diff options
author | Valentin Rothberg <rothberg@redhat.com> | 2021-03-02 09:20:53 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2021-03-04 15:43:12 +0100 |
commit | a090301bbb10424ce4f99e40c97959f0e8664718 (patch) | |
tree | 3b2596e3d152204d35162b1ca89f524c5803ad8c /pkg | |
parent | 833670079c5b1f95fbb7c9bb8ba9095f1c66c7b4 (diff) | |
download | podman-a090301bbb10424ce4f99e40c97959f0e8664718.tar.gz podman-a090301bbb10424ce4f99e40c97959f0e8664718.tar.bz2 podman-a090301bbb10424ce4f99e40c97959f0e8664718.zip |
podman cp: support copying on tmpfs mounts
Traditionally, the path resolution for containers has been resolved on
the *host*; relative to the container's mount point or relative to
specified bind mounts or volumes.
While this works nicely for non-running containers, it poses a problem
for running ones. In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly. A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point. A copy operation
will succeed but the data will not show up inside the container.
To support these kinds of mounts, we need to join the *running*
container's mount namespace (and PID namespace) when copying.
Note that this change implies moving the copy and stat logic into
`libpod` since we need to keep the container locked to avoid race
conditions. The immediate benefit is that all logic is now inside
`libpod`; the code isn't scattered anymore.
Further note that Docker does not support copying to tmpfs mounts.
Tests have been extended to cover *both* path resolutions for running
and created containers. New tests have been added to exercise the
tmpfs-mount case.
For the record: Some tests could be improved by using `start -a` instead
of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI
which forced me to use the more expensive start-exec option.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/copy/fileinfo.go | 11 | ||||
-rw-r--r-- | pkg/domain/entities/containers.go | 3 | ||||
-rw-r--r-- | pkg/domain/infra/abi/archive.go | 163 | ||||
-rw-r--r-- | pkg/domain/infra/abi/containers_stat.go | 127 |
4 files changed, 9 insertions, 295 deletions
diff --git a/pkg/copy/fileinfo.go b/pkg/copy/fileinfo.go index b95bcd90c..fb711311c 100644 --- a/pkg/copy/fileinfo.go +++ b/pkg/copy/fileinfo.go @@ -7,8 +7,8 @@ import ( "os" "path/filepath" "strings" - "time" + "github.com/containers/podman/v3/libpod/define" "github.com/pkg/errors" ) @@ -22,14 +22,7 @@ var ErrENOENT = errors.New("No such file or directory") // FileInfo describes a file or directory and is returned by // (*CopyItem).Stat(). -type FileInfo struct { - Name string `json:"name"` - Size int64 `json:"size"` - Mode os.FileMode `json:"mode"` - ModTime time.Time `json:"mtime"` - IsDir bool `json:"isDir"` - LinkTarget string `json:"linkTarget"` -} +type FileInfo = define.FileInfo // EncodeFileInfo serializes the specified FileInfo as a base64 encoded JSON // payload. Intended for Docker compat. diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go index ac965834a..7d074f89d 100644 --- a/pkg/domain/entities/containers.go +++ b/pkg/domain/entities/containers.go @@ -8,7 +8,6 @@ import ( "github.com/containers/image/v5/types" "github.com/containers/podman/v3/libpod/define" - "github.com/containers/podman/v3/pkg/copy" "github.com/containers/podman/v3/pkg/specgen" "github.com/cri-o/ocicni/pkg/ocicni" ) @@ -145,7 +144,7 @@ type ContainerInspectReport struct { } type ContainerStatReport struct { - copy.FileInfo + define.FileInfo } type CommitOptions struct { diff --git a/pkg/domain/infra/abi/archive.go b/pkg/domain/infra/abi/archive.go index 528771ee7..2ea63aa5e 100644 --- a/pkg/domain/infra/abi/archive.go +++ b/pkg/domain/infra/abi/archive.go @@ -3,72 +3,16 @@ package abi import ( "context" "io" - "path/filepath" - "strings" - buildahCopiah "github.com/containers/buildah/copier" - "github.com/containers/buildah/pkg/chrootuser" - "github.com/containers/buildah/util" - "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/storage" - "github.com/containers/storage/pkg/archive" - "github.com/containers/storage/pkg/idtools" - "github.com/opencontainers/runtime-spec/specs-go" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) -// NOTE: Only the parent directory of the container path must exist. The path -// itself may be created while copying. func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, containerPath string, reader io.Reader) (entities.ContainerCopyFunc, error) { container, err := ic.Libpod.LookupContainer(nameOrID) if err != nil { return nil, err } - - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - unmount := func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - } - - _, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath) - if err != nil { - unmount() - return nil, err - } - - decompressed, err := archive.DecompressStream(reader) - if err != nil { - unmount() - return nil, err - } - - idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot) - if err != nil { - unmount() - return nil, err - } - - logrus.Debugf("Container copy *to* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID()) - - return func() error { - defer unmount() - defer decompressed.Close() - putOptions := buildahCopiah.PutOptions{ - UIDMap: idMappings.UIDMap, - GIDMap: idMappings.GIDMap, - ChownDirs: idPair, - ChownFiles: idPair, - } - return buildahCopiah.Put(resolvedRoot, resolvedContainerPath, putOptions, decompressed) - }, nil + return container.CopyFromArchive(ctx, containerPath, reader) } func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, containerPath string, writer io.Writer) (entities.ContainerCopyFunc, error) { @@ -76,108 +20,5 @@ func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID if err != nil { return nil, err } - - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - unmount := func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - } - - // Make sure that "/" copies the *contents* of the mount point and not - // the directory. - if containerPath == "/" { - containerPath = "/." - } - - statInfo, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath) - if err != nil { - unmount() - return nil, err - } - - idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot) - if err != nil { - unmount() - return nil, err - } - - logrus.Debugf("Container copy *from* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID()) - - return func() error { - defer container.Unmount(false) - getOptions := buildahCopiah.GetOptions{ - // Unless the specified points to ".", we want to copy the base directory. - KeepDirectoryNames: statInfo.IsDir && filepath.Base(containerPath) != ".", - UIDMap: idMappings.UIDMap, - GIDMap: idMappings.GIDMap, - ChownDirs: idPair, - ChownFiles: idPair, - } - return buildahCopiah.Get(resolvedRoot, "", getOptions, []string{resolvedContainerPath}, writer) - }, nil -} - -// getIDMappingsAndPair returns the ID mappings for the container and the host -// ID pair. -func getIDMappingsAndPair(container *libpod.Container, containerMount string) (*storage.IDMappingOptions, *idtools.IDPair, error) { - user, err := getContainerUser(container, containerMount) - if err != nil { - return nil, nil, err - } - - idMappingOpts, err := container.IDMappings() - if err != nil { - return nil, nil, err - } - - hostUID, hostGID, err := util.GetHostIDs(idtoolsToRuntimeSpec(idMappingOpts.UIDMap), idtoolsToRuntimeSpec(idMappingOpts.GIDMap), user.UID, user.GID) - if err != nil { - return nil, nil, err - } - - idPair := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)} - return &idMappingOpts, &idPair, nil -} - -// getContainerUser returns the specs.User of the container. -func getContainerUser(container *libpod.Container, mountPoint string) (specs.User, error) { - userspec := container.Config().User - - uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec) - u := specs.User{ - UID: uid, - GID: gid, - Username: userspec, - } - - if !strings.Contains(userspec, ":") { - groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID)) - if err2 != nil { - if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil { - err = err2 - } - } else { - u.AdditionalGids = groups - } - } - - return u, err -} - -// idtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec. -func idtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) { - for _, idmap := range idMaps { - tempIDMap := specs.LinuxIDMapping{ - ContainerID: uint32(idmap.ContainerID), - HostID: uint32(idmap.HostID), - Size: uint32(idmap.Size), - } - convertedIDMap = append(convertedIDMap, tempIDMap) - } - return convertedIDMap + return container.CopyToArchive(ctx, containerPath, writer) } diff --git a/pkg/domain/infra/abi/containers_stat.go b/pkg/domain/infra/abi/containers_stat.go index 1baeb9178..98a23c70b 100644 --- a/pkg/domain/infra/abi/containers_stat.go +++ b/pkg/domain/infra/abi/containers_stat.go @@ -2,139 +2,20 @@ package abi import ( "context" - "os" - "path/filepath" - "strings" - buildahCopiah "github.com/containers/buildah/copier" - "github.com/containers/podman/v3/libpod" - "github.com/containers/podman/v3/pkg/copy" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) -func (ic *ContainerEngine) containerStat(container *libpod.Container, containerMountPoint string, containerPath string) (*entities.ContainerStatReport, string, string, error) { - // Make sure that "/" copies the *contents* of the mount point and not - // the directory. - if containerPath == "/" { - containerPath += "/." - } - - // Now resolve the container's path. It may hit a volume, it may hit a - // bind mount, it may be relative. - resolvedRoot, resolvedContainerPath, err := container.ResolvePath(context.Background(), containerMountPoint, containerPath) - if err != nil { - return nil, "", "", err - } - - statInfo, statInfoErr := secureStat(resolvedRoot, resolvedContainerPath) - if statInfoErr != nil { - // Not all errors from secureStat map to ErrNotExist, so we - // have to look into the error string. Turning it into an - // ENOENT let's the API handlers return the correct status code - // which is crucial for the remote client. - if os.IsNotExist(err) || strings.Contains(statInfoErr.Error(), "o such file or directory") { - statInfoErr = copy.ErrENOENT - } - // If statInfo is nil, there's nothing we can do anymore. A - // non-nil statInfo may indicate a symlink where we must have - // a closer look. - if statInfo == nil { - return nil, "", "", statInfoErr - } - } - - // Now make sure that the info's LinkTarget is relative to the - // container's mount. - var absContainerPath string - - if statInfo.IsSymlink { - // Evaluated symlinks are always relative to the container's mount point. - absContainerPath = statInfo.ImmediateTarget - } else if strings.HasPrefix(resolvedContainerPath, containerMountPoint) { - // If the path is on the container's mount point, strip it off. - absContainerPath = strings.TrimPrefix(resolvedContainerPath, containerMountPoint) - absContainerPath = filepath.Join("/", absContainerPath) - } else { - // No symlink and not on the container's mount point, so let's - // move it back to the original input. It must have evaluated - // to a volume or bind mount but we cannot return host paths. - absContainerPath = containerPath - } - - // Now we need to make sure to preserve the base path as specified by - // the user. The `filepath` packages likes to remove trailing slashes - // and dots that are crucial to the copy logic. - absContainerPath = copy.PreserveBasePath(containerPath, absContainerPath) - resolvedContainerPath = copy.PreserveBasePath(containerPath, resolvedContainerPath) - - info := copy.FileInfo{ - IsDir: statInfo.IsDir, - Name: filepath.Base(absContainerPath), - Size: statInfo.Size, - Mode: statInfo.Mode, - ModTime: statInfo.ModTime, - LinkTarget: absContainerPath, - } - - return &entities.ContainerStatReport{FileInfo: info}, resolvedRoot, resolvedContainerPath, statInfoErr -} - func (ic *ContainerEngine) ContainerStat(ctx context.Context, nameOrID string, containerPath string) (*entities.ContainerStatReport, error) { container, err := ic.Libpod.LookupContainer(nameOrID) if err != nil { return nil, err } - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - defer func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - }() - - statReport, _, _, err := ic.containerStat(container, containerMountPoint, containerPath) - return statReport, err -} - -// secureStat extracts file info for path in a chroot'ed environment in root. -func secureStat(root string, path string) (*buildahCopiah.StatForItem, error) { - var glob string - var err error - - // If root and path are equal, then dir must be empty and the glob must - // be ".". - if filepath.Clean(root) == filepath.Clean(path) { - glob = "." - } else { - glob, err = filepath.Rel(root, path) - if err != nil { - return nil, err - } - } - - globStats, err := buildahCopiah.Stat(root, "", buildahCopiah.StatOptions{}, []string{glob}) - if err != nil { - return nil, err - } - - if len(globStats) != 1 { - return nil, errors.Errorf("internal error: secureStat: expected 1 item but got %d", len(globStats)) - } - - stat, exists := globStats[0].Results[glob] // only one glob passed, so that's okay - if !exists { - return nil, copy.ErrENOENT - } + info, err := container.Stat(ctx, containerPath) - var statErr error - if stat.Error != "" { - statErr = errors.New(stat.Error) + if info != nil { + return &entities.ContainerStatReport{FileInfo: *info}, err } - return stat, statErr + return nil, err } |