From baef6eff36775dd3d1762e5821703fec22168ad7 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 2 Oct 2020 08:53:54 +0200 Subject: rootless: move GetAvailableGids to the rootless pkg Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless.go | 15 +++++++++++++++ pkg/specgen/generate/oci.go | 15 +-------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go index d02721ea9..3c33597b6 100644 --- a/pkg/rootless/rootless.go +++ b/pkg/rootless/rootless.go @@ -4,6 +4,7 @@ import ( "os" "github.com/containers/storage" + "github.com/opencontainers/runc/libcontainer/user" "github.com/pkg/errors" ) @@ -46,3 +47,17 @@ func TryJoinPauseProcess(pausePidPath string) (bool, int, error) { } return became, ret, err } + +// GetAvailableGids returns how many GIDs are available in the +// current user namespace. +func GetAvailableGids() (int64, error) { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + return 0, err + } + count := int64(0) + for _, r := range idMap { + count += r.Count + } + return count, nil +} diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index b57ddf1aa..f02432f5b 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -10,7 +10,6 @@ import ( "github.com/containers/podman/v2/libpod/image" "github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/specgen" - "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -200,7 +199,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt } gid5Available := true if isRootless { - nGids, err := GetAvailableGids() + nGids, err := rootless.GetAvailableGids() if err != nil { return nil, err } @@ -360,15 +359,3 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt return configSpec, nil } - -func GetAvailableGids() (int64, error) { - idMap, err := user.ParseIDMapFile("/proc/self/gid_map") - if err != nil { - return 0, err - } - count := int64(0) - for _, r := range idMap { - count += r.Count - } - return count, nil -} -- cgit v1.2.3-54-g00ecf From 07546cca18c28f444deacaf7f001c5bcc5d3219a Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 2 Oct 2020 09:05:34 +0200 Subject: rootless: use sync.Once for GetAvailableGids() Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless.go | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go index 3c33597b6..799c793d8 100644 --- a/pkg/rootless/rootless.go +++ b/pkg/rootless/rootless.go @@ -2,6 +2,7 @@ package rootless import ( "os" + "sync" "github.com/containers/storage" "github.com/opencontainers/runc/libcontainer/user" @@ -48,16 +49,25 @@ func TryJoinPauseProcess(pausePidPath string) (bool, int, error) { return became, ret, err } +var ( + availableGids int64 + availableGidsErr error + availableGidsOnce sync.Once +) + // GetAvailableGids returns how many GIDs are available in the // current user namespace. func GetAvailableGids() (int64, error) { - idMap, err := user.ParseIDMapFile("/proc/self/gid_map") - if err != nil { - return 0, err - } - count := int64(0) - for _, r := range idMap { - count += r.Count - } - return count, nil + availableGidsOnce.Do(func() { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + availableGidsErr = err + return + } + availableGids = int64(0) + for _, r := range idMap { + availableGids += r.Count + } + }) + return availableGids, availableGidsErr } -- cgit v1.2.3-54-g00ecf From d30121969f0ba7b16700238b876a6bba7417875a Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 2 Oct 2020 09:25:12 +0200 Subject: libpod: check the gid is present before adding it check there are enough gids in the user namespace before adding supplementary gids from /etc/group. Follow-up for baede7cd2776b1f722dcbb65cff6228eeab5db44 Signed-off-by: Giuseppe Scrivano --- libpod/container_internal_linux.go | 40 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index eba732d2a..514cdaee1 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -7,6 +7,7 @@ import ( "fmt" "io" "io/ioutil" + "math" "net" "os" "os/user" @@ -35,6 +36,7 @@ import ( "github.com/containers/podman/v2/pkg/util" "github.com/containers/podman/v2/utils" "github.com/containers/storage/pkg/archive" + "github.com/containers/storage/pkg/idtools" securejoin "github.com/cyphar/filepath-securejoin" runcuser "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -416,9 +418,43 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // Look up and add groups the user belongs to, if a group wasn't directly specified if !strings.Contains(c.config.User, ":") { + // the gidMappings that are present inside the container user namespace + var gidMappings []idtools.IDMap + + switch { + case len(c.config.IDMappings.GIDMap) > 0: + gidMappings = c.config.IDMappings.GIDMap + case rootless.IsRootless(): + // Check whether the current user namespace has enough gids available. + availableGids, err := rootless.GetAvailableGids() + if err != nil { + return nil, errors.Wrapf(err, "cannot read number of available GIDs") + } + gidMappings = []idtools.IDMap{{ + ContainerID: 0, + HostID: 0, + Size: int(availableGids), + }} + default: + gidMappings = []idtools.IDMap{{ + ContainerID: 0, + HostID: 0, + Size: math.MaxInt32, + }} + } for _, gid := range execUser.Sgids { - // FIXME: We need to add a flag to containers.conf to not add these for HPC Users. - g.AddProcessAdditionalGid(uint32(gid)) + isGidAvailable := false + for _, m := range gidMappings { + if gid >= m.ContainerID && gid < m.ContainerID+m.Size { + isGidAvailable = true + break + } + } + if isGidAvailable { + g.AddProcessAdditionalGid(uint32(gid)) + } else { + logrus.Warnf("additional gid=%d is not present in the user namespace, skip setting it", gid) + } } } -- cgit v1.2.3-54-g00ecf