From b51d7379987581da82902027fe91cdf298047bc0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 23 Apr 2018 20:42:53 -0400 Subject: Begin wiring in USERNS Support into podman Signed-off-by: Daniel J Walsh Closes: #690 Approved by: mheon --- cmd/podman/create.go | 71 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 23 deletions(-) (limited to 'cmd/podman/create.go')
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 54a542ee5..7740da8e1 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "context"
 "encoding/json"
 "fmt"
 "net"
@@ -9,6 +10,7 @@ import (
 "strings"
 "syscall"
+ "github.com/containers/storage"
 "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/pkg/signal"
 "github.com/docker/go-connections/nat"
@@ -92,7 +94,8 @@ type createConfig struct {
 Hostname string //hostname
 Image string
 ImageID string
- BuiltinImgVolumes map[string]struct{} // volumes defined in the image config
+ BuiltinImgVolumes map[string]struct{} // volumes defined in the image config
+ IDMappings *storage.IDMappingOptions
 ImageVolumeType string // how to handle the image volume, either bind, tmpfs, or ignore
 Interactive bool //interactive
 IpcMode container.IpcMode //ipc
@@ -108,8 +111,7 @@ type createConfig struct {
 Network string //network
 NetworkAlias []string //network-alias
 PidMode container.PidMode //pid
- NsUser string
- Pod string //pod
+ Pod string //pod
 PortBindings nat.PortMap
 Privileged bool //privileged
 Publish []string //publish
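Review bot: The new `IDMappings` field is the only one in this hunk without a trailing comment, while its neighbours in `createConfig` name the CLI flag they come from. Suggest `IDMappings *storage.IDMappingOptions //uidmap,gidmap`, since this commit fills it from `util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), ...)` in parseCreateOpts. The struct definition continues outside the hunk.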
@@ -119,20 +121,21 @@ type createConfig struct {
 Resources createResourceConfig
 Rm bool //rm
 ShmDir string
- StopSignal syscall.Signal // stop-signal
- StopTimeout uint // stop-timeout
- Sysctl map[string]string //sysctl
- Tmpfs []string // tmpfs
- Tty bool //tty
- User string //user
- UtsMode container.UTSMode //uts
- Volumes []string //volume
- WorkDir string //workdir
- MountLabel string //SecurityOpts
- ProcessLabel string //SecurityOpts
- NoNewPrivs bool //SecurityOpts
- ApparmorProfile string //SecurityOpts
- SeccompProfilePath string //SecurityOpts
+ StopSignal syscall.Signal // stop-signal
+ StopTimeout uint // stop-timeout
+ Sysctl map[string]string //sysctl
+ Tmpfs []string // tmpfs
+ Tty bool //tty
+ UsernsMode container.UsernsMode //userns
+ User string //user
+ UtsMode container.UTSMode //uts
+ Volumes []string //volume
+ WorkDir string //workdir
+ MountLabel string //SecurityOpts
+ ProcessLabel string //SecurityOpts
+ NoNewPrivs bool //SecurityOpts
+ ApparmorProfile string //SecurityOpts
+ SeccompProfilePath string //SecurityOpts
 SecurityOpts []string
 }
@@ -174,7 +177,15 @@ func createCmd(c *cli.Context) error {
 return errors.Errorf("image name or ID is required")
 }
- runtime, err := libpodruntime.GetRuntime(c)
+ mappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidmap"), c.String("subgidmap"))
+ if err != nil {
+ return err
+ }
+ storageOpts := storage.DefaultStoreOptions
+ storageOpts.UIDMap = mappings.UIDMap
+ storageOpts.GIDMap = mappings.GIDMap
+
+ runtime, err := libpodruntime.GetRuntimeWithStorageOpts(c, &storageOpts)
 if err != nil {
 return errors.Wrapf(err, "error creating libpod runtime")
 }
@@ -188,7 +199,7 @@ func createCmd(c *cli.Context) error {
 return err
 }
 data, err := newImage.Inspect(ctx)
- createConfig, err := parseCreateOpts(c, runtime, newImage.Names()[0], data)
+ createConfig, err := parseCreateOpts(ctx, c, runtime, newImage.Names()[0], data)
 if err != nil {
 return err
 }
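Review bot: The `util.ParseIDMapping` call added here reads `c.String("subuidmap")` and `c.String("subgidmap")`, but the otherwise identical call this commit adds to `parseCreateOpts` (hunk at -414) reads `c.String("subuidname")` and `c.String("subgidname")`. Unless both pairs are registered flags, `c.String` silently returns the empty string for the unregistered one, so the mapping handed to the storage layer and the one stored in `createConfig.IDMappings` can differ for the same command line. Parse once and reuse the result, e.g. keep this call and pass `mappings` into `parseCreateOpts` (whose signature already changes in this commit), or at minimum use the same flag names in both places. The bare `return err` here also drops the context the neighbouring error path adds; `return errors.Wrapf(err, "error parsing ID mappings")` would match it. createCmd's body continues outside the hunk.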
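Review bot: The error from `newImage.Inspect(ctx)` on the context line just above is never checked before the rewritten `createConfig, err := parseCreateOpts(ctx, ...)` line overwrites `err`, so a failed inspect reaches parseCreateOpts with a `data` that may be nil, which that function dereferences as `data.ID`. Insert the check between the two lines: `if err != nil {` / `return errors.Wrapf(err, "error inspecting image")` / `}`. The gap predates this commit, but the line being rewritten is the one that masks it. createCmd's body continues outside the hunk.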
@@ -211,6 +222,7 @@ func createCmd(c *cli.Context) error {
 options = append(options, libpod.WithShmDir(createConfig.ShmDir))
 options = append(options, libpod.WithShmSize(createConfig.Resources.ShmSize))
 options = append(options, libpod.WithGroups(createConfig.GroupAdd))
+ options = append(options, libpod.WithIDMappings(*createConfig.IDMappings))
 ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 if err != nil {
 return err
@@ -414,10 +426,16 @@ func getRandomPort() (int, error) {
 // Parses CLI options related to container creation into a config which can be
 // parsed into an OCI runtime spec
-func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*createConfig, error) {
- var inputCommand, command []string
- var memoryLimit, memoryReservation, memorySwap, memoryKernel int64
- var blkioWeight uint16
+func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*createConfig, error) {
+ var (
+ inputCommand, command []string
+ memoryLimit, memoryReservation, memorySwap, memoryKernel int64
+ blkioWeight uint16
+ )
+ idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
+ if err != nil {
+ return nil, err
+ }
 imageID := data.ID
@@ -473,6 +491,11 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
 }
+ usernsMode := container.UsernsMode(c.String("userns"))
+ if !usernsMode.Valid() {
+ return nil, errors.Errorf("--userns %q is not valid", c.String("userns"))
+ }
+
 if c.Bool("detach") && c.Bool("rm") {
 return nil, errors.Errorf("--rm and --detach can not be specified together")
 }
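Review bot: `libpod.WithIDMappings(*createConfig.IDMappings)` dereferences the pointer unconditionally and is appended even when no `--uidmap`/`--gidmap` flag was given. That is only safe if `util.ParseIDMapping` never returns a nil pointer together with a nil error, which this diff does not show; wrapping the append in `if createConfig.IDMappings != nil {` keeps `podman create` from panicking if that contract ever changes. Whether an empty `IDMappingOptions` is a no-op for the runtime is also not visible here and is worth confirming. createCmd's body continues outside the hunk.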
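Review bot: The new `--userns` check only asks whether the value is one `container.UsernsMode` accepts (in docker's implementation, the empty string or `host`); it does not relate the value to the `--uidmap`/`--gidmap` mapping that the same function parses a few lines earlier in this commit (hunk at -414). Requesting the host user namespace while also supplying an ID mapping is contradictory, and nothing in this diff shows which of the two the runtime honours. Rejecting the combination up front is cheap: `if usernsMode.IsHost() && (len(c.StringSlice("uidmap")) > 0 || len(c.StringSlice("gidmap")) > 0) {` / `return nil, errors.Errorf("--userns=host cannot be combined with --uidmap or --gidmap")` / `}`. parseCreateOpts's body continues outside the hunk.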
@@ -653,6 +676,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 GroupAdd: c.StringSlice("group-add"),
 Hostname: c.String("hostname"),
 HostAdd: c.StringSlice("add-host"),
+ IDMappings: idmappings,
 Image: imageName,
 ImageID: imageID,
 Interactive: c.Bool("interactive"),
@@ -712,6 +736,7 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime, imageName string,
 Tmpfs: c.StringSlice("tmpfs"),
 Tty: tty,
 User: user,
+ UsernsMode: usernsMode,
 Volumes: c.StringSlice("volume"),
 WorkDir: workDir,
 }
-- cgit v1.2.3-54-g00ecf