quadlet: do not reject RemapUsers=keep-id as root

This is simply wrong: as of commit de63ad7044, --userns=keep-id is also
allowed as root.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger
2024-10-17 15:42:12 +02:00
parent ada75c0bb8
commit 9c6b1e20a3


@ -782,7 +782,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool, unitsInfoMap map[
return nil, err
}
if err := handleUserMappings(container, ContainerGroup, podman, isUser, true); err != nil {
if err := handleUserMappings(container, ContainerGroup, podman, true); err != nil {
return nil, err
}
@ -1224,7 +1224,7 @@ func ConvertKube(kube *parser.UnitFile, unitsInfoMap map[string]*UnitInfo, isUse
handleLogDriver(kube, KubeGroup, execStart)
handleLogOpt(kube, KubeGroup, execStart)
if err := handleUserMappings(kube, KubeGroup, execStart, isUser, false); err != nil {
if err := handleUserMappings(kube, KubeGroup, execStart, false); err != nil {
return nil, err
}
@ -1613,7 +1613,7 @@ func ConvertPod(podUnit *parser.UnitFile, name string, unitsInfoMap map[string]*
"--replace",
)
if err := handleUserMappings(podUnit, PodGroup, execStartPre, isUser, true); err != nil {
if err := handleUserMappings(podUnit, PodGroup, execStartPre, true); err != nil {
return nil, err
}
@ -1684,7 +1684,7 @@ func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdli
return nil
}
func handleUserMappings(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
func handleUserMappings(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, supportManual bool) error {
mappingsDefined := false
if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
@ -1724,10 +1724,10 @@ func handleUserMappings(unitFile *parser.UnitFile, groupName string, podman *Pod
return nil
}
return handleUserRemap(unitFile, groupName, podman, isUser, supportManual)
return handleUserRemap(unitFile, groupName, podman, supportManual)
}
func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, supportManual bool) error {
uidMaps := unitFile.LookupAllStrv(groupName, KeyRemapUid)
gidMaps := unitFile.LookupAllStrv(groupName, KeyRemapGid)
remapUsers, _ := unitFile.LookupLast(groupName, KeyRemapUsers)
@ -1765,10 +1765,6 @@ func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *Podman
podman.add("--userns", usernsOpts("auto", autoOpts))
case "keep-id":
if !isUser {
return fmt.Errorf("RemapUsers=keep-id is unsupported for system units")
}
keepidOpts := make([]string, 0)
if len(uidMaps) > 0 {
if len(uidMaps) > 1 {
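Review bot: With the `isUser` guard removed, the `case "keep-id":` branch in handleUserRemap accepts system units without any comment recording why, and none of the visible hunks adds a test that pins the new behaviour. I would add a comment above `keepidOpts`, for example `// keep-id is also accepted for system units: podman allows --userns=keep-id as root since de63ad7044`. If it is not already in a part of the commit not shown here, a quadlet test case that converts a system unit with `RemapUsers=keep-id` and checks the emitted `--userns` argument would guard against the rejection being reintroduced. Anyone who relied on the old "unsupported for system units" error to catch a rootful unit with this setting no longer gets it, so the RemapUsers documentation presumably needs the same update. The function body continues past the end of this hunk.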