From a389eab8d116f406aba6a4fd1dd5a545e536e88b Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 10 Jun 2020 14:45:11 +0200 Subject: container: make resolv.conf and hosts accessible in userns when running in a new userns, make sure the resolv.conf and hosts files bind mounted from another container are accessible to root in the userns. Signed-off-by: Giuseppe Scrivano --- libpod/container_internal_linux.go | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'libpod') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index d08e012a6..e0cd39ee5 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -1171,6 +1171,15 @@ func (c *Container) makeBindMounts() error { // finally, save it in the new container c.state.BindMounts["/etc/hosts"] = hostsPath } + + if !hasCurrentUserMapped(c) { + if err := makeAccessible(resolvPath, c.RootUID(), c.RootGID()); err != nil { + return err + } + if err := makeAccessible(hostsPath, c.RootUID(), c.RootGID()); err != nil { + return err + } + } } else { if !c.config.UseImageResolvConf { newResolv, err := c.generateResolvConf() -- cgit v1.2.3-54-g00ecf From 6c27e27b8c263696c78d540a87918c6482507310 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 10 Jun 2020 14:52:08 +0200 Subject: container: do not set hostname when joining uts do not set the hostname when joining an UTS namespace, as it could be owned by a different userns. Signed-off-by: Giuseppe Scrivano --- libpod/container_internal_linux.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'libpod') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index e0cd39ee5..e3ca3f6b2 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -392,7 +392,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } for _, i := range c.config.Spec.Linux.Namespaces { - if i.Type == spec.UTSNamespace { + if i.Type == spec.UTSNamespace && i.Path == "" { hostname := c.Hostname() g.SetHostname(hostname) g.AddProcessEnv("HOSTNAME", hostname) @@ -591,7 +591,8 @@ func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr if specNS == spec.UTSNamespace { hostname := nsCtr.Hostname() - g.SetHostname(hostname) + // Joining an existing namespace, cannot set the hostname + g.SetHostname("") g.AddProcessEnv("HOSTNAME", hostname) } -- cgit v1.2.3-54-g00ecf