Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add U volume flag to chown source volumes #2805

Merged
merged 1 commit into from
Dec 17, 2020
Merged

Add U volume flag to chown source volumes #2805

merged 1 commit into from
Dec 17, 2020

Conversation

EduardoVega
Copy link
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

It adds the U volume flag to chown source volumes based on the uid, gid within the container.

When a new container is created with a user namespace, we want to get the uid,gid that has been assigned outside the container to chown source volumes. This will isolate the filesystem (source volumes) from other containers (users, groups) since they will be owned by the same user and group within the container.

This is required by podman, so it can parse the U volume flag.
Podman Issue: 7778

How to verify it

There is an integration test to validate this functionality.
Example:

# Create source volume
mkdir -p /var/tmp/foo

# Create container with user namespace and mount volume using U flag
buildah from --userns-uid-map 0:1000:1024 --userns-gid-map 0:1000:1024 --volume /var/tmp/foo:/testdata:z,U --name container-foo alpine

# Ensure owner of the volume is 0:0
buildah run container-foo stat -c "%u:%g" /testdata

# Ensure source volume has been chowned based on user namespace mapping
stat -c "%u:%g" /var/tmp/foo

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

Signed-off-by: Eduardo Vega [email protected]

@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 18, 2020
@TomSweeneyRedHat
Copy link
Member

@EduardoVega thanks for the PR. The tests don't look happy and it looks like you need to rebase.
@giuseppe PTAL

@TomSweeneyRedHat
Copy link
Member

Need man page changes.

@EduardoVega EduardoVega force-pushed the add-U-volume-flag branch 2 times, most recently from 7f43937 to 57e02d2 Compare November 20, 2020 14:16
@EduardoVega
Copy link
Contributor Author

I have updated docs.

rhatdan
rhatdan reviewed Nov 21, 2020
View reviewed changes
run_linux.go Outdated Show resolved Hide resolved
rhatdan
rhatdan reviewed Nov 21, 2020
View reviewed changes
run_linux.go Outdated Show resolved Hide resolved
@rhatdan
Copy link
Member

rhatdan commented Nov 21, 2020

@giuseppe PTAL

@giuseppe
Copy link
Member

LGTM once the comment with --user is addressed

@EduardoVega EduardoVega force-pushed the add-U-volume-flag branch 2 times, most recently from 6b5dad7 to 99b1bef Compare November 29, 2020 23:54
@TomSweeneyRedHat
Copy link
Member

A few doc nits and a rebase is needed. Otherwise LGTM
Thanks @EduardoVega !

@EduardoVega EduardoVega force-pushed the add-U-volume-flag branch 4 times, most recently from 6c8d217 to f87e4cb Compare December 2, 2020 13:16
@TomSweeneyRedHat
Copy link
Member

@EduardoVega thanks for the updates. Hover it looks like you need to rebase and beyond that, it looks like one of the tests flaked and the rebase will hopefully clear that too.

rhatdan
rhatdan approved these changes Dec 3, 2020
View reviewed changes
docs/buildah-bud.md Outdated
@@ -622,7 +631,7 @@ Only the current container can use a private volume.

Note:

- The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
- The `O` flag is not allowed to be specified with the `Z`, `z` or `U` flags. Content mounted into the container is labeled with the private label.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to not allow Overlay options with the U Flag? In SELinux the kernel will prevent this. Might not be a good idea because it will trigger a copy-up, but it might be the case where content is intended to be used for the run of the container temporarily but not written to the host. Of course this would mean the chown would need to happen on each run of the container.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Let me work on this.

Copy link
Contributor Author

@EduardoVega EduardoVega Dec 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently buildah will chown the source volume and then use the processUID and processGID to create the overlay temp dir, would this be the expected behaviour? Initially I tried to chown the overlay temp directory only, in the case of rootless containers the UID/GID were added correctly, but in the case of rootful containers the content of the source volume was never present on the overlay temp dir so the correct UID/GID were never added to sub dirs/files.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you chown the files after the volume is mounted, it should create new INODES in the upper directory with the correct ownership.

Copy link
Contributor Author

@EduardoVega EduardoVega Dec 16, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to work with rootless containers since the volume is mounted using fuse-overlayfs here https://github.com/containers/buildah/blob/master/pkg/overlay/overlay.go#L64, but for containers created by root the overlay volume is mounted by crun using the native overlay type.

If I am not wrong there's no way to specify uid/gid as an option for overlay native mount type. The only way I can see this working is if the real source volume is chown just like volumes without the O flag. So the chown would be permanent but any other operation would be temporary.

run_linux.go Show resolved Hide resolved
@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: EduardoVega, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@EduardoVega EduardoVega force-pushed the add-U-volume-flag branch 2 times, most recently from 40cdbb0 to 54d4857 Compare December 10, 2020 13:18
@rhatdan
Copy link
Member

rhatdan commented Dec 16, 2020

@EduardoVega Please rebase to get past the ubuntu failures.

@rhatdan
Copy link
Member

rhatdan commented Dec 17, 2020

/lgtm
Thanks @EduardoVega

@openshift-merge-robot openshift-merge-robot merged commit 6747061 into containers:master Dec 17, 2020
@EduardoVega EduardoVega deleted the add-U-volume-flag branch December 17, 2020 13:49
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@rhatdan rhatdan rhatdan approved these changes

Assignees

@rhatdan rhatdan

Labels
approved kind/feature Categorizes issue or PR as related to a new feature. lgtm locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@EduardoVega @TomSweeneyRedHat @rhatdan @giuseppe @openshift-ci-robot @openshift-merge-robot