From 708299ca400778a01c1b79ab133ddaa9bd458d0a Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 23 Mar 2021 10:51:24 +0100
Subject: [PATCH] Move RunningInUserNS() to its own package

This allows using the utility without bringing whole of "sys" with it.

Signed-off-by: Sebastiaan van Stijn
---
 archive/tar_unix.go | 4 ++--
 diff/apply/apply_linux.go | 4 ++--
 pkg/cri/server/service_linux.go | 4 ++--
 {sys => pkg/userns}/userns_linux.go | 2 +-
 {sys => pkg/userns}/userns_unsupported.go | 2 +-
 runtime/v2/runc/v2/service.go | 4 ++--
 snapshots/overlay/overlayutils/check.go | 4 ++--
 sys/oom_unix.go | 4 +++-
 sys/userns_deprecated.go | 23 +++++++++++++++++++++++
 9 files changed, 38 insertions(+), 13 deletions(-)
 rename {sys => pkg/userns}/userns_linux.go (98%)
 rename {sys => pkg/userns}/userns_unsupported.go (98%)
 create mode 100644 sys/userns_deprecated.go
diff --git a/archive/tar_unix.go b/archive/tar_unix.go
index a187db800..896d11d40 100644
--- a/archive/tar_unix.go
+++ b/archive/tar_unix.go
@@ -24,7 +24,7 @@ import (
 "strings"
 "syscall"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/containerd/continuity/fs"
 "github.com/containerd/continuity/sysx"
 "github.com/pkg/errors"
@@ -87,7 +87,7 @@ func skipFile(hdr *tar.Header) bool {
 switch hdr.Typeflag {
 case tar.TypeBlock, tar.TypeChar:
 // cannot create a device if running in user namespace
- return sys.RunningInUserNS()
+ return userns.RunningInUserNS()
 default:
 return false
 }
diff --git a/diff/apply/apply_linux.go b/diff/apply/apply_linux.go
index 5eeeced5c..b3775c720 100644
--- a/diff/apply/apply_linux.go
+++ b/diff/apply/apply_linux.go
@@ -26,7 +26,7 @@ import (
 "github.com/containerd/containerd/archive"
 "github.com/containerd/containerd/errdefs"
 "github.com/containerd/containerd/mount"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/pkg/errors"
 )
@@ -35,7 +35,7 @@ func apply(ctx context.Context, mounts []mount.Mount, r io.Reader) error {
 case len(mounts) == 1 && mounts[0].Type == "overlay":
 // OverlayConvertWhiteout (mknod c 0 0) doesn't work in userns.
 // https://github.com/containerd/containerd/issues/3762
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 break
 }
 path, parents, err := getOverlayPath(mounts[0].Options)
diff --git a/pkg/cri/server/service_linux.go b/pkg/cri/server/service_linux.go
index 93fa8b92a..5cd2916ce 100644
--- a/pkg/cri/server/service_linux.go
+++ b/pkg/cri/server/service_linux.go
@@ -18,7 +18,7 @@ package server
 import (
 "github.com/containerd/containerd/pkg/cap"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 cni "github.com/containerd/go-cni"
 "github.com/opencontainers/selinux/go-selinux"
 "github.com/pkg/errors"
@@ -33,7 +33,7 @@ const networkAttachCount = 2
 func (c *criService) initPlatform() error {
 var err error
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 if !(c.config.DisableCgroup && !c.apparmorEnabled() && c.config.RestrictOOMScoreAdj) {
 logrus.Warn("Running containerd in a user namespace typically requires disable_cgroup, disable_apparmor, restrict_oom_score_adj set to be true")
 }
diff --git a/sys/userns_linux.go b/pkg/userns/userns_linux.go
similarity index 98%
rename from sys/userns_linux.go
rename to pkg/userns/userns_linux.go
index 3cd1a2222..6656465ef 100644
--- a/sys/userns_linux.go
+++ b/pkg/userns/userns_linux.go
@@ -14,7 +14,7 @@
 limitations under the License.
 */
-package sys
+package userns
 import (
 "bufio"
diff --git a/sys/userns_unsupported.go b/pkg/userns/userns_unsupported.go
similarity index 98%
rename from sys/userns_unsupported.go
rename to pkg/userns/userns_unsupported.go
index 549b50200..aab756fd2 100644
--- a/sys/userns_unsupported.go
+++ b/pkg/userns/userns_unsupported.go
@@ -16,7 +16,7 @@
 limitations under the License.
 */
-package sys
+package userns
 // RunningInUserNS is a stub for non-Linux systems
 // Always returns false
diff --git a/runtime/v2/runc/v2/service.go b/runtime/v2/runc/v2/service.go
index b24c363ea..9bfffd1e0 100644
--- a/runtime/v2/runc/v2/service.go
+++ b/runtime/v2/runc/v2/service.go
@@ -41,11 +41,11 @@ import (
 oomv2 "github.com/containerd/containerd/pkg/oom/v2"
 "github.com/containerd/containerd/pkg/process"
 "github.com/containerd/containerd/pkg/stdio"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/containerd/containerd/runtime/v2/runc"
 "github.com/containerd/containerd/runtime/v2/runc/options"
 "github.com/containerd/containerd/runtime/v2/shim"
 taskAPI "github.com/containerd/containerd/runtime/v2/task"
- "github.com/containerd/containerd/sys"
 "github.com/containerd/containerd/sys/reaper"
 runcC "github.com/containerd/go-runc"
 "github.com/containerd/typeurl"
@@ -386,7 +386,7 @@ func (s *service) Start(ctx context.Context, r *taskAPI.StartRequest) (*taskAPI.
 logrus.WithError(err).Error("failed to get root controllers")
 } else {
 if err := cg.ToggleControllers(allControllers, cgroupsv2.Enable); err != nil {
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 logrus.WithError(err).Debugf("failed to enable controllers (%v)", allControllers)
 } else {
 logrus.WithError(err).Errorf("failed to enable controllers (%v)", allControllers)
diff --git a/snapshots/overlay/overlayutils/check.go b/snapshots/overlay/overlayutils/check.go
index 2d7dc436d..bbe2a7de1 100644
--- a/snapshots/overlay/overlayutils/check.go
+++ b/snapshots/overlay/overlayutils/check.go
@@ -26,7 +26,7 @@ import (
 "github.com/containerd/containerd/log"
 "github.com/containerd/containerd/mount"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/containerd/continuity/fs"
 "github.com/pkg/errors"
 )
@@ -108,7 +108,7 @@ func Supported(root string) error {
 //
 // The "userxattr" support is not exposed in "/sys/module/overlay/parameters".
 func NeedsUserXAttr(d string) (bool, error) {
- if !sys.RunningInUserNS() {
+ if !userns.RunningInUserNS() {
 // we are the real root (i.e., the root in the initial user NS),
 // so we do never need "userxattr" opt.
 return false, nil
diff --git a/sys/oom_unix.go b/sys/oom_unix.go
index c381e1a7e..e5b8dbcef 100644
--- a/sys/oom_unix.go
+++ b/sys/oom_unix.go
@@ -24,6 +24,8 @@ import (
 "os"
 "strconv"
 "strings"
+
+ "github.com/containerd/containerd/pkg/userns"
 )
 const (
@@ -42,7 +44,7 @@ func SetOOMScore(pid, score int) error {
 }
 defer f.Close()
 if _, err = f.WriteString(strconv.Itoa(score)); err != nil {
- if os.IsPermission(err) && (RunningInUserNS() || RunningUnprivileged()) {
+ if os.IsPermission(err) && (userns.RunningInUserNS() || RunningUnprivileged()) {
 return nil
 }
 return err
diff --git a/sys/userns_deprecated.go b/sys/userns_deprecated.go
new file mode 100644
index 000000000..53acf5547
--- /dev/null
+++ b/sys/userns_deprecated.go
@@ -0,0 +1,23 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package sys
+
+import "github.com/containerd/containerd/pkg/userns"
+
+// RunningInUserNS detects whether we are currently running in a user namespace.
+// Deprecated: use github.com/containerd/containerd/pkg/userns.RunningInUserNS instead.
+var RunningInUserNS = userns.RunningInUserNS
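Review bot: In the new sys/userns_deprecated.go, `var RunningInUserNS = userns.RunningInUserNS` makes the compatibility shim an exported, reassignable package-level variable. Any package in the same process that imports sys can overwrite it, which would change the answer for external callers still on the old name. The other hunks in this patch show that answer deciding whether device nodes are skipped and whether a permission error is ignored. A thin wrapper keeps the symbol a function and read-only: `func RunningInUserNS() bool { return userns.RunningInUserNS() }`. Separately, the `// Deprecated:` line directly follows the summary sentence; deprecation notices are expected to begin their own paragraph in the doc comment, so a bare `//` line between the two comment lines is needed for linters and editors to flag uses reliably.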