mirror of
				https://github.com/containers/podman.git
				synced 2025-10-26 10:45:26 +08:00 
			
		
		
		
	 0f668aa085
			
		
	
	0f668aa085
	
	
	
		
			
			A container's workdir can be specified via the CLI via `--workdir` and via an image config with the CLI having precedence. Since images have a tendency to specify workdirs without necessarily shipping the paths with the root FS, make sure that Podman creates the workdir. When specified via the CLI, do not create the path, but check for its existence and return a human-friendly error. NOTE: `crun` is performing a similar check that would yield exit code 127. With this change, however, Podman performs the check and yields exit code 126. Since this is specific to `crun`, I do not consider it to be a breaking change of Podman. Fixes: #9040 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
		
			
				
	
	
		
			167 lines
		
	
	
		
			6.1 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			167 lines
		
	
	
		
			6.1 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| package libpod
 | |
| 
 | |
| import (
 | |
| 	"path/filepath"
 | |
| 	"strings"
 | |
| 
 | |
| 	securejoin "github.com/cyphar/filepath-securejoin"
 | |
| 	"github.com/opencontainers/runtime-spec/specs-go"
 | |
| 	"github.com/pkg/errors"
 | |
| 	"github.com/sirupsen/logrus"
 | |
| )
 | |
| 
 | |
| // resolveContainerPaths resolves the container's mount point and the container
 | |
| // path as specified by the user.  Both may resolve to paths outside of the
 | |
| // container's mount point when the container path hits a volume or bind mount.
 | |
| //
 | |
| // It returns a bool, indicating whether containerPath resolves outside of
 | |
| // mountPoint (e.g., via a mount or volume), the resolved root (e.g., container
 | |
| // mount, bind mount or volume) and the resolved path on the root (absolute to
 | |
| // the host).
 | |
| func (container *Container) resolvePath(mountPoint string, containerPath string) (string, string, error) {
 | |
| 	// Let's first make sure we have a path relative to the mount point.
 | |
| 	pathRelativeToContainerMountPoint := containerPath
 | |
| 	if !filepath.IsAbs(containerPath) {
 | |
| 		// If the containerPath is not absolute, it's relative to the
 | |
| 		// container's working dir.  To be extra careful, let's first
 | |
| 		// join the working dir with "/", and the add the containerPath
 | |
| 		// to it.
 | |
| 		pathRelativeToContainerMountPoint = filepath.Join(filepath.Join("/", container.WorkingDir()), containerPath)
 | |
| 	}
 | |
| 	resolvedPathOnTheContainerMountPoint := filepath.Join(mountPoint, pathRelativeToContainerMountPoint)
 | |
| 	pathRelativeToContainerMountPoint = strings.TrimPrefix(pathRelativeToContainerMountPoint, mountPoint)
 | |
| 	pathRelativeToContainerMountPoint = filepath.Join("/", pathRelativeToContainerMountPoint)
 | |
| 
 | |
| 	// Now we have an "absolute container Path" but not yet resolved on the
 | |
| 	// host (e.g., "/foo/bar/file.txt").  As mentioned above, we need to
 | |
| 	// check if "/foo/bar/file.txt" is on a volume or bind mount.  To do
 | |
| 	// that, we need to walk *down* the paths to the root.  Assuming
 | |
| 	// volume-1 is mounted to "/foo" and volume-2 is mounted to "/foo/bar",
 | |
| 	// we must select "/foo/bar".  Once selected, we need to rebase the
 | |
| 	// remainder (i.e, "/file.txt") on the volume's mount point on the
 | |
| 	// host.  Same applies to bind mounts.
 | |
| 
 | |
| 	searchPath := pathRelativeToContainerMountPoint
 | |
| 	for {
 | |
| 		volume, err := findVolume(container, searchPath)
 | |
| 		if err != nil {
 | |
| 			return "", "", err
 | |
| 		}
 | |
| 		if volume != nil {
 | |
| 			logrus.Debugf("Container path %q resolved to volume %q on path %q", containerPath, volume.Name(), searchPath)
 | |
| 
 | |
| 			// TODO: We really need to force the volume to mount
 | |
| 			// before doing this, but that API is not exposed
 | |
| 			// externally right now and doing so is beyond the scope
 | |
| 			// of this commit.
 | |
| 			mountPoint, err := volume.MountPoint()
 | |
| 			if err != nil {
 | |
| 				return "", "", err
 | |
| 			}
 | |
| 			if mountPoint == "" {
 | |
| 				return "", "", errors.Errorf("volume %s is not mounted, cannot copy into it", volume.Name())
 | |
| 			}
 | |
| 
 | |
| 			// We found a matching volume for searchPath.  We now
 | |
| 			// need to first find the relative path of our input
 | |
| 			// path to the searchPath, and then join it with the
 | |
| 			// volume's mount point.
 | |
| 			pathRelativeToVolume := strings.TrimPrefix(pathRelativeToContainerMountPoint, searchPath)
 | |
| 			absolutePathOnTheVolumeMount, err := securejoin.SecureJoin(mountPoint, pathRelativeToVolume)
 | |
| 			if err != nil {
 | |
| 				return "", "", err
 | |
| 			}
 | |
| 			return mountPoint, absolutePathOnTheVolumeMount, nil
 | |
| 		}
 | |
| 
 | |
| 		if mount := findBindMount(container, searchPath); mount != nil {
 | |
| 			logrus.Debugf("Container path %q resolved to bind mount %q:%q on path %q", containerPath, mount.Source, mount.Destination, searchPath)
 | |
| 			// We found a matching bind mount for searchPath.  We
 | |
| 			// now need to first find the relative path of our
 | |
| 			// input path to the searchPath, and then join it with
 | |
| 			// the source of the bind mount.
 | |
| 			pathRelativeToBindMount := strings.TrimPrefix(pathRelativeToContainerMountPoint, searchPath)
 | |
| 			absolutePathOnTheBindMount, err := securejoin.SecureJoin(mount.Source, pathRelativeToBindMount)
 | |
| 			if err != nil {
 | |
| 				return "", "", err
 | |
| 			}
 | |
| 			return mount.Source, absolutePathOnTheBindMount, nil
 | |
| 
 | |
| 		}
 | |
| 
 | |
| 		if searchPath == "/" {
 | |
| 			// Cannot go beyond "/", so we're done.
 | |
| 			break
 | |
| 		}
 | |
| 
 | |
| 		// Walk *down* the path (e.g., "/foo/bar/x" -> "/foo/bar").
 | |
| 		searchPath = filepath.Dir(searchPath)
 | |
| 	}
 | |
| 
 | |
| 	// No volume, no bind mount but just a normal path on the container.
 | |
| 	return mountPoint, resolvedPathOnTheContainerMountPoint, nil
 | |
| }
 | |
| 
 | |
| // findVolume checks if the specified containerPath matches the destination
 | |
| // path of a Volume.  Returns a matching Volume or nil.
 | |
| func findVolume(c *Container, containerPath string) (*Volume, error) {
 | |
| 	runtime := c.Runtime()
 | |
| 	cleanedContainerPath := filepath.Clean(containerPath)
 | |
| 	for _, vol := range c.Config().NamedVolumes {
 | |
| 		if cleanedContainerPath == filepath.Clean(vol.Dest) {
 | |
| 			return runtime.GetVolume(vol.Name)
 | |
| 		}
 | |
| 	}
 | |
| 	return nil, nil
 | |
| }
 | |
| 
 | |
| // isPathOnVolume returns true if the specified containerPath is a subdir of any
 | |
| // Volume's destination.
 | |
| func isPathOnVolume(c *Container, containerPath string) bool {
 | |
| 	cleanedContainerPath := filepath.Clean(containerPath)
 | |
| 	for _, vol := range c.Config().NamedVolumes {
 | |
| 		if cleanedContainerPath == filepath.Clean(vol.Dest) {
 | |
| 			return true
 | |
| 		}
 | |
| 		for dest := vol.Dest; dest != "/"; dest = filepath.Dir(dest) {
 | |
| 			if cleanedContainerPath == dest {
 | |
| 				return true
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| // findBindMounts checks if the specified containerPath matches the destination
 | |
| // path of a Mount.  Returns a matching Mount or nil.
 | |
| func findBindMount(c *Container, containerPath string) *specs.Mount {
 | |
| 	cleanedPath := filepath.Clean(containerPath)
 | |
| 	for _, m := range c.Config().Spec.Mounts {
 | |
| 		if m.Type != "bind" {
 | |
| 			continue
 | |
| 		}
 | |
| 		if cleanedPath == filepath.Clean(m.Destination) {
 | |
| 			mount := m
 | |
| 			return &mount
 | |
| 		}
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| /// isPathOnBindMount returns true if the specified containerPath is a subdir of any
 | |
| // Mount's destination.
 | |
| func isPathOnBindMount(c *Container, containerPath string) bool {
 | |
| 	cleanedContainerPath := filepath.Clean(containerPath)
 | |
| 	for _, m := range c.Config().Spec.Mounts {
 | |
| 		if cleanedContainerPath == filepath.Clean(m.Destination) {
 | |
| 			return true
 | |
| 		}
 | |
| 		for dest := m.Destination; dest != "/"; dest = filepath.Dir(dest) {
 | |
| 			if cleanedContainerPath == dest {
 | |
| 				return true
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return false
 | |
| }
 |