Vendor in latest container/storage for devicemapper support

container/storage now supports devicemapper options that allow you to configure it. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #808 Approved by: mheon
2025-12-04 12:17:34 +08:00 · 2018-05-19 04:46:28 -04:00
parent ae7c45968d
commit 926d07d0aa
13 changed files with 142 additions and 18 deletions
--- a/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_linux.go
+++ b/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_linux.go
@@ -7,7 +7,7 @@ import (
 	"path/filepath"

 	"github.com/containers/storage/pkg/mount"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )

@@ -18,10 +18,16 @@ import (
 // Old root is removed after the call to pivot_root so it is no longer available under the new root.
 // This is similar to how libcontainer sets up a container's rootfs
 func chroot(path string) (err error) {
-	// if the engine is running in a user namespace we need to use actual chroot
-	if rsystem.RunningInUserNS() {
+	caps, err := capability.NewPid(0)
+	if err != nil {
+		return err
+	}
+
+	// if the process doesn't have CAP_SYS_ADMIN, but does have CAP_SYS_CHROOT, we need to use the actual chroot
+	if !caps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) && caps.Get(capability.EFFECTIVE, capability.CAP_SYS_CHROOT) {
 		return realChroot(path)
 	}
+
 	if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
 		return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
 	}