diff --git a/drivers/aufs/aufs.go b/drivers/aufs/aufs.go index dd5685aca5..f0eb6d2fd5 100644 --- a/drivers/aufs/aufs.go +++ b/drivers/aufs/aufs.go @@ -47,7 +47,7 @@ import ( mountpk "github.com/containers/storage/pkg/mount" "github.com/containers/storage/pkg/parsers" "github.com/containers/storage/pkg/system" - "github.com/opencontainers/runc/libcontainer/userns" + "github.com/containers/storage/pkg/unshare" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" "github.com/vbatts/tar-split/tar/storage" @@ -200,7 +200,7 @@ func supportsAufs() error { // proc/filesystems for when aufs is supported exec.Command("modprobe", "aufs").Run() - if userns.RunningInUserNS() { + if unshare.IsRootless() { return ErrAufsNested } diff --git a/drivers/copy/copy_linux.go b/drivers/copy/copy_linux.go index b92b3b12de..58c0b5daf1 100644 --- a/drivers/copy/copy_linux.go +++ b/drivers/copy/copy_linux.go @@ -27,7 +27,6 @@ import ( "github.com/containers/storage/pkg/pools" "github.com/containers/storage/pkg/system" "github.com/containers/storage/pkg/unshare" - "github.com/opencontainers/runc/libcontainer/userns" "golang.org/x/sys/unix" ) @@ -207,7 +206,7 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error { s.Close() case mode&os.ModeDevice != 0: - if userns.RunningInUserNS() { + if unshare.IsRootless() { // cannot create a device if running in user namespace return nil } diff --git a/drivers/fsdiff.go b/drivers/fsdiff.go index b619317e05..f0e0910043 100644 --- a/drivers/fsdiff.go +++ b/drivers/fsdiff.go @@ -10,7 +10,7 @@ import ( "github.com/containers/storage/pkg/chrootarchive" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/ioutils" - "github.com/opencontainers/runc/libcontainer/userns" + "github.com/containers/storage/pkg/unshare" "github.com/sirupsen/logrus" ) @@ -179,7 +179,7 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id, parent string, options ApplyDiffOpts) } tarOptions := &archive.TarOptions{ - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), IgnoreChownErrors: options.IgnoreChownErrors, ForceMask: forceMask, } diff --git a/drivers/overlay/overlay.go b/drivers/overlay/overlay.go index 986ccf9f4d..8b26eaaacf 100644 --- a/drivers/overlay/overlay.go +++ b/drivers/overlay/overlay.go @@ -34,7 +34,6 @@ import ( units "github.com/docker/go-units" "github.com/hashicorp/go-multierror" digest "github.com/opencontainers/go-digest" - "github.com/opencontainers/runc/libcontainer/userns" "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" @@ -1826,7 +1825,7 @@ func (d *Driver) ApplyDiffWithDiffer(id, parent string, options *graphdriver.App GIDMaps: idMappings.GIDs(), IgnoreChownErrors: d.options.ignoreChownErrors, WhiteoutFormat: d.getWhiteoutFormat(), - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), }) out.Target = applyDir return out, err @@ -1884,7 +1883,7 @@ func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts) IgnoreChownErrors: d.options.ignoreChownErrors, ForceMask: d.options.forceMask, WhiteoutFormat: d.getWhiteoutFormat(), - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), }); err != nil { return 0, err } diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go index c99bf2d240..fc9ca36026 100644 --- a/pkg/archive/archive.go +++ b/pkg/archive/archive.go @@ -25,7 +25,6 @@ import ( "github.com/containers/storage/pkg/system" "github.com/containers/storage/pkg/unshare" gzip "github.com/klauspost/pgzip" - "github.com/opencontainers/runc/libcontainer/userns" "github.com/sirupsen/logrus" "github.com/ulikunitz/xz" ) @@ -1159,7 +1158,7 @@ func (archiver *Archiver) TarUntar(src, dst string) error { GIDMaps: tarMappings.GIDs(), Compression: Uncompressed, CopyPass: true, - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), } archive, err := TarWithOptions(src, options) if err != nil { @@ -1174,7 +1173,7 @@ func (archiver *Archiver) TarUntar(src, dst string) error { UIDMaps: untarMappings.UIDs(), GIDMaps: untarMappings.GIDs(), ChownOpts: archiver.ChownOpts, - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), } return archiver.Untar(archive, dst, options) } @@ -1194,7 +1193,7 @@ func (archiver *Archiver) UntarPath(src, dst string) error { UIDMaps: untarMappings.UIDs(), GIDMaps: untarMappings.GIDs(), ChownOpts: archiver.ChownOpts, - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), } return archiver.Untar(archive, dst, options) } @@ -1294,7 +1293,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) { UIDMaps: archiver.UntarIDMappings.UIDs(), GIDMaps: archiver.UntarIDMappings.GIDs(), ChownOpts: archiver.ChownOpts, - InUserNS: userns.RunningInUserNS(), + InUserNS: unshare.IsRootless(), NoOverwriteDirNonDir: true, } err = archiver.Untar(r, filepath.Dir(dst), options) diff --git a/pkg/archive/archive_freebsd.go b/pkg/archive/archive_freebsd.go index 7c307ffcfe..fe22eb4337 100644 --- a/pkg/archive/archive_freebsd.go +++ b/pkg/archive/archive_freebsd.go @@ -1,3 +1,4 @@ +//go:build freebsd // +build freebsd package archive @@ -11,7 +12,7 @@ import ( "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/system" - "github.com/opencontainers/runc/libcontainer/userns" + "github.com/containers/storage/pkg/unshare" "golang.org/x/sys/unix" ) @@ -87,7 +88,7 @@ func minor(device uint64) uint64 { // handleTarTypeBlockCharFifo is an OS-specific helper function used by // createTarFile to handle the following types of header: Block; Char; Fifo func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error { - if userns.RunningInUserNS() { + if unshare.IsRootless() { // cannot create a device if running in user namespace return nil } diff --git a/pkg/chrootarchive/archive.go b/pkg/chrootarchive/archive.go index 25b36bea29..d66c98b30f 100644 --- a/pkg/chrootarchive/archive.go +++ b/pkg/chrootarchive/archive.go @@ -11,7 +11,7 @@ import ( "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/idtools" - "github.com/opencontainers/runc/libcontainer/userns" + "github.com/containers/storage/pkg/unshare" ) // NewArchiver returns a new Archiver which uses chrootarchive.Untar @@ -66,7 +66,7 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions } if options == nil { options = &archive.TarOptions{} - options.InUserNS = userns.RunningInUserNS() + options.InUserNS = unshare.IsRootless() } if options.ExcludePatterns == nil { options.ExcludePatterns = []string{} diff --git a/pkg/chrootarchive/diff_unix.go b/pkg/chrootarchive/diff_unix.go index 3ebee94969..511c617612 100644 --- a/pkg/chrootarchive/diff_unix.go +++ b/pkg/chrootarchive/diff_unix.go @@ -16,7 +16,7 @@ import ( "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/reexec" "github.com/containers/storage/pkg/system" - "github.com/opencontainers/runc/libcontainer/userns" + "github.com/containers/storage/pkg/unshare" ) type applyLayerResponse struct { @@ -36,7 +36,7 @@ func applyLayer() { runtime.LockOSThread() flag.Parse() - inUserns := userns.RunningInUserNS() + inUserns := unshare.IsRootless() if err := chroot(flag.Arg(0)); err != nil { fatal(err) } @@ -95,7 +95,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions } if options == nil { options = &archive.TarOptions{} - if userns.RunningInUserNS() { + if unshare.IsRootless() { options.InUserNS = true } } @@ -110,7 +110,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions cmd := reexec.Command("storage-applyLayer", dest) cmd.Stdin = layer - cmd.Env = append(cmd.Env, fmt.Sprintf("OPT=%s", data)) + cmd.Env = append(os.Environ(), fmt.Sprintf("OPT=%s", data)) outBuf, errBuf := new(bytes.Buffer), new(bytes.Buffer) cmd.Stdout, cmd.Stderr = outBuf, errBuf diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go deleted file mode 100644 index f6cb98e5e4..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go +++ /dev/null @@ -1,5 +0,0 @@ -package userns - -// RunningInUserNS detects whether we are currently running in a user namespace. -// Originally copied from github.com/lxc/lxd/shared/util.go -var RunningInUserNS = runningInUserNS diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go deleted file mode 100644 index 1e00ab8b50..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go +++ /dev/null @@ -1,16 +0,0 @@ -//go:build gofuzz -// +build gofuzz - -package userns - -import ( - "strings" - - "github.com/opencontainers/runc/libcontainer/user" -) - -func FuzzUIDMap(data []byte) int { - uidmap, _ := user.ParseIDMap(strings.NewReader(string(data))) - _ = uidMapInUserNS(uidmap) - return 1 -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go deleted file mode 100644 index 724e6df012..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go +++ /dev/null @@ -1,37 +0,0 @@ -package userns - -import ( - "sync" - - "github.com/opencontainers/runc/libcontainer/user" -) - -var ( - inUserNS bool - nsOnce sync.Once -) - -// runningInUserNS detects whether we are currently running in a user namespace. -// Originally copied from github.com/lxc/lxd/shared/util.go -func runningInUserNS() bool { - nsOnce.Do(func() { - uidmap, err := user.CurrentProcessUIDMap() - if err != nil { - // This kernel-provided file only exists if user namespaces are supported - return - } - inUserNS = uidMapInUserNS(uidmap) - }) - return inUserNS -} - -func uidMapInUserNS(uidmap []user.IDMap) bool { - /* - * We assume we are in the initial user namespace if we have a full - * range - 4294967295 uids starting at uid 0. - */ - if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 { - return false - } - return true -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go deleted file mode 100644 index f35c13a10e..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go +++ /dev/null @@ -1,18 +0,0 @@ -//go:build !linux -// +build !linux - -package userns - -import "github.com/opencontainers/runc/libcontainer/user" - -// runningInUserNS is a stub for non-Linux systems -// Always returns false -func runningInUserNS() bool { - return false -} - -// uidMapInUserNS is a stub for non-Linux systems -// Always returns false -func uidMapInUserNS(uidmap []user.IDMap) bool { - return false -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 182aeed934..308dba33b3 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -104,7 +104,6 @@ github.com/opencontainers/go-digest # github.com/opencontainers/runc v1.1.4 ## explicit github.com/opencontainers/runc/libcontainer/user -github.com/opencontainers/runc/libcontainer/userns # github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 ## explicit github.com/opencontainers/runtime-spec/specs-go