From 1074a02ff85bb9f1d0db3e4468b067a6516b1521 Mon Sep 17 00:00:00 2001 From: Brent Baude Date: Fri, 8 May 2020 13:09:11 -0500 Subject: v2 podman unshare command add unshare command add cp and init to container sub-command allow mount to run as rootless Signed-off-by: Brent Baude --- cmd/podman/containers/cp.go | 26 +++++++++++++++-- cmd/podman/containers/init.go | 33 ++++++++++++++++++++-- cmd/podman/containers/mount.go | 3 -- cmd/podman/system/unshare.go | 50 +++++++++++++++++++++++++++++++++ pkg/domain/entities/engine_container.go | 1 + pkg/domain/infra/abi/system.go | 16 +++++++++++ pkg/domain/infra/tunnel/system.go | 4 +++ 7 files changed, 125 insertions(+), 8 deletions(-) create mode 100644 cmd/podman/system/unshare.go diff --git a/cmd/podman/containers/cp.go b/cmd/podman/containers/cp.go index f0f9a158d..ac7037621 100644 --- a/cmd/podman/containers/cp.go +++ b/cmd/podman/containers/cp.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/pkg/rootless" "github.com/sirupsen/logrus" "github.com/spf13/cobra" + "github.com/spf13/pflag" ) var ( @@ -22,20 +23,41 @@ var ( RunE: cp, Example: "podman cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", } + + containerCpCommand = &cobra.Command{ + Use: cpCommand.Use, + Short: cpCommand.Short, + Long: cpCommand.Long, + Args: cpCommand.Args, + RunE: cpCommand.RunE, + Example: "podman container cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", + } ) var ( cpOpts entities.ContainerCpOptions ) +func cpFlags(flags *pflag.FlagSet) { + flags.BoolVar(&cpOpts.Extract, "extract", false, "Extract the tar file into the destination directory.") + flags.BoolVar(&cpOpts.Pause, "pause", copyPause(), "Pause the container while copying") +} + func init() { registry.Commands = append(registry.Commands, registry.CliCommand{ Mode: []entities.EngineMode{entities.ABIMode}, Command: cpCommand, }) flags := cpCommand.Flags() - flags.BoolVar(&cpOpts.Extract, "extract", false, "Extract the tar file into the destination directory.") - flags.BoolVar(&cpOpts.Pause, "pause", copyPause(), "Pause the container while copying") + cpFlags(flags) + + registry.Commands = append(registry.Commands, registry.CliCommand{ + Mode: []entities.EngineMode{entities.ABIMode}, + Command: containerCpCommand, + Parent: containerCmd, + }) + containerCpFlags := containerCpCommand.Flags() + cpFlags(containerCpFlags) } func cp(cmd *cobra.Command, args []string) error { diff --git a/cmd/podman/containers/init.go b/cmd/podman/containers/init.go index bb02f22fd..417f170c3 100644 --- a/cmd/podman/containers/init.go +++ b/cmd/podman/containers/init.go @@ -8,6 +8,7 @@ import ( "github.com/containers/libpod/cmd/podman/utils" "github.com/containers/libpod/pkg/domain/entities" "github.com/spf13/cobra" + "github.com/spf13/pflag" ) var ( @@ -25,21 +26,47 @@ var ( podman init 3c45ef19d893 podman init test1`, } + + containerInitCommand = &cobra.Command{ + Use: initCommand.Use, + Short: initCommand.Short, + Long: initCommand.Long, + RunE: initCommand.RunE, + Args: initCommand.Args, + Example: `podman container init --latest + podman container init 3c45ef19d893 + podman container init test1`, + } ) var ( initOptions entities.ContainerInitOptions ) +func initFlags(flags *pflag.FlagSet) { + flags.BoolVarP(&initOptions.All, "all", "a", false, "Initialize all containers") + flags.BoolVarP(&initOptions.Latest, "latest", "l", false, "Act on the latest container podman is aware of") + if registry.IsRemote() { + _ = flags.MarkHidden("latest") + } +} + func init() { registry.Commands = append(registry.Commands, registry.CliCommand{ Mode: []entities.EngineMode{entities.ABIMode, entities.TunnelMode}, Command: initCommand, }) flags := initCommand.Flags() - flags.BoolVarP(&initOptions.All, "all", "a", false, "Initialize all containers") - flags.BoolVarP(&initOptions.Latest, "latest", "l", false, "Act on the latest container podman is aware of") - _ = flags.MarkHidden("latest") + initFlags(flags) + + registry.Commands = append(registry.Commands, registry.CliCommand{ + Mode: []entities.EngineMode{entities.ABIMode, entities.TunnelMode}, + Parent: containerCmd, + Command: containerInitCommand, + }) + + containerInitFlags := containerInitCommand.Flags() + initFlags(containerInitFlags) } func initContainer(cmd *cobra.Command, args []string) error { diff --git a/cmd/podman/containers/mount.go b/cmd/podman/containers/mount.go index 0bdac72cb..af4d52caa 100644 --- a/cmd/podman/containers/mount.go +++ b/cmd/podman/containers/mount.go @@ -30,9 +30,6 @@ var ( Args: func(cmd *cobra.Command, args []string) error { return parse.CheckAllLatestAndCIDFile(cmd, args, true, false) }, - Annotations: map[string]string{ - registry.ParentNSRequired: "", - }, } containerMountCommmand = &cobra.Command{ diff --git a/cmd/podman/system/unshare.go b/cmd/podman/system/unshare.go new file mode 100644 index 000000000..7db5d36d2 --- /dev/null +++ b/cmd/podman/system/unshare.go @@ -0,0 +1,50 @@ +package system + +import ( + "os" + + "github.com/containers/libpod/cmd/podman/registry" + "github.com/containers/libpod/pkg/domain/entities" + "github.com/containers/libpod/pkg/rootless" + "github.com/pkg/errors" + "github.com/spf13/cobra" +) + +var ( + unshareDescription = "Runs a command in a modified user namespace." + unshareCommand = &cobra.Command{ + Use: "unshare [flags] [COMMAND [ARG]]", + Short: "Run a command in a modified user namespace", + Long: unshareDescription, + RunE: unshare, + Example: `podman unshare id + podman unshare cat /proc/self/uid_map, + podman unshare podman-script.sh`, + } +) + +func init() { + registry.Commands = append(registry.Commands, registry.CliCommand{ + Mode: []entities.EngineMode{entities.ABIMode}, + Command: unshareCommand, + }) + flags := unshareCommand.Flags() + flags.SetInterspersed(false) +} + +func unshare(cmd *cobra.Command, args []string) error { + if isRootless := rootless.IsRootless(); !isRootless { + return errors.Errorf("please use unshare with rootless") + } + // exec the specified command, if there is one + if len(args) < 1 { + // try to exec the shell, if one's set + shell, shellSet := os.LookupEnv("SHELL") + if !shellSet { + return errors.Errorf("no command specified and no $SHELL specified") + } + args = []string{shell} + } + + return registry.ContainerEngine().Unshare(registry.Context(), args) +} diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go index 7c93e6802..bb13794bd 100644 --- a/pkg/domain/entities/engine_container.go +++ b/pkg/domain/entities/engine_container.go @@ -71,6 +71,7 @@ type ContainerEngine interface { SetupRootless(ctx context.Context, cmd *cobra.Command) error Shutdown(ctx context.Context) SystemDf(ctx context.Context, options SystemDfOptions) (*SystemDfReport, error) + Unshare(ctx context.Context, args []string) error VarlinkService(ctx context.Context, opts ServiceOptions) error VolumeCreate(ctx context.Context, opts VolumeCreateOptions) (*IdOrNameResponse, error) VolumeInspect(ctx context.Context, namesOrIds []string, opts VolumeInspectOptions) ([]*VolumeInspectReport, error) diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 24c62465f..fc92da1b2 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -5,6 +5,7 @@ import ( "fmt" "io/ioutil" "os" + "os/exec" "path/filepath" "strconv" "syscall" @@ -391,3 +392,18 @@ func (s SystemEngine) Shutdown(ctx context.Context) { logrus.Error(err) } } + +func unshareEnv(graphroot, runroot string) []string { + return append(os.Environ(), "_CONTAINERS_USERNS_CONFIGURED=done", + fmt.Sprintf("CONTAINERS_GRAPHROOT=%s", graphroot), + fmt.Sprintf("CONTAINERS_RUNROOT=%s", runroot)) +} + +func (ic *ContainerEngine) Unshare(ctx context.Context, args []string) error { + cmd := exec.Command(args[0], args[1:]...) + cmd.Env = unshareEnv(ic.Libpod.StorageConfig().GraphRoot, ic.Libpod.StorageConfig().RunRoot) + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + return cmd.Run() +} diff --git a/pkg/domain/infra/tunnel/system.go b/pkg/domain/infra/tunnel/system.go index 448fbed1f..d00795741 100644 --- a/pkg/domain/infra/tunnel/system.go +++ b/pkg/domain/infra/tunnel/system.go @@ -30,3 +30,7 @@ func (ic *ContainerEngine) SystemPrune(ctx context.Context, options entities.Sys func (ic *ContainerEngine) SystemDf(ctx context.Context, options entities.SystemDfOptions) (*entities.SystemDfReport, error) { panic(errors.New("system df is not supported on remote clients")) } + +func (ic *ContainerEngine) Unshare(ctx context.Context, args []string) error { + return errors.New("unshare is not supported on remote clients") +} -- cgit v1.2.3-54-g00ecf