author | Giuseppe Scrivano <giuseppe@scrivano.org> | 2019-08-29 22:47:15 +0200 |
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-02 13:03:19 +0200 |
commit | ba1c57030f10ece60678a848e04375e4cd2c843d (patch) | |
tree | 9af53c644f640904204c1d6a739eaa38f8558b0b /pkg | |
parent | e5568d4acc5b6319e46de9477c99248db55db628 (diff) | |
rootless: bind mount devices instead of creating them
When running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration. This
is required because an unprivileged user cannot use mknod, even when root
in a user namespace.
Closes: https://github.com/containers/libpod/issues/3905
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/spec/config_linux.go | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 60d31d78e..dea9b393c 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -98,6 +98,26 @@ func addDevice(g *generate.Generator, device string) error {
 if err != nil {
 return errors.Wrapf(err, "%s is not a valid device", src)
 }
+ if rootless.IsRootless() {
+ if _, err := os.Stat(src); err != nil {
+ if os.IsNotExist(err) {
+ return errors.Wrapf(err, "the specified device %s doesn't exist", src)
+ }
+ return errors.Wrapf(err, "stat device %s exist", src)
+ }
+ perm := "ro"
+ if strings.Contains(permissions, "w") {
+ perm = "rw"
+ }
+ devMnt := spec.Mount{
+ Destination: dst,
+ Type: TypeBind,
+ Source: src,
+ Options: []string{"slave", "nosuid", "noexec", perm, "rbind"},
+ }
+ g.Config.Mounts = append(g.Config.Mounts, devMnt)
+ return nil
+ }
 dev.Path = dst
 linuxdev := spec.LinuxDevice{
 Path: dev.Path, |
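Review bot: The fallback error on the os.Stat failure is garbled — `"stat device %s exist"` — and since errors.Wrapf already appends the underlying cause, `return errors.Wrapf(err, "stat device %s", src)` reads correctly. The new rootless branch deserves a why-comment at its top, since it silently diverges from the OCI device path: something like `// rootless: mknod is not permitted even as root in a user namespace, so expose the host node with a bind mount instead of an OCI device entry` would save the next reader a trip to the commit log. Two behavioral differences are worth stating in that comment as well: the "m" (mknod) flag in `permissions` is dropped because only read/write can be expressed on a bind mount, and os.Stat follows symlinks, so the mount exposes whatever `src` resolves to at container-creation time rather than the path that was validated above. If the non-rootless path also registers the device in the cgroup device list (that code is not visible in this hunk), note that the bind-mounted node is not covered by it. addDevice's body continues past the end of the hunk.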