diff options
| -rw-r--r-- | cmd/podman/cp.go | 4 | ||||
| -rw-r--r-- | cmd/podman/create.go | 5 | ||||
| -rw-r--r-- | cmd/podman/unshare.go | 49 | ||||
| -rw-r--r-- | docs/podman-unshare.1.md | 7 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 12 | ||||
| -rw-r--r-- | test/e2e/cp_test.go | 27 | ||||
| -rwxr-xr-x | test/test_podman_baseline.sh | 10 |
7 files changed, 97 insertions, 17 deletions
diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 4cb8a8c54..8240cc193 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -272,6 +272,10 @@ func copy(src, destPath, dest string, idMappingOpts storage.IDMappingOptions, ch } return nil } + + if destDirIsExist || strings.HasSuffix(dest, string(os.PathSeparator)) { + destPath = filepath.Join(destPath, filepath.Base(srcPath)) + } // Copy the file, preserving attributes. logrus.Debugf("copying %q to %q", srcPath, destPath) if err = copyFileWithTar(srcPath, destPath); err != nil { diff --git a/cmd/podman/create.go b/cmd/podman/create.go index cb3ba14c5..2351f5860 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/pkg/adapter" "github.com/opentracing/opentracing-go" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) @@ -72,6 +73,10 @@ func createInit(c *cliconfig.PodmanCommand) error { defer span.Finish() } + if c.IsSet("privileged") && c.IsSet("security-opt") { + logrus.Warn("setting security options with --privileged has no effect") + } + // Docker-compatibility: the "-h" flag for run/create is reserved for // the hostname (see https://github.com/containers/libpod/issues/1367). diff --git a/cmd/podman/unshare.go b/cmd/podman/unshare.go index 1db647dba..4a4e371db 100644 --- a/cmd/podman/unshare.go +++ b/cmd/podman/unshare.go @@ -3,10 +3,14 @@ package main import ( + "fmt" "os" "os/exec" - "github.com/containers/buildah/pkg/unshare" + "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/libpodruntime" + "github.com/containers/libpod/libpod" + "github.com/containers/libpod/pkg/rootless" "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -17,38 +21,61 @@ var ( Use: "unshare [flags] [COMMAND [ARG]]", Short: "Run a command in a modified user namespace", Long: unshareDescription, - RunE: unshareCmd, + RunE: func(cmd *cobra.Command, args []string) error { + unshareCommand.InputArgs = args + unshareCommand.GlobalFlags = MainGlobalOpts + return unshareCmd(&unshareCommand) + }, Example: `podman unshare id podman unshare cat /proc/self/uid_map, podman unshare podman-script.sh`, } + unshareCommand cliconfig.PodmanCommand ) func init() { - _unshareCommand.SetUsageTemplate(UsageTemplate()) + unshareCommand.Command = _unshareCommand + unshareCommand.SetHelpTemplate(HelpTemplate()) + unshareCommand.SetUsageTemplate(UsageTemplate()) flags := _unshareCommand.Flags() flags.SetInterspersed(false) } +func unshareEnv(config *libpod.RuntimeConfig) []string { + return append(os.Environ(), "_CONTAINERS_USERNS_CONFIGURED=done", + fmt.Sprintf("CONTAINERS_GRAPHROOT=%s", config.StorageConfig.GraphRoot), + fmt.Sprintf("CONTAINERS_RUNROOT=%s", config.StorageConfig.RunRoot)) +} + // unshareCmd execs whatever using the ID mappings that we want to use for ourselves -func unshareCmd(c *cobra.Command, args []string) error { - if isRootless := unshare.IsRootless(); !isRootless { +func unshareCmd(c *cliconfig.PodmanCommand) error { + + if isRootless := rootless.IsRootless(); !isRootless { return errors.Errorf("please use unshare with rootless") } // exec the specified command, if there is one - if len(args) < 1 { + if len(c.InputArgs) < 1 { // try to exec the shell, if one's set shell, shellSet := os.LookupEnv("SHELL") if !shellSet { return errors.Errorf("no command specified and no $SHELL specified") } - args = []string{shell} + c.InputArgs = []string{shell} } - cmd := exec.Command(args[0], args[1:]...) - cmd.Env = unshare.RootlessEnv() + + runtime, err := libpodruntime.GetRuntime(getContext(), c) + if err != nil { + return err + } + runtimeConfig, err := runtime.GetConfig() + if err != nil { + return err + } + + cmd := exec.Command(c.InputArgs[0], c.InputArgs[1:]...) + cmd.Env = unshareEnv(runtimeConfig) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr - unshare.ExecRunnable(cmd) - return nil + return cmd.Run() } diff --git a/docs/podman-unshare.1.md b/docs/podman-unshare.1.md index a7f018ce1..a10fb40f9 100644 --- a/docs/podman-unshare.1.md +++ b/docs/podman-unshare.1.md @@ -19,6 +19,11 @@ manually clearing storage and other data related to images and containers. It is also useful if you want to use the `podman mount` command. If an unprivileged users wants to mount and work with a container, then they need to execute podman unshare. Executing `podman mount` fails for unprivileged users unless the user is running inside a `podman unshare` session. +The unshare session defines two environment variables: + +**CONTAINERS_GRAPHROOT** the path to the persistent containers data. +**CONTAINERS_RUNROOT** the path to the volatile containers data. + ## EXAMPLE ``` @@ -34,4 +39,4 @@ $ podman unshare cat /proc/self/uid_map /proc/self/gid_map ## SEE ALSO -podman(1), podman-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7)
\ No newline at end of file +podman(1), podman-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7) diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c5e404155..f25f76092 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -25,7 +25,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } // Apply AppArmor checks and load the default profile if needed. - updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) - if err != nil { - return nil, err + if !c.config.Privileged { + updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) + if err != nil { + return nil, err + } + g.SetProcessApparmorProfile(updatedProfile) } - g.SetProcessApparmorProfile(updatedProfile) if err := c.makeBindMounts(); err != nil { return nil, err diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index 71fc064a5..f8df5d3d0 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -131,4 +131,31 @@ var _ = Describe("Podman cp", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + It("podman cp tar", func() { + path, err := os.Getwd() + Expect(err).To(BeNil()) + testDirPath := filepath.Join(path, "TestDir") + err = os.Mkdir(testDirPath, 0777) + Expect(err).To(BeNil()) + cmd := exec.Command("tar", "-cvf", "file.tar", testDirPath) + _, err = cmd.Output() + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"create", "--name", "testctr", ALPINE, "ls", "-l", "foo"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"cp", "file.tar", "testctr:/foo/"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"start", "-a", "testctr"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("file.tar")) + + os.Remove("file.tar") + os.RemoveAll(testDirPath) + }) }) diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh index 5c24229bb..92bc8e20c 100755 --- a/test/test_podman_baseline.sh +++ b/test/test_podman_baseline.sh @@ -504,6 +504,16 @@ EOF echo "failed" fi + #Expected to pass (as root with --privileged). + #Note that the profile should not be loaded letting the mount succeed. + podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2" + rc=$? + echo -n "root with specified AppArmor profile but --privileged: " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi #Expected to fail (as rootless) sudo -u "#1000" podman run --security-opt apparmor=$aaProfile docker.io/library/alpine:latest echo hello rc=$? |