From 8984ba7461edb0850c0a79e975d1ca7ce516a064 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 21 Feb 2019 11:13:12 +0100
Subject: [PATCH 1/2] rootless: force same cwd when re-execing

when joining an existing namespace, we were not maintaining the current working directory, causing commands like export -o to fail when they weren't referring to absolute paths.

Closes: https://github.com/containers/libpod/issues/2381

Signed-off-by: Giuseppe Scrivano
---
 pkg/rootless/rootless_linux.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index acc5d6b2a4..dfbc7fe33f 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -109,6 +109,13 @@ reexec_userns_join (int userns, int mountns)
 char uid[16];
 char **argv;
 int pid;
+ char *cwd = getcwd (NULL, 0);
+
+ if (cwd == NULL)
+ {
+ fprintf (stderr, "error getting current working directory: %s\n", strerror (errno));
+ _exit (EXIT_FAILURE);
+ }
 sprintf (uid, "%d", geteuid ());
@@ -154,6 +161,13 @@ reexec_userns_join (int userns, int mountns)
 _exit (EXIT_FAILURE);
 }
+ if (chdir (cwd) < 0)
+ {
+ fprintf (stderr, "cannot chdir: %s\n", strerror (errno));
+ _exit (EXIT_FAILURE);
+ }
+ free (cwd);
+
 execvp (argv[0], argv);
 _exit (EXIT_FAILURE);
@@ -190,6 +204,13 @@ reexec_in_user_namespace (int ready)
 char *listen_fds = NULL;
 char *listen_pid = NULL;
 bool do_socket_activation = false;
+ char *cwd = getcwd (NULL, 0);
+
+ if (cwd == NULL)
+ {
+ fprintf (stderr, "error getting current working directory: %s\n", strerror (errno));
+ _exit (EXIT_FAILURE);
+ }
 listen_pid = getenv("LISTEN_PID");
 listen_fds = getenv("LISTEN_FDS");
@@ -265,6 +286,13 @@ reexec_in_user_namespace (int ready)
 _exit (EXIT_FAILURE);
 }
+ if (chdir (cwd) < 0)
+ {
+ fprintf (stderr, "cannot chdir: %s\n", strerror (errno));
+ _exit (EXIT_FAILURE);
+ }
+ free (cwd);
+
 execvp (argv[0], argv);
 _exit (EXIT_FAILURE);
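Review bot: The `cwd` buffer that `getcwd (NULL, 0)` allocates at the top of reexec_userns_join is freed only on the exec path added further down; if the parent side of the fork returns from this function (its body continues outside the hunk), that path never releases it, so a `free (cwd)` belongs on the parent's return as well. Since `getcwd (NULL, 0)` relies on the glibc behaviour of allocating the buffer for the caller, a one-line comment such as `/* glibc extension: getcwd allocates a buffer of the required size */` would stop a later reader from 'fixing' it into a fixed-size array. Note also that a getcwd failure now terminates the whole process with _exit before any namespace work has begun, which is stricter than before, when the directory was simply not carried over. The hunk at @@ -190 in reexec_in_user_namespace has the same shape and the same points apply.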
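Review bot: The `cannot chdir` message in the hunk at @@ -154 does not name the directory, and because the chdir runs in the child just before execvp — presumably after the target mount namespace has been entered — a cwd that does not resolve inside that namespace now aborts the re-exec with no indication of which path was involved. `fprintf (stderr, "cannot chdir to %s: %s\n", cwd, strerror (errno));` makes the failure actionable. A comment stating the intent would also help, e.g. `/* re-enter the caller's cwd inside the joined namespace so relative paths on the command line keep working */`. The hunk at @@ -265 in reexec_in_user_namespace uses the same message.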
From 7e920e486512d350faa43306d2cda12fdad887e1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 21 Feb 2019 11:27:34 +0100
Subject: [PATCH 2/2] tests, rootless: use relative path for export test

Signed-off-by: Giuseppe Scrivano
---
 test/e2e/libpod_suite_test.go | 4 ++--
 test/e2e/rootless_test.go | 45 +++++++++++++++++------------------
 test/utils/podmantest_test.go | 2 +-
 test/utils/utils.go | 12 ++++++----
 4 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index 4b4baa93c8..33e05b8729 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -28,8 +28,8 @@ func (p *PodmanTestIntegration) Podman(args []string) *PodmanSessionIntegration
 }
 // PodmanAsUser is the exec call to podman on the filesystem with the specified uid/gid and environment
-func (p *PodmanTestIntegration) PodmanAsUser(args []string, uid, gid uint32, env []string) *PodmanSessionIntegration {
- podmanSession := p.PodmanAsUserBase(args, uid, gid, env)
+func (p *PodmanTestIntegration) PodmanAsUser(args []string, uid, gid uint32, cwd string, env []string) *PodmanSessionIntegration {
+ podmanSession := p.PodmanAsUserBase(args, uid, gid, cwd, env)
 return &PodmanSessionIntegration{podmanSession}
 }
diff --git a/test/e2e/rootless_test.go b/test/e2e/rootless_test.go
index 2b84d34c93..aa8ed6faa7 100644
--- a/test/e2e/rootless_test.go
+++ b/test/e2e/rootless_test.go
@@ -60,7 +60,7 @@ var _ = Describe("Podman rootless", func() {
 for _, v := range commands {
 env := os.Environ()
 env = append(env, "USER=foo")
- cmd := podmanTest.PodmanAsUser([]string{v}, 1000, 1000, env)
+ cmd := podmanTest.PodmanAsUser([]string{v}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 }
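Review bot: The doc comment above PodmanAsUser in libpod_suite_test.go still describes the helper as taking "the specified uid/gid and environment" although the signature now also carries `cwd`, and nothing says what passing the empty string means. Suggest `// PodmanAsUser is the exec call to podman on the filesystem with the specified uid/gid, working directory ("" keeps the caller's) and environment`. The rootless_test.go hunk at @@ -60 only threads the new argument through and needs nothing.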
@@ -128,13 +128,13 @@ var _ = Describe("Podman rootless", func() {
 env = append(env, "PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS=1")
 env = append(env, "USER=foo")
- cmd := rootlessTest.PodmanAsUser([]string{"pod", "create", "--infra=false"}, 1000, 1000, env)
+ cmd := rootlessTest.PodmanAsUser([]string{"pod", "create", "--infra=false"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 podId := cmd.OutputToString()
 args := []string{"run", "--pod", podId, "--rootfs", mountPath, "echo", "hello"}
- cmd = rootlessTest.PodmanAsUser(args, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser(args, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 Expect(cmd.LineInOutputContains("hello")).To(BeTrue())
@@ -158,7 +158,7 @@ var _ = Describe("Podman rootless", func() {
 env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", xdgRuntimeDir))
 env = append(env, fmt.Sprintf("HOME=%s", home))
 env = append(env, "USER=foo")
- cmd := podmanTest.PodmanAsUser([]string{"search", "docker.io/busybox"}, 1000, 1000, env)
+ cmd := podmanTest.PodmanAsUser([]string{"search", "docker.io/busybox"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 })
@@ -175,65 +175,65 @@ var _ = Describe("Podman rootless", func() {
 allArgs := append([]string{"run"}, args...)
 allArgs = append(allArgs, "--rootfs", mountPath, "echo", "hello")
- cmd := rootlessTest.PodmanAsUser(allArgs, 1000, 1000, env)
+ cmd := rootlessTest.PodmanAsUser(allArgs, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 Expect(cmd.LineInOutputContains("hello")).To(BeTrue())
- cmd = rootlessTest.PodmanAsUser([]string{"rm", "-l", "-f"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"rm", "-l", "-f"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 allArgs = append([]string{"run", "-d"}, args...)
 allArgs = append(allArgs, "--security-opt", "seccomp=unconfined", "--rootfs", mountPath, "top")
- cmd = rootlessTest.PodmanAsUser(allArgs, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser(allArgs, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- cmd = rootlessTest.PodmanAsUser([]string{"restart", "-l", "-t", "0"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"restart", "-l", "-t", "0"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 canUseExec := canExec()
 if canUseExec {
- cmd = rootlessTest.PodmanAsUser([]string{"top", "-l"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"top", "-l"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 }
- cmd = rootlessTest.PodmanAsUser([]string{"rm", "-l", "-f"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"rm", "-l", "-f"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 allArgs = append([]string{"run", "-d"}, args...)
 allArgs = append(allArgs, "--security-opt", "seccomp=unconfined", "--rootfs", mountPath, "unshare", "-r", "unshare", "-r", "top")
- cmd = rootlessTest.PodmanAsUser(allArgs, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser(allArgs, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- cmd = rootlessTest.PodmanAsUser([]string{"stop", "-l", "-t", "0"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"stop", "-l", "-t", "0"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- cmd = rootlessTest.PodmanAsUser([]string{"inspect", "-l", "--type", "container", "--format", "{{ .State.Status }}"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"inspect", "-l", "--type", "container", "--format", "{{ .State.Status }}"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.LineInOutputContains("exited")).To(BeTrue())
- cmd = rootlessTest.PodmanAsUser([]string{"start", "-l"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"start", "-l"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- cmd = rootlessTest.PodmanAsUser([]string{"stop", "-l", "-t", "0"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"stop", "-l", "-t", "0"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- cmd = rootlessTest.PodmanAsUser([]string{"start", "-l"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"start", "-l"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 if len(args) == 0 {
- cmd = rootlessTest.PodmanAsUser([]string{"inspect", "-l"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"inspect", "-l"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 data := cmd.InspectContainerToJSON()
@@ -244,24 +244,23 @@ var _ = Describe("Podman rootless", func() {
 Skip("ioctl(NS_GET_PARENT) not supported.")
 }
- cmd = rootlessTest.PodmanAsUser([]string{"exec", "-l", "echo", "hello"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"exec", "-l", "echo", "hello"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 Expect(cmd.LineInOutputContains("hello")).To(BeTrue())
- cmd = rootlessTest.PodmanAsUser([]string{"ps", "-l", "-q"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"ps", "-l", "-q"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
 cid := cmd.OutputToString()
- cmd = rootlessTest.PodmanAsUser([]string{"exec", "-l", "sh", "-c", "echo SeCreTMessage > /file"}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"exec", "-l", "sh", "-c", "echo SeCreTMessage > /file"}, 1000, 1000, "", env)
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.ExitCode()).To(Equal(0))
- path := filepath.Join(home, "export.tar")
- cmd = rootlessTest.PodmanAsUser([]string{"export", "-o", path, cid}, 1000, 1000, env)
+ cmd = rootlessTest.PodmanAsUser([]string{"export", "-o", "export.tar", cid}, 1000, 1000, home, env)
 cmd.WaitWithDefaultTimeout()
- content, err := ioutil.ReadFile(path)
+ content, err := ioutil.ReadFile(filepath.Join(home, "export.tar"))
 Expect(err).To(BeNil())
 Expect(strings.Contains(string(content), "SeCreTMessage")).To(BeTrue())
 }
diff --git a/test/utils/podmantest_test.go b/test/utils/podmantest_test.go
index 60e3e2a973..28f294a947 100644
--- a/test/utils/podmantest_test.go
+++ b/test/utils/podmantest_test.go
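Review bot: The rewritten export call in this hunk still has no exit-code assertion: after `cmd.WaitWithDefaultTimeout()` the test goes straight to reading `export.tar` from `home`, so if the relative `-o` path is not honoured by the rootless re-exec the failure surfaces as an opaque ReadFile error instead of podman's own message. Add `Expect(cmd.ExitCode()).To(Equal(0))` before the ReadFile, matching every other call in this test. Since the point of passing `home` as the working directory is that the tarball must land in cwd, a one-line comment such as `// export with a relative -o path: the file must end up in cwd (home), which the rootless re-exec has to preserve` records why this call differs from the others.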
@@ -23,7 +23,7 @@ var _ = Describe("PodmanTest test", func() {
 FakeOutputs["check"] = []string{"check"}
 os.Setenv("HOOK_OPTION", "hook_option")
 env := os.Environ()
- session := podmanTest.PodmanAsUserBase([]string{"check"}, 1000, 1000, env)
+ session := podmanTest.PodmanAsUserBase([]string{"check"}, 1000, 1000, "", env)
 os.Unsetenv("HOOK_OPTION")
 session.WaitWithDefaultTimeout()
 Expect(session.Command.Process).ShouldNot(BeNil())
diff --git a/test/utils/utils.go b/test/utils/utils.go
index aace018cdb..098779321e 100644
--- a/test/utils/utils.go
+++ b/test/utils/utils.go
@@ -61,7 +61,7 @@ func (p *PodmanTest) MakeOptions(args []string) []string {
 // PodmanAsUserBase exec podman as user. uid and gid is set for credentials useage. env is used
 // to record the env for debugging
-func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, env []string) *PodmanSession {
+func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, cwd string, env []string) *PodmanSession {
 var command *exec.Cmd
 podmanOptions := p.MakeOptions(args)
 podmanBinary := p.PodmanBinary
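Review bot: The doc comment for PodmanAsUserBase in the utils.go hunk at @@ -61 was not updated for the new `cwd` parameter, so a reader has to open the body (which continues outside this hunk) to learn that it is the working directory of the spawned podman process and that the empty string leaves it unchanged. Suggest appending `// cwd, when non-empty, is the working directory the podman process is started in.` to the existing comment. The podmantest_test.go hunk above only threads the new argument through and needs nothing.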
@@ -74,14 +74,18 @@ func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, env []stri
 fmt.Printf("Running: (env: %v) %s %s\n", env, podmanBinary, strings.Join(podmanOptions, " "))
 }
 if uid != 0 || gid != 0 {
- nsEnterOpts := append([]string{"--userspec", fmt.Sprintf("%d:%d", uid, gid), "/", podmanBinary}, podmanOptions...)
- command = exec.Command("chroot", nsEnterOpts...)
+ pythonCmd := fmt.Sprintf("import os; import sys; uid = %d; gid = %d; cwd = '%s'; os.setgid(gid); os.setuid(uid); os.chdir(cwd) if len(cwd)>0 else True; os.execv(sys.argv[1], sys.argv[1:])", gid, uid, cwd)
+ nsEnterOpts := append([]string{"-c", pythonCmd, podmanBinary}, podmanOptions...)
+ command = exec.Command("python", nsEnterOpts...)
 } else {
 command = exec.Command(podmanBinary, podmanOptions...)
 }
 if env != nil {
 command.Env = env
 }
+ if cwd != "" {
+ command.Dir = cwd
+ }
 session, err := gexec.Start(command, GinkgoWriter, GinkgoWriter)
 if err != nil {
@@ -92,7 +96,7 @@ func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, env []stri
 // PodmanBase exec podman with default env.
 func (p *PodmanTest) PodmanBase(args []string) *PodmanSession {
- return p.PodmanAsUserBase(args, 0, 0, nil)
+ return p.PodmanAsUserBase(args, 0, 0, "", nil)
 }
 // WaitForContainer waits on a started container
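Review bot: The `fmt.Sprintf` that builds `pythonCmd` passes its arguments as `gid, uid, cwd` while the template reads `uid = %d; gid = %d`, so the two ids are swapped; every current caller passes 1000/1000, which is why the tests do not notice. The same line splices `cwd` into Python source inside single quotes, so a directory name containing a quote or backslash changes the program rather than the path — and the interpolation is unnecessary, because the `command.Dir = cwd` added below already starts the interpreter in that directory. The script also drops only the primary ids: the `chroot --userspec` it replaces, as far as I recall, reset supplementary groups, whereas `os.setgid`/`os.setuid` leave the root caller's supplementary groups attached to the rootless podman under test, so `os.setgroups([])` belongs before `os.setgid`. One line covers all three: `pythonCmd := fmt.Sprintf("import os; import sys; os.setgroups([]); os.setgid(%d); os.setuid(%d); os.execv(sys.argv[1], sys.argv[1:])", gid, uid)`. The bare `python` interpreter name also deserves a comment or a `python3` fallback, since many hosts no longer ship an unversioned `python`; PodmanAsUserBase starts before and ends after this hunk.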