Merge pull request #2706 from giuseppe/rootless-single-usernamespace

rootless: single user namespace
2025-12-10 07:42:12 +08:00 · 2019-04-04 09:21:09 -07:00
parent 71555a9ea0 72382a12a7
commit 1759eb09e1
29 changed files with 171 additions and 851 deletions
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -3,13 +3,16 @@ package main
 import (
 	"context"
 	"io"
+	"io/ioutil"
 	"log/syslog"
 	"os"
 	"runtime/pprof"
+	"strconv"
 	"strings"
 	"syscall"

 	"github.com/containers/libpod/cmd/podman/cliconfig"
+	"github.com/containers/libpod/cmd/podman/libpodruntime"
 	"github.com/containers/libpod/libpod"
 	_ "github.com/containers/libpod/pkg/hooks/0.1.0"
 	"github.com/containers/libpod/pkg/rootless"
@@ -60,36 +63,6 @@ var mainCommands = []*cobra.Command{
 	systemCommand.Command,
 }

-var cmdsNotRequiringRootless = map[*cobra.Command]bool{
-	_versionCommand: true,
-	_createCommand:  true,
-	_execCommand:    true,
-	_cpCommand:      true,
-	_exportCommand:  true,
-	//// `info` must be executed in an user namespace.
-	//// If this change, please also update libpod.refreshRootless()
-	_loginCommand:      true,
-	_logoutCommand:     true,
-	_mountCommand:      true,
-	_killCommand:       true,
-	_pauseCommand:      true,
-	_podRmCommand:      true,
-	_podKillCommand:    true,
-	_podRestartCommand: true,
-	_podStatsCommand:   true,
-	_podStopCommand:    true,
-	_podTopCommand:     true,
-	_restartCommand:    true,
-	&_psCommand:        true,
-	_rmCommand:         true,
-	_runCommand:        true,
-	_unpauseCommand:    true,
-	_searchCommand:     true,
-	_statsCommand:      true,
-	_stopCommand:       true,
-	_topCommand:        true,
-}
-
 var rootCmd = &cobra.Command{
 	Use:  "podman",
 	Long: "manage pods and images",
@@ -153,18 +126,52 @@ func before(cmd *cobra.Command, args []string) error {
 		logrus.Errorf(err.Error())
 		os.Exit(1)
 	}
-	if rootless.IsRootless() {
-		notRequireRootless := cmdsNotRequiringRootless[cmd]
-		if !notRequireRootless && !strings.HasPrefix(cmd.Use, "help") {
-			became, ret, err := rootless.BecomeRootInUserNS()
-			if err != nil {
-				logrus.Errorf(err.Error())
-				os.Exit(1)
-			}
-			if became {
-				os.Exit(ret)
+	if os.Geteuid() != 0 && cmd != _searchCommand && cmd != _versionCommand && !strings.HasPrefix(cmd.Use, "help") {
+		podmanCmd := cliconfig.PodmanCommand{
+			cmd,
+			args,
+			MainGlobalOpts,
+		}
+		runtime, err := libpodruntime.GetRuntime(&podmanCmd)
+		if err != nil {
+			return errors.Wrapf(err, "could not get runtime")
+		}
+		defer runtime.Shutdown(false)
+
+		ctrs, err := runtime.GetRunningContainers()
+		if err != nil {
+			logrus.Errorf(err.Error())
+			os.Exit(1)
+		}
+		var became bool
+		var ret int
+		if len(ctrs) == 0 {
+			became, ret, err = rootless.BecomeRootInUserNS()
+		} else {
+			for _, ctr := range ctrs {
+				data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+				if err != nil {
+					logrus.Errorf(err.Error())
+					os.Exit(1)
+				}
+				conmonPid, err := strconv.Atoi(string(data))
+				if err != nil {
+					logrus.Errorf(err.Error())
+					os.Exit(1)
+				}
+				became, ret, err = rootless.JoinUserAndMountNS(uint(conmonPid))
+				if err == nil {
+					break
+				}
 			}
 		}
+		if err != nil {
+			logrus.Errorf(err.Error())
+			os.Exit(1)
+		}
+		if became {
+			os.Exit(ret)
+		}
 	}

 	if MainGlobalOpts.Syslog {