point, so let's
-		// move it back to the original input.  It must have evaluated
-		// to a volume or bind mount but we cannot return host paths.
-		absContainerPath = containerPath
-	}
-
-	// Now we need to make sure to preserve the base path as specified by
-	// the user.  The `filepath` packages likes to remove trailing slashes
-	// and dots that are crucial to the copy logic.
-	absContainerPath = copy.PreserveBasePath(containerPath, absContainerPath)
-	resolvedContainerPath = copy.PreserveBasePath(containerPath, resolvedContainerPath)
-
-	info := copy.FileInfo{
-		IsDir:      statInfo.IsDir,
-		Name:       filepath.Base(absContainerPath),
-		Size:       statInfo.Size,
-		Mode:       statInfo.Mode,
-		ModTime:    statInfo.ModTime,
-		LinkTarget: absContainerPath,
-	}
-
-	return &entities.ContainerStatReport{FileInfo: info}, resolvedRoot, resolvedContainerPath, statInfoErr
-}
-
 func (ic *ContainerEngine) ContainerStat(ctx context.Context, nameOrID string, containerPath string) (*entities.ContainerStatReport, error) {
 	container, err := ic.Libpod.LookupContainer(nameOrID)
 	if err != nil {
 		return nil, err
 	}
 
-	containerMountPoint, err := container.Mount()
-	if err != nil {
-		return nil, err
-	}
-
-	defer func() {
-		if err := container.Unmount(false); err != nil {
-			logrus.Errorf("Error unmounting container: %v", err)
-		}
-	}()
-
-	statReport, _, _, err := ic.containerStat(container, containerMountPoint, containerPath)
-	return statReport, err
-}
-
-// secureStat extracts file info for path in a chroot'ed environment in root.
-func secureStat(root string, path string) (*buildahCopiah.StatForItem, error) {
-	var glob string
-	var err error
-
-	// If root and path are equal, then dir must be empty and the glob must
-	// be ".".
-	if filepath.Clean(root) == filepath.Clean(path) {
-		glob = "."
-	} else {
-		glob, err = filepath.Rel(root, path)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	globStats, err := buildahCopiah.Stat(root, "", buildahCopiah.StatOptions{}, []string{glob})
-	if err != nil {
-		return nil, err
-	}
-
-	if len(globStats) != 1 {
-		return nil, errors.Errorf("internal error: secureStat: expected 1 item but got %d", len(globStats))
-	}
-
-	stat, exists := globStats[0].Results[glob] // only one glob passed, so that's okay
-	if !exists {
-		return nil, copy.ErrENOENT
-	}
+	info, err := container.Stat(ctx, containerPath)
 
-	var statErr error
-	if stat.Error != "" {
-		statErr = errors.New(stat.Error)
+	if info != nil {
+		return &entities.ContainerStatReport{FileInfo: *info}, err
 	}
-	return stat, statErr
+	return nil, err
 }