diff options
Diffstat (limited to 'pkg/domain/infra')
-rw-r--r-- | pkg/domain/infra/abi/images.go | 73 | ||||
-rw-r--r-- | pkg/domain/infra/abi/images_test.go | 17 | ||||
-rw-r--r-- | pkg/domain/infra/abi/play.go | 10 |
3 files changed, 67 insertions, 33 deletions
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 3adf9b26c..0b1281aac 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -12,6 +12,7 @@ import ( "path/filepath" "strconv" "strings" + "syscall" "github.com/containers/common/libimage" "github.com/containers/common/pkg/config" @@ -94,7 +95,9 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption func toDomainHistoryLayer(layer *libimage.ImageHistory) entities.ImageHistoryLayer { l := entities.ImageHistoryLayer{} l.ID = layer.ID - l.Created = *layer.Created + if layer.Created != nil { + l.Created = *layer.Created + } l.CreatedBy = layer.CreatedBy copy(l.Tags, layer.Tags) l.Size = layer.Size @@ -780,7 +783,7 @@ func transferRootless(source entities.ImageScpOptions, dest entities.ImageScpOpt return cmdLoad.Run() } -// TransferRootful creates new podman processes using exec.Command and su/machinectl, transferring images between the given source and destination users +// TransferRootful creates new podman processes using exec.Command and a new uid/gid alongside a cleared environment func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOptions, podman string, parentFlags []string) error { basicCommand := []string{podman} basicCommand = append(basicCommand, parentFlags...) @@ -792,12 +795,9 @@ func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOpti } saveCommand = append(saveCommand, []string{"--output", source.File, source.Image}...) loadCommand = append(loadCommand, []string{"--input", dest.File}...) - save := []string{strings.Join(saveCommand, " ")} - load := []string{strings.Join(loadCommand, " ")} - // if executing using sudo or transferring between two users, the TransferRootless approach will not work, default to using machinectl or su as necessary. - // the approach using sudo is preferable and more straightforward. There is no reason for using sudo in these situations - // since the feature is meant to transfer from root to rootless an vice versa without explicit sudo evocaiton. + // if executing using sudo or transferring between two users, the TransferRootless approach will not work, the new process needs to be set up + // with the proper uid and gid as well as environmental variables. var uSave *user.User var uLoad *user.User var err error @@ -828,20 +828,11 @@ func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOpti return err } } - machinectl, err := exec.LookPath("machinectl") - if err != nil { - logrus.Warn("defaulting to su since machinectl is not available, su will fail if no user session is available") - err = execSu(uSave, save) - if err != nil { - return err - } - return execSu(uLoad, load) - } - err = execMachine(uSave, saveCommand, machinectl) + err = execPodman(uSave, saveCommand) if err != nil { return err } - return execMachine(uLoad, loadCommand, machinectl) + return execPodman(uLoad, loadCommand) } func lookupUser(u string) (*user.User, error) { @@ -851,21 +842,37 @@ func lookupUser(u string) (*user.User, error) { return user.Lookup(u) } -func execSu(execUser *user.User, command []string) error { - cmd := exec.Command("su", "-l", execUser.Username, "--command") - cmd = utils.CreateSCPCommand(cmd, command) - logrus.Debugf("Executing via su: %q", cmd) - return cmd.Run() -} - -func execMachine(execUser *user.User, command []string, machinectl string) error { - verb := machinectl - args := []string{"shell", "-q", execUser.Username + "@.host"} - if execUser.Uid == "0" { - args = append([]string{verb}, args...) - verb = "sudo" +func execPodman(execUser *user.User, command []string) error { + cmdLogin, err := utils.LoginUser(execUser.Username) + if err != nil { + return err + } + defer func() error { + err := cmdLogin.Process.Kill() + if err != nil { + return err + } + return cmdLogin.Wait() + }() + cmd := exec.Command(command[0], command[1:]...) + cmd.Env = []string{"PATH=" + os.Getenv("PATH"), "TERM=" + os.Getenv("TERM")} + cmd.Stderr = os.Stderr + cmd.Stdout = os.Stdout + uid, err := strconv.ParseInt(execUser.Uid, 10, 32) + if err != nil { + return err + } + gid, err := strconv.ParseInt(execUser.Gid, 10, 32) + if err != nil { + return err + } + cmd.SysProcAttr = &syscall.SysProcAttr{ + Credential: &syscall.Credential{ + Uid: uint32(uid), + Gid: uint32(gid), + Groups: nil, + NoSetGroups: false, + }, } - cmd := utils.CreateSCPCommand(exec.Command(verb, args...), command) - logrus.Debugf("Executing via machinectl: %q", cmd) return cmd.Run() } diff --git a/pkg/domain/infra/abi/images_test.go b/pkg/domain/infra/abi/images_test.go index 20ef1b150..e38b9390d 100644 --- a/pkg/domain/infra/abi/images_test.go +++ b/pkg/domain/infra/abi/images_test.go @@ -1,5 +1,22 @@ package abi +import ( + "testing" + + "github.com/containers/common/libimage" + "github.com/stretchr/testify/assert" +) + +// This is really intended to verify what happens with a +// nil pointer in layer.Created, but we'll just sanity +// check round tripping 42. +func TestToDomainHistoryLayer(t *testing.T) { + var layer libimage.ImageHistory + layer.Size = 42 + newLayer := toDomainHistoryLayer(&layer) + assert.Equal(t, layer.Size, newLayer.Size) +} + // // import ( // "context" diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 86a60e92d..cad8c4609 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -365,6 +365,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if err != nil { return nil, err } + + for k, v := range podSpec.PodSpecGen.Labels { // add podYAML labels + labels[k] = v + } + specgenOpts := kube.CtrSpecGenOptions{ Annotations: annotations, Container: initCtr, @@ -405,7 +410,12 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY return nil, err } + for k, v := range podSpec.PodSpecGen.Labels { // add podYAML labels + labels[k] = v + } + specgenOpts := kube.CtrSpecGenOptions{ + Annotations: annotations, Container: container, Image: pulledImage, Volumes: volumes, |