containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16739 from giuseppe/no-chown-idmap 

runtime: do not chown idmapped volumes
This commit is contained in:
OpenShift Merge Robot 2022-12-05 10:21:30 -05:00 committed by GitHub
parent b825ea7824 a651cdfbc3
commit 41af424cd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libpod/runtime_ctr.go
View File

@ -495,16 +495,21 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
logrus.Debugf("Creating new volume %s for container", vol.Name)
// The volume does not exist, so we need to create it.
volOptions := []VolumeCreateOption{WithVolumeName(vol.Name), WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID())}
volOptions := []VolumeCreateOption{WithVolumeName(vol.Name)}
if isAnonymous {
volOptions = append(volOptions, withSetAnon())
}
needsChown := true
// If volume-opts are set parse and add driver opts.
if len(vol.Options) > 0 {
isDriverOpts := false
driverOpts := make(map[string]string)
for _, opts := range vol.Options {
if opts == "idmap" {
needsChown = false
}
if strings.HasPrefix(opts, "volume-opt") {
isDriverOpts = true
driverOptKey, driverOptValue, err := util.ParseDriverOpts(opts)
@ -519,6 +524,13 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
volOptions = append(volOptions, parsedOptions...)
}
}
if needsChown {
volOptions = append(volOptions, WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID()))
} else {
volOptions = append(volOptions, WithVolumeNoChown())
}
newVol, err := r.newVolume(ctx, false, volOptions...)
if err != nil {
return nil, fmt.Errorf("creating named volume %q: %w", vol.Name, err)

4
test/e2e/run_userns_test.go
View File

@ -109,13 +109,13 @@ var _ = Describe("Podman UserNS support", func() {
})
It("podman uidmapping and gidmapping with an idmapped volume", func() {
session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "echo", "hello"})
session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "stat", "-c", "#%u:%g#", "/foo"})
session.WaitWithDefaultTimeout()
if strings.Contains(session.ErrorToString(), "Operation not permitted") {
Skip("not sufficiently privileged")
}
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("hello"))
Expect(session.OutputToString()).To(ContainSubstring("#0:0#"))
})
It("podman uidmapping and gidmapping --net=host", func() {