opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-26 12:56:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12621 from giuseppe/honor-userns-auto-conf-file

Browse Source 
specgen: honor userns=auto from containers.conf
This commit is contained in:
OpenShift Merge Robot
2021-12-21 14:42:19 +01:00
committed by GitHub
parent 76d32a1eb9 89ee302a9f
commit da7de332b6
2 changed files with 39 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/specgen/generate/container_create.go
View File

@ -9,6 +9,7 @@ import (
cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
"github.com/containers/common/libimage" "github.com/containers/common/libimage"
"github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/pkg/namespaces"
"github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
@ -96,6 +97,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
return nil, nil, nil, err return nil, nil, nil, err
} }
s.UserNS = defaultNS s.UserNS = defaultNS
mappings, err := util.ParseIDMapping(namespaces.UsernsMode(s.UserNS.NSMode), nil, nil, "", "")
if err != nil {
return nil, nil, nil, err
}
s.IDMappings = mappings
} }
if s.NetNS.IsDefault() { if s.NetNS.IsDefault() {
defaultNS, err := GetDefaultNamespaceMode("net", rtc, pod) defaultNS, err := GetDefaultNamespaceMode("net", rtc, pod)

38
test/system/170-run-userns.bats
View File

@ -17,7 +17,7 @@ function _require_crun() {
skip_if_rootless "chroot is not allowed in rootless mode" skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode" skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun _require_crun
run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id run chroot --groups 1234 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
is "$output" ".*65534(nobody)" "Check group leaked into user namespace" is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
} }
@ -25,30 +25,56 @@ function _require_crun() {
skip_if_rootless "chroot is not allowed in rootless mode" skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode" skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun _require_crun
run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id run chroot --groups 1234,5678 / ${PODMAN} run --rm --group-add keep-groups $IMAGE id
is "$output" ".*1234" "Check group leaked into container" is "$output" ".*1234" "Check group leaked into container"
} }
@test "podman --group-add without keep-groups while in a userns" { @test "podman --group-add without keep-groups while in a userns" {
skip_if_rootless "chroot is not allowed in rootless mode" skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode" skip_if_remote "--group-add keep-groups not supported in remote mode"
run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id run chroot --groups 1234,5678 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container" is "$output" ".*457" "Check group leaked into container"
} }
@test "podman --remote --group-add keep-groups " { @test "podman --remote --group-add keep-groups " {
if is_remote; then if is_remote; then
run_podman 125 run --group-add keep-groups $IMAGE id run_podman 125 run --rm --group-add keep-groups $IMAGE id
is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups" is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
fi fi
} }
@test "podman --group-add without keep-groups " { @test "podman --group-add without keep-groups " {
run_podman run --group-add 457 $IMAGE id run_podman run --rm --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container" is "$output" ".*457" "Check group leaked into container"
} }
@test "podman --group-add keep-groups plus added groups " { @test "podman --group-add keep-groups plus added groups " {
run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container" is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
} }
@test "podman userns=auto in config file" {
skip_if_remote "userns=auto is set on the server"
if is_rootless; then
egrep -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
else
egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
fi
cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
[containers]
userns="auto"
EOF
# First make sure a user namespace is created
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman run -d $IMAGE sleep infinity
cid=$output
run_podman inspect --format '{{.HostConfig.UsernsMode}}' $cid
is "$output" "private" "Check that a user namespace was created for the container"
run_podman rm -t 0 -f $cid
# Then check that the main user is not mapped into the user namespace
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
}