From af3e73426aa6746333ef8581711ec768e2594530 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Sun, 10 Mar 2019 22:38:12 +0100 Subject: rootless: allow single mappings we were playing safe and not allowed any container to have less than 65536 mappings. There are a couple of reasons to change it: - it blocked libpod to work in an environment where newuidmap/newgidmap are not available, or not configured. - not allowed to use different partitions of subuids, where each user has less than 65536 ids available. Hopefully this change in containers/storage: https://github.com/containers/storage/pull/303 will make error clearers if there are not enough IDs for the image that is being used. Closes: https://github.com/containers/libpod/issues/1651 Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless_linux.go | 59 +++--------------------------------------- test/e2e/rootless_test.go | 2 -- 2 files changed, 4 insertions(+), 57 deletions(-) diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 933cfa2c2..d43151e8e 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -11,7 +11,6 @@ import ( "os/user" "runtime" "strconv" - "strings" "sync" "syscall" "unsafe" @@ -192,22 +191,6 @@ func JoinNSPath(path string) (bool, int, error) { return true, int(ret), nil } -const defaultMinimumMappings = 65536 - -func getMinimumIDs(p string) int { - content, err := ioutil.ReadFile(p) - if err != nil { - logrus.Debugf("error reading data from %q, use a default value of %d", p, defaultMinimumMappings) - return defaultMinimumMappings - } - ret, err := strconv.Atoi(strings.TrimSuffix(string(content), "\n")) - if err != nil { - logrus.Debugf("error reading data from %q, use a default value of %d", p, defaultMinimumMappings) - return defaultMinimumMappings - } - return ret + 1 -} - // BecomeRootInUserNS re-exec podman in a new userNS. It returns whether podman was re-executed // into a new user namespace and the return code from the re-executed podman process. // If podman was re-executed the caller needs to propagate the error code returned by the child @@ -237,47 +220,18 @@ func BecomeRootInUserNS() (bool, int, error) { return false, -1, errors.Errorf("cannot re-exec process") } - allowSingleIDMapping := os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") != "" - var uids, gids []idtools.IDMap username := os.Getenv("USER") if username == "" { user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) - if err != nil && !allowSingleIDMapping { - if os.IsNotExist(err) { - return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files") - } - return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set") - } if err == nil { username = user.Username } } mappings, err := idtools.NewIDMappings(username, username) - if !allowSingleIDMapping { - if err != nil { - return false, -1, err - } - - availableGIDs, availableUIDs := 0, 0 - for _, i := range mappings.UIDs() { - availableUIDs += i.Size - } - - minUIDs := getMinimumIDs("/proc/sys/kernel/overflowuid") - if availableUIDs < minUIDs { - return false, 0, fmt.Errorf("not enough UIDs available for the user, at least %d are needed", minUIDs) - } - - for _, i := range mappings.GIDs() { - availableGIDs += i.Size - } - minGIDs := getMinimumIDs("/proc/sys/kernel/overflowgid") - if availableGIDs < minGIDs { - return false, 0, fmt.Errorf("not enough GIDs available for the user, at least %d are needed", minGIDs) - } - } - if err == nil { + if err != nil { + logrus.Warnf("cannot find mappings for user %s: %v", username, err) + } else { uids = mappings.UIDs() gids = mappings.GIDs() } @@ -285,12 +239,10 @@ func BecomeRootInUserNS() (bool, int, error) { uidsMapped := false if mappings != nil && uids != nil { err := tryMappingTool("newuidmap", pid, os.Getuid(), uids) - if !allowSingleIDMapping && err != nil { - return false, 0, err - } uidsMapped = err == nil } if !uidsMapped { + logrus.Warnf("using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids") setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666) if err != nil { @@ -307,9 +259,6 @@ func BecomeRootInUserNS() (bool, int, error) { gidsMapped := false if mappings != nil && gids != nil { err := tryMappingTool("newgidmap", pid, os.Getgid(), gids) - if !allowSingleIDMapping && err != nil { - return false, 0, err - } gidsMapped = err == nil } if !gidsMapped { diff --git a/test/e2e/rootless_test.go b/test/e2e/rootless_test.go index 908c459da..cd771e2ba 100644 --- a/test/e2e/rootless_test.go +++ b/test/e2e/rootless_test.go @@ -126,7 +126,6 @@ var _ = Describe("Podman rootless", func() { env := os.Environ() env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", xdgRuntimeDir)) env = append(env, fmt.Sprintf("HOME=%s", home)) - env = append(env, "PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS=1") env = append(env, "USER=foo") cmd := rootlessTest.PodmanAsUser([]string{"pod", "create", "--infra=false"}, 1000, 1000, "", env) @@ -171,7 +170,6 @@ var _ = Describe("Podman rootless", func() { env := os.Environ() env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", xdgRuntimeDir)) env = append(env, fmt.Sprintf("HOME=%s", home)) - env = append(env, "PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS=1") env = append(env, "USER=foo") allArgs := append([]string{"run"}, args...) -- cgit v1.2.3-54-g00ecf