Skip to content

Commit

Permalink
Use PODMAN_USERNS environment variable when running as a service
Browse files Browse the repository at this point in the history
Fixes: #11350 (comment)

Also add inspect information about the idmappings if they exists.

Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
rhatdan committed Jan 17, 2022
1 parent ea2656d commit 10d969f
Show file tree
Hide file tree
Showing 4 changed files with 58 additions and 3 deletions.
16 changes: 15 additions & 1 deletion libpod/container_inspect.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/libpod/driver"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage/types"
units "github.com/docker/go-units"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
Expand Down Expand Up @@ -403,6 +404,17 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
return ctrConfig
}

func generateIDMappings(idMappings types.IDMappingOptions) *define.InspectIDMappings {
var inspectMappings define.InspectIDMappings
for _, uid := range idMappings.UIDMap {
inspectMappings.UIDMap = append(inspectMappings.UIDMap, fmt.Sprintf("%d:%d:%d", uid.ContainerID, uid.HostID, uid.Size))
}
for _, gid := range idMappings.GIDMap {
inspectMappings.GIDMap = append(inspectMappings.GIDMap, fmt.Sprintf("%d:%d:%d", gid.ContainerID, gid.HostID, gid.Size))
}
return &inspectMappings
}

// Generate the InspectContainerHostConfig struct for the HostConfig field of
// Inspect.
func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, namedVolumes []*ContainerNamedVolume, mounts []spec.Mount) (*define.InspectContainerHostConfig, error) {
Expand Down Expand Up @@ -815,7 +827,9 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
}
}
hostConfig.UsernsMode = usernsMode

if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {
hostConfig.IDMappings = generateIDMappings(c.config.IDMappings)
}
// Devices
// Do not include if privileged - assumed that all devices will be
// included.
Expand Down
8 changes: 8 additions & 0 deletions libpod/define/container_inspect.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@ import (
"github.com/containers/image/v5/manifest"
)

type InspectIDMappings struct {
UIDMap []string `json:"UidMap"`
GIDMap []string `json:"GidMap"`
}

// InspectContainerConfig holds further data about how a container was initially
// configured.
type InspectContainerConfig struct {
Expand Down Expand Up @@ -401,7 +406,10 @@ type InspectContainerHostConfig struct {
// TODO Rootless has an additional 'keep-id' option, presently not
// reflected here.
UsernsMode string `json:"UsernsMode"`
// IDMappings is the UIDMapping and GIDMapping used within the container
IDMappings *InspectIDMappings `json:"IDMappings,omitempty"`
// ShmSize is the size of the container's SHM device.

ShmSize int64 `json:"ShmSize"`
// Runtime is provided purely for Docker compatibility.
// It is set unconditionally to "oci" as Podman does not presently
Expand Down
8 changes: 6 additions & 2 deletions pkg/specgenutil/specgen.go
Original file line number Diff line number Diff line change
Expand Up @@ -205,9 +205,13 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
return err
}
}
// userns must be treated differently
userns := os.Getenv("PODMAN_USERNS")
if c.UserNS != "" {
s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
userns = c.UserNS
}
// userns must be treated differently
if userns != "" {
s.UserNS, err = specgen.ParseUserNamespace(userns)
if err != nil {
return err
}
Expand Down
29 changes: 29 additions & 0 deletions test/e2e/run_userns_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -301,5 +301,34 @@ var _ = Describe("Podman UserNS support", func() {
Expect(inspectGID).Should(Exit(0))
Expect(inspectGID.OutputToString()).To(Equal(tt.gid))
}

})
It("podman PODMAN_USERNS", func() {
SkipIfNotRootless("keep-id only works in rootless mode")

podmanUserns, podmanUserusSet := os.LookupEnv("PODMAN_USERNS")
os.Setenv("PODMAN_USERNS", "keep-id")
defer func() {
if podmanUserusSet {
os.Setenv("PODMAN_USERNS", podmanUserns)
} else {
os.Unsetenv("PODMAN_USERNS")
}
}()
if IsRemote() {
podmanTest.RestartRemoteService()
}

result := podmanTest.Podman([]string{"create", ALPINE, "true"})
result.WaitWithDefaultTimeout()
Expect(result).Should(Exit(0))

inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.IDMappings }}", result.OutputToString()})
inspect.WaitWithDefaultTimeout()
Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))

if IsRemote() {
podmanTest.RestartRemoteService()
}
})
})

0 comments on commit 10d969f

Please sign in to comment.