Merge pull request #16318 from giuseppe/fix-keep-id-with-one-mapping

rootless: support keep-id with one mapping

pkg/rootless/rootless_linux.go

@@ -193,7 +193,7 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
 }
 
 // GetConfiguredMappings returns the additional IDs configured for the current user.
-func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
+func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error) {
 	var uids, gids []idtools.IDMap
 	username := os.Getenv("USER")
 	if username == "" {
@@ -211,7 +211,7 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
 	mappings, err := idtools.NewIDMappings(username, username)
 	if err != nil {
 		logLevel := logrus.ErrorLevel
-		if os.Geteuid() == 0 && GetRootlessUID() == 0 {
+		if quiet || (os.Geteuid() == 0 && GetRootlessUID() == 0) {
 			logLevel = logrus.DebugLevel
 		}
 		logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err)
@@ -317,7 +317,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
 		return false, -1, fmt.Errorf("cannot re-exec process")
 	}
 
-	uids, gids, err := GetConfiguredMappings()
+	uids, gids, err := GetConfiguredMappings(false)
 	if err != nil {
 		return false, -1, err
 	}
@@ -592,7 +592,7 @@ func ConfigurationMatches() (bool, error) {
 		return true, nil
 	}
 
-	uids, gids, err := GetConfiguredMappings()
+	uids, gids, err := GetConfiguredMappings(false)
 	if err != nil {
 		return false, err
 	}

pkg/rootless/rootless_unsupported.go

@@ -57,7 +57,7 @@ func ConfigurationMatches() (bool, error) {
 }
 
 // GetConfiguredMappings returns the additional IDs configured for the current user.
-func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
+func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error) {
 	return nil, nil, errors.New("this function is not supported on this os")
 }
 

pkg/util/utils.go

@@ -366,13 +366,11 @@ func GetKeepIDMapping(opts *namespaces.KeepIDUserNsOptions) (*stypes.IDMappingOp
 		gid = int(*opts.GID)
 	}
 
-	uids, gids, err := rootless.GetConfiguredMappings()
+	uids, gids, err := rootless.GetConfiguredMappings(true)
 	if err != nil {
 		return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err)
 	}
-	if len(uids) == 0 || len(gids) == 0 {
-		return nil, -1, -1, fmt.Errorf("keep-id requires additional UIDs or GIDs defined in /etc/subuid and /etc/subgid to function correctly: %w", err)
-	}
+
 	maxUID, maxGID := 0, 0
 	for _, u := range uids {
 		maxUID += u.Size
@@ -383,13 +381,17 @@ func GetKeepIDMapping(opts *namespaces.KeepIDUserNsOptions) (*stypes.IDMappingOp
 
 	options.UIDMap, options.GIDMap = nil, nil
 
-	options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(uid, maxUID)})
+	if len(uids) > 0 {
+		options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(uid, maxUID)})
+	}
 	options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid, HostID: 0, Size: 1})
 	if maxUID > uid {
 		options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid + 1, HostID: uid + 1, Size: maxUID - uid})
 	}
 
-	options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(gid, maxGID)})
+	if len(gids) > 0 {
+		options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(gid, maxGID)})
+	}
 	options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid, HostID: 0, Size: 1})
 	if maxGID > gid {
 		options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid + 1, HostID: gid + 1, Size: maxGID - gid})
@@ -407,7 +409,7 @@ func GetNoMapMapping() (*stypes.IDMappingOptions, int, int, error) {
 		HostUIDMapping: false,
 		HostGIDMapping: false,
 	}
-	uids, gids, err := rootless.GetConfiguredMappings()
+	uids, gids, err := rootless.GetConfiguredMappings(false)
 	if err != nil {
 		return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err)
 	}