summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2021-03-02 09:20:53 +0100
committerValentin Rothberg <rothberg@redhat.com>2021-03-04 15:43:12 +0100
commita090301bbb10424ce4f99e40c97959f0e8664718 (patch)
tree3b2596e3d152204d35162b1ca89f524c5803ad8c /pkg
parent833670079c5b1f95fbb7c9bb8ba9095f1c66c7b4 (diff)
downloadpodman-a090301bbb10424ce4f99e40c97959f0e8664718.tar.gz
podman-a090301bbb10424ce4f99e40c97959f0e8664718.tar.bz2
podman-a090301bbb10424ce4f99e40c97959f0e8664718.zip
podman cp: support copying on tmpfs mounts
Traditionally, the path resolution for containers has been resolved on the *host*; relative to the container's mount point or relative to specified bind mounts or volumes. While this works nicely for non-running containers, it poses a problem for running ones. In that case, certain kinds of mounts (e.g., tmpfs) will not resolve correctly. A tmpfs is held in memory and hence cannot be resolved relatively to the container's mount point. A copy operation will succeed but the data will not show up inside the container. To support these kinds of mounts, we need to join the *running* container's mount namespace (and PID namespace) when copying. Note that this change implies moving the copy and stat logic into `libpod` since we need to keep the container locked to avoid race conditions. The immediate benefit is that all logic is now inside `libpod`; the code isn't scattered anymore. Further note that Docker does not support copying to tmpfs mounts. Tests have been extended to cover *both* path resolutions for running and created containers. New tests have been added to exercise the tmpfs-mount case. For the record: Some tests could be improved by using `start -a` instead of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI which forced me to use the more expensive start-exec option. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/copy/fileinfo.go11
-rw-r--r--pkg/domain/entities/containers.go3
-rw-r--r--pkg/domain/infra/abi/archive.go163
-rw-r--r--pkg/domain/infra/abi/containers_stat.go127
4 files changed, 9 insertions, 295 deletions
diff --git a/pkg/copy/fileinfo.go b/pkg/copy/fileinfo.go
index b95bcd90c..fb711311c 100644
--- a/pkg/copy/fileinfo.go
+++ b/pkg/copy/fileinfo.go
@@ -7,8 +7,8 @@ import (
"os"
"path/filepath"
"strings"
- "time"
+ "github.com/containers/podman/v3/libpod/define"
"github.com/pkg/errors"
)
@@ -22,14 +22,7 @@ var ErrENOENT = errors.New("No such file or directory")
// FileInfo describes a file or directory and is returned by
// (*CopyItem).Stat().
-type FileInfo struct {
- Name string `json:"name"`
- Size int64 `json:"size"`
- Mode os.FileMode `json:"mode"`
- ModTime time.Time `json:"mtime"`
- IsDir bool `json:"isDir"`
- LinkTarget string `json:"linkTarget"`
-}
+type FileInfo = define.FileInfo
// EncodeFileInfo serializes the specified FileInfo as a base64 encoded JSON
// payload. Intended for Docker compat.
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index ac965834a..7d074f89d 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -8,7 +8,6 @@ import (
"github.com/containers/image/v5/types"
"github.com/containers/podman/v3/libpod/define"
- "github.com/containers/podman/v3/pkg/copy"
"github.com/containers/podman/v3/pkg/specgen"
"github.com/cri-o/ocicni/pkg/ocicni"
)
@@ -145,7 +144,7 @@ type ContainerInspectReport struct {
}
type ContainerStatReport struct {
- copy.FileInfo
+ define.FileInfo
}
type CommitOptions struct {
diff --git a/pkg/domain/infra/abi/archive.go b/pkg/domain/infra/abi/archive.go
index 528771ee7..2ea63aa5e 100644
--- a/pkg/domain/infra/abi/archive.go
+++ b/pkg/domain/infra/abi/archive.go
@@ -3,72 +3,16 @@ package abi
import (
"context"
"io"
- "path/filepath"
- "strings"
- buildahCopiah "github.com/containers/buildah/copier"
- "github.com/containers/buildah/pkg/chrootuser"
- "github.com/containers/buildah/util"
- "github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/pkg/domain/entities"
- "github.com/containers/storage"
- "github.com/containers/storage/pkg/archive"
- "github.com/containers/storage/pkg/idtools"
- "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
)
-// NOTE: Only the parent directory of the container path must exist. The path
-// itself may be created while copying.
func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, containerPath string, reader io.Reader) (entities.ContainerCopyFunc, error) {
container, err := ic.Libpod.LookupContainer(nameOrID)
if err != nil {
return nil, err
}
-
- containerMountPoint, err := container.Mount()
- if err != nil {
- return nil, err
- }
-
- unmount := func() {
- if err := container.Unmount(false); err != nil {
- logrus.Errorf("Error unmounting container: %v", err)
- }
- }
-
- _, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath)
- if err != nil {
- unmount()
- return nil, err
- }
-
- decompressed, err := archive.DecompressStream(reader)
- if err != nil {
- unmount()
- return nil, err
- }
-
- idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot)
- if err != nil {
- unmount()
- return nil, err
- }
-
- logrus.Debugf("Container copy *to* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID())
-
- return func() error {
- defer unmount()
- defer decompressed.Close()
- putOptions := buildahCopiah.PutOptions{
- UIDMap: idMappings.UIDMap,
- GIDMap: idMappings.GIDMap,
- ChownDirs: idPair,
- ChownFiles: idPair,
- }
- return buildahCopiah.Put(resolvedRoot, resolvedContainerPath, putOptions, decompressed)
- }, nil
+ return container.CopyFromArchive(ctx, containerPath, reader)
}
func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, containerPath string, writer io.Writer) (entities.ContainerCopyFunc, error) {
@@ -76,108 +20,5 @@ func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID
if err != nil {
return nil, err
}
-
- containerMountPoint, err := container.Mount()
- if err != nil {
- return nil, err
- }
-
- unmount := func() {
- if err := container.Unmount(false); err != nil {
- logrus.Errorf("Error unmounting container: %v", err)
- }
- }
-
- // Make sure that "/" copies the *contents* of the mount point and not
- // the directory.
- if containerPath == "/" {
- containerPath = "/."
- }
-
- statInfo, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath)
- if err != nil {
- unmount()
- return nil, err
- }
-
- idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot)
- if err != nil {
- unmount()
- return nil, err
- }
-
- logrus.Debugf("Container copy *from* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID())
-
- return func() error {
- defer container.Unmount(false)
- getOptions := buildahCopiah.GetOptions{
- // Unless the specified points to ".", we want to copy the base directory.
- KeepDirectoryNames: statInfo.IsDir && filepath.Base(containerPath) != ".",
- UIDMap: idMappings.UIDMap,
- GIDMap: idMappings.GIDMap,
- ChownDirs: idPair,
- ChownFiles: idPair,
- }
- return buildahCopiah.Get(resolvedRoot, "", getOptions, []string{resolvedContainerPath}, writer)
- }, nil
-}
-
-// getIDMappingsAndPair returns the ID mappings for the container and the host
-// ID pair.
-func getIDMappingsAndPair(container *libpod.Container, containerMount string) (*storage.IDMappingOptions, *idtools.IDPair, error) {
- user, err := getContainerUser(container, containerMount)
- if err != nil {
- return nil, nil, err
- }
-
- idMappingOpts, err := container.IDMappings()
- if err != nil {
- return nil, nil, err
- }
-
- hostUID, hostGID, err := util.GetHostIDs(idtoolsToRuntimeSpec(idMappingOpts.UIDMap), idtoolsToRuntimeSpec(idMappingOpts.GIDMap), user.UID, user.GID)
- if err != nil {
- return nil, nil, err
- }
-
- idPair := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)}
- return &idMappingOpts, &idPair, nil
-}
-
-// getContainerUser returns the specs.User of the container.
-func getContainerUser(container *libpod.Container, mountPoint string) (specs.User, error) {
- userspec := container.Config().User
-
- uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec)
- u := specs.User{
- UID: uid,
- GID: gid,
- Username: userspec,
- }
-
- if !strings.Contains(userspec, ":") {
- groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID))
- if err2 != nil {
- if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil {
- err = err2
- }
- } else {
- u.AdditionalGids = groups
- }
- }
-
- return u, err
-}
-
-// idtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec.
-func idtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) {
- for _, idmap := range idMaps {
- tempIDMap := specs.LinuxIDMapping{
- ContainerID: uint32(idmap.ContainerID),
- HostID: uint32(idmap.HostID),
- Size: uint32(idmap.Size),
- }
- convertedIDMap = append(convertedIDMap, tempIDMap)
- }
- return convertedIDMap
+ return container.CopyToArchive(ctx, containerPath, writer)
}
diff --git a/pkg/domain/infra/abi/containers_stat.go b/pkg/domain/infra/abi/containers_stat.go
index 1baeb9178..98a23c70b 100644
--- a/pkg/domain/infra/abi/containers_stat.go
+++ b/pkg/domain/infra/abi/containers_stat.go
@@ -2,139 +2,20 @@ package abi
import (
"context"
- "os"
- "path/filepath"
- "strings"
- buildahCopiah "github.com/containers/buildah/copier"
- "github.com/containers/podman/v3/libpod"
- "github.com/containers/podman/v3/pkg/copy"
"github.com/containers/podman/v3/pkg/domain/entities"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
)
-func (ic *ContainerEngine) containerStat(container *libpod.Container, containerMountPoint string, containerPath string) (*entities.ContainerStatReport, string, string, error) {
- // Make sure that "/" copies the *contents* of the mount point and not
- // the directory.
- if containerPath == "/" {
- containerPath += "/."
- }
-
- // Now resolve the container's path. It may hit a volume, it may hit a
- // bind mount, it may be relative.
- resolvedRoot, resolvedContainerPath, err := container.ResolvePath(context.Background(), containerMountPoint, containerPath)
- if err != nil {
- return nil, "", "", err
- }
-
- statInfo, statInfoErr := secureStat(resolvedRoot, resolvedContainerPath)
- if statInfoErr != nil {
- // Not all errors from secureStat map to ErrNotExist, so we
- // have to look into the error string. Turning it into an
- // ENOENT let's the API handlers return the correct status code
- // which is crucial for the remote client.
- if os.IsNotExist(err) || strings.Contains(statInfoErr.Error(), "o such file or directory") {
- statInfoErr = copy.ErrENOENT
- }
- // If statInfo is nil, there's nothing we can do anymore. A
- // non-nil statInfo may indicate a symlink where we must have
- // a closer look.
- if statInfo == nil {
- return nil, "", "", statInfoErr
- }
- }
-
- // Now make sure that the info's LinkTarget is relative to the
- // container's mount.
- var absContainerPath string
-
- if statInfo.IsSymlink {
- // Evaluated symlinks are always relative to the container's mount point.
- absContainerPath = statInfo.ImmediateTarget
- } else if strings.HasPrefix(resolvedContainerPath, containerMountPoint) {
- // If the path is on the container's mount point, strip it off.
- absContainerPath = strings.TrimPrefix(resolvedContainerPath, containerMountPoint)
- absContainerPath = filepath.Join("/", absContainerPath)
- } else {
- // No symlink and not on the container's mount point, so let's
- // move it back to the original input. It must have evaluated
- // to a volume or bind mount but we cannot return host paths.
- absContainerPath = containerPath
- }
-
- // Now we need to make sure to preserve the base path as specified by
- // the user. The `filepath` packages likes to remove trailing slashes
- // and dots that are crucial to the copy logic.
- absContainerPath = copy.PreserveBasePath(containerPath, absContainerPath)
- resolvedContainerPath = copy.PreserveBasePath(containerPath, resolvedContainerPath)
-
- info := copy.FileInfo{
- IsDir: statInfo.IsDir,
- Name: filepath.Base(absContainerPath),
- Size: statInfo.Size,
- Mode: statInfo.Mode,
- ModTime: statInfo.ModTime,
- LinkTarget: absContainerPath,
- }
-
- return &entities.ContainerStatReport{FileInfo: info}, resolvedRoot, resolvedContainerPath, statInfoErr
-}
-
func (ic *ContainerEngine) ContainerStat(ctx context.Context, nameOrID string, containerPath string) (*entities.ContainerStatReport, error) {
container, err := ic.Libpod.LookupContainer(nameOrID)
if err != nil {
return nil, err
}
- containerMountPoint, err := container.Mount()
- if err != nil {
- return nil, err
- }
-
- defer func() {
- if err := container.Unmount(false); err != nil {
- logrus.Errorf("Error unmounting container: %v", err)
- }
- }()
-
- statReport, _, _, err := ic.containerStat(container, containerMountPoint, containerPath)
- return statReport, err
-}
-
-// secureStat extracts file info for path in a chroot'ed environment in root.
-func secureStat(root string, path string) (*buildahCopiah.StatForItem, error) {
- var glob string
- var err error
-
- // If root and path are equal, then dir must be empty and the glob must
- // be ".".
- if filepath.Clean(root) == filepath.Clean(path) {
- glob = "."
- } else {
- glob, err = filepath.Rel(root, path)
- if err != nil {
- return nil, err
- }
- }
-
- globStats, err := buildahCopiah.Stat(root, "", buildahCopiah.StatOptions{}, []string{glob})
- if err != nil {
- return nil, err
- }
-
- if len(globStats) != 1 {
- return nil, errors.Errorf("internal error: secureStat: expected 1 item but got %d", len(globStats))
- }
-
- stat, exists := globStats[0].Results[glob] // only one glob passed, so that's okay
- if !exists {
- return nil, copy.ErrENOENT
- }
+ info, err := container.Stat(ctx, containerPath)
- var statErr error
- if stat.Error != "" {
- statErr = errors.New(stat.Error)
+ if info != nil {
+ return &entities.ContainerStatReport{FileInfo: *info}, err
}
- return stat, statErr
+ return nil, err
}