containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

runtime: create userns when CAP_SYS_ADMIN is not present 

when deciding to create a user namespace, check for CAP_SYS_ADMIN
instead of looking at the euid.

[NO TESTS NEEDED] Needs nested Podman

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2021-04-22 14:57:49 +02:00
parent e4c269e2d0
commit 722ea2f1f8
No known key found for this signature in database
GPG Key ID: E4730F97F60286ED
2 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libpod/runtime.go
View File

@ -29,6 +29,7 @@ import (
"github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/unshare"
"github.com/cri-o/ocicni/pkg/ocicni" "github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/pkg/namesgenerator" "github.com/docker/docker/pkg/namesgenerator"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
} }
logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace) logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace)
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return err
}
needsUserns := !hasCapSysAdmin
// Set up containers/storage // Set up containers/storage
var store storage.Store var store storage.Store
if os.Geteuid() != 0 { if needsUserns {
logrus.Debug("Not configuring container store") logrus.Debug("Not configuring container store")
} else if runtime.noStore { } else if runtime.noStore {
logrus.Debug("No store required. Not opening container store.") logrus.Debug("No store required. Not opening container store.")
@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
// If we need to refresh, then it is safe to assume there are // If we need to refresh, then it is safe to assume there are
// no containers running. Create immediately a namespace, as // no containers running. Create immediately a namespace, as
// we will need to access the storage. // we will need to access the storage.
if os.Geteuid() != 0 { if needsUserns {
aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec.
pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir) pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir)
if err != nil { if err != nil {

7
pkg/domain/infra/abi/system.go
View File

@ -21,6 +21,7 @@ import (
"github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/pkg/util"
"github.com/containers/podman/v3/utils" "github.com/containers/podman/v3/utils"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"github.com/spf13/cobra" "github.com/spf13/cobra"
@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error {
// do it only after podman has already re-execed and running with uid==0. // do it only after podman has already re-execed and running with uid==0.
if os.Geteuid() == 0 { hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return err
}
if hasCapSysAdmin {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil { if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err) logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)