Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/spec/spec.go | 34 | ||||
-rw-r--r-- | pkg/util/utils.go | 44 | ||||
-rw-r--r-- | pkg/varlinkapi/containers_create.go | 26 |
3 files changed, 61 insertions, 43 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 46105af4a..76b8963ff 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -9,6 +9,7 @@ import ( "github.com/containers/storage/pkg/mount" "github.com/docker/docker/daemon/caps" "github.com/docker/go-units" + "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M return configMount } +func getAvailableGids() (int64, error) { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + return 0, err + } + count := int64(0) + for _, r := range idMap { + count += r.Count + } + return count, nil +} + // CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint cgroupPerm := "ro" @@ -91,14 +104,21 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint g.AddMount(sysMnt) } if isRootless { - g.RemoveMount("/dev/pts") - devPts := spec.Mount{ - Destination: "/dev/pts", - Type: "devpts", - Source: "devpts", - Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + nGids, err := getAvailableGids() + if err != nil { + return nil, err + } + if nGids < 5 { + // If we have no GID mappings, the gid=5 default option would fail, so drop it. + g.RemoveMount("/dev/pts") + devPts := spec.Mount{ + Destination: "/dev/pts", + Type: "devpts", + Source: "devpts", + Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + } + g.AddMount(devPts) } - g.AddMount(devPts) } if inUserNS && config.IpcMode.IsHost() { g.RemoveMount("/dev/mqueue") diff --git a/pkg/util/utils.go b/pkg/util/utils.go index e0b94b011..52f431881 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go 
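Review bot: Summing `r.Count` over every range in getAvailableGids does not establish that GID 5 itself is mapped, which is what the generator's gid=5 devpts option actually needs; a gid_map with ranges 0→1 and 10→100 sums to 11, so the caller keeps the default mount while GID 5 is still unmapped and the mount fails. Since the helper already walks the parsed ranges, a containment test is as cheap: `if r.ID <= 5 && 5 < r.ID+r.Count { mapped = true }` (field names per runc's user.IDMap), either as a second helper or by switching this one to report containment. A one-line doc comment on the helper should also say that it reads /proc/self/gid_map, i.e. the mappings of the podman process itself, not necessarily those of the container being created.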
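Review bot: The `nGids < 5` decision in the rootless branch is taken from podman's own /proc/self/gid_map, but the create config can carry a GID mapping of its own for the container (the varlink path in this same diff parses `create.Gidmap` into idmappings, which presumably lands in the CreateConfig); when that mapping does not cover GID 5, the generator's default devpts options survive and the mount fails anyway, so it is worth confirming whether the container's mapping should be consulted here instead. The added comment `// If we have no GID mappings, ...` also overstates the condition: in rootless mode at least one GID is always mapped, and what is tested is fewer than five. Finally, the error from getAvailableGids is returned bare while the file already imports pkg/errors; `return nil, errors.Wrapf(err, "error reading GID mappings")` keeps the cause visible. CreateConfigToOCISpec starts and ends outside this hunk.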
@@ -301,36 +301,36 @@ func getTomlStorage(storeOptions *storage.StoreOptions) *tomlConfig { // for the volume API // It also returns the path where all named volumes will be created using the volume API func GetDefaultStoreOptions() (storage.StoreOptions, string, error) { + var ( + defaultRootlessRunRoot string + defaultRootlessGraphRoot string + err error + ) storageOpts := storage.DefaultStoreOptions volumePath := "/var/lib/containers/storage" + if rootless.IsRootless() { - var err error storageOpts, err = GetRootlessStorageOpts() if err != nil { return storageOpts, volumePath, err } + volumePath, err = GetRootlessVolumeInfo() if err != nil { return storageOpts, volumePath, err } + } - storageConf := StorageConfigFile() - if _, err := os.Stat(storageConf); err == nil { - defaultRootlessRunRoot := storageOpts.RunRoot - defaultRootlessGraphRoot := storageOpts.GraphRoot - storageOpts = storage.StoreOptions{} - storage.ReloadConfigurationFile(storageConf, &storageOpts) + storageConf := StorageConfigFile() + if _, err = os.Stat(storageConf); err == nil { + defaultRootlessRunRoot = storageOpts.RunRoot + defaultRootlessGraphRoot = storageOpts.GraphRoot + storageOpts = storage.StoreOptions{} + storage.ReloadConfigurationFile(storageConf, &storageOpts) + } - // If the file did not specify a graphroot or runroot, - // set sane defaults so we don't try and use root-owned - // directories - if storageOpts.RunRoot == "" { - storageOpts.RunRoot = defaultRootlessRunRoot - } - if storageOpts.GraphRoot == "" { - storageOpts.GraphRoot = defaultRootlessGraphRoot - } - } else if os.IsNotExist(err) { + if rootless.IsRootless() { + if os.IsNotExist(err) { os.MkdirAll(filepath.Dir(storageConf), 0755) file, err := os.OpenFile(storageConf, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) if err != nil { 
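Review bot: After this restructuring the storage.conf reload runs for root as well, and it zeroes `storageOpts` before `storage.ReloadConfigurationFile`, but the fallback that restores RunRoot/GraphRoot when the file omits them is only reached inside the later `if rootless.IsRootless()` branch (visible in the next hunk); a root run with a storage.conf lacking those keys therefore ends up with both roots empty unless ReloadConfigurationFile fills defaults itself, which nothing here establishes. Placing the fallback right after the reload covers both cases, makes the `defaultRootless*` captures meaningful for root too, and leaves the rootless-only copy in the following hunk redundant. A smaller point of style: the `err` from `os.Stat` is carried across the function into `os.IsNotExist(err)` / `err == nil` in a later block, a dependency that is easy to break on a future edit; a dedicated `statErr` would make it explicit. GetDefaultStoreOptions continues past the end of this hunk.
```go
	storageConf := StorageConfigFile()
	if _, err = os.Stat(storageConf); err == nil {
		defaultRootlessRunRoot = storageOpts.RunRoot
		defaultRootlessGraphRoot = storageOpts.GraphRoot
		storageOpts = storage.StoreOptions{}
		storage.ReloadConfigurationFile(storageConf, &storageOpts)
		// If the file did not specify a graphroot or runroot, restore the
		// values we had before the reload (rootless: per-user dirs; root:
		// the library defaults) rather than leaving them empty.
		if storageOpts.RunRoot == "" {
			storageOpts.RunRoot = defaultRootlessRunRoot
		}
		if storageOpts.GraphRoot == "" {
			storageOpts.GraphRoot = defaultRootlessGraphRoot
		}
	}
	// … unchanged: rootless creation of a default storage.conf …
```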
@@ -343,6 +343,16 @@ func GetDefaultStoreOptions() (storage.StoreOptions, string, error) { if err := enc.Encode(tomlConfiguration); err != nil { os.Remove(storageConf) } + } else if err == nil { + // If the file did not specify a graphroot or runroot, + // set sane defaults so we don't try and use root-owned + // directories + if storageOpts.RunRoot == "" { + storageOpts.RunRoot = defaultRootlessRunRoot + } + if storageOpts.GraphRoot == "" { + storageOpts.GraphRoot = defaultRootlessGraphRoot + } } } return storageOpts, volumePath, nil diff --git a/pkg/varlinkapi/containers_create.go b/pkg/varlinkapi/containers_create.go index cc707b11f..f1835a189 100644 --- a/pkg/varlinkapi/containers_create.go +++ b/pkg/varlinkapi/containers_create.go @@ -68,17 +68,11 @@ func (i *LibpodAPI) CreateContainer(call iopodman.VarlinkCall, config iopodman.C // varlinkCreateToCreateConfig takes the varlink input struct and maps it to a pointer // of a CreateConfig, which eventually can be used to create the OCI spec. func varlinkCreateToCreateConfig(ctx context.Context, create iopodman.Create, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) { - var ( - inputCommand, command []string - memoryLimit, memoryReservation, memorySwap, memoryKernel int64 - blkioWeight uint16 - ) - idmappings, err := util.ParseIDMapping(create.Uidmap, create.Gidmap, create.Subuidname, create.Subgidname) if err != nil { return nil, err } - inputCommand = create.Command + inputCommand := create.Command entrypoint := create.Entrypoint // ENTRYPOINT @@ -92,9 +86,7 @@ func varlinkCreateToCreateConfig(ctx context.Context, create iopodman.Create, ru } // Build the command // If we have an entry point, it goes first - if len(entrypoint) > 0 { - command = entrypoint - } + command := entrypoint if len(inputCommand) > 0 { // User command overrides data CMD command = append(command, inputCommand...) 
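Review bot: `command := entrypoint` makes `command` share its backing array with `create.Entrypoint`, so the `append(command, inputCommand...)` two lines below writes into the caller's slice whenever that array has spare capacity; the removed `len(entrypoint) > 0` guard had the same aliasing, but now that the line is being rewritten it is cheap to decouple with `command := append([]string(nil), entrypoint...)`, which still yields an empty command when entrypoint is empty. varlinkCreateToCreateConfig starts before this hunk and continues after it.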
@@ -103,10 +95,6 @@ func varlinkCreateToCreateConfig(ctx context.Context, create iopodman.Create, ru command = append(command, data.Config.Cmd...) } - if create.Resources.Blkio_weight != 0 { - blkioWeight = uint16(create.Resources.Blkio_weight) - } - stopSignal := syscall.SIGTERM if create.Stop_signal > 0 { stopSignal, err = signal.ParseSignal(fmt.Sprintf("%d", create.Stop_signal)) @@ -183,7 +171,7 @@ func varlinkCreateToCreateConfig(ctx context.Context, create iopodman.Create, ru Quiet: create.Quiet, ReadOnlyRootfs: create.Readonly_rootfs, Resources: cc.CreateResourceConfig{ - BlkioWeight: blkioWeight, + BlkioWeight: uint16(create.Resources.Blkio_weight), BlkioWeightDevice: create.Resources.Blkio_weight_device, CPUShares: uint64(create.Resources.Cpu_shares), CPUPeriod: uint64(create.Resources.Cpu_period), @@ -199,11 +187,11 @@ func varlinkCreateToCreateConfig(ctx context.Context, create iopodman.Create, ru DeviceWriteIOps: create.Resources.Device_write_iops, DisableOomKiller: create.Resources.Disable_oomkiller, ShmSize: create.Resources.Shm_size, - Memory: memoryLimit, - MemoryReservation: memoryReservation, - MemorySwap: memorySwap, + Memory: create.Resources.Memory, + MemoryReservation: create.Resources.Memory_reservation, + MemorySwap: create.Resources.Memory_swap, MemorySwappiness: int(create.Resources.Memory_swappiness), - KernelMemory: memoryKernel, + KernelMemory: create.Resources.Kernel_memory, OomScoreAdj: int(create.Resources.Oom_score_adj), PidsLimit: create.Resources.Pids_limit, Ulimit: create.Resources.Ulimit, |
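Review bot: `uint16(create.Resources.Blkio_weight)` narrows the wire value without a range check, so an out-of-range or negative weight sent by a varlink client silently wraps (65546 becomes 10) instead of being rejected by whatever validation later runs on CreateResourceConfig; the removed `!= 0` guard did not help with this either, but with the cast now sitting in the struct literal this is the natural place to reject bad input first. A check ahead of the literal such as `if w := create.Resources.Blkio_weight; w < 0 || w > math.MaxUint16 { return nil, fmt.Errorf("invalid blkio weight %d", w) }` keeps the cast honest — this assumes the varlink field is a wider signed integer, which the explicit conversion implies; `fmt` is already imported, `math` would need adding. The same consideration applies to the other narrowing casts in this literal (Cpu_shares, Memory_swappiness, Oom_score_adj). The struct literal continues beyond the hunks shown here.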