v2 podman unshare command

add unshare command add cp and init to container sub-command allow mount to run as rootless Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-06-21 17:38:12 +08:00 · 2020-05-08 13:09:11 -05:00
parent b2e8915baa
commit 1074a02ff8
7 changed files with 125 additions and 8 deletions
--- a/cmd/podman/containers/cp.go
+++ b/cmd/podman/containers/cp.go
@ -7,6 +7,7 @@ import (
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 )

 var (
@ -22,20 +23,41 @@ var (
 		RunE:    cp,
 		Example: "podman cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH",
 	}
+
+	containerCpCommand = &cobra.Command{
+		Use:     cpCommand.Use,
+		Short:   cpCommand.Short,
+		Long:    cpCommand.Long,
+		Args:    cpCommand.Args,
+		RunE:    cpCommand.RunE,
+		Example: "podman container cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH",
+	}
 )

 var (
 	cpOpts entities.ContainerCpOptions
 )

+func cpFlags(flags *pflag.FlagSet) {
+	flags.BoolVar(&cpOpts.Extract, "extract", false, "Extract the tar file into the destination directory.")
+	flags.BoolVar(&cpOpts.Pause, "pause", copyPause(), "Pause the container while copying")
+}
+
 func init() {
 	registry.Commands = append(registry.Commands, registry.CliCommand{
 		Mode:    []entities.EngineMode{entities.ABIMode},
 		Command: cpCommand,
 	})
 	flags := cpCommand.Flags()
-	flags.BoolVar(&cpOpts.Extract, "extract", false, "Extract the tar file into the destination directory.")
-	flags.BoolVar(&cpOpts.Pause, "pause", copyPause(), "Pause the container while copying")
+	cpFlags(flags)
+
+	registry.Commands = append(registry.Commands, registry.CliCommand{
+		Mode:    []entities.EngineMode{entities.ABIMode},
+		Command: containerCpCommand,
+		Parent:  containerCmd,
+	})
+	containerCpFlags := containerCpCommand.Flags()
+	cpFlags(containerCpFlags)
 }

 func cp(cmd *cobra.Command, args []string) error {
--- a/cmd/podman/containers/init.go
+++ b/cmd/podman/containers/init.go
@ -8,6 +8,7 @@ import (
 	"github.com/containers/libpod/cmd/podman/utils"
 	"github.com/containers/libpod/pkg/domain/entities"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 )

 var (
@ -25,21 +26,47 @@ var (
  podman init 3c45ef19d893
  podman init test1`,
 	}
+
+	containerInitCommand = &cobra.Command{
+		Use:   initCommand.Use,
+		Short: initCommand.Short,
+		Long:  initCommand.Long,
+		RunE:  initCommand.RunE,
+		Args:  initCommand.Args,
+		Example: `podman container init --latest
+  podman container init 3c45ef19d893
+  podman container init test1`,
+	}
 )

 var (
 	initOptions entities.ContainerInitOptions
 )

+func initFlags(flags *pflag.FlagSet) {
+	flags.BoolVarP(&initOptions.All, "all", "a", false, "Initialize all containers")
+	flags.BoolVarP(&initOptions.Latest, "latest", "l", false, "Act on the latest container podman is aware of")
+	if registry.IsRemote() {
+		_ = flags.MarkHidden("latest")
+	}
+}
+
 func init() {
 	registry.Commands = append(registry.Commands, registry.CliCommand{
 		Mode:    []entities.EngineMode{entities.ABIMode, entities.TunnelMode},
 		Command: initCommand,
 	})
 	flags := initCommand.Flags()
-	flags.BoolVarP(&initOptions.All, "all", "a", false, "Initialize all containers")
-	flags.BoolVarP(&initOptions.Latest, "latest", "l", false, "Act on the latest container podman is aware of")
-	_ = flags.MarkHidden("latest")
+	initFlags(flags)
+
+	registry.Commands = append(registry.Commands, registry.CliCommand{
+		Mode:    []entities.EngineMode{entities.ABIMode, entities.TunnelMode},
+		Parent:  containerCmd,
+		Command: containerInitCommand,
+	})
+
+	containerInitFlags := containerInitCommand.Flags()
+	initFlags(containerInitFlags)
 }

 func initContainer(cmd *cobra.Command, args []string) error {
--- a/cmd/podman/containers/mount.go
+++ b/cmd/podman/containers/mount.go
@ -30,9 +30,6 @@ var (
 		Args: func(cmd *cobra.Command, args []string) error {
 			return parse.CheckAllLatestAndCIDFile(cmd, args, true, false)
 		},
-		Annotations: map[string]string{
-			registry.ParentNSRequired: "",
-		},
 	}

 	containerMountCommmand = &cobra.Command{
--- a/cmd/podman/system/unshare.go
+++ b/cmd/podman/system/unshare.go
@ -0,0 +1,50 @@
+package system
+
+import (
+	"os"
+
+	"github.com/containers/libpod/cmd/podman/registry"
+	"github.com/containers/libpod/pkg/domain/entities"
+	"github.com/containers/libpod/pkg/rootless"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+var (
+	unshareDescription = "Runs a command in a modified user namespace."
+	unshareCommand     = &cobra.Command{
+		Use:   "unshare [flags] [COMMAND [ARG]]",
+		Short: "Run a command in a modified user namespace",
+		Long:  unshareDescription,
+		RunE:  unshare,
+		Example: `podman unshare id
+  podman unshare cat /proc/self/uid_map,
+  podman unshare podman-script.sh`,
+	}
+)
+
+func init() {
+	registry.Commands = append(registry.Commands, registry.CliCommand{
+		Mode:    []entities.EngineMode{entities.ABIMode},
+		Command: unshareCommand,
+	})
+	flags := unshareCommand.Flags()
+	flags.SetInterspersed(false)
+}
+
+func unshare(cmd *cobra.Command, args []string) error {
+	if isRootless := rootless.IsRootless(); !isRootless {
+		return errors.Errorf("please use unshare with rootless")
+	}
+	// exec the specified command, if there is one
+	if len(args) < 1 {
+		// try to exec the shell, if one's set
+		shell, shellSet := os.LookupEnv("SHELL")
+		if !shellSet {
+			return errors.Errorf("no command specified and no $SHELL specified")
+		}
+		args = []string{shell}
+	}
+
+	return registry.ContainerEngine().Unshare(registry.Context(), args)
+}
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@ -71,6 +71,7 @@ type ContainerEngine interface {
 	SetupRootless(ctx context.Context, cmd *cobra.Command) error
 	Shutdown(ctx context.Context)
 	SystemDf(ctx context.Context, options SystemDfOptions) (*SystemDfReport, error)
+	Unshare(ctx context.Context, args []string) error
 	VarlinkService(ctx context.Context, opts ServiceOptions) error
 	VolumeCreate(ctx context.Context, opts VolumeCreateOptions) (*IdOrNameResponse, error)
 	VolumeInspect(ctx context.Context, namesOrIds []string, opts VolumeInspectOptions) ([]*VolumeInspectReport, error)
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strconv"
 	"syscall"
@ -391,3 +392,18 @@ func (s SystemEngine) Shutdown(ctx context.Context) {
 		logrus.Error(err)
 	}
 }
+
+func unshareEnv(graphroot, runroot string) []string {
+	return append(os.Environ(), "_CONTAINERS_USERNS_CONFIGURED=done",
+		fmt.Sprintf("CONTAINERS_GRAPHROOT=%s", graphroot),
+		fmt.Sprintf("CONTAINERS_RUNROOT=%s", runroot))
+}
+
+func (ic *ContainerEngine) Unshare(ctx context.Context, args []string) error {
+	cmd := exec.Command(args[0], args[1:]...)
+	cmd.Env = unshareEnv(ic.Libpod.StorageConfig().GraphRoot, ic.Libpod.StorageConfig().RunRoot)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
--- a/pkg/domain/infra/tunnel/system.go
+++ b/pkg/domain/infra/tunnel/system.go
@ -30,3 +30,7 @@ func (ic *ContainerEngine) SystemPrune(ctx context.Context, options entities.Sys
 func (ic *ContainerEngine) SystemDf(ctx context.Context, options entities.SystemDfOptions) (*entities.SystemDfReport, error) {
 	panic(errors.New("system df is not supported on remote clients"))
 }
+
+func (ic *ContainerEngine) Unshare(ctx context.Context, args []string) error {
+	return errors.New("unshare is not supported on remote clients")
+}