update ctr run to support multiple uid/gid mappings
Signed-off-by: Henry Wang <henwang@amazon.com>
This commit is contained in:
Henry Wang
@@ -27,32 +27,55 @@ import (
|
||||
|
||||
"github.com/containerd/containerd/v2/core/containers"
|
||||
"github.com/containerd/containerd/v2/core/mount"
|
||||
"github.com/containerd/containerd/v2/internal/userns"
|
||||
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/opencontainers/image-spec/identity"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
// WithRemappedSnapshot creates a new snapshot and remaps the uid/gid for the
|
||||
// filesystem to be used by a container with user namespaces
|
||||
func WithRemappedSnapshot(id string, i Image, uid, gid uint32) NewContainerOpts {
|
||||
return withRemappedSnapshotBase(id, i, uid, gid, false)
|
||||
uidmaps := []specs.LinuxIDMapping{{ContainerID: 0, HostID: uid, Size: 65536}}
|
||||
gidmaps := []specs.LinuxIDMapping{{ContainerID: 0, HostID: gid, Size: 65536}}
|
||||
return withRemappedSnapshotBase(id, i, uidmaps, gidmaps, false)
|
||||
}
|
||||
|
||||
// WithUserNSRemappedSnapshot creates a new snapshot and remaps the uid/gid for the
|
||||
// filesystem to be used by a container with user namespaces
|
||||
func WithUserNSRemappedSnapshot(id string, i Image, uidmaps, gidmaps []specs.LinuxIDMapping) NewContainerOpts {
|
||||
return withRemappedSnapshotBase(id, i, uidmaps, gidmaps, false)
|
||||
}
|
||||
|
||||
// WithRemappedSnapshotView is similar to WithRemappedSnapshot but rootfs is mounted as read-only.
|
||||
func WithRemappedSnapshotView(id string, i Image, uid, gid uint32) NewContainerOpts {
|
||||
return withRemappedSnapshotBase(id, i, uid, gid, true)
|
||||
uidmaps := []specs.LinuxIDMapping{{ContainerID: 0, HostID: uid, Size: 65536}}
|
||||
gidmaps := []specs.LinuxIDMapping{{ContainerID: 0, HostID: gid, Size: 65536}}
|
||||
return withRemappedSnapshotBase(id, i, uidmaps, gidmaps, true)
|
||||
}
|
||||
|
||||
func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool) NewContainerOpts {
|
||||
// WithUserNSRemappedSnapshotView is similar to WithUserNSRemappedSnapshot but rootfs is mounted as read-only.
|
||||
func WithUserNSRemappedSnapshotView(id string, i Image, uidmaps, gidmaps []specs.LinuxIDMapping) NewContainerOpts {
|
||||
return withRemappedSnapshotBase(id, i, uidmaps, gidmaps, true)
|
||||
}
|
||||
|
||||
func withRemappedSnapshotBase(id string, i Image, uidmaps, gidmaps []specs.LinuxIDMapping, readonly bool) NewContainerOpts {
|
||||
return func(ctx context.Context, client *Client, c *containers.Container) error {
|
||||
diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), client.platform)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var (
|
||||
parent = identity.ChainID(diffIDs).String()
|
||||
usernsID = fmt.Sprintf("%s-%d-%d", parent, uid, gid)
|
||||
)
|
||||
rsn := remappedSnapshot{
|
||||
Parent: identity.ChainID(diffIDs).String(),
|
||||
IDMap: userns.IDMap{UidMap: uidmaps, GidMap: gidmaps},
|
||||
}
|
||||
usernsID, err := rsn.ID()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to remap snapshot: %w", err)
|
||||
}
|
||||
|
||||
c.Snapshotter, err = client.resolveSnapshotterName(ctx, c.Snapshotter)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -70,11 +93,11 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool
|
||||
return err
|
||||
}
|
||||
}
|
||||
mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent)
|
||||
mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", rsn.Parent)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := remapRootFS(ctx, mounts, uid, gid); err != nil {
|
||||
if err := remapRootFS(ctx, mounts, rsn.IDMap); err != nil {
|
||||
snapshotter.Remove(ctx, usernsID)
|
||||
return err
|
||||
}
|
||||
@@ -95,22 +118,30 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool
|
||||
}
|
||||
}
|
||||
|
||||
func remapRootFS(ctx context.Context, mounts []mount.Mount, uid, gid uint32) error {
|
||||
func remapRootFS(ctx context.Context, mounts []mount.Mount, idMap userns.IDMap) error {
|
||||
return mount.WithTempMount(ctx, mounts, func(root string) error {
|
||||
return filepath.Walk(root, incrementFS(root, uid, gid))
|
||||
return filepath.Walk(root, chown(root, idMap))
|
||||
})
|
||||
}
|
||||
|
||||
func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
|
||||
func chown(root string, idMap userns.IDMap) filepath.WalkFunc {
|
||||
return func(path string, info os.FileInfo, err error) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var (
|
||||
stat = info.Sys().(*syscall.Stat_t)
|
||||
u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
|
||||
)
|
||||
stat := info.Sys().(*syscall.Stat_t)
|
||||
h, cerr := idMap.ToHost(userns.User{Uid: stat.Uid, Gid: stat.Gid})
|
||||
if cerr != nil {
|
||||
return cerr
|
||||
}
|
||||
// be sure the lchown the path as to not de-reference the symlink to a host file
|
||||
return os.Lchown(path, u, g)
|
||||
if cerr = os.Lchown(path, int(h.Uid), int(h.Gid)); cerr != nil {
|
||||
return cerr
|
||||
}
|
||||
// we must retain special permissions such as setuid, setgid and sticky bits
|
||||
if mode := info.Mode(); mode&os.ModeSymlink == 0 && mode&(os.ModeSetuid|os.ModeSetgid|os.ModeSticky) != 0 {
|
||||
return os.Chmod(path, mode)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
@@ -20,9 +20,14 @@ package client
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"slices"
|
||||
|
||||
"github.com/containerd/containerd/v2/core/snapshots"
|
||||
"github.com/containerd/containerd/v2/internal/userns"
|
||||
"github.com/opencontainers/go-digest"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -58,15 +63,15 @@ func resolveSnapshotOptions(ctx context.Context, client *Client, snapshotterName
|
||||
}
|
||||
|
||||
needsRemap := false
|
||||
var uidMap, gidMap string
|
||||
var uidMapLabel, gidMapLabel string
|
||||
|
||||
if value, ok := local.Labels[snapshots.LabelSnapshotUIDMapping]; ok {
|
||||
needsRemap = true
|
||||
uidMap = value
|
||||
uidMapLabel = value
|
||||
}
|
||||
if value, ok := local.Labels[snapshots.LabelSnapshotGIDMapping]; ok {
|
||||
needsRemap = true
|
||||
gidMap = value
|
||||
gidMapLabel = value
|
||||
}
|
||||
|
||||
if !needsRemap {
|
||||
@@ -84,24 +89,32 @@ func resolveSnapshotOptions(ctx context.Context, client *Client, snapshotterName
|
||||
return "", fmt.Errorf("snapshotter %q doesn't support idmap mounts on this host, configure `slow_chown` to allow a slower and expensive fallback", snapshotterName)
|
||||
}
|
||||
|
||||
var ctrUID, hostUID, length uint32
|
||||
_, err = fmt.Sscanf(uidMap, "%d:%d:%d", &ctrUID, &hostUID, &length)
|
||||
var uidMap, gidMap specs.LinuxIDMapping
|
||||
_, err = fmt.Sscanf(uidMapLabel, "%d:%d:%d", &uidMap.ContainerID, &uidMap.HostID, &uidMap.Size)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("uidMap unparsable: %w", err)
|
||||
return "", fmt.Errorf("uidMapLabel unparsable: %w", err)
|
||||
}
|
||||
|
||||
var ctrGID, hostGID, lengthGID uint32
|
||||
_, err = fmt.Sscanf(gidMap, "%d:%d:%d", &ctrGID, &hostGID, &lengthGID)
|
||||
_, err = fmt.Sscanf(gidMapLabel, "%d:%d:%d", &gidMap.ContainerID, &gidMap.HostID, &gidMap.Size)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("gidMap unparsable: %w", err)
|
||||
return "", fmt.Errorf("gidMapLabel unparsable: %w", err)
|
||||
}
|
||||
|
||||
if ctrUID != 0 || ctrGID != 0 {
|
||||
return "", fmt.Errorf("Container UID/GID of 0 only supported currently (%d/%d)", ctrUID, ctrGID)
|
||||
if uidMap.ContainerID != 0 || gidMap.ContainerID != 0 {
|
||||
return "", fmt.Errorf("Container UID/GID of 0 only supported currently (%d/%d)", uidMap.ContainerID, gidMap.ContainerID)
|
||||
}
|
||||
|
||||
rsn := remappedSnapshot{
|
||||
Parent: parent,
|
||||
IDMap: userns.IDMap{
|
||||
UidMap: []specs.LinuxIDMapping{uidMap},
|
||||
GidMap: []specs.LinuxIDMapping{gidMap},
|
||||
},
|
||||
}
|
||||
usernsID, err := rsn.ID()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to remap snapshot: %w", err)
|
||||
}
|
||||
|
||||
// TODO(dgl): length isn't taken into account for the intermediate snapshot id.
|
||||
usernsID := fmt.Sprintf("%s-%d-%d", parent, hostUID, hostGID)
|
||||
if _, err := snapshotter.Stat(ctx, usernsID); err == nil {
|
||||
return usernsID, nil
|
||||
}
|
||||
@@ -109,8 +122,8 @@ func resolveSnapshotOptions(ctx context.Context, client *Client, snapshotterName
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
// TODO(dgl): length isn't taken into account here yet either.
|
||||
if err := remapRootFS(ctx, mounts, hostUID, hostGID); err != nil {
|
||||
|
||||
if err := remapRootFS(ctx, mounts, rsn.IDMap); err != nil {
|
||||
snapshotter.Remove(ctx, usernsID+"-remap")
|
||||
return "", err
|
||||
}
|
||||
@@ -120,3 +133,27 @@ func resolveSnapshotOptions(ctx context.Context, client *Client, snapshotterName
|
||||
|
||||
return usernsID, nil
|
||||
}
|
||||
|
||||
type remappedSnapshot struct {
|
||||
Parent string `json:"Parent"`
|
||||
IDMap userns.IDMap `json:"IDMap"`
|
||||
}
|
||||
|
||||
func (s *remappedSnapshot) ID() (string, error) {
|
||||
compare := func(a, b specs.LinuxIDMapping) int {
|
||||
if a.ContainerID < b.ContainerID {
|
||||
return -1
|
||||
} else if a.ContainerID == b.ContainerID {
|
||||
return 0
|
||||
}
|
||||
return 1
|
||||
}
|
||||
slices.SortStableFunc(s.IDMap.UidMap, compare)
|
||||
slices.SortStableFunc(s.IDMap.GidMap, compare)
|
||||
|
||||
buf, err := json.Marshal(s)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return digest.FromBytes(buf).String(), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user