Merge pull request #17577 from giuseppe/idmapping-mounts-always-direct-mapping

libpod: always use direct mapping for idmapped mounts
This commit is contained in:
OpenShift Merge Robot
2023-02-22 14:53:33 +01:00
committed by GitHub
4 changed files with 30 additions and 44 deletions

View File

@ -1525,7 +1525,7 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
mountPoint := c.config.Rootfs
if c.config.RootfsMapping != nil {
uidMappings, gidMappings, err := parseIDMapMountOption(c.config.IDMappings, *c.config.RootfsMapping, false)
uidMappings, gidMappings, err := parseIDMapMountOption(c.config.IDMappings, *c.config.RootfsMapping)
if err != nil {
return "", err
}

View File

@ -94,7 +94,7 @@ func parseOptionIDs(ctrMappings []idtools.IDMap, option string) ([]idtools.IDMap
return ret, nil
}
func parseIDMapMountOption(idMappings stypes.IDMappingOptions, option string, invert bool) ([]spec.LinuxIDMapping, []spec.LinuxIDMapping, error) {
func parseIDMapMountOption(idMappings stypes.IDMappingOptions, option string) ([]spec.LinuxIDMapping, []spec.LinuxIDMapping, error) {
uidMap := idMappings.UIDMap
gidMap := idMappings.GIDMap
if strings.HasPrefix(option, "idmap=") {
@ -121,33 +121,17 @@ func parseIDMapMountOption(idMappings stypes.IDMappingOptions, option string, in
uidMappings := make([]spec.LinuxIDMapping, len(uidMap))
gidMappings := make([]spec.LinuxIDMapping, len(gidMap))
for i, uidmap := range uidMap {
if invert {
uidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(uidmap.ContainerID),
ContainerID: uint32(uidmap.HostID),
Size: uint32(uidmap.Size),
}
} else {
uidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(uidmap.HostID),
ContainerID: uint32(uidmap.ContainerID),
Size: uint32(uidmap.Size),
}
uidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(uidmap.HostID),
ContainerID: uint32(uidmap.ContainerID),
Size: uint32(uidmap.Size),
}
}
for i, gidmap := range gidMap {
if invert {
gidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(gidmap.ContainerID),
ContainerID: uint32(gidmap.HostID),
Size: uint32(gidmap.Size),
}
} else {
gidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(gidmap.HostID),
ContainerID: uint32(gidmap.ContainerID),
Size: uint32(gidmap.Size),
}
gidMappings[i] = spec.LinuxIDMapping{
HostID: uint32(gidmap.HostID),
ContainerID: uint32(gidmap.ContainerID),
Size: uint32(gidmap.Size),
}
}
return uidMappings, gidMappings, nil
@ -323,7 +307,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
for _, o := range m.Options {
if o == "idmap" || strings.HasPrefix(o, "idmap=") {
var err error
m.UIDMappings, m.GIDMappings, err = parseIDMapMountOption(c.config.IDMappings, o, true)
m.UIDMappings, m.GIDMappings, err = parseIDMapMountOption(c.config.IDMappings, o)
if err != nil {
return nil, err
}

View File

@ -90,49 +90,49 @@ func TestParseIDMapMountOption(t *testing.T) {
UIDMap: uidMap,
GIDMap: gidMap,
}
uids, gids, err := parseIDMapMountOption(options, "idmap", true)
uids, gids, err := parseIDMapMountOption(options, "idmap")
assert.Nil(t, err)
assert.Equal(t, len(uids), 1)
assert.Equal(t, len(gids), 1)
assert.Equal(t, uids[0].ContainerID, uint32(1000))
assert.Equal(t, uids[0].HostID, uint32(0))
assert.Equal(t, uids[0].HostID, uint32(1000))
assert.Equal(t, uids[0].ContainerID, uint32(0))
assert.Equal(t, uids[0].Size, uint32(10000))
assert.Equal(t, gids[0].ContainerID, uint32(2000))
assert.Equal(t, gids[0].HostID, uint32(0))
assert.Equal(t, gids[0].HostID, uint32(2000))
assert.Equal(t, gids[0].ContainerID, uint32(0))
assert.Equal(t, gids[0].Size, uint32(10000))
uids, gids, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10", true)
uids, gids, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10")
assert.Nil(t, err)
assert.Equal(t, len(uids), 2)
assert.Equal(t, len(gids), 1)
assert.Equal(t, uids[0].ContainerID, uint32(1))
assert.Equal(t, uids[0].HostID, uint32(0))
assert.Equal(t, uids[0].HostID, uint32(1))
assert.Equal(t, uids[0].ContainerID, uint32(0))
assert.Equal(t, uids[0].Size, uint32(10))
assert.Equal(t, uids[1].ContainerID, uint32(11))
assert.Equal(t, uids[1].HostID, uint32(10))
assert.Equal(t, uids[1].HostID, uint32(11))
assert.Equal(t, uids[1].ContainerID, uint32(10))
assert.Equal(t, uids[1].Size, uint32(10))
assert.Equal(t, gids[0].ContainerID, uint32(3))
assert.Equal(t, gids[0].HostID, uint32(0))
assert.Equal(t, gids[0].HostID, uint32(3))
assert.Equal(t, gids[0].ContainerID, uint32(0))
assert.Equal(t, gids[0].Size, uint32(10))
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10;foobar=bar", true)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10;foobar=bar")
assert.NotNil(t, err)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0-12", true)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0-12")
assert.NotNil(t, err)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0-12--12", true)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0-12--12")
assert.NotNil(t, err)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#-1-12-12", true)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#-1-12-12")
assert.NotNil(t, err)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0--12-0", true)
_, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10#0--12-0")
assert.NotNil(t, err)
}

View File

@ -109,6 +109,8 @@ var _ = Describe("Podman UserNS support", func() {
})
It("podman uidmapping and gidmapping with an idmapped volume", func() {
Skip("it depends on a breaking change in crun: https://github.com/containers/crun/pull/1147")
session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "stat", "-c", "#%u:%g#", "/foo"})
session.WaitWithDefaultTimeout()
if strings.Contains(session.ErrorToString(), "Operation not permitted") {