pkg/process: Only use idmap mounts if runc supports it
runc, as mandated by the runtime-spec, ignores unknown fields in the config.json. This is unfortunate for cases where we _must_ enable that feature or fail. For example, if we want to start a container with user namespaces and volumes, using the uidMappings/gidMappings field is needed so the UID/GIDs in the volume don't end up with garbage. However, if we don't fail when runc will ignore these fields (because they are unknown to runc), we will just start a container without using the mappings and the UID/GIDs the container will persist to volumes the hostUID/GID, that can change if the container is re-scheduled by Kubernetes. This will end up in volumes having "garbage" and unmapped UIDs that the container can no longer change. So, let's avoid this entirely by just checking that runc supports idmap mounts if the container we are about to create needs them. Please note that the "runc features" subcommand is only run when we are using idmap mounts. If idmap mounts are not used, the subcommand is not run and therefore this should not affect containers that don't use idmap mounts in any way. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos
@@ -17,6 +17,8 @@
|
||||
package integration
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
@@ -27,6 +29,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd/integration/images"
|
||||
runc "github.com/containerd/go-runc"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
exec "golang.org/x/sys/execabs"
|
||||
@@ -234,6 +237,9 @@ func TestPodUserNS(t *testing.T) {
|
||||
if test.hostVolumes && !supportsIDMap(volumeHostPath) {
|
||||
t.Skipf("ID mappings are not supported host volume filesystem: %v", volumeHostPath)
|
||||
}
|
||||
if err := supportsRuncIDMap(); err != nil {
|
||||
t.Skipf("OCI runtime doesn't support idmap mounts: %v", err)
|
||||
}
|
||||
|
||||
testPodLogDir := t.TempDir()
|
||||
sandboxOpts := append(test.sandboxOpts, WithPodLogDirectory(testPodLogDir))
|
||||
@@ -297,3 +303,22 @@ func TestPodUserNS(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func supportsRuncIDMap() error {
|
||||
var r runc.Runc
|
||||
features, err := r.Features(context.Background())
|
||||
if err != nil {
|
||||
// If the features command is not implemented, then runc is too old.
|
||||
return fmt.Errorf("features command failed: %w", err)
|
||||
}
|
||||
|
||||
if features.Linux.MountExtensions == nil || features.Linux.MountExtensions.IDMap == nil {
|
||||
return errors.New("missing `mountExtensions.idmap` entry in `features` command")
|
||||
|
||||
}
|
||||
if enabled := features.Linux.MountExtensions.IDMap.Enabled; enabled == nil || !*enabled {
|
||||
return errors.New("idmap mounts not supported")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user