From 8ca67d2794b22d293dc7a896f8a3285787cd7d39 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 29 Aug 2018 13:24:03 +0200
Subject: rootless, run: support --pod

move re-exec later on, so that we can check whether we need to join
the infra container user namespace or we need to create another one.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1372
Approved by: mheon
---
 cmd/podman/create.go | 34 ++++++++++++++++++++++++++++++++++
 cmd/podman/main.go   |  1 +
 cmd/podman/run.go    | 15 ++++++++++++++-
 3 files changed, 49 insertions(+), 1 deletion(-)


diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index e7e349306..586368e24 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -764,3 +764,37 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 	}
 	return config, nil
 }
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+	if os.Getuid() == 0 {
+		return false, 0, nil
+	}
+
+	if createConfig.Pod != "" {
+		pod, err := runtime.LookupPod(createConfig.Pod)
+		if err != nil {
+			return false, -1, err
+		}
+		inspect, err := pod.Inspect()
+		for _, ctr := range inspect.Containers {
+			prevCtr, err := runtime.LookupContainer(ctr.ID)
+			if err != nil {
+				return false, -1, err
+			}
+			s, err := prevCtr.State()
+			if err != nil {
+				return false, -1, err
+			}
+			if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+				continue
+			}
+			pid, err := prevCtr.PID()
+			if err != nil {
+				return false, -1, err
+			}
+			return rootless.JoinNS(uint(pid))
+		}
+	}
+
+	return rootless.BecomeRootInUserNS()
+}
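Review bot: The error from `inspect, err := pod.Inspect()` is never checked, so a failed inspect either dereferences a nil `inspect` in the `range inspect.Containers` loop or silently falls through to `rootless.BecomeRootInUserNS()` as if the pod were empty; add `if err != nil { return false, -1, err }` directly after that line. The function also lacks a doc comment; a one-liner stating that it joins the user namespace of the first running or paused container in the requested pod and otherwise creates a new one, and that the bool/int pair is presumably "did we re-exec" plus the exit status to propagate (confirm against the rootless package), would help readers. The mixed `0`/`-1` second return values on the `false` paths are harmless only because the caller ignores `ret` when `became` is false; picking one value would make that clearer.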
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 6b9bda55e..7960fc277 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -35,6 +35,7 @@ var cmdsNotRequiringRootless = map[string]bool{
 	"logout":  true,
 	"kill":    true,
 	"pause":   true,
+	"run":     true,
 	"unpause": true,
 	"search":  true,
 	"stats":   true,
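Review bot: The new `"run": true` entry silently changes rootless behaviour for `run`: it now skips the early re-exec and relies on runCmd calling joinOrCreateRootlessUserNamespace itself later, which is not obvious from this map. A trailing comment on the entry, `// run re-execs itself later, once it knows whether to join a pod's user namespace`, would tie the two together and keep a future cleanup of the map from breaking it.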
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index 66e78dafd..d8a8a48d5 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -13,6 +13,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/inspect"
+	"github.com/containers/libpod/pkg/rootless"
 	cc "github.com/containers/libpod/pkg/spec"
 	"github.com/containers/libpod/pkg/util"
 	"github.com/pkg/errors"
@@ -73,6 +74,10 @@ func runCmd(c *cli.Context) error {
 	storageOpts.UIDMap = mappings.UIDMap
 	storageOpts.GIDMap = mappings.GIDMap
 
+	if os.Getuid() != 0 {
+		rootless.SetSkipStorageSetup(true)
+	}
+
 	runtime, err := libpodruntime.GetRuntimeWithStorageOpts(c, &storageOpts)
 	if err != nil {
 		return errors.Wrapf(err, "error creating libpod runtime")
@@ -93,7 +98,7 @@ func runCmd(c *cli.Context) error {
 
 	var newImage *image.Image = nil
 	var data *inspect.ImageData = nil
-	if rootfs == "" {
+	if rootfs == "" && !rootless.SkipStorageSetup() {
 		newImage, err = runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
 		if err != nil {
 			return errors.Wrapf(err, "unable to find image")
@@ -124,6 +129,14 @@ func runCmd(c *cli.Context) error {
 		return err
 	}
 
+	became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, runtime)
+	if err != nil {
+		return err
+	}
+	if became {
+		os.Exit(ret)
+	}
+
 	ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 	if err != nil {
 		return err
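Review bot: `os.Exit(ret)` on the `became` path terminates the process without running any deferred cleanup in runCmd; the function starts and ends outside this hunk, so if it defers a runtime shutdown or similar, that cleanup is bypassed here. Either document the intent on the line, `// the re-exec'd child already completed the run; propagate its status`, or return the status through the caller so defers still run. Relatedly, the earlier hunk's `if rootfs == "" && !rootless.SkipStorageSetup()` leaves `newImage` and `data` nil whenever storage setup is skipped, so any later use of `data` in runCmd (not visible here) needs a nil check.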
-- 
cgit v1.2.3-54-g00ecf