diff options
| -rw-r--r-- | .copr/prepare.sh | 2 | ||||
| -rw-r--r-- | Dockerfile | 2 | ||||
| -rw-r--r-- | Dockerfile.centos | 2 | ||||
| -rw-r--r-- | Dockerfile.fedora | 2 | ||||
| -rw-r--r-- | cmd/podman/cp.go | 4 | ||||
| -rw-r--r-- | cmd/podman/create.go | 5 | ||||
| -rw-r--r-- | cmd/podman/unshare.go | 49 | ||||
| -rw-r--r-- | contrib/spec/podman.spec.in | 2 | ||||
| -rw-r--r-- | docs/podman-unshare.1.md | 7 | ||||
| -rw-r--r-- | install.md | 2 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 12 | ||||
| -rw-r--r-- | libpod/runtime.go | 5 | ||||
| -rw-r--r-- | test/e2e/cp_test.go | 27 | ||||
| -rwxr-xr-x | test/test_podman_baseline.sh | 10 |
14 files changed, 105 insertions, 26 deletions
diff --git a/.copr/prepare.sh b/.copr/prepare.sh index a40e2aadb..57c380b02 100644 --- a/.copr/prepare.sh +++ b/.copr/prepare.sh @@ -29,4 +29,4 @@ fi mkdir build/ git archive --prefix "libpod-${COMMIT_SHORT}/" --format "tar.gz" HEAD -o "build/libpod-${COMMIT_SHORT}.tar.gz" git clone https://github.com/containers/conmon -cd conmon && git checkout f02c053eb37010fc76d1e2966de7f2cb9f969ef2 && git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" +cd conmon && git checkout 59952292a3b07ac125575024ae21956efe0ecdfb && git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" diff --git a/Dockerfile b/Dockerfile index f3afd5e25..4fc85e959 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install conmon -ENV CONMON_COMMIT f02c053eb37010fc76d1e2966de7f2cb9f969ef2 +ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ diff --git a/Dockerfile.centos b/Dockerfile.centos index 47f7182b6..159449c63 100644 --- a/Dockerfile.centos +++ b/Dockerfile.centos @@ -64,7 +64,7 @@ RUN set -x \ && install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/ # Install conmon -ENV CONMON_COMMIT f02c053eb37010fc76d1e2966de7f2cb9f969ef2 +ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ diff --git a/Dockerfile.fedora b/Dockerfile.fedora index 290fe3f82..74a770a90 100644 --- a/Dockerfile.fedora +++ b/Dockerfile.fedora @@ -68,7 +68,7 @@ RUN set -x \ && install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/ # Install conmon -ENV CONMON_COMMIT f02c053eb37010fc76d1e2966de7f2cb9f969ef2 +ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 4cb8a8c54..8240cc193 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -272,6 +272,10 @@ func copy(src, destPath, dest string, idMappingOpts storage.IDMappingOptions, ch } return nil } + + if destDirIsExist || strings.HasSuffix(dest, string(os.PathSeparator)) { + destPath = filepath.Join(destPath, filepath.Base(srcPath)) + } // Copy the file, preserving attributes. logrus.Debugf("copying %q to %q", srcPath, destPath) if err = copyFileWithTar(srcPath, destPath); err != nil { diff --git a/cmd/podman/create.go b/cmd/podman/create.go index cb3ba14c5..2351f5860 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/pkg/adapter" "github.com/opentracing/opentracing-go" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) @@ -72,6 +73,10 @@ func createInit(c *cliconfig.PodmanCommand) error { defer span.Finish() } + if c.IsSet("privileged") && c.IsSet("security-opt") { + logrus.Warn("setting security options with --privileged has no effect") + } + // Docker-compatibility: the "-h" flag for run/create is reserved for // the hostname (see https://github.com/containers/libpod/issues/1367). diff --git a/cmd/podman/unshare.go b/cmd/podman/unshare.go index 1db647dba..4a4e371db 100644 --- a/cmd/podman/unshare.go +++ b/cmd/podman/unshare.go @@ -3,10 +3,14 @@ package main import ( + "fmt" "os" "os/exec" - "github.com/containers/buildah/pkg/unshare" + "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/libpodruntime" + "github.com/containers/libpod/libpod" + "github.com/containers/libpod/pkg/rootless" "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -17,38 +21,61 @@ var ( Use: "unshare [flags] [COMMAND [ARG]]", Short: "Run a command in a modified user namespace", Long: unshareDescription, - RunE: unshareCmd, + RunE: func(cmd *cobra.Command, args []string) error { + unshareCommand.InputArgs = args + unshareCommand.GlobalFlags = MainGlobalOpts + return unshareCmd(&unshareCommand) + }, Example: `podman unshare id podman unshare cat /proc/self/uid_map, podman unshare podman-script.sh`, } + unshareCommand cliconfig.PodmanCommand ) func init() { - _unshareCommand.SetUsageTemplate(UsageTemplate()) + unshareCommand.Command = _unshareCommand + unshareCommand.SetHelpTemplate(HelpTemplate()) + unshareCommand.SetUsageTemplate(UsageTemplate()) flags := _unshareCommand.Flags() flags.SetInterspersed(false) } +func unshareEnv(config *libpod.RuntimeConfig) []string { + return append(os.Environ(), "_CONTAINERS_USERNS_CONFIGURED=done", + fmt.Sprintf("CONTAINERS_GRAPHROOT=%s", config.StorageConfig.GraphRoot), + fmt.Sprintf("CONTAINERS_RUNROOT=%s", config.StorageConfig.RunRoot)) +} + // unshareCmd execs whatever using the ID mappings that we want to use for ourselves -func unshareCmd(c *cobra.Command, args []string) error { - if isRootless := unshare.IsRootless(); !isRootless { +func unshareCmd(c *cliconfig.PodmanCommand) error { + + if isRootless := rootless.IsRootless(); !isRootless { return errors.Errorf("please use unshare with rootless") } // exec the specified command, if there is one - if len(args) < 1 { + if len(c.InputArgs) < 1 { // try to exec the shell, if one's set shell, shellSet := os.LookupEnv("SHELL") if !shellSet { return errors.Errorf("no command specified and no $SHELL specified") } - args = []string{shell} + c.InputArgs = []string{shell} } - cmd := exec.Command(args[0], args[1:]...) - cmd.Env = unshare.RootlessEnv() + + runtime, err := libpodruntime.GetRuntime(getContext(), c) + if err != nil { + return err + } + runtimeConfig, err := runtime.GetConfig() + if err != nil { + return err + } + + cmd := exec.Command(c.InputArgs[0], c.InputArgs[1:]...) + cmd.Env = unshareEnv(runtimeConfig) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr - unshare.ExecRunnable(cmd) - return nil + return cmd.Run() } diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 985dbbc74..a1c11a5a6 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -35,7 +35,7 @@ # People want conmon packaged with the copr rpm %global import_path_conmon github.com/containers/conmon %global git_conmon https://%{import_path_conmon} -%global commit_conmon f02c053eb37010fc76d1e2966de7f2cb9f969ef2 +%global commit_conmon 59952292a3b07ac125575024ae21956efe0ecdfb %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman diff --git a/docs/podman-unshare.1.md b/docs/podman-unshare.1.md index a7f018ce1..a10fb40f9 100644 --- a/docs/podman-unshare.1.md +++ b/docs/podman-unshare.1.md @@ -19,6 +19,11 @@ manually clearing storage and other data related to images and containers. It is also useful if you want to use the `podman mount` command. If an unprivileged users wants to mount and work with a container, then they need to execute podman unshare. Executing `podman mount` fails for unprivileged users unless the user is running inside a `podman unshare` session. +The unshare session defines two environment variables: + +**CONTAINERS_GRAPHROOT** the path to the persistent containers data. +**CONTAINERS_RUNROOT** the path to the volatile containers data. + ## EXAMPLE ``` @@ -34,4 +39,4 @@ $ podman unshare cat /proc/self/uid_map /proc/self/gid_map ## SEE ALSO -podman(1), podman-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7)
\ No newline at end of file +podman(1), podman-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7) diff --git a/install.md b/install.md index ae74acdf8..94de2ea74 100644 --- a/install.md +++ b/install.md @@ -159,7 +159,7 @@ git submodule update --init # for Fedora, CentOS, RHEL sudo yum install -y automake bison e2fsprogs-devel fuse-devel libtool xz-devel zlib-devel # for Debian, Ubuntu etc. -sudo apt-get install -y automake bison e2fsprogs fuse liblzma-dev libtool zlib1g +sudo apt-get install -y automake bison e2fsprogs e2fslibs-dev fuse libfuse-dev libgpgme-dev liblzma-dev libtool zlib1g ./autogen.sh --prefix=/usr --libdir=/usr/lib64 --sysconfdir=/etc # remove --nonet option due to https:/github.com/ostreedev/ostree/issues/1374 diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c5e404155..f25f76092 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -25,7 +25,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } // Apply AppArmor checks and load the default profile if needed. - updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) - if err != nil { - return nil, err + if !c.config.Privileged { + updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) + if err != nil { + return nil, err + } + g.SetProcessApparmorProfile(updatedProfile) } - g.SetProcessApparmorProfile(updatedProfile) if err := c.makeBindMounts(); err != nil { return nil, err diff --git a/libpod/runtime.go b/libpod/runtime.go index def7ba639..1f8dd98b4 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -877,10 +877,9 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) { // TODO: we can't close the FD in this lock, so we should keep it around // and use it to lock important operations aliveLock.Lock() - locked := true doRefresh := false defer func() { - if locked { + if aliveLock.Locked() { aliveLock.Unlock() } }() @@ -891,7 +890,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) { // no containers running. Create immediately a namespace, as // we will need to access the storage. if os.Geteuid() != 0 { - aliveLock.Unlock() + aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. pausePid, err := util.GetRootlessPauseProcessPidPath() if err != nil { return errors.Wrapf(err, "could not get pause process pid file path") diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index 71fc064a5..f8df5d3d0 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -131,4 +131,31 @@ var _ = Describe("Podman cp", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + It("podman cp tar", func() { + path, err := os.Getwd() + Expect(err).To(BeNil()) + testDirPath := filepath.Join(path, "TestDir") + err = os.Mkdir(testDirPath, 0777) + Expect(err).To(BeNil()) + cmd := exec.Command("tar", "-cvf", "file.tar", testDirPath) + _, err = cmd.Output() + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"create", "--name", "testctr", ALPINE, "ls", "-l", "foo"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"cp", "file.tar", "testctr:/foo/"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"start", "-a", "testctr"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("file.tar")) + + os.Remove("file.tar") + os.RemoveAll(testDirPath) + }) }) diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh index 5c24229bb..92bc8e20c 100755 --- a/test/test_podman_baseline.sh +++ b/test/test_podman_baseline.sh @@ -504,6 +504,16 @@ EOF echo "failed" fi + #Expected to pass (as root with --privileged). + #Note that the profile should not be loaded letting the mount succeed. + podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2" + rc=$? + echo -n "root with specified AppArmor profile but --privileged: " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi #Expected to fail (as rootless) sudo -u "#1000" podman run --security-opt apparmor=$aaProfile docker.io/library/alpine:latest echo hello rc=$? |