Merge pull request #4259 from estesp/fuse-overlayfs

Support helpers for label-based userns remapping
2020-07-06 11:22:34 -07:00 · 2020-07-06 11:22:34 -07:00 · 68b9b8f896
commit 68b9b8f896
parent fa0f7cbb41 45c28f56b2
2 changed files with 45 additions and 2 deletions
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@ -54,6 +54,10 @@ var platformRunFlags = []cli.Flag{
 		Name:  "gidmap",
 		Usage: "run inside a user namespace with the specified GID mapping range; specified with the format `container-gid:host-gid:length`",
 	},
+	cli.BoolFlag{
+		Name:  "remap-labels",
+		Usage: "provide the user namespace ID remapping to the snapshotter via label options; requires snapshotter support",
+	},
 }

 // NewContainer creates a new container
@ -137,8 +141,12 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 				}
 				opts = append(opts,
 					oci.WithUserNamespace([]specs.LinuxIDMapping{uidMap}, []specs.LinuxIDMapping{gidMap}))
-				if context.Bool("read-only") {
-					cOpts = append(cOpts, containerd.WithRemappedSnapshotView(id, image, uidMap.HostID, gidMap.HostID))
+				// use snapshotter opts or the remapped snapshot support to shift the filesystem
+				// currently the only snapshotter known to support the labels is fuse-overlayfs:
+				// https://github.com/AkihiroSuda/containerd-fuse-overlayfs
+				if context.Bool("remap-labels") {
+					cOpts = append(cOpts, containerd.WithNewSnapshot(id, image,
+						containerd.WithRemapperLabels(0, uidMap.HostID, 0, gidMap.HostID, uidMap.Size)))
 				} else {
 					cOpts = append(cOpts, containerd.WithRemappedSnapshot(id, image, uidMap.HostID, gidMap.HostID))
 				}
--- a/snapshotter_opts_unix.go
+++ b/snapshotter_opts_unix.go
@ -0,0 +1,35 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package containerd
+
+import (
+	"fmt"
+
+	"github.com/containerd/containerd/snapshots"
+)
+
+// WithRemapperLabels creates the labels used by any supporting snapshotter
+// to shift the filesystem ownership (user namespace mapping) automatically; currently
+// supported by the fuse-overlayfs snapshotter
+func WithRemapperLabels(ctrUID, hostUID, ctrGID, hostGID, length uint32) snapshots.Opt {
+	return snapshots.WithLabels(map[string]string{
+		"containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", ctrUID, hostUID, length),
+		"containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", ctrGID, hostGID, length),
+	})
+}