| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
Add the possibility to join directly the user and mount namespace
without looking up the parent of the user namespace.
We need this in order to be able the conmon process, as the mount
namespace is kept alive only there.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
it was reported on IRC that Podman on Ubuntu failed as
newuidmap/newgidmap were not installed by default.
Raise an error if we are not allowing single mappings (used only by
the tests suite) and any of the binaries is not present.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
| |
we are calling this function several times, it is worth to store its
result and re-use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Need to return an error pointing user in right direction if rootless podman
fails, because of no /etc/subuid or /etc/subgid files.
Also fix up man pages to better describe rootless podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Most container images assume there are at least 65536 UIDs/GIDs
available. Raise an error if there are not enough IDs allocated to
the current user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1520
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1507
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1507
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
| |
change the tests to use chroot to set a numeric UID/GID.
Go syscall.Credential doesn't change the effective UID/GID of the
process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1371
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1371
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manage the case where the main process of the container creates and
joins a new user namespace.
In this case we want to join only the first child in the new
hierarchy, which is the user namespace that was used to create the
container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We cannot re-exec into a new user namespace to gain privileges and
access an existing as the new namespace is not the owner of the
existing container.
"unshare" is used to join the user namespace of the target container.
The current implementation assumes that the main process of the
container didn't create a new user namespace.
Since in the setup phase we are not running with euid=0, we must skip
the setup for containers/storage.
Closes: https://github.com/containers/libpod/issues/1329
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Lookup the current username by UID if the USER env variable is not
set.
Reported in: https://github.com/projectatomic/libpod/issues/1092
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1217
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
It is required only when directly configuring the user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1200
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most images won't work without multiple ids/gids. Error out
immediately if there are no multiple ids available.
The error code when the user is not present in /etc/sub{g,u}id looks
like:
$ bin/podman run --rm -ti alpine echo hello
ERRO[0000] No subuid ranges found for user "gscrivano"
Closes: https://github.com/projectatomic/libpod/issues/1087
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1097
Approved by: rhatdan
|
| |
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The files were split apart by b96be3af (changes to allow for darwin
compilation, 2018-06-20, #1015), but the C import and two functions
left in rootless.go are all Linux-specific as well. This commit moves
all of the pre-b96be3af rootless.go into rootless_linux.go, just
adding the '// +build linux' header (b96be3af also scrambled the + in
that header) and keeping the new GetRootlessUID from a1545fe6
(rootless: add function to retrieve the original UID, 2018-07-05, #1048).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
| |
After we re-exec in the userNS os.Getuid() returns the new UID (= 0)
which is not what we want to use.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
|
|
|
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1015
Approved by: baude
|
