From 8ca67d2794b22d293dc7a896f8a3285787cd7d39 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 29 Aug 2018 13:24:03 +0200
Subject: rootless, run: support --pod

move re-exec later on, so that we can check whether we need to join the infra container user namespace or we need to create another one.

Signed-off-by: Giuseppe Scrivano

Closes: #1372
Approved by: mheon
---
 cmd/podman/create.go | 34 ++++++++++++++++++++++++++++++++++
 cmd/podman/main.go | 1 +
 cmd/podman/run.go | 15 ++++++++++++++-
 3 files changed, 49 insertions(+), 1 deletion(-)

(limited to 'cmd/podman')

diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index e7e349306..586368e24 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -764,3 +764,37 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 }
 return config, nil
 }
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+ if os.Getuid() == 0 {
+ return false, 0, nil
+ }
+
+ if createConfig.Pod != "" {
+ pod, err := runtime.LookupPod(createConfig.Pod)
+ if err != nil {
+ return false, -1, err
+ }
+ inspect, err := pod.Inspect()
+ for _, ctr := range inspect.Containers {
+ prevCtr, err := runtime.LookupContainer(ctr.ID)
+ if err != nil {
+ return false, -1, err
+ }
+ s, err := prevCtr.State()
+ if err != nil {
+ return false, -1, err
+ }
+ if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+ continue
+ }
+ pid, err := prevCtr.PID()
+ if err != nil {
+ return false, -1, err
+ }
+ return rootless.JoinNS(uint(pid))
+ }
+ }
+
+ return rootless.BecomeRootInUserNS()
+}
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 6b9bda55e..7960fc277 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -35,6 +35,7 @@ var cmdsNotRequiringRootless = map[string]bool{
 "logout": true,
 "kill": true,
 "pause": true,
+ "run": true,
 "unpause": true,
 "search": true,
 "stats": true,
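Review bot: The error from `pod.Inspect()` in joinOrCreateRootlessUserNamespace is never checked: `inspect, err := pod.Inspect()` is followed directly by `for _, ctr := range inspect.Containers`, so a failed inspect would dereference whatever the failure path returns instead of surfacing the error, and the `err` from the preceding LookupPod is silently overwritten. Insert `if err != nil { return false, -1, err }` immediately after the call, matching the other error checks in the function. Separately, the PID read via `prevCtr.PID()` is handed to `rootless.JoinNS` after a State() check that is not atomic with the join; a container that exits in between could leave a recycled PID, so it is worth confirming (JoinNS is not visible here) that the join validates the target user namespace's owner rather than trusting the PID alone, and documenting that at the call with `// NOTE: PID may be recycled between the state check and the join; JoinNS must verify namespace ownership`. The success path also returns `0` where every error path returns `-1`; since the value is only meaningful when the first result is true, a comment such as `// ret is only meaningful when the first result is true (exit status of the re-exec'd child)` would help.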
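Review bot: Adding `"run"` to cmdsNotRequiringRootless turns off the early re-exec for this command without saying where the rootless setup now happens, which makes the map misleading for the next reader since `run` still does require it. A trailing comment on the new entry would tie the two halves of the change together: `"run": true, // re-execs later in runCmd (joinOrCreateRootlessUserNamespace) so it can join a pod's user namespace instead of creating a new one`. The map's declaration and closing brace are outside this hunk.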
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index 66e78dafd..d8a8a48d5 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -13,6 +13,7 @@ import (
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/libpod/image"
 "github.com/containers/libpod/pkg/inspect"
+ "github.com/containers/libpod/pkg/rootless"
 cc "github.com/containers/libpod/pkg/spec"
 "github.com/containers/libpod/pkg/util"
 "github.com/pkg/errors"
@@ -73,6 +74,10 @@ func runCmd(c *cli.Context) error {
 storageOpts.UIDMap = mappings.UIDMap
 storageOpts.GIDMap = mappings.GIDMap

+ if os.Getuid() != 0 {
+ rootless.SetSkipStorageSetup(true)
+ }
+
 runtime, err := libpodruntime.GetRuntimeWithStorageOpts(c, &storageOpts)
 if err != nil {
 return errors.Wrapf(err, "error creating libpod runtime")
@@ -93,7 +98,7 @@ func runCmd(c *cli.Context) error {
 var newImage *image.Image = nil
 var data *inspect.ImageData = nil

- if rootfs == "" {
+ if rootfs == "" && !rootless.SkipStorageSetup() {
 newImage, err = runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
 if err != nil {
 return errors.Wrapf(err, "unable to find image")
@@ -124,6 +129,14 @@ func runCmd(c *cli.Context) error {
 return err
 }

+ became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, runtime)
+ if err != nil {
+ return err
+ }
+ if became {
+ os.Exit(ret)
+ }
+
 ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 if err != nil {
 return err
--
cgit v1.2.3-54-g00ecf
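Review bot: With `rootfs == "" && !rootless.SkipStorageSetup()` as the guard, a rootless first pass leaves both `newImage` and `data` nil (they are initialised to nil two lines above), and nothing in the hunk records that the code following it must tolerate that; whether the later spec-building code dereferences them is not visible here, so please confirm. I'd add a comment above the condition so the deferral is explicit: `// Rootless first pass: storage is not set up yet (SkipStorageSetup), so the image lookup is deferred to the re-exec'd process; newImage and data stay nil here.` runCmd starts and ends outside this hunk.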
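Review bot: `os.Exit(ret)` on the `became` path terminates the parent process without running any deferred functions in runCmd; if runCmd defers a runtime shutdown or other cleanup (the function's start is outside this hunk, so I cannot see it), that cleanup is skipped for the parent after the re-exec, and the same applies to the parent's temporary state created by GetRuntimeWithStorageOpts above. Presumably `ret` is the child's exit status and propagating it is the intent, so the fix is to make that explicit and, if cleanup exists, run it before exiting: `if became { // re-exec'd into the user namespace; ret is the child's exit status` and `os.Exit(ret)` after the cleanup call. The second pass (uid 0 inside the namespace) returns `false, 0, nil` from joinOrCreateRootlessUserNamespace and falls through to NewContainer, which is the only path that reaches the rest of runCmd.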