summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
Diffstat (limited to 'pkg')
-rw-r--r--pkg/adapter/pods_remote.go5
-rw-r--r--pkg/chrootuser/user.go108
-rw-r--r--pkg/chrootuser/user_basic.go27
-rw-r--r--pkg/chrootuser/user_linux.go293
-rw-r--r--pkg/spec/createconfig.go15
-rw-r--r--pkg/util/utils.go64
-rw-r--r--pkg/varlinkapi/containers_create.go5
-rw-r--r--pkg/varlinkapi/images.go8
8 files changed, 24 insertions, 501 deletions
diff --git a/pkg/adapter/pods_remote.go b/pkg/adapter/pods_remote.go
index ef8de90a6..4a32607a2 100644
--- a/pkg/adapter/pods_remote.go
+++ b/pkg/adapter/pods_remote.go
@@ -14,7 +14,6 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/varlinkapi"
"github.com/pkg/errors"
- "github.com/ulule/deepcopier"
)
// Pod ...
@@ -99,7 +98,9 @@ func (r *LocalRuntime) LookupPod(nameOrID string) (*Pod, error) {
// the data of a remotepod data struct
func (p *Pod) Inspect() (*libpod.PodInspect, error) {
config := new(libpod.PodConfig)
- deepcopier.Copy(p.remotepod.config).To(config)
+ if err := libpod.JSONDeepCopy(p.remotepod.config, config); err != nil {
+ return nil, err
+ }
inspectData := libpod.PodInspect{
Config: config,
State: p.remotepod.state,
diff --git a/pkg/chrootuser/user.go b/pkg/chrootuser/user.go
deleted file mode 100644
index c83dcc230..000000000
--- a/pkg/chrootuser/user.go
+++ /dev/null
@@ -1,108 +0,0 @@
-package chrootuser
-
-import (
- "os/user"
- "strconv"
- "strings"
-
- "github.com/pkg/errors"
-)
-
-var (
- // ErrNoSuchUser indicates that the user provided by the caller does not
- // exist in /etc/passws
- ErrNoSuchUser = errors.New("user does not exist in /etc/passwd")
-)
-
-// GetUser will return the uid, gid of the user specified in the userspec
-// it will use the /etc/passwd and /etc/group files inside of the rootdir
-// to return this information.
-// userspec format [user | user:group | uid | uid:gid | user:gid | uid:group ]
-func GetUser(rootdir, userspec string) (uint32, uint32, error) {
- var gid64 uint64
- var gerr error = user.UnknownGroupError("error looking up group")
-
- spec := strings.SplitN(userspec, ":", 2)
- userspec = spec[0]
- groupspec := ""
- if userspec == "" {
- return 0, 0, nil
- }
- if len(spec) > 1 {
- groupspec = spec[1]
- }
-
- uid64, uerr := strconv.ParseUint(userspec, 10, 32)
- if uerr == nil && groupspec == "" {
- // We parsed the user name as a number, and there's no group
- // component, so try to look up the primary GID of the user who
- // has this UID.
- var name string
- name, gid64, gerr = lookupGroupForUIDInContainer(rootdir, uid64)
- if gerr == nil {
- userspec = name
- } else {
- // Leave userspec alone, but swallow the error and just
- // use GID 0.
- gid64 = 0
- gerr = nil
- }
- }
- if uerr != nil {
- // The user ID couldn't be parsed as a number, so try to look
- // up the user's UID and primary GID.
- uid64, gid64, uerr = lookupUserInContainer(rootdir, userspec)
- gerr = uerr
- }
-
- if groupspec != "" {
- // We have a group name or number, so parse it.
- gid64, gerr = strconv.ParseUint(groupspec, 10, 32)
- if gerr != nil {
- // The group couldn't be parsed as a number, so look up
- // the group's GID.
- gid64, gerr = lookupGroupInContainer(rootdir, groupspec)
- }
- }
-
- if uerr == nil && gerr == nil {
- return uint32(uid64), uint32(gid64), nil
- }
-
- err := errors.Wrapf(uerr, "error determining run uid")
- if uerr == nil {
- err = errors.Wrapf(gerr, "error determining run gid")
- }
- return 0, 0, err
-}
-
-// GetGroup returns the gid by looking it up in the /etc/group file
-// groupspec format [ group | gid ]
-func GetGroup(rootdir, groupspec string) (uint32, error) {
- gid64, gerr := strconv.ParseUint(groupspec, 10, 32)
- if gerr != nil {
- // The group couldn't be parsed as a number, so look up
- // the group's GID.
- gid64, gerr = lookupGroupInContainer(rootdir, groupspec)
- }
- if gerr != nil {
- return 0, errors.Wrapf(gerr, "error looking up group for gid %q", groupspec)
- }
- return uint32(gid64), nil
-}
-
-// GetAdditionalGroupsForUser returns a list of gids that userid is associated with
-func GetAdditionalGroupsForUser(rootdir string, userid uint64) ([]uint32, error) {
- gids, err := lookupAdditionalGroupsForUIDInContainer(rootdir, userid)
- if err != nil {
- return nil, errors.Wrapf(err, "error looking up supplemental groups for uid %d", userid)
- }
- return gids, nil
-}
-
-// LookupUIDInContainer returns username and gid associated with a UID in a container
-// it will use the /etc/passwd files inside of the rootdir
-// to return this information.
-func LookupUIDInContainer(rootdir string, uid uint64) (user string, gid uint64, err error) {
- return lookupUIDInContainer(rootdir, uid)
-}
diff --git a/pkg/chrootuser/user_basic.go b/pkg/chrootuser/user_basic.go
deleted file mode 100644
index 79b0b24b5..000000000
--- a/pkg/chrootuser/user_basic.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// +build !linux
-
-package chrootuser
-
-import (
- "github.com/pkg/errors"
-)
-
-func lookupUserInContainer(rootdir, username string) (uint64, uint64, error) {
- return 0, 0, errors.New("user lookup not supported")
-}
-
-func lookupGroupInContainer(rootdir, groupname string) (uint64, error) {
- return 0, errors.New("group lookup not supported")
-}
-
-func lookupGroupForUIDInContainer(rootdir string, userid uint64) (string, uint64, error) {
- return "", 0, errors.New("primary group lookup by uid not supported")
-}
-
-func lookupAdditionalGroupsForUIDInContainer(rootdir string, userid uint64) (gid []uint32, err error) {
- return nil, errors.New("supplemental groups list lookup by uid not supported")
-}
-
-func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) {
- return "", 0, errors.New("UID lookup not supported")
-}
diff --git a/pkg/chrootuser/user_linux.go b/pkg/chrootuser/user_linux.go
deleted file mode 100644
index 583eca569..000000000
--- a/pkg/chrootuser/user_linux.go
+++ /dev/null
@@ -1,293 +0,0 @@
-// +build linux
-
-package chrootuser
-
-import (
- "bufio"
- "flag"
- "fmt"
- "io"
- "os"
- "os/exec"
- "os/user"
- "strconv"
- "strings"
- "sync"
-
- "github.com/containers/storage/pkg/reexec"
- "github.com/sirupsen/logrus"
- "golang.org/x/sys/unix"
-)
-
-const (
- openChrootedCommand = "chrootuser-open"
-)
-
-func init() {
- reexec.Register(openChrootedCommand, openChrootedFileMain)
-}
-
-func openChrootedFileMain() {
- status := 0
- flag.Parse()
- if len(flag.Args()) < 1 {
- os.Exit(1)
- }
- // Our first parameter is the directory to chroot into.
- if err := unix.Chdir(flag.Arg(0)); err != nil {
- fmt.Fprintf(os.Stderr, "chdir(): %v", err)
- os.Exit(1)
- }
- if err := unix.Chroot(flag.Arg(0)); err != nil {
- fmt.Fprintf(os.Stderr, "chroot(): %v", err)
- os.Exit(1)
- }
- // Anything else is a file we want to dump out.
- for _, filename := range flag.Args()[1:] {
- f, err := os.Open(filename)
- if err != nil {
- fmt.Fprintf(os.Stderr, "open(%q): %v", filename, err)
- status = 1
- continue
- }
- _, err = io.Copy(os.Stdout, f)
- if err != nil {
- fmt.Fprintf(os.Stderr, "read(%q): %v", filename, err)
- }
- f.Close()
- }
- os.Exit(status)
-}
-
-func openChrootedFile(rootdir, filename string) (*exec.Cmd, io.ReadCloser, error) {
- // The child process expects a chroot and one or more filenames that
- // will be consulted relative to the chroot directory and concatenated
- // to its stdout. Start it up.
- cmd := reexec.Command(openChrootedCommand, rootdir, filename)
- stdout, err := cmd.StdoutPipe()
- if err != nil {
- return nil, nil, err
- }
- err = cmd.Start()
- if err != nil {
- return nil, nil, err
- }
- // Hand back the child's stdout for reading, and the child to reap.
- return cmd, stdout, nil
-}
-
-var (
- lookupUser, lookupGroup sync.Mutex
-)
-
-type lookupPasswdEntry struct {
- name string
- uid uint64
- gid uint64
-}
-type lookupGroupEntry struct {
- name string
- gid uint64
- user string
-}
-
-func readWholeLine(rc *bufio.Reader) ([]byte, error) {
- line, isPrefix, err := rc.ReadLine()
- if err != nil {
- return nil, err
- }
- for isPrefix {
- // We didn't get a whole line. Keep reading chunks until we find an end of line, and discard them.
- for isPrefix {
- logrus.Debugf("discarding partial line %q", string(line))
- _, isPrefix, err = rc.ReadLine()
- if err != nil {
- return nil, err
- }
- }
- // That last read was the end of a line, so now we try to read the (beginning of?) the next line.
- line, isPrefix, err = rc.ReadLine()
- if err != nil {
- return nil, err
- }
- }
- return line, nil
-}
-
-func parseNextPasswd(rc *bufio.Reader) *lookupPasswdEntry {
- line, err := readWholeLine(rc)
- if err != nil {
- return nil
- }
- fields := strings.Split(string(line), ":")
- if len(fields) < 7 {
- return nil
- }
- uid, err := strconv.ParseUint(fields[2], 10, 32)
- if err != nil {
- return nil
- }
- gid, err := strconv.ParseUint(fields[3], 10, 32)
- if err != nil {
- return nil
- }
- return &lookupPasswdEntry{
- name: fields[0],
- uid: uid,
- gid: gid,
- }
-}
-
-func parseNextGroup(rc *bufio.Reader) *lookupGroupEntry {
- line, err := readWholeLine(rc)
- if err != nil {
- return nil
- }
- fields := strings.Split(string(line), ":")
- if len(fields) < 4 {
- return nil
- }
- gid, err := strconv.ParseUint(fields[2], 10, 32)
- if err != nil {
- return nil
- }
- return &lookupGroupEntry{
- name: fields[0],
- gid: gid,
- user: fields[3],
- }
-}
-
-func lookupUserInContainer(rootdir, username string) (uid uint64, gid uint64, err error) {
- cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
- if err != nil {
- return 0, 0, err
- }
- defer func() {
- _ = cmd.Wait()
- }()
- rc := bufio.NewReader(f)
- defer f.Close()
-
- lookupUser.Lock()
- defer lookupUser.Unlock()
-
- pwd := parseNextPasswd(rc)
- for pwd != nil {
- if pwd.name != username {
- pwd = parseNextPasswd(rc)
- continue
- }
- return pwd.uid, pwd.gid, nil
- }
-
- return 0, 0, user.UnknownUserError(fmt.Sprintf("error looking up user %q", username))
-}
-
-func lookupGroupForUIDInContainer(rootdir string, userid uint64) (username string, gid uint64, err error) {
- cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
- if err != nil {
- return "", 0, err
- }
- defer func() {
- _ = cmd.Wait()
- }()
- rc := bufio.NewReader(f)
- defer f.Close()
-
- lookupUser.Lock()
- defer lookupUser.Unlock()
-
- pwd := parseNextPasswd(rc)
- for pwd != nil {
- if pwd.uid != userid {
- pwd = parseNextPasswd(rc)
- continue
- }
- return pwd.name, pwd.gid, nil
- }
-
- return "", 0, ErrNoSuchUser
-}
-
-func lookupAdditionalGroupsForUIDInContainer(rootdir string, userid uint64) (gid []uint32, err error) {
- // Get the username associated with userid
- username, _, err := lookupGroupForUIDInContainer(rootdir, userid)
- if err != nil {
- return nil, err
- }
-
- cmd, f, err := openChrootedFile(rootdir, "/etc/group")
- if err != nil {
- return nil, err
- }
- defer func() {
- _ = cmd.Wait()
- }()
- rc := bufio.NewReader(f)
- defer f.Close()
-
- lookupGroup.Lock()
- defer lookupGroup.Unlock()
-
- grp := parseNextGroup(rc)
- for grp != nil {
- if strings.Contains(grp.user, username) {
- gid = append(gid, uint32(grp.gid))
- }
- grp = parseNextGroup(rc)
- }
- return gid, nil
-}
-
-func lookupGroupInContainer(rootdir, groupname string) (gid uint64, err error) {
- cmd, f, err := openChrootedFile(rootdir, "/etc/group")
- if err != nil {
- return 0, err
- }
- defer func() {
- _ = cmd.Wait()
- }()
- rc := bufio.NewReader(f)
- defer f.Close()
-
- lookupGroup.Lock()
- defer lookupGroup.Unlock()
-
- grp := parseNextGroup(rc)
- for grp != nil {
- if grp.name != groupname {
- grp = parseNextGroup(rc)
- continue
- }
- return grp.gid, nil
- }
-
- return 0, user.UnknownGroupError(fmt.Sprintf("error looking up group %q", groupname))
-}
-
-func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) {
- cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
- if err != nil {
- return "", 0, err
- }
- defer func() {
- _ = cmd.Wait()
- }()
- rc := bufio.NewReader(f)
- defer f.Close()
-
- lookupUser.Lock()
- defer lookupUser.Unlock()
-
- pwd := parseNextPasswd(rc)
- for pwd != nil {
- if pwd.uid != uid {
- pwd = parseNextPasswd(rc)
- continue
- }
- return pwd.name, pwd.gid, nil
- }
-
- return "", 0, user.UnknownUserError(fmt.Sprintf("error looking up uid %q", uid))
-}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 79a318771..07ae633d1 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -346,8 +346,11 @@ func (c *CreateConfig) GetTmpfsMounts() []spec.Mount {
return m
}
-func (c *CreateConfig) createExitCommand() []string {
- config := c.Runtime.GetConfig()
+func (c *CreateConfig) createExitCommand() ([]string, error) {
+ config, err := c.Runtime.GetConfig()
+ if err != nil {
+ return nil, err
+ }
cmd, _ := os.Executable()
command := []string{cmd,
@@ -372,7 +375,7 @@ func (c *CreateConfig) createExitCommand() []string {
command = append(command, "--rm")
}
- return command
+ return command, nil
}
// GetContainerCreateOptions takes a CreateConfig and returns a slice of CtrCreateOptions
@@ -567,7 +570,11 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime, pod *l
}
// Always use a cleanup process to clean up Podman after termination
- options = append(options, libpod.WithExitCommand(c.createExitCommand()))
+ exitCmd, err := c.createExitCommand()
+ if err != nil {
+ return nil, err
+ }
+ options = append(options, libpod.WithExitCommand(exitCmd))
if c.HealthCheck != nil {
options = append(options, libpod.WithHealthCheck(c.HealthCheck))
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index a408ad34b..19b2c44be 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -3,7 +3,6 @@ package util
import (
"fmt"
"os"
- "os/exec"
"path/filepath"
"strings"
"syscall"
@@ -241,25 +240,6 @@ func GetRootlessDirInfo() (string, string, error) {
return dataDir, rootlessRuntime, nil
}
-// GetRootlessStorageOpts returns the storage opts for containers running as non root
-func GetRootlessStorageOpts() (storage.StoreOptions, error) {
- var opts storage.StoreOptions
-
- dataDir, rootlessRuntime, err := GetRootlessDirInfo()
- if err != nil {
- return opts, err
- }
- opts.RunRoot = rootlessRuntime
- opts.GraphRoot = filepath.Join(dataDir, "containers", "storage")
- if path, err := exec.LookPath("fuse-overlayfs"); err == nil {
- opts.GraphDriverName = "overlay"
- opts.GraphDriverOptions = []string{fmt.Sprintf("overlay.mount_program=%s", path)}
- } else {
- opts.GraphDriverName = "vfs"
- }
- return opts, nil
-}
-
type tomlOptionsConfig struct {
MountProgram string `toml:"mount_program"`
}
@@ -289,42 +269,6 @@ func getTomlStorage(storeOptions *storage.StoreOptions) *tomlConfig {
return config
}
-// GetDefaultStoreOptions returns the default storage ops for containers
-func GetDefaultStoreOptions() (storage.StoreOptions, error) {
- var (
- defaultRootlessRunRoot string
- defaultRootlessGraphRoot string
- err error
- )
- storageOpts := storage.DefaultStoreOptions
- if rootless.IsRootless() {
- storageOpts, err = GetRootlessStorageOpts()
- if err != nil {
- return storageOpts, err
- }
- }
-
- storageConf := StorageConfigFile()
- if _, err = os.Stat(storageConf); err == nil {
- defaultRootlessRunRoot = storageOpts.RunRoot
- defaultRootlessGraphRoot = storageOpts.GraphRoot
- storageOpts = storage.StoreOptions{}
- storage.ReloadConfigurationFile(storageConf, &storageOpts)
- }
- if rootless.IsRootless() && err == nil {
- // If the file did not specify a graphroot or runroot,
- // set sane defaults so we don't try and use root-owned
- // directories
- if storageOpts.RunRoot == "" {
- storageOpts.RunRoot = defaultRootlessRunRoot
- }
- if storageOpts.GraphRoot == "" {
- storageOpts.GraphRoot = defaultRootlessGraphRoot
- }
- }
- return storageOpts, nil
-}
-
// WriteStorageConfigFile writes the configuration to a file
func WriteStorageConfigFile(storageOpts *storage.StoreOptions, storageConf string) error {
os.MkdirAll(filepath.Dir(storageConf), 0755)
@@ -342,14 +286,6 @@ func WriteStorageConfigFile(storageOpts *storage.StoreOptions, storageConf strin
return nil
}
-// StorageConfigFile returns the path to the storage config file used
-func StorageConfigFile() string {
- if rootless.IsRootless() {
- return filepath.Join(os.Getenv("HOME"), ".config/containers/storage.conf")
- }
- return storage.DefaultConfigFile
-}
-
// ParseInputTime takes the users input and to determine if it is valid and
// returns a time format and error. The input is compared to known time formats
// or a duration which implies no-duration
diff --git a/pkg/varlinkapi/containers_create.go b/pkg/varlinkapi/containers_create.go
index 6b53b22c6..8990ac001 100644
--- a/pkg/varlinkapi/containers_create.go
+++ b/pkg/varlinkapi/containers_create.go
@@ -22,7 +22,10 @@ import (
// CreateContainer ...
func (i *LibpodAPI) CreateContainer(call iopodman.VarlinkCall, config iopodman.Create) error {
- rtc := i.Runtime.GetConfig()
+ rtc, err := i.Runtime.GetConfig()
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
ctx := getContext()
newImage, err := i.Runtime.ImageRuntime().New(ctx, config.Image, rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, nil)
diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go
index 210f139ce..23ea24a7a 100644
--- a/pkg/varlinkapi/images.go
+++ b/pkg/varlinkapi/images.go
@@ -514,7 +514,11 @@ func (i *LibpodAPI) Commit(call iopodman.VarlinkCall, name, imageName string, ch
if err != nil {
return call.ReplyContainerNotFound(name, err.Error())
}
- sc := image.GetSystemContext(i.Runtime.GetConfig().SignaturePolicyPath, "", false)
+ rtc, err := i.Runtime.GetConfig()
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
+ sc := image.GetSystemContext(rtc.SignaturePolicyPath, "", false)
var mimeType string
switch manifestType {
case "oci", "": //nolint
@@ -525,7 +529,7 @@ func (i *LibpodAPI) Commit(call iopodman.VarlinkCall, name, imageName string, ch
return call.ReplyErrorOccurred(fmt.Sprintf("unrecognized image format %q", manifestType))
}
coptions := buildah.CommitOptions{
- SignaturePolicyPath: i.Runtime.GetConfig().SignaturePolicyPath,
+ SignaturePolicyPath: rtc.SignaturePolicyPath,
ReportWriter: nil,
SystemContext: sc,
PreferredManifestType: mimeType,