podman/libpod
Giuseppe Scrivano ecedda63a6
rootless: automatically split userns ranges
writing to the id map fails when an extent overlaps multiple mappings
in the parent user namespace:

$ cat /proc/self/uid_map
         0       1000          1
         1     100000      65536
$ unshare -U sleep 100 &
[1] 1029703
$ printf "0 0 100\n" | tee /proc/$!/uid_map
0 0 100
tee: /proc/1029703/uid_map: Operation not permitted

This limitation is particularly annoying when working with rootless
containers as each container runs in the rootless user namespace, so a
command like:

$ podman run --uidmap 0:0:2 --rm fedora echo hi
Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied

would fail since the specified mapping overlaps the first
mapping (where the user id is mapped to root) and the second extent
with the additional IDs available.

Detect such cases and automatically split the specified mapping with
the equivalent of:

$ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi
hi

A fix has already been proposed for the kernel[1], but even if it is
accepted it will take time until it is available in a released kernel,
so fix it also in pkg/rootless.

[1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-01-07 09:42:27 +01:00
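The splitting the commit describes, as an added example that is not podman's own code: given the parent namespace's /proc/self/uid_map and a requested mapping, each extent is cut at the boundaries of the parent's extents so that no single line written to the child's uid_map straddles two of them. It goes beyond the commit's single case in that it handles any number of parent extents and reports a host ID the parent does not own at all (which no split can fix); the parent map used in the test is the one quoted in the commit message.

```go
package main

import (
	"fmt"
	"strings"
)

// IDMap is one extent of a uid_map/gid_map: ContainerID HostID Size.
// For a child namespace, HostID is an ID as seen in the parent namespace.
type IDMap struct{ ContainerID, HostID, Size int64 }

// ParseIDMap parses the text of /proc/<pid>/uid_map (or gid_map).
func ParseIDMap(text string) ([]IDMap, error) {
	var out []IDMap
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var m IDMap
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.ContainerID, &m.HostID, &m.Size); err != nil {
			return nil, fmt.Errorf("malformed id map line %q: %w", line, err)
		}
		out = append(out, m)
	}
	return out, nil
}

// SplitIDMap cuts each requested extent so that no piece straddles two extents
// of the parent's map, the write the kernel rejects with EPERM. A host ID the
// parent does not own at all cannot be mapped from inside it and is an error.
func SplitIDMap(req, parent []IDMap) ([]IDMap, error) {
	var out []IDMap
	for _, m := range req {
		for m.Size > 0 {
			n := int64(-1) // IDs left in the parent extent that contains m.HostID
			for _, p := range parent {
				if m.HostID >= p.ContainerID && m.HostID < p.ContainerID+p.Size {
					n = p.ContainerID + p.Size - m.HostID
				}
			}
			if n < 0 {
				return nil, fmt.Errorf("id %d is not mapped in the parent namespace", m.HostID)
			}
			if n > m.Size {
				n = m.Size
			}
			out = append(out, IDMap{m.ContainerID, m.HostID, n})
			m.ContainerID, m.HostID, m.Size = m.ContainerID+n, m.HostID+n, m.Size-n
		}
	}
	return out, nil
}
```

With the parent map from the commit message, a request of 0:0:2 comes back as 0:0:1 and 1:1:1, the two `--uidmap` options the commit shows working.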
common Set blob cache directory based on GraphDriver 2019-03-29 08:27:33 -04:00
define Spelling 2020-12-22 13:34:31 -05:00
driver removMergeDir from inspect result if not mounted 2019-08-13 15:13:20 -04:00
events close journald when reading 2021-01-04 13:27:38 -06:00
image Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-space 2021-01-05 11:35:18 -05:00
layers Initial checkin from CRI-O repo 2017-11-01 11:24:59 -04:00
linkmode Add podman static build 2020-05-11 13:11:07 +02:00
lock Remove excessive error wrapping 2020-10-05 15:30:37 -07:00
logs re-open container log files 2020-12-23 14:04:32 -06:00
network Spelling 2020-12-22 13:34:31 -05:00
plugin Add API for communicating with Docker volume plugins 2020-12-01 12:56:55 -05:00
shutdown Do not error on installing duplicate shutdown handler 2020-12-07 10:00:36 -05:00
boltdb_state.go add network connect|disconnect compat endpoints 2020-11-17 14:22:39 -06:00
boltdb_state_internal.go Add support for network connect / disconnect to DB 2020-11-11 16:37:54 -05:00
boltdb_state_linux.go Spelling 2020-12-22 13:34:31 -05:00
boltdb_state_unsupported.go podman-remote inspect 2019-01-18 15:43:11 -06:00
common_test.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
container.go libpod: handle single user mapped as root 2020-12-24 13:39:15 +01:00
container_api.go Spelling 2020-12-22 13:34:31 -05:00
container_commit.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
container_config.go Spelling 2020-12-22 13:34:31 -05:00
container_exec.go Preserve groups in exec sessions in ctrs with --user 2020-09-18 13:54:25 -04:00
container_graph.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
container_graph_test.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
container_inspect.go Add LogSize to container inspect 2020-12-15 17:22:06 -05:00
container_internal.go Spelling 2020-12-22 13:34:31 -05:00
container_internal_linux.go rootless: automatically split userns ranges 2021-01-07 09:42:27 +01:00
container_internal_linux_test.go Make an entry in /etc/group when we modify /etc/passwd 2020-09-10 13:02:31 -04:00
container_internal_test.go Refactor container config 2020-07-23 10:18:14 -04:00
container_internal_unsupported.go Implement pod-network-reload 2020-12-07 19:26:23 +01:00
container_linux.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
container_log.go Spelling 2020-12-22 13:34:31 -05:00
container_log_linux.go Fix Podman logs reading journald 2020-10-02 10:05:19 -04:00
container_log_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
container_top_linux.go Remove varlink support from Podman 2020-11-26 16:50:42 -05:00
container_top_unsupported.go Spelling 2020-12-22 13:34:31 -05:00
container_unsupported.go Do not fetch pod and ctr State on retrieval in Bolt 2018-07-31 14:19:50 +00:00
container_validate.go Spelling 2020-12-22 13:34:31 -05:00
diff.go fix podman container exists and diff for storage containers 2020-10-15 09:51:15 -04:00
events.go add network connect|disconnect compat endpoints 2020-11-19 08:16:19 -06:00
healthcheck.go Stop excessive wrapping of errors 2020-10-30 05:34:04 -04:00
healthcheck_linux.go Set PATH env in systemd timer. 2020-11-23 10:26:02 -08:00
healthcheck_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
in_memory_state.go Add support for network connect / disconnect to DB 2020-11-11 16:37:54 -05:00
info.go Add Security information to podman info 2020-12-22 08:13:14 -05:00
kube.go Spelling 2020-12-22 13:34:31 -05:00
mounts_linux.go set root propagation based on volume properties 2018-11-26 13:55:02 +01:00
networking_linux.go The slirp4netns sandbox requires pivot_root 2020-12-29 18:03:49 +01:00
networking_unsupported.go Implement pod-network-reload 2020-12-07 19:26:23 +01:00
oci.go Spelling 2020-12-22 13:34:31 -05:00
oci_attach_linux.go Spelling 2020-12-22 13:34:31 -05:00
oci_attach_linux_cgo.go Implement conmon exec 2019-07-22 15:57:23 -04:00
oci_attach_linux_nocgo.go Implement conmon exec 2019-07-22 15:57:23 -04:00
oci_attach_unsupported.go Force Attach() to send a SIGWINCH and redraw 2020-09-10 17:54:47 -04:00
oci_conmon.go podman: add new cgroup mode split 2020-06-25 17:16:12 +02:00
oci_conmon_exec_linux.go libpod: change function to accept ExecOptions 2020-12-24 22:01:38 +01:00
oci_conmon_linux.go Merge pull request #8878 from mheon/no_edit_config 2021-01-04 21:11:27 -05:00
oci_conmon_unsupported.go Add global options --runtime-flags 2020-09-04 15:04:36 -04:00
oci_missing.go Send HTTP Hijack headers after successful attach 2020-08-27 12:50:22 -04:00
oci_util.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
options.go Merge pull request #8787 from jsoref/spelling 2020-12-23 17:38:43 +01:00
pod.go Add SELinux support for pods 2020-10-02 15:14:18 -04:00
pod_api.go Fix podman pod inspect show wrong MAC string 2020-11-18 18:06:06 +08:00
pod_internal.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
pod_status.go Add a Degraded state to pods 2020-10-21 13:31:40 -04:00
pod_top_linux.go Spelling 2020-12-22 13:34:31 -05:00
pod_top_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
reset.go Don't accidentally remove XDG_RUNTIME_DIR when resetting storage 2020-12-16 15:09:37 -05:00
rootless_cni_linux.go Spelling 2020-12-22 13:34:31 -05:00
runtime.go Do not error on installing duplicate shutdown handler 2020-12-07 10:00:36 -05:00
runtime_cstorage.go Drop default log-level from error to warn 2020-12-03 06:28:09 -05:00
runtime_ctr.go Rework pruning to report reclaimed space 2020-12-30 19:57:35 -06:00
runtime_img.go Spelling 2020-12-22 13:34:31 -05:00
runtime_img_test.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
runtime_migrate.go Use Libpod tmpdir for pause path 2020-12-02 14:18:37 -05:00
runtime_migrate_unsupported.go Use Libpod tmpdir for pause path 2020-12-02 14:18:37 -05:00
runtime_pod.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
runtime_pod_infra_linux.go Add default sysctls for pod infra containers 2021-01-04 15:29:18 -05:00
runtime_pod_linux.go Drop default log-level from error to warn 2020-12-03 06:28:09 -05:00
runtime_pod_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
runtime_renumber.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
runtime_volume.go Rework pruning to report reclaimed space 2020-12-30 19:57:35 -06:00
runtime_volume_linux.go Fix missing options in volumes display while setting uid and gid 2020-12-23 09:13:20 +08:00
runtime_volume_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
state.go Add support for network connect / disconnect to DB 2020-11-11 16:37:54 -05:00
state_test.go Spelling 2020-12-22 13:34:31 -05:00
stats.go container cgroup path 2020-12-07 15:16:20 +01:00
stats_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
storage.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
util.go Add support for Gentoo file to package query 2020-12-29 20:33:27 +01:00
util_linux.go Fix mismatch between log messages and behavior of libpod.LabelVolumePath. 2020-09-13 23:24:15 -04:00
util_linux_test.go Fix mismatch between log messages and behavior of libpod.LabelVolumePath. 2020-09-13 23:24:15 -04:00
util_test.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
util_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
volume.go Rework pruning to report reclaimed space 2020-12-30 19:57:35 -06:00
volume_inspect.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
volume_internal.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
volume_internal_linux.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00
volume_internal_unsupported.go Switch all references to github.com/containers/libpod -> podman 2020-07-28 08:23:45 -04:00