From 5ff90677c83b78366554493e10f7615119f7e0a1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 11 Jun 2018 16:03:34 +0200
Subject: rootless: add management for the userNS
When running podman as non root user always create an userNS and let the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano
Closes: #936
Approved by: rhatdan
---
 pkg/spec/createconfig.go | 3 ++-
 pkg/spec/spec.go | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'pkg/spec')
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 205e08c57..af0a62c65 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -16,6 +16,7 @@ import (
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
 "github.com/projectatomic/libpod/libpod"
+ "github.com/projectatomic/libpod/pkg/rootless"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
 )
@@ -360,7 +361,7 @@ func (c *CreateConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 // does not have one
 options = append(options, libpod.WithEntrypoint(c.Entrypoint))
- if os.Getuid() != 0 {
+ if rootless.IsRootless() {
 if !c.NetMode.IsHost() && !c.NetMode.IsNone() {
 options = append(options, libpod.WithNetNS(portBindings, true))
 }
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index b341c8a35..565c07014 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -1,7 +1,6 @@
 package createconfig
 import (
- "os"
 "strings"
 "github.com/docker/docker/daemon/caps"
@@ -12,6 +11,7 @@ import (
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/pkg/errors"
+ "github.com/projectatomic/libpod/pkg/rootless"
 "github.com/sirupsen/logrus"
 "io/ioutil"
 )
@@ -45,7 +45,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 g.AddMount(sysMnt)
 }
- if os.Getuid() != 0 {
+ if rootless.IsRootless() {
 g.RemoveMount("/dev/pts")
 devPts := spec.Mount{
 Destination: "/dev/pts",
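Review bot: The new `if rootless.IsRootless() {` guard in GetContainerCreateOptions swaps a literal uid test for a helper whose definition is not in this patch, and the commit message ties it to a user namespace that podman now always creates; if the helper stays true after the process has re-executed inside that userNS (where `os.Getuid()` would report 0), the branch that forces a private network namespace via `libpod.WithNetNS(portBindings, true)` now fires in a state the old check skipped. That is presumably the intent, but the difference between "not uid 0" and "rootless" is easy to lose at this call site, so add a comment on the new line: `// rootless.IsRootless, unlike os.Getuid, is meant to remain true once we run inside our own userNS; a netns must still be created there`. The else side of this conditional and the rest of the function are outside the hunk.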
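Review bot: The rootless branch that removes the runtime's `/dev/pts` and substitutes its own devPts mount gives no reason for doing so, and the part that matters for isolation — the mount's Type, Source and Options — lies below the hunk; it is worth confirming those options include `newinstance` plus `nosuid,noexec` (so the container gets its own pty instance with the usual hardening) rather than whatever a bare devpts mount defaults to. A short why-comment above `g.RemoveMount("/dev/pts")` stating what is wrong with the default mount under a user namespace would save the next reader from guessing, since neither the hunk nor the commit message says. CreateConfigToOCISpec continues outside the hunk.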
@@ -82,7 +82,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 g.AddProcessEnv("container", "podman")
- canAddResources := os.Getuid() == 0
+ canAddResources := !rootless.IsRootless()
 if canAddResources {
 // RESOURCES - MEMORY
-- cgit v1.2.3-54-g00ecf
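Review bot: `canAddResources := !rootless.IsRootless()` silently discards every resource limit in rootless mode — the `if canAddResources {` block it gates (`// RESOURCES - MEMORY` and, presumably, the other controllers further down, outside the hunk) is simply skipped, so a user who asked for e.g. a memory limit gets a container with no limit and no indication of it. Skipping is presumably unavoidable because the rootless process cannot write the cgroup hierarchy, but the request should not vanish: add an else branch that checks whether any limit was requested in the config's resource fields (below the hunk) and emits `logrus.Warnf("resource limits are not supported in rootless mode and will be ignored")`, or returns an error, using the logrus import this file already has. A comment above the assignment explaining why rootless mode cannot apply cgroup resources would also help. CreateConfigToOCISpec continues outside the hunk.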