Diffstat (limited to 'libpod')
-rw-r--r--libpod/container.go23
-rw-r--r--libpod/options.go13
-rw-r--r--libpod/runtime_ctr.go4
-rw-r--r--libpod/storage.go4
4 files changed, 36 insertions, 8 deletions
diff --git a/libpod/container.go b/libpod/container.go
index 454fe43ac..18f3ca5ae 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -28,6 +28,7 @@ import (
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod/driver"
crioAnnotations "github.com/projectatomic/libpod/pkg/annotations"
+ "github.com/projectatomic/libpod/pkg/chrootuser"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
"golang.org/x/sys/unix"
@@ -153,7 +154,8 @@ type ContainerConfig struct {
SharedNamespaceMap map[string]string `json:"sharedNamespaces"`
// Time container was created
CreatedTime time.Time `json:"createdTime"`
-
+ // User/GID to use within the container
+ User string `json:"user"`
// TODO save log location here and pass into OCI code
// TODO allow overriding of log path
}
@@ -440,7 +442,6 @@ func newContainer(rspec *spec.Spec, lockDir string) (*Container, error) {
ctr.config.Spec = new(spec.Spec)
deepcopier.Copy(rspec).To(ctr.config.Spec)
-
ctr.config.CreatedTime = time.Now()
// Path our lock file will reside at
@@ -614,6 +615,20 @@ func (c *Container) Init() (err error) {
g.AddBindMount(runDirResolv, "/etc/resolv.conf", []string{"rw"})
// Bind mount hosts
g.AddBindMount(runDirHosts, "/etc/hosts", []string{"rw"})
+
+ if c.config.User != "" {
+ if !c.state.Mounted {
+ return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
+ }
+ uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, c.config.User)
+ if err != nil {
+ return err
+ }
+ // User and Group must go together
+ g.SetProcessUID(uid)
+ g.SetProcessGID(gid)
+ }
+
c.runningSpec = g.Spec()
c.runningSpec.Root.Path = c.state.Mountpoint
c.runningSpec.Annotations[crioAnnotations.Created] = c.config.CreatedTime.Format(time.RFC3339Nano)
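Review bot: The new block sets only the primary uid and gid of the process (`g.SetProcessUID(uid)` / `g.SetProcessGID(gid)`); it neither resolves the user's supplementary groups from the image's /etc/group nor clears any `AdditionalGids` the caller's rspec already carries, so the container process may run with a group set that does not belong to the requested user — which of the two is intended should at least be stated in the comment, e.g. `// Only the primary uid/gid is translated here; AdditionalGids from the spec are left untouched`. Note that the uid/gid mapping comes from the mounted image's own passwd/group files, so an image can map any user name to uid 0; that is inherent to the design but worth a one-line comment for callers that rely on `User` for privilege reduction. The bare `return err` after `chrootuser.GetUser` drops the context every other error in this function carries; prefer `return errors.Wrapf(err, "error looking up user %q in container %s", c.config.User, c.ID())`. Init's body starts and ends outside this hunk.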
@@ -1078,7 +1093,7 @@ func (c *Container) mountStorage() (err error) {
}
}
- mountPoint, err := c.runtime.storageService.StartContainer(c.ID())
+ mountPoint, err := c.runtime.storageService.MountContainerImage(c.ID())
if err != nil {
return errors.Wrapf(err, "error mounting storage for container %s", c.ID())
}
@@ -1124,7 +1139,7 @@ func (c *Container) cleanupStorage() error {
}
// Also unmount storage
- if err := c.runtime.storageService.StopContainer(c.ID()); err != nil {
+ if err := c.runtime.storageService.UnmountContainerImage(c.ID()); err != nil {
return errors.Wrapf(err, "error unmounting container %s root filesystem", c.ID())
}
diff --git a/libpod/options.go b/libpod/options.go
index 4836e1d67..70db3bdae 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -307,6 +307,19 @@ func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
}
}
+// WithUser sets the user identity field in configutation
+// Valid uses [user | user:group | uid | uid:gid | user:gid | uid:group ]
+func WithUser(user string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.User = user
+ return nil
+ }
+}
+
// WithRootFSFromImage sets up a fresh root filesystem using the given image
// If useImageConfig is specified, image volumes, environment variables, and
// other configuration from the image will be added to the config
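Review bot: WithUser stores the string without any validation, so a malformed value (for example `a:b:c`) is only rejected later, at Init time, when the name is resolved against the mounted image's passwd/group files; the doc comment should say so rather than leaving callers to expect an error from the option itself, e.g. `// The value is not validated here; it is resolved against the container's rootfs when the container is initialized.` The comment also has a typo, `configutation` → `configuration`, and the accepted-forms list would read better as `Valid forms: user | user:group | uid | uid:gid | user:gid | uid:group`.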
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 1f2b8945e..9e42ff8d1 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -25,14 +25,14 @@ type CtrCreateOption func(*Container) error
type ContainerFilter func(*Container) bool
// NewContainer creates a new container from a given OCI config
-func (r *Runtime) NewContainer(spec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) {
+func (r *Runtime) NewContainer(rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) {
r.lock.Lock()
defer r.lock.Unlock()
if !r.valid {
return nil, ErrRuntimeStopped
}
- ctr, err := newContainer(spec, r.lockDir)
+ ctr, err := newContainer(rSpec, r.lockDir)
if err != nil {
return nil, err
}
diff --git a/libpod/storage.go b/libpod/storage.go
index 5e18aaf5c..42b9a86ad 100644
--- a/libpod/storage.go
+++ b/libpod/storage.go
@@ -200,7 +200,7 @@ func (r *storageService) GetContainerMetadata(idOrName string) (RuntimeContainer
return metadata, nil
}
-func (r *storageService) StartContainer(idOrName string) (string, error) {
+func (r *storageService) MountContainerImage(idOrName string) (string, error) {
container, err := r.store.Container(idOrName)
if err != nil {
if errors.Cause(err) == storage.ErrContainerUnknown {
@@ -221,7 +221,7 @@ func (r *storageService) StartContainer(idOrName string) (string, error) {
return mountPoint, nil
}
-func (r *storageService) StopContainer(idOrName string) error {
+func (r *storageService) UnmountContainerImage(idOrName string) error {
if idOrName == "" {
return ErrEmptyID
}