Merge pull request #2604 from giuseppe/allow-single-mappings

rootless: allow single ID mappings
2025-06-20 00:51:16 +08:00 · 2019-03-11 07:30:31 -07:00
parent b33a00ef96 af3e73426a
commit 9b42577c32
3 changed files with 5 additions and 58 deletions
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@ -267,7 +267,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa
 		_, err = cp.Image(ctx, policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions)
 		if err != nil {
 			pullErrors = multierror.Append(pullErrors, err)
-			logrus.Debugf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err)
+			logrus.Errorf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err)
 			if writer != nil {
 				io.WriteString(writer, "Failed\n")
 			}
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@ -11,7 +11,6 @@ import (
 	"os/user"
 	"runtime"
 	"strconv"
-	"strings"
 	"sync"
 	"syscall"
 	"unsafe"
@ -192,22 +191,6 @@ func JoinNSPath(path string) (bool, int, error) {
 	return true, int(ret), nil
 }

-const defaultMinimumMappings = 65536
-
-func getMinimumIDs(p string) int {
-	content, err := ioutil.ReadFile(p)
-	if err != nil {
-		logrus.Debugf("error reading data from %q, use a default value of %d", p, defaultMinimumMappings)
-		return defaultMinimumMappings
-	}
-	ret, err := strconv.Atoi(strings.TrimSuffix(string(content), "\n"))
-	if err != nil {
-		logrus.Debugf("error reading data from %q, use a default value of %d", p, defaultMinimumMappings)
-		return defaultMinimumMappings
-	}
-	return ret + 1
-}
-
 // BecomeRootInUserNS re-exec podman in a new userNS.  It returns whether podman was re-executed
 // into a new user namespace and the return code from the re-executed podman process.
 // If podman was re-executed the caller needs to propagate the error code returned by the child
@ -237,47 +220,18 @@ func BecomeRootInUserNS() (bool, int, error) {
 		return false, -1, errors.Errorf("cannot re-exec process")
 	}

-	allowSingleIDMapping := os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") != ""
-
 	var uids, gids []idtools.IDMap
 	username := os.Getenv("USER")
 	if username == "" {
 		user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
-		if err != nil && !allowSingleIDMapping {
-			if os.IsNotExist(err) {
-				return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
-			}
-			return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set")
-		}
 		if err == nil {
 			username = user.Username
 		}
 	}
 	mappings, err := idtools.NewIDMappings(username, username)
-	if !allowSingleIDMapping {
-		if err != nil {
-			return false, -1, err
-		}
-
-		availableGIDs, availableUIDs := 0, 0
-		for _, i := range mappings.UIDs() {
-			availableUIDs += i.Size
-		}
-
-		minUIDs := getMinimumIDs("/proc/sys/kernel/overflowuid")
-		if availableUIDs < minUIDs {
-			return false, 0, fmt.Errorf("not enough UIDs available for the user, at least %d are needed", minUIDs)
-		}
-
-		for _, i := range mappings.GIDs() {
-			availableGIDs += i.Size
-		}
-		minGIDs := getMinimumIDs("/proc/sys/kernel/overflowgid")
-		if availableGIDs < minGIDs {
-			return false, 0, fmt.Errorf("not enough GIDs available for the user, at least %d are needed", minGIDs)
-		}
-	}
-	if err == nil {
+	if err != nil {
+		logrus.Warnf("cannot find mappings for user %s: %v", username, err)
+	} else {
 		uids = mappings.UIDs()
 		gids = mappings.GIDs()
 	}
@ -285,12 +239,10 @@ func BecomeRootInUserNS() (bool, int, error) {
 	uidsMapped := false
 	if mappings != nil && uids != nil {
 		err := tryMappingTool("newuidmap", pid, os.Getuid(), uids)
-		if !allowSingleIDMapping && err != nil {
-			return false, 0, err
-		}
 		uidsMapped = err == nil
 	}
 	if !uidsMapped {
+		logrus.Warnf("using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids")
 		setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
 		err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666)
 		if err != nil {
@ -307,9 +259,6 @@ func BecomeRootInUserNS() (bool, int, error) {
 	gidsMapped := false
 	if mappings != nil && gids != nil {
 		err := tryMappingTool("newgidmap", pid, os.Getgid(), gids)
-		if !allowSingleIDMapping && err != nil {
-			return false, 0, err
-		}
 		gidsMapped = err == nil
 	}
 	if !gidsMapped {
--- a/test/e2e/rootless_test.go
+++ b/test/e2e/rootless_test.go
@ -126,7 +126,6 @@ var _ = Describe("Podman rootless", func() {
 			env := os.Environ()
 			env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", xdgRuntimeDir))
 			env = append(env, fmt.Sprintf("HOME=%s", home))
-			env = append(env, "PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS=1")
 			env = append(env, "USER=foo")

 			cmd := rootlessTest.PodmanAsUser([]string{"pod", "create", "--infra=false"}, 1000, 1000, "", env)
@ -171,7 +170,6 @@ var _ = Describe("Podman rootless", func() {
 			env := os.Environ()
 			env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", xdgRuntimeDir))
 			env = append(env, fmt.Sprintf("HOME=%s", home))
-			env = append(env, "PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS=1")
 			env = append(env, "USER=foo")

 			allArgs := append([]string{"run"}, args...)