From 4a02713c57d874c404539047ccc5c5ff5c1958fc Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 7 Mar 2019 08:14:22 +0100
Subject: rootless: exec join the user+mount namespace
it is not enough to join the user namespace where the container is running. We also need to join the mount namespace so that we can correctly look-up inside of the container rootfs. This is necessary to lookup the mounted /etc/passwd file when --user is specified.
Closes: https://github.com/containers/libpod/issues/2566
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/exec.go | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
(limited to 'cmd')
diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
index 32a6e4bb5..9ca613ec2 100644
--- a/cmd/podman/exec.go
+++ b/cmd/podman/exec.go
@@ -108,16 +108,25 @@ func execCmd(c *cliconfig.ExecValues) error {
 }
- pid, err := ctr.PID()
- if err != nil {
- return err
- }
- became, ret, err := rootless.JoinNS(uint(pid), c.PreserveFDs)
- if err != nil {
- return err
- }
- if became {
- os.Exit(ret)
+ if os.Geteuid() != 0 {
+ var became bool
+ var ret int
+
+ data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+ if err != nil {
+ return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ became, ret, err = rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+ if err != nil {
+ return err
+ }
+ if became {
+ os.Exit(ret)
+ }
 }
 // ENVIRONMENT VARIABLES
-- cgit v1.2.3-54-g00ecf
From 081291c8d62b989373149973c1ce0fad0fe7fea1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 7 Mar 2019 09:54:03 +0100
Subject: create: join also the mount ns of the dependency
when we are creating a container that depends on another one, be sure we also join its mount namespace in addition to the user namespace.
Closes: https://github.com/containers/libpod/issues/2556 
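Review bot: The rootless path no longer forwards `c.PreserveFDs`: the removed `rootless.JoinNS(uint(pid), c.PreserveFDs)` carried it, while the new `rootless.JoinDirectUserAndMountNS(uint(conmonPid))` takes only the PID, so unless that helper keeps the extra descriptors open across its re-exec on its own (not visible here), `--preserve-fds` silently stops working for rootless exec; either pass the value through or add a comment above the call explaining why it is no longer needed. `strconv.Atoi(string(data))` rejects a trailing newline or any surrounding whitespace in the conmon PID file, so `strconv.Atoi(strings.TrimSpace(string(data)))` (importing `strings`) is the safer parse unless the file's exact format is guaranteed by the writer. The same read-and-parse sequence, including the `%q` error wording, is duplicated in cmd/podman/create.go in the following commit; a small shared helper such as `readConmonPid(ctr)` returning `(int, error)` would keep parsing and validation in one place. execCmd starts and ends outside this hunk.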
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/create.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'cmd')
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index a7b9bbf31..9e9073a1d 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -894,7 +894,16 @@ func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *l
 }
 return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID())
 }
- return rootless.JoinNS(uint(pid), 0)
+
+ data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+ }
+ return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
 }
 }
 return rootless.BecomeRootInUserNS()
-- cgit v1.2.3-54-g00ecf
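Review bot: The parsed value is converted with `uint(conmonPid)` without a range check: `strconv.Atoi` accepts "0" and negative numbers, and a negative int wraps to a very large unsigned value, so a truncated or corrupt PID file turns into an opaque namespace-join failure rather than a clear error; add `if conmonPid <= 0 { return false, -1, errors.Errorf("invalid conmon PID %d in %q", conmonPid, ctr.Config().ConmonPidFile) }` directly after the parse (the same check belongs in cmd/podman/exec.go in the previous commit). The running-state check just above the hunk and the namespace join rely on a PID read from a file rather than from the live container, so if conmon exits in between the value may be stale or already reused by an unrelated process; a comment stating where the PID file lives and why its contents are trusted, or a liveness check on the PID before joining, would make that assumption explicit for the next reader. joinOrCreateRootlessUserNamespace starts and ends outside this hunk.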