diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-02-06 20:28:15 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-02-06 20:28:15 +0100 |
| commit | 9644802cd7e860aa876559cfa6e574030abada54 (patch) | |
| tree | b5e4f94d5a91d3ac20eef5c6520fe059b360b84d /pkg | |
| parent | aa6284367083dd5e3d383179fe42350e3d2b777c (diff) | |
| parent | e2970ea62d17ca98a3954c581523b8fa00a67bea (diff) | |
| download | podman-9644802cd7e860aa876559cfa6e574030abada54.tar.gz podman-9644802cd7e860aa876559cfa6e574030abada54.tar.bz2 podman-9644802cd7e860aa876559cfa6e574030abada54.zip | |
Merge pull request #2279 from giuseppe/pts-no-override-if-not-needed
rootless: do not override /dev/pts if not needed
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/spec/spec.go | 34 |
1 files changed, 27 insertions, 7 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 46105af4a..76b8963ff 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -9,6 +9,7 @@ import ( "github.com/containers/storage/pkg/mount" "github.com/docker/docker/daemon/caps" "github.com/docker/go-units" + "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M return configMount } +func getAvailableGids() (int64, error) { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + return 0, err + } + count := int64(0) + for _, r := range idMap { + count += r.Count + } + return count, nil +} + // CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint cgroupPerm := "ro" @@ -91,14 +104,21 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint g.AddMount(sysMnt) } if isRootless { - g.RemoveMount("/dev/pts") - devPts := spec.Mount{ - Destination: "/dev/pts", - Type: "devpts", - Source: "devpts", - Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + nGids, err := getAvailableGids() + if err != nil { + return nil, err + } + if nGids < 5 { + // If we have no GID mappings, the gid=5 default option would fail, so drop it. + g.RemoveMount("/dev/pts") + devPts := spec.Mount{ + Destination: "/dev/pts", + Type: "devpts", + Source: "devpts", + Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + } + g.AddMount(devPts) } - g.AddMount(devPts) } if inUserNS && config.IpcMode.IsHost() { g.RemoveMount("/dev/mqueue") |