Merge pull request #6977 from mheon/fix_6953

Preserve passwd on container restart
2025-06-22 09:58:10 +08:00 · 2020-07-15 14:03:14 -04:00
parent 8704b78a6f 1ad7042a34
commit 38f73db9de
3 changed files with 60 additions and 16 deletions
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -28,7 +28,6 @@ import (
 	securejoin "github.com/cyphar/filepath-securejoin"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@ -1759,32 +1758,40 @@ func (c *Container) postDeleteHooks(ctx context.Context) error {
 	return nil
 }

-// writeStringToRundir copies the provided file to the runtimedir
-func (c *Container) writeStringToRundir(destFile, output string) (string, error) {
+// writeStringToRundir writes the given string to a file with the given name in
+// the container's temporary files directory. The file will be chown'd to the
+// container's root user and have an appropriate SELinux label set.
+// If a file with the same name already exists, it will be deleted and recreated
+// with the new contents.
+// Returns the full path to the new file.
+func (c *Container) writeStringToRundir(destFile, contents string) (string, error) {
 	destFileName := filepath.Join(c.state.RunDir, destFile)

 	if err := os.Remove(destFileName); err != nil && !os.IsNotExist(err) {
 		return "", errors.Wrapf(err, "error removing %s for container %s", destFile, c.ID())
 	}

-	f, err := os.Create(destFileName)
-	if err != nil {
-		return "", errors.Wrapf(err, "unable to create %s", destFileName)
-	}
-	defer f.Close()
-	if err := f.Chown(c.RootUID(), c.RootGID()); err != nil {
+	if err := writeStringToPath(destFileName, contents, c.config.MountLabel, c.RootUID(), c.RootGID()); err != nil {
 		return "", err
 	}

-	if _, err := f.WriteString(output); err != nil {
-		return "", errors.Wrapf(err, "unable to write %s", destFileName)
-	}
-	// Relabel runDirResolv for the container
-	if err := label.Relabel(destFileName, c.config.MountLabel, false); err != nil {
+	return destFileName, nil
+}
+
+// writeStringToStaticDir writes the given string to a file with the given name
+// in the container's permanent files directory. The file will be chown'd to the
+// container's root user and have an appropriate SELinux label set.
+// Unlike writeStringToRundir, will *not* delete and re-create if the file
+// already exists (will instead error).
+// Returns the full path to the new file.
+func (c *Container) writeStringToStaticDir(filename, contents string) (string, error) {
+	destFileName := filepath.Join(c.config.StaticDir, filename)
+
+	if err := writeStringToPath(destFileName, contents, c.config.MountLabel, c.RootUID(), c.RootGID()); err != nil {
 		return "", err
 	}

-	return filepath.Join(c.state.RunDir, destFile), nil
+	return destFileName, nil
 }

 // appendStringToRundir appends the provided string to the runtimedir file
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@ -214,6 +214,9 @@ func (c *Container) getUserOverrides() *lookup.Overrides {
 			}
 		}
 	}
+	if path, ok := c.state.BindMounts["/etc/passwd"]; ok {
+		overrides.ContainerEtcPasswdPath = path
+	}
 	return &overrides
 }

@ -1513,6 +1516,14 @@ func (c *Container) generatePasswd() (string, error) {
 	if !c.config.AddCurrentUserPasswdEntry && c.config.User == "" {
 		return "", nil
 	}
+	if MountExists(c.config.Spec.Mounts, "/etc/passwd") {
+		return "", nil
+	}
+	// Re-use passwd if possible
+	passwdPath := filepath.Join(c.config.StaticDir, "passwd")
+	if _, err := os.Stat(passwdPath); err == nil {
+		return passwdPath, nil
+	}
 	pwd := ""
 	if c.config.User != "" {
 		entry, err := c.generateUserPasswdEntry()
@ -1536,7 +1547,7 @@ func (c *Container) generatePasswd() (string, error) {
 	if err != nil && !os.IsNotExist(err) {
 		return "", errors.Wrapf(err, "unable to read passwd file %s", originPasswdFile)
 	}
-	passwdFile, err := c.writeStringToRundir("passwd", string(orig)+pwd)
+	passwdFile, err := c.writeStringToStaticDir("passwd", string(orig)+pwd)
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to create temporary passwd file")
 	}
--- a/libpod/util.go
+++ b/libpod/util.go
@ -18,6 +18,7 @@ import (
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/fsnotify/fsnotify"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@ -273,3 +274,28 @@ func makeInspectPortBindings(bindings []ocicni.PortMapping) map[string][]define.
 	}
 	return portBindings
 }
+
+// Write a given string to a new file at a given path.
+// Will error if a file with the given name already exists.
+// Will be chown'd to the UID/GID provided and have the provided SELinux label
+// set.
+func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return errors.Wrapf(err, "unable to create %s", path)
+	}
+	defer f.Close()
+	if err := f.Chown(uid, gid); err != nil {
+		return err
+	}
+
+	if _, err := f.WriteString(contents); err != nil {
+		return errors.Wrapf(err, "unable to write %s", path)
+	}
+	// Relabel runDirResolv for the container
+	if err := label.Relabel(path, mountLabel, false); err != nil {
+		return err
+	}
+
+	return nil
+}