From b3e7be7a0b1d5484b98bbb733ce58af84137316a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 11 Jan 2019 10:34:27 +0100
Subject: spec: add nosuid,noexec,nodev to ro bind mount

runc fails to change the ro mode of a rootless bind mount if the other flags are not kept.

Signed-off-by: Giuseppe Scrivano
---
 libpod/container_internal_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2f03d45ea..9c343d051 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -227,7 +227,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 Options: []string{"bind", "private"},
 }
 if c.IsReadOnly() && dstPath != "/dev/shm" {
- newMount.Options = append(newMount.Options, "ro")
+ newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
 }
 if !MountExists(g.Mounts(), dstPath) {
 g.AddMount(newMount)
-- 
cgit v1.2.3-54-g00ecf

From c4f054f102101dd198cc6e12a28510edb7849552 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 11 Jan 2019 11:51:21 +0100
Subject: rootless: join both userns and mount namespace with --pod

When --pod is specified then join both the user and mount namespace for the pod so we can initialize the storage.

Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/create.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index d98b78bd4..7472426eb 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "io/ioutil"
 "os"
 "path/filepath"
 "strconv"
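Review bot: The reason nosuid, noexec and nodev now travel with "ro" on the appended line lives only in the commit message, so the next reader of generateSpec will see unexplained extra flags and may trim them back, reintroducing the remount failure. I would put the rationale on the line itself: `// Rootless: runc cannot remount this bind mount read-only unless nosuid/noexec/nodev are kept alongside "ro", so always add them together.` Note that noexec now applies to every read-only bind mount reaching this branch except /dev/shm; worth confirming none of those mounts is expected to carry executables. generateSpec starts and ends outside the hunk.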
@@ -785,11 +786,15 @@ func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *l
 if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
 continue
 }
- pid, err := prevCtr.PID()
+ data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
 if err != nil {
- return false, -1, err
+ return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
 }
- return rootless.JoinNS(uint(pid))
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
 }
 }
-- 
cgit v1.2.3-54-g00ecf

From 04a4ba9b7302b807b7a5d9a180d3fcd27560052a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 11 Jan 2019 11:23:19 +0100
Subject: rootless: create the userns immediately when creating a new pod

Closes: https://github.com/containers/libpod/issues/2124

Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/create.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 7472426eb..87fa18e47 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -422,6 +422,16 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 }
 if c.IsSet("pod") {
 if strings.HasPrefix(originalPodName, "new:") {
+ if rootless.IsRootless() {
+ // To create a new pod, we must immediately create the userns.
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ return nil, err
+ }
+ if became {
+ os.Exit(ret)
+ }
+ }
 // pod does not exist; lets make it
 var podOptions []libpod.PodCreateOption
 podOptions = append(podOptions, libpod.WithPodName(podName), libpod.WithInfraContainer(), libpod.WithPodCgroups())
-- 
cgit v1.2.3-54-g00ecf
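Review bot: `strconv.Atoi(string(data))` on the new side accepts any integer, so a stale, empty-after-crash or truncated conmon PID file that parses to 0 or a negative number is still converted with `uint(conmonPid)` and handed to JoinDirectUserAndMountNS, where a negative value wraps to a huge unsigned and 0 is meaningless as a target process. Atoi also rejects a trailing newline, so if the PID file ever carries one the join fails outright; trimming before parsing is cheap insurance. I would trim the input and refuse non-positive PIDs before joining, as below; the rest of the hunk is unchanged. joinOrCreateRootlessUserNamespace starts before this hunk and continues after it, so I cannot tell whether the caller validates the file elsewhere.
```go
	conmonPid, err := strconv.Atoi(strings.TrimSpace(string(data)))
	if err != nil {
		return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
	}
	// A PID file that parses but names no live process must not be joined.
	if conmonPid <= 0 {
		return false, -1, errors.Errorf("invalid conmon PID %d in %q", conmonPid, prevCtr.Config().ConmonPidFile)
	}
	return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
```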
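Review bot: `os.Exit(ret)` in the added block ends the process from the middle of option parsing, so any deferred cleanup in parseCreateOpts's callers is skipped in the parent; whether anything has been acquired by that point is not visible here, but the line deserves a comment saying this is the parent forwarding the child's status, since that is presumably what a true `became` means. The existing comment states only that the userns must be created immediately; I would replace it with: `// Rootless: a new pod needs a user namespace before its storage can be initialised, so re-exec into one now. A true became means this process is the parent, which only propagates the child's exit status.` If the re-executed child later reaches joinOrCreateRootlessUserNamespace in the same file, confirm it does not attempt BecomeRootInUserNS a second time. parseCreateOpts starts and ends outside the hunk.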