Merge pull request #2583 from giuseppe/rootless-fix-pod-rm

rootless: fix stop and rm when the container is running with uid != 0

5 files changed, 118 insertions, 8 deletions

diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 732b89530..482b6119a 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -337,3 +337,43 @@ func IsImageNotFound(err error) bool {
 func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.HealthCheckStatus, error) {
 	return r.Runtime.HealthCheck(c.InputArgs[0])
 }
+
+// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
+// if the pod is stopped
+func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
+	if os.Geteuid() == 0 {
+		return false, 0, nil
+	}
+	opts := rootless.Opts{
+		Argument: pod.ID(),
+	}
+
+	inspect, err := pod.Inspect()
+	if err != nil {
+		return false, 0, err
+	}
+	for _, ctr := range inspect.Containers {
+		prevCtr, err := r.LookupContainer(ctr.ID)
+		if err != nil {
+			return false, -1, err
+		}
+		s, err := prevCtr.State()
+		if err != nil {
+			return false, -1, err
+		}
+		if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+			continue
+		}
+		data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
+		if err != nil {
+			return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
+		}
+		conmonPid, err := strconv.Atoi(string(data))
+		if err != nil {
+			return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+		}
+		return rootless.JoinDirectUserAndMountNSWithOpts(uint(conmonPid), &opts)
+	}
+
+	return rootless.BecomeRootInUserNSWithOpts(&opts)
+}
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index 10c25c3f3..9ca4e245f 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -751,3 +751,10 @@ func IsImageNotFound(err error) bool {
 func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (libpod.HealthCheckStatus, error) {
 	return -1, libpod.ErrNotImplemented
 }
+
+// JoinOrCreateRootlessPod joins the specified pod if it is running or it creates a new user namespace
+// if the pod is stopped
+func (r *LocalRuntime) JoinOrCreateRootlessPod(pod *Pod) (bool, int, error) {
+	// Nothing to do in the remote case
+	return true, 0, nil
+}
diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go
new file mode 100644
index 000000000..a531e43ce
--- /dev/null
+++ b/pkg/rootless/rootless.go
@@ -0,0 +1,9 @@
+package rootless
+
+// Opts allows to customize how re-execing to a rootless process is done
+type Opts struct {
+	// Argument overrides the arguments on the command line
+	// for the re-execed process.  The process in the namespace
+	// must use rootless.Argument() to read its value.
+	Argument string
+}
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index d43151e8e..b2677f7d9 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -60,6 +60,11 @@ func SkipStorageSetup() bool {
 	return skipStorageSetup
 }
 
+// Argument returns the argument that was set for the rootless session.
+func Argument() string {
+	return os.Getenv("_LIBPOD_ROOTLESS_ARG")
+}
+
 // GetRootlessUID returns the UID of the user in the parent userNS
 func GetRootlessUID() int {
 	uidEnv := os.Getenv("_LIBPOD_ROOTLESS_UID")
@@ -134,8 +139,16 @@ func JoinNS(pid uint, preserveFDs int) (bool, int, error) {
 
 // JoinDirectUserAndMountNS re-exec podman in a new userNS and join the user and mount
 // namespace of the specified PID without looking up its parent.  Useful to join directly
-// the conmon process.
+// the conmon process.  It is a convenience function for JoinDirectUserAndMountNSWithOpts
+// with a default configuration.
 func JoinDirectUserAndMountNS(pid uint) (bool, int, error) {
+	return JoinDirectUserAndMountNSWithOpts(pid, nil)
+}
+
+// JoinDirectUserAndMountNSWithOpts re-exec podman in a new userNS and join the user and
+// mount namespace of the specified PID without looking up its parent.  Useful to join
+// directly the conmon process.
+func JoinDirectUserAndMountNSWithOpts(pid uint, opts *Opts) (bool, int, error) {
 	if os.Geteuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" {
 		return false, -1, nil
 	}
@@ -152,6 +165,12 @@ func JoinDirectUserAndMountNS(pid uint) (bool, int, error) {
 	}
 	defer userNS.Close()
 
+	if opts != nil && opts.Argument != "" {
+		if err := os.Setenv("_LIBPOD_ROOTLESS_ARG", opts.Argument); err != nil {
+			return false, -1, err
+		}
+	}
+
 	pidC := C.reexec_userns_join(C.int(userNS.Fd()), C.int(mountNS.Fd()))
 	if int(pidC) < 0 {
 		return false, -1, errors.Errorf("cannot re-exec process")
@@ -194,8 +213,16 @@ func JoinNSPath(path string) (bool, int, error) {
 // BecomeRootInUserNS re-exec podman in a new userNS.  It returns whether podman was re-executed
 // into a new user namespace and the return code from the re-executed podman process.
 // If podman was re-executed the caller needs to propagate the error code returned by the child
-// process.
+// process.  It is a convenience function for BecomeRootInUserNSWithOpts with a default configuration.
 func BecomeRootInUserNS() (bool, int, error) {
+	return BecomeRootInUserNSWithOpts(nil)
+}
+
+// BecomeRootInUserNSWithOpts re-exec podman in a new userNS.  It returns whether podman was
+// re-execute into a new user namespace and the return code from the re-executed podman process.
+// If podman was re-executed the caller needs to propagate the error code returned by the child
+// process.
+func BecomeRootInUserNSWithOpts(opts *Opts) (bool, int, error) {
 	if os.Geteuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" {
 		if os.Getenv("_LIBPOD_USERNS_CONFIGURED") == "init" {
 			return false, 0, runInUser()
@@ -214,6 +241,12 @@ func BecomeRootInUserNS() (bool, int, error) {
 	defer w.Close()
 	defer w.Write([]byte("0"))
 
+	if opts != nil && opts.Argument != "" {
+		if err := os.Setenv("_LIBPOD_ROOTLESS_ARG", opts.Argument); err != nil {
+			return false, -1, err
+		}
+	}
+
 	pidC := C.reexec_in_user_namespace(C.int(r.Fd()))
 	pid := int(pidC)
 	if pid < 0 {
diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go
index 1823c023e..54e70961b 100644
--- a/pkg/rootless/rootless_unsupported.go
+++ b/pkg/rootless/rootless_unsupported.go
@@ -11,10 +11,18 @@ func IsRootless() bool {
 	return false
 }
 
+// BecomeRootInUserNS re-exec podman in a new userNS.  It returns whether podman was re-executed
+// into a new user namespace and the return code from the re-executed podman process.
+// If podman was re-executed the caller needs to propagate the error code returned by the child
+// process.  It is a convenience function for BecomeRootInUserNSWithOpts with a default configuration.
+func BecomeRootInUserNS() (bool, int, error) {
+	return false, -1, errors.New("this function is not supported on this os")
+}
+
 // BecomeRootInUserNS is a stub function that always returns false and an
 // error on unsupported OS's
-func BecomeRootInUserNS() (bool, int, error) {
-	return false, -1, errors.New("this function is not supported on this os1")
+func BecomeRootInUserNSWithOpts(opts *Opts) (bool, int, error) {
+	return false, -1, errors.New("this function is not supported on this os")
 }
 
 // GetRootlessUID returns the UID of the user in the parent userNS
@@ -34,18 +42,31 @@ func SkipStorageSetup() bool {
 // JoinNS re-exec podman in a new userNS and join the user namespace of the specified
 // PID.
 func JoinNS(pid uint) (bool, int, error) {
-	return false, -1, errors.New("this function is not supported on this os2")
+	return false, -1, errors.New("this function is not supported on this os")
 }
 
 // JoinNSPath re-exec podman in a new userNS and join the owner user namespace of the
 // specified path.
 func JoinNSPath(path string) (bool, int, error) {
-	return false, -1, errors.New("this function is not supported on this os3")
+	return false, -1, errors.New("this function is not supported on this os")
+}
+
+// JoinDirectUserAndMountNSWithOpts re-exec podman in a new userNS and join the user and
+// mount namespace of the specified PID without looking up its parent.  Useful to join
+// directly the conmon process.
+func JoinDirectUserAndMountNSWithOpts(pid uint, opts *Opts) (bool, int, error) {
+	return false, -1, errors.New("this function is not supported on this os")
 }
 
 // JoinDirectUserAndMountNS re-exec podman in a new userNS and join the user and mount
 // namespace of the specified PID without looking up its parent.  Useful to join directly
-// the conmon process.
+// the conmon process.  It is a convenience function for JoinDirectUserAndMountNSWithOpts
+// with a default configuration.
 func JoinDirectUserAndMountNS(pid uint) (bool, int, error) {
-	return false, -1, errors.New("this function is not supported on this os4")
+	return false, -1, errors.New("this function is not supported on this os")
+}
+
+// Argument returns the argument that was set for the rootless session.
+func Argument() string {
+	return ""
 }