From 7f439379e87b732339dc787ac7ed9200f3950d70 Mon Sep 17 00:00:00 2001 From: Eduardo Vega Date: Wed, 18 Nov 2020 08:50:53 -0600 Subject: [PATCH] Add U volume flag to chown source volumes Signed-off-by: Eduardo Vega --- docs/buildah-bud.md | 13 ++++++++++++- docs/buildah-from.md | 13 ++++++++++++- docs/buildah-run.md | 13 +++++++++++++ pkg/parse/parse.go | 7 ++++++- run_linux.go | 11 ++++++++++- tests/bud.bats | 30 ++++++++++++++++++++++++++++++ 6 files changed, 83 insertions(+), 4 deletions(-) diff --git a/docs/buildah-bud.md b/docs/buildah-bud.md index f7a7223902e..7cf5d27eef5 100644 --- a/docs/buildah-bud.md +++ b/docs/buildah-bud.md @@ -575,6 +575,7 @@ process. container. The `OPTIONS` are a comma delimited list and can be: [[1]](#Footnote1) * [rw|ro] + * [U] * [z|Z|O] * [`[r]shared`|`[r]slave`|`[r]private`] @@ -587,10 +588,18 @@ and bind mounts that into the container. You can specify multiple **-v** options to mount one or more mounts to a container. + `Write Protected Volume Mounts` + You can add the `:ro` or `:rw` suffix to a volume to mount it read-only or read-write mode, respectively. By default, the volumes are mounted read-write. See examples. + `Chowning Volume Mounts` + +By default buildah does not change the owner and group of source volume directories mounted into containers. If a container is created in a new user namespace, the UID and GID in the container may correspond to another UID and GID on the host. + +The `:U` suffix tells buildah to use the correct host UID and GID based on the UID and GID within the container, to change the owner and group of the source volume. + `Labeling Volume Mounts` Labeling systems like SELinux require that proper labels are placed on volume 
@@ -616,7 +625,7 @@ Only the current container can use a private volume. Note: - - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label. + - The `O` flag is not allowed to be specified with the `Z`, `z` or `U` flags. Content mounted into the container is labeled with the private label. On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work. - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running. @@ -683,6 +692,8 @@ buildah bud --security-opt label=level:s0:c100,c200 --cgroup-parent /path/to/cgr buildah bud --volume /home/test:/myvol:ro,Z -t imageName . +buildah bud -v /home/test:/myvol:z,U -t imageName . + buildah bud -v /var/lib/dnf:/var/lib/dnf:O -t imageName . buildah bud --layers -t imageName . diff --git a/docs/buildah-from.md b/docs/buildah-from.md index 3fa6c2bd268..e5d8f11185b 100644 --- a/docs/buildah-from.md +++ b/docs/buildah-from.md @@ -449,6 +449,7 @@ process. container. The `OPTIONS` are a comma delimited list and can be: [[1]](#Footnote1) * [rw|ro] + * [U] * [z|Z|O] * [`[r]shared`|`[r]slave`|`[r]private`|`[r]unbindable`] 
@@ -461,10 +462,18 @@ and bind mounts that into the container. You can specify multiple **-v** options to mount one or more mounts to a container. + `Write Protected Volume Mounts` + You can add the `:ro` or `:rw` suffix to a volume to mount it read-only or read-write mode, respectively. By default, the volumes are mounted read-write. See examples. + `Chowning Volume Mounts` + +By default buildah does not change the owner and group of source volume directories mounted into containers. If a container is created in a new user namespace, the UID and GID in the container may correspond to another UID and GID on the host. + +The `:U` suffix tells buildah to use the correct host UID and GID based on the UID and GID within the container, to change the owner and group of the source volume. + `Labeling Volume Mounts` Labeling systems like SELinux require that proper labels are placed on volume @@ -490,7 +499,7 @@ Only the current container can use a private volume. Note: - - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label. + - The `O` flag is not allowed to be specified with the `Z`, `z` or `U` flags. Content mounted into the container is labeled with the private label. On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work. - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running. 
@@ -553,6 +562,8 @@ buildah from --ulimit nofile=1024:1028 --cgroup-parent /path/to/cgroup/parent my buildah from --volume /home/test:/myvol:ro,Z myregistry/myrepository/imagename:imagetag +buildah from -v /home/test:/myvol:z,U myregistry/myrepository/imagename:imagetag + buildah from -v /var/lib/yum:/var/lib/yum:O myregistry/myrepository/imagename:imagetag ## ENVIRONMENT diff --git a/docs/buildah-run.md b/docs/buildah-run.md index 1ef436df830..70328bcddf3 100644 --- a/docs/buildah-run.md +++ b/docs/buildah-run.md @@ -188,6 +188,7 @@ bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Buildah container. The `OPTIONS` are a comma delimited list and can be: [[1]](#Footnote1) * [rw|ro] + * [U] * [z|Z] * [`[r]shared`|`[r]slave`|`[r]private`] @@ -200,10 +201,20 @@ and bind mounts that into the container. You can specify multiple **-v** options to mount one or more mounts to a container. + `Write Protected Volume Mounts` + You can add the `:ro` or `:rw` suffix to a volume to mount it read-only or read-write mode, respectively. By default, the volumes are mounted read-write. See examples. + `Chowning Volume Mounts` + +By default buildah does not change the owner and group of source volume directories mounted into containers. If a container is created in a new user namespace, the UID and GID in the container may correspond to another UID and GID on the host. + +The `:U` suffix tells buildah to use the correct host UID and GID based on the UID and GID within the container, to change the owner and group of the source volume. + + `Labeling Volume Mounts` + Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By 
@@ -270,6 +281,8 @@ buildah run --tty=false containerID ls / buildah run --volume /path/on/host:/path/in/container:ro,z containerID sh +buildah run -v /path/on/host:/path/in/container:z,U containerID sh + buildah run --mount type=bind,src=/tmp/on:host,dst=/in:container,ro containerID sh ## SEE ALSO diff --git a/pkg/parse/parse.go b/pkg/parse/parse.go index fb348b252d8..f96a822feca 100644 --- a/pkg/parse/parse.go +++ b/pkg/parse/parse.go @@ -486,7 +486,7 @@ func ValidateVolumeCtrDir(ctrDir string) error { // ValidateVolumeOpts validates a volume's options func ValidateVolumeOpts(options []string) ([]string, error) { - var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid int + var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid, foundChown int finalOpts := make([]string, 0, len(options)) for _, opt := range options { switch opt { @@ -515,6 +515,11 @@ func ValidateVolumeOpts(options []string) ([]string, error) { if foundLabelChange > 1 { return nil, errors.Errorf("invalid options %q, can only specify 1 'z', 'Z', or 'O' option", strings.Join(options, ", ")) } + case "U": + foundChown++ + if foundChown > 1 { + return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", ")) + } case "private", "rprivate", "shared", "rshared", "slave", "rslave", "unbindable", "runbindable": foundRootPropagation++ if foundRootPropagation > 1 { diff --git a/run_linux.go b/run_linux.go index d907941ede3..bf0e4f06f6d 100644 --- a/run_linux.go +++ b/run_linux.go @@ -1687,7 +1687,7 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, } parseMount := func(mountType, host, container string, options []string) (specs.Mount, error) { - var foundrw, foundro, foundz, foundZ, foundO bool + var foundrw, foundro, foundz, foundZ, foundO, foundU bool var rootProp string for _, opt := range options { switch opt { 
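Review bot: The new `case "U"` in ValidateVolumeOpts only guards against a repeated `U`; it does not reject `U` combined with `O`, although the documentation hunks in this patch state that `O` may not be specified with `Z`, `z` or `U`. In the run_linux.go hunk the overlay branch returns (`return overlayMount, err`) before the `if foundU` block is reached, so `O,U` passes validation here and the `U` is then silently dropped rather than reported. Rejecting the combination at validation time keeps the parser and the documentation in agreement; the rest of the function, including where `finalOpts` is appended, lies outside this hunk.
```go
		case "U":
			foundChown++
			if foundChown > 1 {
				return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", "))
			}
			// 'U' chowns the source tree; with 'O' the mount is an overlay and the
			// chown path is never reached, so reject the combination up front.
			for _, other := range options {
				if other == "O" {
					return nil, errors.Errorf("invalid options %q, 'U' cannot be combined with 'O'", strings.Join(options, ", "))
				}
			}
```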
@@ -1701,6 +1701,8 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, foundZ = true case "O": foundO = true + case "U": + foundU = true case "private", "rprivate", "slave", "rslave", "shared", "rshared": rootProp = opt } @@ -1736,6 +1738,13 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, } return overlayMount, err } + if foundU { + if err := filepath.Walk(host, func(filePath string, f os.FileInfo, err error) error { + return os.Lchown(filePath, rootUID, rootGID) + }); err != nil { + return specs.Mount{}, err + } + } if rootProp == "" { options = append(options, "private") } diff --git a/tests/bud.bats b/tests/bud.bats index ee70c02ecf0..72c3920db18 100644 --- a/tests/bud.bats +++ b/tests/bud.bats 
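Review bot: The WalkFunc in the new `if foundU` block discards the `err` argument that filepath.Walk passes it: when Walk reports a directory it could not read, the callback still calls os.Lchown on that path and returns nil on success, so the directory's contents are skipped without any error surfacing, and when an lstat fails the original cause is replaced by whatever Lchown reports. The callback should begin with `if err != nil { return err }` before the `os.Lchown(filePath, rootUID, rootGID)` call. Since this rewrites the ownership of every entry under a host-supplied source path, the returned error also deserves context, e.g. `errors.Wrapf(err, "changing ownership of volume %q", host)` if pkg/errors is imported in this file as it is in parse.go, plus a short comment stating that the walk deliberately uses Lchown so symlinks are re-owned in place rather than followed outside the tree. rootUID and rootGID appear to come from the enclosing runSetupVolumeMounts, which starts and ends outside this hunk.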
@@ -1573,6 +1573,36 @@ function _test_http() { expect_output --substring "/testdir" } +@test "buidah bud --volume with U flag" { + # Check if we're running in an environment that can even test this. + run readlink /proc/self/ns/user + echo "readlink /proc/self/ns/user -> $output" + [ $status -eq 0 ] || skip "user namespaces not supported" + + # Generate the mappings to use for using a user namespace. + uidbase=$((${RANDOM}+1024)) + gidbase=$((${RANDOM}+1024)) + uidsize=$((${RANDOM}+1024)) + gidsize=$((${RANDOM}+1024)) + + # Create source volume. + mkdir ${TESTDIR}/testdata + touch ${TESTDIR}/testdata/testfile1.txt + + # Create a container that uses that mapping and U volume flag. + _prefetch alpine + run_buildah from --signature-policy ${TESTSDIR}/policy.json --userns-uid-map 0:$uidbase:$uidsize --userns-gid-map 0:$gidbase:$gidsize --volume ${TESTDIR}/testdata:/mnt:z,U alpine + ctr="$output" + + run_buildah run "$ctr" stat -c "%u:%g" /mnt/testfile1.txt + expect_output "0:0" + + run_buildah run "$ctr" touch /mnt/testfile2.txt + + run_buildah run "$ctr" stat -c "%u:%g" /mnt/testfile2.txt + expect_output "0:0" +} + @test "bud-copy-dot with --layers picks up changed file" { _prefetch alpine cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
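Review bot: The host-side effect of `U` is never asserted; both `stat` calls run inside the container, so the test does not show which host UID and GID the source files ended up with. After the `run_buildah from` line, `run stat -c "%u:%g" ${TESTDIR}/testdata/testfile1.txt` followed by `expect_output "$uidbase:$gidbase"` checks directly that the pre-existing file was re-owned to the host IDs that container root maps to. The test name `buidah bud --volume with U flag` has a typo, and the body exercises `buildah from`/`run` rather than `bud`, so the name should say what it actually runs.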