From 542d8fe95f66c0a3aabb9d964c260a0b3b9aaae8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 9 Nov 2018 11:22:44 -0500 Subject: Better document rootless containers Need to return an error pointing user in right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files. Also fix up man pages to better describe rootless podman. Signed-off-by: Daniel J Walsh --- pkg/rootless/rootless_linux.go | 3 +++ 1 file changed, 3 insertions(+) (limited to 'pkg/rootless/rootless_linux.go') diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 5c45f2694..ff8c8fe34 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -187,6 +187,9 @@ func BecomeRootInUserNS() (bool, int, error) { if username == "" { user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { + if os.IsNotExist(err) { + return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files") + } return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set") } if err == nil { -- cgit v1.2.3-54-g00ecf From 1e3ff6950269cb7fdb1c9ac161cf1aabf4933326 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 14 Nov 2018 10:13:47 +0100 Subject: rootless: call IsRootless just once we are calling this function several times, it is worth to store its result and re-use it. Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless_linux.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'pkg/rootless/rootless_linux.go') diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index ff8c8fe34..85b0ef392 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -12,6 +12,7 @@ import ( "runtime" "strconv" "strings" + "sync" "syscall" "unsafe" 
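Review bot: The new `os.IsNotExist` branch tells the user that `/etc/subuid` or `/etc/subgid` is missing, but the error it inspects comes from `user.LookupId`, which consults the passwd database and never reads the subordinate-ID files; an unknown UID surfaces as `user.UnknownUserIdError`, so the only way this branch fires is when `/etc/passwd` itself cannot be opened, and the message then points at the wrong file. The subordinate-ID files are presumably only read later by `idtools.NewIDMappings`, so the hint belongs on that call's error path (below this hunk), e.g. `return false, -1, errors.Wrapf(err, "cannot find mappings for user %s in /etc/subuid or /etc/subgid, see the subuid(5)/subgid(5) man pages", username)`. If the branch here is kept it should describe what it actually detected, e.g. `return false, 0, errors.Wrapf(err, "cannot look up uid %d in the passwd database", os.Getuid())`. BecomeRootInUserNS starts and ends outside this hunk.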
@@ -33,9 +34,17 @@ func runInUser() error { return nil } +var ( + isRootlessOnce sync.Once + isRootless bool +) + // IsRootless tells us if we are running in rootless mode func IsRootless() bool { - return os.Geteuid() != 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" + isRootlessOnce.Do(func() { + isRootless = os.Geteuid() != 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" + }) + return isRootless } var ( -- cgit v1.2.3-54-g00ecf From 727b6a78ee5767646d74e04722ee1cb5f8d5594b Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 3 Dec 2018 12:14:52 +0100 Subject: rootless: raise error if newuidmap/newgidmap are not installed it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the tests suite) and any of the binaries is not present. Signed-off-by: Giuseppe Scrivano --- pkg/rootless/rootless_linux.go | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) (limited to 'pkg/rootless/rootless_linux.go') diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 85b0ef392..07002da3f 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -74,7 +74,7 @@ func GetRootlessUID() int { func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error { path, err := exec.LookPath(tool) if err != nil { - return err + return errors.Wrapf(err, "cannot find %s", tool) } appendTriplet := func(l []string, a, b, c int) []string { @@ -92,7 +92,11 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) Path: path, Args: args, } - return cmd.Run() + + if err := cmd.Run(); err != nil { + return errors.Wrapf(err, "cannot setup namespace using %s", tool) + } + return nil } // JoinNS re-exec podman in a new userNS and join the user namespace of the specified 
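Review bot: The doc comment on `IsRootless` should say that the result is now computed once and cached for the life of the process, because the answer depends on the effective UID and on the `_LIBPOD_USERNS_CONFIGURED` environment variable, and a later change to either (a setuid/user-namespace switch or an os.Setenv in the same process) will not be reflected by the cached value. Suggested: `// IsRootless tells us if we are running in rootless mode. The answer is computed on the first call (from the euid and _LIBPOD_USERNS_CONFIGURED) and cached; later changes to either are not tracked.` The `sync.Once` is also what makes the package-level `isRootless` safe to read from several goroutines, which is worth stating since it is the reason for a Once rather than a plain lazily-set bool.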
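Review bot: `errors.Wrapf(err, "cannot setup namespace using %s", tool)` will in practice read "cannot setup namespace using newuidmap: exit status 1", because the `exec.Cmd` literal sets only `Path` and `Args`, so the tool's stderr — where newuidmap/newgidmap explain the failure (range not in /etc/subuid, missing setuid bit, bad arguments) — is connected to the null device and lost. Now that this error aborts a non-test run, it is worth capturing stderr and folding it into the message; this needs a `bytes` import in the import block, which is outside this hunk. The rest of tryMappingTool (argument assembly) is unchanged.
```go
	var stderr bytes.Buffer
	cmd := exec.Cmd{
		Path:   path,
		Args:   args,
		Stderr: &stderr,
	}
	if err := cmd.Run(); err != nil {
		return errors.Wrapf(err, "cannot setup namespace using %s: %s", tool, strings.TrimSpace(stderr.String()))
	}
	return nil
```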
@@ -191,11 +195,13 @@ func BecomeRootInUserNS() (bool, int, error) { return false, -1, errors.Errorf("cannot re-exec process") } + allowSingleIDMapping := os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") != "" + var uids, gids []idtools.IDMap username := os.Getenv("USER") if username == "" { user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) - if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { + if err != nil && !allowSingleIDMapping { if os.IsNotExist(err) { return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files") } @@ -206,7 +212,7 @@ func BecomeRootInUserNS() (bool, int, error) { } } mappings, err := idtools.NewIDMappings(username, username) - if os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { + if !allowSingleIDMapping { if err != nil { return false, -1, err } @@ -236,7 +242,11 @@ func BecomeRootInUserNS() (bool, int, error) { uidsMapped := false if mappings != nil && uids != nil { - uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil + err := tryMappingTool("newuidmap", pid, os.Getuid(), uids) + if !allowSingleIDMapping && err != nil { + return false, 0, err + } + uidsMapped = err == nil } if !uidsMapped { setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) @@ -254,7 +264,11 @@ func BecomeRootInUserNS() (bool, int, error) { gidsMapped := false if mappings != nil && gids != nil { - gidsMapped = tryMappingTool("newgidmap", pid, os.Getgid(), gids) == nil + err := tryMappingTool("newgidmap", pid, os.Getgid(), gids) + if !allowSingleIDMapping && err != nil { + return false, 0, err + } + gidsMapped = err == nil } if !gidsMapped { gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) -- cgit v1.2.3-54-g00ecf
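Review bot: `allowSingleIDMapping` turns every later mapping failure into a silent fallback, and nothing in the code records that `PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS` is the test-suite-only knob the commit message describes, so a production user who exports it will get a user namespace with only their own uid/gid mapped and no error telling them why. A comment at the new declaration should state that contract: `// allowSingleIDMapping is a test-suite escape hatch: when PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS is set, a missing subuid/subgid entry or a newuidmap/newgidmap failure falls back to mapping only the caller's own uid/gid instead of aborting.` BecomeRootInUserNS starts and ends outside this hunk.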
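Review bot: The new early return `return false, 0, err` after a failed newuidmap reports pid 0, while the other failure paths of this function return -1 (`return false, -1, err` after `idtools.NewIDMappings` and `return false, -1, errors.Errorf("cannot re-exec process")`), so a caller that looks at the int gets an inconsistent sentinel; use `return false, -1, err` here and in the matching newgidmap branch. By this point the re-exec'd child identified by `pid` already exists (it is created above the hunk, so I cannot see how it synchronises), and returning without terminating it presumably leaves a child blocked waiting for its uid_map to be written; the error path should kill and reap it before returning, e.g. `syscall.Kill(pid, syscall.SIGKILL)` followed by a `syscall.Wait4`.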