summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libpod/container_internal_linux.go8
-rw-r--r--pkg/rootless/rootless.go84
-rw-r--r--pkg/rootless/rootless_test.go101
3 files changed, 193 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index cefe12209..bc8f0f932 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -529,6 +529,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ availableUIDs, availableGIDs, err := rootless.GetAvailableIDMaps()
+ if err != nil {
+ return nil, err
+ }
+ g.Config.Linux.UIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.UIDMappings, availableUIDs)
+ g.Config.Linux.GIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.GIDMappings, availableGIDs)
+
// Hostname handling:
// If we have a UTS namespace, set Hostname in the OCI spec.
// Set the HOSTNAME environment variable unless explicitly overridden by
@@ -536,6 +543,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// set it to the host's hostname instead.
hostname := c.Hostname()
foundUTS := false
+
for _, i := range c.config.Spec.Linux.Namespaces {
if i.Type == spec.UTSNamespace && i.Path == "" {
foundUTS = true
diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go
index 2894c043f..df35c0d6b 100644
--- a/pkg/rootless/rootless.go
+++ b/pkg/rootless/rootless.go
@@ -2,10 +2,12 @@ package rootless
import (
"os"
+ "sort"
"sync"
"github.com/containers/storage"
"github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -87,6 +89,20 @@ func GetAvailableGidMap() ([]user.IDMap, error) {
return gidMap, gidMapError
}
+// GetAvailableIDMaps returns the UID and GID mappings in the
+// current user namespace.
+func GetAvailableIDMaps() ([]user.IDMap, []user.IDMap, error) {
+ u, err := GetAvailableUidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ g, err := GetAvailableGidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ return u, g, nil
+}
+
func countAvailableIDs(mappings []user.IDMap) int64 {
availableUids := int64(0)
for _, r := range mappings {
@@ -116,3 +132,71 @@ func GetAvailableGids() (int64, error) {
return countAvailableIDs(gids), nil
}
+
+// findIDInMappings find the the mapping that contains the specified ID.
+// It assumes availableMappings is sorted by ID.
+func findIDInMappings(id int64, availableMappings []user.IDMap) *user.IDMap {
+ i := sort.Search(len(availableMappings), func(i int) bool {
+ return availableMappings[i].ID >= id
+ })
+ if i < 0 || i >= len(availableMappings) {
+ return nil
+ }
+ r := &availableMappings[i]
+ if id >= r.ID && id < r.ID+r.Count {
+ return r
+ }
+ return nil
+}
+
+// MaybeSplitMappings checks whether the specified OCI mappings are possible
+// in the current user namespace or the specified ranges must be split.
+func MaybeSplitMappings(mappings []spec.LinuxIDMapping, availableMappings []user.IDMap) []spec.LinuxIDMapping {
+ var ret []spec.LinuxIDMapping
+ var overflow spec.LinuxIDMapping
+ overflow.Size = 0
+ consumed := 0
+ sort.Slice(availableMappings, func(i, j int) bool {
+ return availableMappings[i].ID < availableMappings[j].ID
+ })
+ for {
+ cur := overflow
+ // if there is no overflow left from the previous request, get the next one
+ if cur.Size == 0 {
+ if consumed == len(mappings) {
+ // all done
+ return ret
+ }
+ cur = mappings[consumed]
+ consumed++
+ }
+
+ // Find the range where the first specified ID is present
+ r := findIDInMappings(int64(cur.HostID), availableMappings)
+ if r == nil {
+ // The requested range is not available. Just return the original request
+ // and let other layers deal with it.
+ return mappings
+ }
+
+ offsetInRange := cur.HostID - uint32(r.ID)
+
+ usableIDs := uint32(r.Count) - offsetInRange
+
+ // the current range can satisfy the whole request
+ if usableIDs >= cur.Size {
+ // reset the overflow
+ overflow.Size = 0
+ } else {
+ // the current range can satisfy the request partially
+ // so move the rest to overflow
+ overflow.Size = cur.Size - usableIDs
+ overflow.ContainerID = cur.ContainerID + usableIDs
+ overflow.HostID = cur.HostID + usableIDs
+
+ // and cap to the usableIDs count
+ cur.Size = usableIDs
+ }
+ ret = append(ret, cur)
+ }
+}
diff --git a/pkg/rootless/rootless_test.go b/pkg/rootless/rootless_test.go
new file mode 100644
index 000000000..ef574099c
--- /dev/null
+++ b/pkg/rootless/rootless_test.go
@@ -0,0 +1,101 @@
+package rootless
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestMaybeSplitMappings(t *testing.T) {
+ mappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ {
+ ContainerID: 1,
+ HostID: 1,
+ Size: 1,
+ },
+ }
+ availableMappings := []user.IDMap{
+ {
+ ID: 1,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ {
+ ID: 0,
+ ParentID: 1000,
+ Count: 1,
+ },
+ }
+ newMappings := MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 0,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ }
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 10000,
+ ParentID: 10000,
+ Count: 65536,
+ },
+ }
+
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+}