Preserve passwd on container restart

We added code to create a `/etc/passwd` file that we bind-mount
into the container in some cases (most notably,
`--userns=keep-id` containers). This, unfortunately, was not
persistent, so user-added users would be dropped on container
restart. Changing where we store the file should fix this.

Further, we want to ensure that lookups of users in the container
use the right /etc/passwd if we replaced it. There was already
logic to do this, but it only worked for user-added mounts; it's
easy enough to alter it to use our mounts as well.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This commit is contained in:
Matthew Heon
2020-07-14 16:20:22 -04:00
parent 60127cf5e8
commit 1ad7042a34
3 changed files with 60 additions and 16 deletions


@ -214,6 +214,9 @@ func (c *Container) getUserOverrides() *lookup.Overrides {
}
}
}
if path, ok := c.state.BindMounts["/etc/passwd"]; ok {
overrides.ContainerEtcPasswdPath = path
}
return &overrides
}
@ -1513,6 +1516,14 @@ func (c *Container) generatePasswd() (string, error) {
if !c.config.AddCurrentUserPasswdEntry && c.config.User == "" {
return "", nil
}
if MountExists(c.config.Spec.Mounts, "/etc/passwd") {
return "", nil
}
// Re-use passwd if possible
passwdPath := filepath.Join(c.config.StaticDir, "passwd")
if _, err := os.Stat(passwdPath); err == nil {
return passwdPath, nil
}
pwd := ""
if c.config.User != "" {
entry, err := c.generateUserPasswdEntry()
@ -1536,7 +1547,7 @@ func (c *Container) generatePasswd() (string, error) {
if err != nil && !os.IsNotExist(err) {
return "", errors.Wrapf(err, "unable to read passwd file %s", originPasswdFile)
}
passwdFile, err := c.writeStringToRundir("passwd", string(orig)+pwd)
passwdFile, err := c.writeStringToStaticDir("passwd", string(orig)+pwd)
if err != nil {
return "", errors.Wrapf(err, "failed to create temporary passwd file")
}
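Review bot: The reuse check in generatePasswd treats any path that os.Stat can resolve as a usable passwd file, so a directory, a socket, or an empty leftover at StaticDir/passwd would be returned and bind-mounted over /etc/passwd; tightening it to `if st, err := os.Stat(passwdPath); err == nil && st.Mode().IsRegular() {` restricts reuse to regular files. Stat errors other than not-exist (for example a permission error on StaticDir) are also silently absorbed by the `err == nil` test and lead to a regeneration attempt that will fail later with a less specific message, so consider surfacing them with `if err != nil && !os.IsNotExist(err) { return "", errors.Wrapf(err, "unable to stat passwd file %s", passwdPath) }`. In the last hunk the error string still reads "failed to create temporary passwd file" although the file now lives in the persistent static dir and is intentionally reused across restarts; `"unable to create passwd file in static dir"` would describe the new behaviour. The body of generatePasswd begins and ends outside these hunks.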