opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-27 21:50:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16318 from giuseppe/fix-keep-id-with-one-mapping

Browse Source 
rootless: support keep-id with one mapping
This commit is contained in:
OpenShift Merge Robot
2022-10-28 10:02:20 -04:00
committed by GitHub
parent 26e5661c27 83313c547c
commit 67c533b85a
3 changed files with 14 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/rootless/rootless_linux.go
View File

@ -193,7 +193,7 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
} }
// GetConfiguredMappings returns the additional IDs configured for the current user. // GetConfiguredMappings returns the additional IDs configured for the current user.
func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error) {
var uids, gids []idtools.IDMap var uids, gids []idtools.IDMap
username := os.Getenv("USER") username := os.Getenv("USER")
if username == "" { if username == "" {
@ -211,7 +211,7 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
mappings, err := idtools.NewIDMappings(username, username) mappings, err := idtools.NewIDMappings(username, username)
if err != nil { if err != nil {
logLevel := logrus.ErrorLevel logLevel := logrus.ErrorLevel
if os.Geteuid() == 0 && GetRootlessUID() == 0 { if quiet || (os.Geteuid() == 0 && GetRootlessUID() == 0) {
logLevel = logrus.DebugLevel logLevel = logrus.DebugLevel
} }
logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err)
@ -317,7 +317,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
return false, -1, fmt.Errorf("cannot re-exec process") return false, -1, fmt.Errorf("cannot re-exec process")
} }
uids, gids, err := GetConfiguredMappings() uids, gids, err := GetConfiguredMappings(false)
if err != nil { if err != nil {
return false, -1, err return false, -1, err
} }
@ -592,7 +592,7 @@ func ConfigurationMatches() (bool, error) {
return true, nil return true, nil
} }
uids, gids, err := GetConfiguredMappings() uids, gids, err := GetConfiguredMappings(false)
if err != nil { if err != nil {
return false, err return false, err
} }

2
pkg/rootless/rootless_unsupported.go
View File

@ -57,7 +57,7 @@ func ConfigurationMatches() (bool, error) {
} }
// GetConfiguredMappings returns the additional IDs configured for the current user. // GetConfiguredMappings returns the additional IDs configured for the current user.
func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error) {
return nil, nil, errors.New("this function is not supported on this os") return nil, nil, errors.New("this function is not supported on this os")
} }

16
pkg/util/utils.go
View File

@ -366,13 +366,11 @@ func GetKeepIDMapping(opts *namespaces.KeepIDUserNsOptions) (*stypes.IDMappingOp
gid = int(*opts.GID) gid = int(*opts.GID)
} }
uids, gids, err := rootless.GetConfiguredMappings() uids, gids, err := rootless.GetConfiguredMappings(true)
if err != nil { if err != nil {
return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err) return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err)
} }
if len(uids) == 0 || len(gids) == 0 {
return nil, -1, -1, fmt.Errorf("keep-id requires additional UIDs or GIDs defined in /etc/subuid and /etc/subgid to function correctly: %w", err)
}
maxUID, maxGID := 0, 0 maxUID, maxGID := 0, 0
for _, u := range uids { for _, u := range uids {
maxUID += u.Size maxUID += u.Size
@ -383,13 +381,17 @@ func GetKeepIDMapping(opts *namespaces.KeepIDUserNsOptions) (*stypes.IDMappingOp
options.UIDMap, options.GIDMap = nil, nil options.UIDMap, options.GIDMap = nil, nil
options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(uid, maxUID)}) if len(uids) > 0 {
options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(uid, maxUID)})
}
options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid, HostID: 0, Size: 1}) options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid, HostID: 0, Size: 1})
if maxUID > uid { if maxUID > uid {
options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid + 1, HostID: uid + 1, Size: maxUID - uid}) options.UIDMap = append(options.UIDMap, idtools.IDMap{ContainerID: uid + 1, HostID: uid + 1, Size: maxUID - uid})
} }
options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(gid, maxGID)}) if len(gids) > 0 {
options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: 0, HostID: 1, Size: min(gid, maxGID)})
}
options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid, HostID: 0, Size: 1}) options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid, HostID: 0, Size: 1})
if maxGID > gid { if maxGID > gid {
options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid + 1, HostID: gid + 1, Size: maxGID - gid}) options.GIDMap = append(options.GIDMap, idtools.IDMap{ContainerID: gid + 1, HostID: gid + 1, Size: maxGID - gid})
@ -407,7 +409,7 @@ func GetNoMapMapping() (*stypes.IDMappingOptions, int, int, error) {
HostUIDMapping: false, HostUIDMapping: false,
HostGIDMapping: false, HostGIDMapping: false,
} }
uids, gids, err := rootless.GetConfiguredMappings() uids, gids, err := rootless.GetConfiguredMappings(false)
if err != nil { if err != nil {
return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err) return nil, -1, -1, fmt.Errorf("cannot read mappings: %w", err)
} }