mirror of
https://github.com/containers/podman.git
synced 2025-05-31 07:27:13 +08:00
ee11f3bce9
move the logic for joining existing namespaces down to the rootless package. In main_local we still retrieve the list of conmon pid files and use it from the rootless package. In addition, create a temporary user namespace for reading these files, as the unprivileged user might not have enough privileges for reading the conmon pid file, for example when running with a different uidmap and root in the container is different than the rootless user. Closes: https://github.com/containers/libpod/issues/3187 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
51 lines
2.0 KiB
Go
51 lines
2.0 KiB
Go
// +build !linux
|
|
|
|
package rootless
|
|
|
|
import (
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
// IsRootless returns false on all non-linux platforms
|
|
func IsRootless() bool {
|
|
return false
|
|
}
|
|
|
|
// BecomeRootInUserNS re-exec podman in a new userNS. It returns whether podman was re-executed
|
|
// into a new user namespace and the return code from the re-executed podman process.
|
|
// If podman was re-executed the caller needs to propagate the error code returned by the child
|
|
// process. It is a convenience function for BecomeRootInUserNSWithOpts with a default configuration.
|
|
func BecomeRootInUserNS(pausePid string) (bool, int, error) {
|
|
return false, -1, errors.New("this function is not supported on this os")
|
|
}
|
|
|
|
// GetRootlessUID returns the UID of the user in the parent userNS
|
|
func GetRootlessUID() int {
|
|
return -1
|
|
}
|
|
|
|
// GetRootlessGID returns the GID of the user in the parent userNS
|
|
func GetRootlessGID() int {
|
|
return -1
|
|
}
|
|
|
|
// JoinUserAndMountNS re-exec podman in a new userNS and join the user and mount
|
|
// namespace of the specified PID without looking up its parent. Useful to join directly
|
|
// the conmon process. It is a convenience function for JoinUserAndMountNSWithOpts
|
|
// with a default configuration.
|
|
func JoinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
|
|
return false, -1, errors.New("this function is not supported on this os")
|
|
}
|
|
|
|
// TryJoinFromFilePaths attempts to join the namespaces of the pid files in paths.
|
|
// This is useful when there are already running containers and we
|
|
// don't have a pause process yet. We can use the paths to the conmon
|
|
// processes to attempt joining their namespaces.
|
|
// If needNewNamespace is set, the file is read from a temporary user
|
|
// namespace, this is useful for containers that are running with a
|
|
// different uidmap and the unprivileged user has no way to read the
|
|
// file owned by the root in the container.
|
|
func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []string) (bool, int, error) {
|
|
return false, -1, errors.New("this function is not supported on this os")
|
|
}
|