summaryrefslogtreecommitdiff
path: root/pkg/rootless/rootless_linux.go
Commit message (Collapse)AuthorAge
* rootless: move join namespace inside child processGiuseppe Scrivano2020-04-23
| | | | | | | | | open the namespace file descriptors inside of the child process. Closes: https://github.com/containers/libpod/issues/5873 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> (cherry picked from commit 788fdc685b00dee5ccb594bef845204250c4c123)
* rootless: skip looking up parent user nsGiuseppe Scrivano2020-04-23
| | | | | | | | | since we join directly the conmon user namespace, there is no need to look up its parent user namespace, as we can safely assume it is the init namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> (cherry picked from commit 8360fcf82cc17ef55a00870d7e950079a51f2083)
* rootless: become root only if the pause file is specifiedGiuseppe Scrivano2020-02-25
| | | | | | | | | | | | we need to store the pause process PID file so that it can be re-used later. commit e9dc2120925d9bc32b87ed3c4122aa40f7413db5 introduced this regression. Closes: https://github.com/containers/libpod/issues/5246 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: check if the conmon process is validGiuseppe Scrivano2020-02-17
| | | | | | | | if the pause process doesn't exist and we try to join a conmon namespace, make sure the process still exists. Otherwise re-create the user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix lint in pkg/rootlessValentin Rothberg2020-01-08
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
| | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: drop dependency on dockerGiuseppe Scrivano2019-10-16
| | | | | | use the definition from "golang.org/x/sys/unix". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* show uid_map in podman infoQi Wang2019-10-09
| | | | | | show uid_map gid_map in podman info Signed-off-by: Qi Wang <qiwan@redhat.com>
* rootless: do not close files twiceGiuseppe Scrivano2019-10-09
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Set log-level immediately, before rootless setupMatthew Heon2019-09-26
| | | | | | | | | | | | If we don't do this, we print WARN level messages that we should not be printing by default. Up one WARN message to ERROR so it still shows up by default. Fixes: #4115 Fixes: #4012 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* pkg/util: use rootless function to read additional usersGiuseppe Scrivano2019-09-03
| | | | | | | make pkg/rootless.GetConfiguredMappings public so that it can be used from pkg/util. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: detect user namespace configuration changesGiuseppe Scrivano2019-09-03
| | | | | | | | | | | detect if the current user namespace doesn't match the configuration in the /etc/subuid and /etc/subgid files. If there is a mismatch, raise a warning and suggest the user to recreate the user namespace with "system migrate", that also restarts the containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* golangci-lint pass number 2baude2019-07-11
| | | | | | clean up and prepare to migrate to the golangci-linter Signed-off-by: baude <bbaude@redhat.com>
* first pass of corrections for golangci-lintbaude2019-07-10
| | | | Signed-off-by: baude <bbaude@redhat.com>
* trivial cleanups from golangbaude2019-07-03
| | | | | | the results of a code cleanup performed by the goland IDE. Signed-off-by: baude <bbaude@redhat.com>
* rootless: allow to build without cgoGiuseppe Scrivano2019-07-02
| | | | | | | unfortunately rootless won't work without cgo, as most of the implementation is in C, but at least allow to build libpod. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: enable linger if /run/user/UID not existsGiuseppe Scrivano2019-06-27
| | | | | | | | | | | | | at least on Fedora 30 it creates the /run/user/UID directory for the user logged in via ssh. This needs to be done very early so that every other check when we create the default configuration file will point to the correct location. Closes: https://github.com/containers/libpod/issues/3410 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Build cgo files with -Wall -WerrorSascha Grunert2019-06-21
| | | | | | | | To avoid unnecessary warnings and errors in the future I'd like to propose building all cgo related sources with `-Wall -Werror`. This commit fixes some warnings which came up in `shm_lock.c`, too. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Fix cgo includes for muslCameron Nemo2019-06-08
| | | | | | closes #3284 Signed-off-by: Cameron Nemo <cnemo@tutanota.com>
* rootless: skip NS_GET_PARENT on old kernelsGiuseppe Scrivano2019-06-06
| | | | | | | | | | | | on old kernels the ioctl NS_GET_PARENT is not available. Handle the error code and immediately return the same fd. It should be fine now that we use the namespace resolution using the conmon pid, so the namespace parent resolution is just a safety measure. Closes: https://github.com/containers/libpod/issues/2968 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: make JoinUserAndMountNS privateGiuseppe Scrivano2019-05-25
| | | | | | as it is used only by the rootless package now. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: enable loginctl lingerGiuseppe Scrivano2019-05-25
| | | | | | | otherwise the processes we leave around will be killed once the session terminates. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: new function to join existing conmon processesGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | move the logic for joining existing namespaces down to the rootless package. In main_local we still retrieve the list of conmon pid files and use it from the rootless package. In addition, create a temporary user namespace for reading these files, as the unprivileged user might not have enough privileges for reading the conmon pid file, for example when running with a different uidmap and root in the container is different than the rootless user. Closes: https://github.com/containers/libpod/issues/3187 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: store also the original GID in the hostGiuseppe Scrivano2019-05-23
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: join namespace immediately when possibleGiuseppe Scrivano2019-05-17
| | | | | | | | | | | add a shortcut for joining immediately the namespace so we don't need to re-exec Podman. With the pause process simplificaton, we can now attempt to join the namespaces as soon as Podman starts (and before the Go runtime kicks in), so that we don't need to re-exec and use just one process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use a pause processGiuseppe Scrivano2019-05-17
| | | | | | | | | | | | | | | | | use a pause process to keep the user and mount namespace alive. The pause process is created immediately on reload, and all successive Podman processes will refer to it for joining the user&mount namespace. This solves all the race conditions we had on joining the correct namespaces using the conmon processes. As a fallback if the join fails for any reason (e.g. the pause process was killed), then we try to join the running containers as we were doing before. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not block SIGTSTPGiuseppe Scrivano2019-04-12
| | | | | | | | | we were previously proxying all the signals, but doing that for SIGTSTP prevented the main process to be stopped by the tty. Closes: https://github.com/containers/libpod/issues/2775 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use a single user namespaceGiuseppe Scrivano2019-04-01
| | | | | | | | | | | | | | | | | | | | | simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment. There are multiple advantages to it: 1) much simpler implementation as there is only one namespace to join. 2) we can join namespaces owned by different containers. 3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host. 4) rootless varlink works. 5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container. Containers created by older Podman versions must be restarted. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: remove SkipStorageSetup()Giuseppe Scrivano2019-04-01
| | | | | | | | in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: change env prefixGiuseppe Scrivano2019-03-28
| | | | | | | | | | from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare. This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use Geteuid instead of GetuidGiuseppe Scrivano2019-03-15
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2583 from giuseppe/rootless-fix-pod-rmOpenShift Merge Robot2019-03-11
|\ | | | | rootless: fix stop and rm when the container is running with uid != 0
| * rootless: support a custom arg to the new processGiuseppe Scrivano2019-03-11
| | | | | | | | | | | | | | | | | | let the process running as euid != 0 pass down an argument to the process running in the user namespace. This will be useful for commands like rm -a that needs to join different namespaces, so that we can re-exec separately for each of them. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: allow single mappingsGiuseppe Scrivano2019-03-11
|/ | | | | | | | | | | | | | | | | | | | | | we were playing safe and not allowed any container to have less than 65536 mappings. There are a couple of reasons to change it: - it blocked libpod to work in an environment where newuidmap/newgidmap are not available, or not configured. - not allowed to use different partitions of subuids, where each user has less than 65536 ids available. Hopefully this change in containers/storage: https://github.com/containers/storage/pull/303 will make error clearers if there are not enough IDs for the image that is being used. Closes: https://github.com/containers/libpod/issues/1651 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: propagate errors from infoGiuseppe Scrivano2019-03-08
| | | | | | | | | we use "podman info" to reconfigure the runtime after a reboot, but we don't propagate the error message back if something goes wrong. Closes: https://github.com/containers/libpod/issues/2584 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* exec: support --preserve-fdsGiuseppe Scrivano2019-03-02
| | | | | | | | Allow to pass additional FDs to the process being executed. Closes: https://github.com/containers/libpod/issues/2372 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless, new[ug]idmap: on failure add outputGiuseppe Scrivano2019-02-28
| | | | | | | if any of the mapping tools for setting up the user namespace fail, then include their output in the error message. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: add function to join user and mount namespaceGiuseppe Scrivano2018-12-21
| | | | | | | | | | Add the possibility to join directly the user and mount namespace without looking up the parent of the user namespace. We need this in order to be able the conmon process, as the mount namespace is kept alive only there. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: raise error if newuidmap/newgidmap are not installedGiuseppe Scrivano2018-12-03
| | | | | | | | | | it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the tests suite) and any of the binaries is not present. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: call IsRootless just onceGiuseppe Scrivano2018-11-14
| | | | | | | we are calling this function several times, it is worth to store its result and re-use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Better document rootless containersDaniel J Walsh2018-11-10
| | | | | | | | | Need to return an error pointing user in right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files. Also fix up man pages to better describe rootless podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: error out if there are not enough UIDs/GIDs availableGiuseppe Scrivano2018-09-21
| | | | | | | | | | | Most container images assume there are at least 65536 UIDs/GIDs available. Raise an error if there are not enough IDs allocated to the current user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1520 Approved by: rhatdan
* rootless: skip usage of filepath.JoinGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* create, rootless: join the userns of ns:PATHGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* rootless: unexport GetUserNSForPidGiuseppe Scrivano2018-08-29
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
* rootless: add new function to join existing namespaceGiuseppe Scrivano2018-08-29
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
* rootless: exec handle processes that create an user namespaceGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | Manage the case where the main process of the container creates and joins a new user namespace. In this case we want to join only the first child in the new hierarchy, which is the user namespace that was used to create the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* rootless: fix execGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | | | | | | | | We cannot re-exec into a new user namespace to gain privileges and access an existing as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage. Closes: https://github.com/containers/libpod/issues/1329 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan