

set correct uid/gid on volumes
When setting up the volumes for a container, make sure that new volumes
are created with the correct uid/gid, which we look up from the user set
in the container config.

Fixes: #5698
Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg committed Jun 23, 2020
1 parent bbaba9f commit 407654c
Showing 3 changed files with 48 additions and 3 deletions.
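--- a/libpod/container.go
+++ b/libpod/container.go
@@ -1141,8 +1141,13 @@ func (c *Container) IDMappings() (storage.IDMappingOptions, error) {
 
 // RootUID returns the root user mapping from container
 func (c *Container) RootUID() int {
+return c.findUID(0)
+}
+
+// findUID returns the UID mapping of the specified uid or 0 if it couldn't be found.
+func (c *Container) findUID(uid int) int {
 for _, uidmap := range c.config.IDMappings.UIDMap {
-if uidmap.ContainerID == 0 {
+if uidmap.ContainerID == uid {
 return uidmap.HostID
 }
 }
@@ -1151,8 +1156,13 @@ func (c *Container) RootUID() int {
 
 // RootGID returns the root user mapping from container
 func (c *Container) RootGID() int {
+return c.findGID(0)
+}
+
+// findUID returns the GID mapping of the specified gid or 0 if it couldn't be found.
+func (c *Container) findGID(gid int) int {
 for _, gidmap := range c.config.IDMappings.GIDMap {
-if gidmap.ContainerID == 0 {
+if gidmap.ContainerID == gid {
 return gidmap.HostID
 }
 }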
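Review bot: The doc comment on the new `findGID` is a copy of the one above it and names the wrong function; it should read `// findGID returns the GID mapping of the specified gid or 0 if it couldn't be found.` The pre-existing comment on `RootGID` likewise says "root user mapping" where the group mapping is meant, and `// RootGID returns the root group mapping from container` would match `RootUID`. Both helpers fall through to a return that lies outside the hunk, so the documented 0 fallback cannot be confirmed here; if it is 0, a caller cannot distinguish "mapped to host root" from "ID not present in the mapping", which is worth a sentence in the comment since the result is used as a host owner.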
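--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -8,6 +8,7 @@ import (
 "strings"
 "time"
 
+"github.com/containers/buildah/pkg/chrootuser"
 "github.com/containers/common/pkg/config"
 "github.com/containers/libpod/libpod/define"
 "github.com/containers/libpod/libpod/events"
@@ -308,8 +309,15 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 
 logrus.Debugf("Creating new volume %s for container", vol.Name)
 
+// Get the uid/gid of the container user to create the volume
+// with the correct uid/gid. See github.com/containers/libpod/issues/5698.
+uid, gid, _, err := chrootuser.GetUser(ctr.state.Mountpoint, ctr.config.User)
+if err != nil {
+return nil, errors.Wrapf(err, "error created named volume %q", vol.Name)
+}
+
 // The volume does not exist, so we need to create it.
-volOptions := []VolumeCreateOption{WithVolumeName(vol.Name), WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID())}
+volOptions := []VolumeCreateOption{WithVolumeName(vol.Name), WithVolumeUID(int(uid)), WithVolumeGID(int(gid))}
 if isAnonymous {
 volOptions = append(volOptions, withSetAnon())
 }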
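Review bot: The uid/gid that `chrootuser.GetUser` returns at the new lookup are IDs as the image's passwd/group files define them, yet they go into `WithVolumeUID`/`WithVolumeGID` untranslated, whereas the replaced line used `ctr.RootUID()`/`ctr.RootGID()`, which resolve through `c.config.IDMappings`; the `findUID`/`findGID` helpers this same commit adds in container.go are not called here. If the stored owner is meant to be a host-side ID, a container running in a user namespace should pass `WithVolumeUID(ctr.findUID(int(uid)))` and `WithVolumeGID(ctr.findGID(int(gid)))`; if the stored ID is instead translated when the volume is mounted, a comment saying so would stop the next reader from "fixing" it. The wrapped error text `error created named volume %q` is ungrammatical and names the wrong step; `errors.Wrapf(err, "error looking up user %q for named volume %q", ctr.config.User, vol.Name)` says what failed. The lookup also reads the image-supplied passwd database from `ctr.state.Mountpoint`, and whether the rootfs is mounted at this point cannot be confirmed from the hunk; setupContainer's body begins and ends outside it.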
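--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -238,4 +238,31 @@ var _ = Describe("Podman UserNS support", func() {
 ok, _ := session.GrepString("4998")
 Expect(ok).To(BeTrue())
 })
+
+It("podman --user with volume", func() {
+tests := []struct {
+uid, gid, arg, vol string
+}{
+{"0", "0", "0:0", "vol-0"},
+{"1000", "0", "1000", "vol-1"},
+{"1000", "1000", "1000:1000", "vol-2"},
+}
+
+for _, tt := range tests {
+session := podmanTest.Podman([]string{"run", "-d", "--user", tt.arg, "--mount", "type=volume,src=" + tt.vol + ",dst=/home/user", "alpine", "top"})
+session.WaitWithDefaultTimeout()
+Expect(session.ExitCode()).To(Equal(0))
+
+inspectUID := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{ .UID }}", tt.vol})
+inspectUID.WaitWithDefaultTimeout()
+Expect(inspectUID.ExitCode()).To(Equal(0))
+Expect(inspectUID.OutputToString()).To(Equal(tt.uid))
+
+// Make sure we're defaulting to 0.
+inspectGID := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{ .GID }}", tt.vol})
+inspectGID.WaitWithDefaultTimeout()
+Expect(inspectGID.ExitCode()).To(Equal(0))
+Expect(inspectGID.OutputToString()).To(Equal(tt.gid))
+}
+})
 })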
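Review bot: The comment `// Make sure we're defaulting to 0.` before the GID inspection no longer describes the table it sits in, which expects gid 1000 for the `1000:1000` case; `// The volume GID must follow the group given in --user, falling back to 0 when none is given.` states what the assertion checks. Although this lives in the UserNS suite, every case runs without `--userns` or `--uidmap`, so the ID-mapping translation that the new `findUID`/`findGID` helpers exist for is never exercised; one case under `--userns=keep-id` asserting the host-side owner would pin that path. Each iteration also starts a detached container running `top` and never stops it; presumably the suite's teardown reaps it, but that is worth confirming since three leaked containers would pin the three named volumes.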
