opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-20 00:51:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12870 from rhatdan/userns1

Browse Source 
Use PODMAN_USERNS environment variable when running as a service
This commit is contained in:
OpenShift Merge Robot
2022-01-18 06:08:06 -05:00
committed by GitHub
parent 02502e2c14 10d969ff1a
commit d0eb24bae0
4 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
libpod/container_inspect.go
View File

@ -9,6 +9,7 @@ import (
"github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/libpod/driver" "github.com/containers/podman/v3/libpod/driver"
"github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage/types"
units "github.com/docker/go-units" units "github.com/docker/go-units"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
@ -403,6 +404,17 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
return ctrConfig return ctrConfig
} }
func generateIDMappings(idMappings types.IDMappingOptions) *define.InspectIDMappings {
var inspectMappings define.InspectIDMappings
for _, uid := range idMappings.UIDMap {
inspectMappings.UIDMap = append(inspectMappings.UIDMap, fmt.Sprintf("%d:%d:%d", uid.ContainerID, uid.HostID, uid.Size))
}
for _, gid := range idMappings.GIDMap {
inspectMappings.GIDMap = append(inspectMappings.GIDMap, fmt.Sprintf("%d:%d:%d", gid.ContainerID, gid.HostID, gid.Size))
}
return &inspectMappings
}
// Generate the InspectContainerHostConfig struct for the HostConfig field of // Generate the InspectContainerHostConfig struct for the HostConfig field of
// Inspect. // Inspect.
func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, namedVolumes []*ContainerNamedVolume, mounts []spec.Mount) (*define.InspectContainerHostConfig, error) { func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, namedVolumes []*ContainerNamedVolume, mounts []spec.Mount) (*define.InspectContainerHostConfig, error) {
@ -815,7 +827,9 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
} }
} }
hostConfig.UsernsMode = usernsMode hostConfig.UsernsMode = usernsMode
if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {
hostConfig.IDMappings = generateIDMappings(c.config.IDMappings)
}
// Devices // Devices
// Do not include if privileged - assumed that all devices will be // Do not include if privileged - assumed that all devices will be
// included. // included.

8
libpod/define/container_inspect.go
View File

@ -6,6 +6,11 @@ import (
"github.com/containers/image/v5/manifest" "github.com/containers/image/v5/manifest"
) )
type InspectIDMappings struct {
UIDMap []string `json:"UidMap"`
GIDMap []string `json:"GidMap"`
}
// InspectContainerConfig holds further data about how a container was initially // InspectContainerConfig holds further data about how a container was initially
// configured. // configured.
type InspectContainerConfig struct { type InspectContainerConfig struct {
@ -401,7 +406,10 @@ type InspectContainerHostConfig struct {
// TODO Rootless has an additional 'keep-id' option, presently not // TODO Rootless has an additional 'keep-id' option, presently not
// reflected here. // reflected here.
UsernsMode string `json:"UsernsMode"` UsernsMode string `json:"UsernsMode"`
// IDMappings is the UIDMapping and GIDMapping used within the container
IDMappings *InspectIDMappings `json:"IDMappings,omitempty"`
// ShmSize is the size of the container's SHM device. // ShmSize is the size of the container's SHM device.
ShmSize int64 `json:"ShmSize"` ShmSize int64 `json:"ShmSize"`
// Runtime is provided purely for Docker compatibility. // Runtime is provided purely for Docker compatibility.
// It is set unconditionally to "oci" as Podman does not presently // It is set unconditionally to "oci" as Podman does not presently

8
pkg/specgenutil/specgen.go
View File

@ -206,9 +206,13 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
return err return err
} }
} }
// userns must be treated differently userns := os.Getenv("PODMAN_USERNS")
if c.UserNS != "" { if c.UserNS != "" {
s.UserNS, err = specgen.ParseUserNamespace(c.UserNS) userns = c.UserNS
}
// userns must be treated differently
if userns != "" {
s.UserNS, err = specgen.ParseUserNamespace(userns)
if err != nil { if err != nil {
return err return err
} }

29
test/e2e/run_userns_test.go
View File

@ -301,5 +301,34 @@ var _ = Describe("Podman UserNS support", func() {
Expect(inspectGID).Should(Exit(0)) Expect(inspectGID).Should(Exit(0))
Expect(inspectGID.OutputToString()).To(Equal(tt.gid)) Expect(inspectGID.OutputToString()).To(Equal(tt.gid))
} }
})
It("podman PODMAN_USERNS", func() {
SkipIfNotRootless("keep-id only works in rootless mode")
podmanUserns, podmanUserusSet := os.LookupEnv("PODMAN_USERNS")
os.Setenv("PODMAN_USERNS", "keep-id")
defer func() {
if podmanUserusSet {
os.Setenv("PODMAN_USERNS", podmanUserns)
} else {
os.Unsetenv("PODMAN_USERNS")
}
}()
if IsRemote() {
podmanTest.RestartRemoteService()
}
result := podmanTest.Podman([]string{"create", ALPINE, "true"})
result.WaitWithDefaultTimeout()
Expect(result).Should(Exit(0))
inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.IDMappings }}", result.OutputToString()})
inspect.WaitWithDefaultTimeout()
Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))
if IsRemote() {
podmanTest.RestartRemoteService()
}
}) })
}) })