pkg/userns: deprecate and migrate to github.com/moby/sys/user/userns

The userns package in libcontainer was integrated into the moby/sys/user module at commit [3778ae603c706494fd1e2c2faf83b406e38d687d][1]. This patch deprecates the containerd fork of that package, and adds it as an alias for the moby/sys/user/userns package. [1]: 3778ae603c Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-16 21:50:24 +02:00 · 2024-07-16 21:50:24 +02:00 · 8437c567d8
commit 8437c567d8
parent 40a315b95c
20 changed files with 112 additions and 84 deletions
--- a/cmd/containerd-shim-runc-v2/task/service.go
+++ b/cmd/containerd-shim-runc-v2/task/service.go
@ -24,6 +24,8 @@ import (
 	"os"
 	"sync"

+	"github.com/moby/sys/user/userns"
+
 	"github.com/containerd/cgroups/v3"
 	"github.com/containerd/cgroups/v3/cgroup1"
 	cgroupsv2 "github.com/containerd/cgroups/v3/cgroup2"
@ -44,7 +46,6 @@ import (
 	"github.com/containerd/containerd/v2/pkg/shutdown"
 	"github.com/containerd/containerd/v2/pkg/stdio"
 	"github.com/containerd/containerd/v2/pkg/sys/reaper"
-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/errdefs"
 	runcC "github.com/containerd/go-runc"
 	"github.com/containerd/log"
--- a/core/diff/apply/apply_linux.go
+++ b/core/diff/apply/apply_linux.go
@ -23,12 +23,12 @@ import (
 	"os"
 	"strings"

+	"github.com/moby/sys/user/userns"
+	"golang.org/x/sys/unix"
+
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/containerd/v2/pkg/archive"
-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/errdefs"
-
-	"golang.org/x/sys/unix"
 )

 func apply(ctx context.Context, mounts []mount.Mount, r io.Reader, sync bool) (retErr error) {
--- a/core/mount/mount_linux.go
+++ b/core/mount/mount_linux.go
@ -28,8 +28,8 @@ import (
 	"strings"
 	"time"

-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/log"
+	"github.com/moby/sys/user/userns"
 	"golang.org/x/sys/unix"
 )

--- a/internal/cri/server/podsandbox/sandbox_run_linux.go
+++ b/internal/cri/server/podsandbox/sandbox_run_linux.go
@ -23,6 +23,7 @@ import (
 	"strings"

 	"github.com/containerd/containerd/v2/pkg/oci"
+	"github.com/moby/sys/user/userns"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
@ -32,7 +33,6 @@ import (
 	"github.com/containerd/containerd/v2/core/snapshots"
 	"github.com/containerd/containerd/v2/internal/cri/annotations"
 	customopts "github.com/containerd/containerd/v2/internal/cri/opts"
-	"github.com/containerd/containerd/v2/pkg/userns"
 )

 func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
--- a/internal/cri/server/podsandbox/sandbox_run_linux_test.go
+++ b/internal/cri/server/podsandbox/sandbox_run_linux_test.go
@ -22,6 +22,7 @@ import (
 	"strconv"
 	"testing"

+	"github.com/moby/sys/user/userns"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
@ -33,7 +34,6 @@ import (
 	"github.com/containerd/containerd/v2/internal/cri/annotations"
 	"github.com/containerd/containerd/v2/internal/cri/opts"
 	ostesting "github.com/containerd/containerd/v2/pkg/os/testing"
-	"github.com/containerd/containerd/v2/pkg/userns"
 )

 func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConfig, func(*testing.T, string, *runtimespec.Spec)) {
--- a/internal/cri/server/service_linux.go
+++ b/internal/cri/server/service_linux.go
@ -19,12 +19,12 @@ package server
 import (
 	"fmt"

+	"github.com/moby/sys/user/userns"
 	"github.com/opencontainers/selinux/go-selinux"
 	"tags.cncf.io/container-device-interface/pkg/cdi"

 	"github.com/containerd/containerd/v2/pkg/cap"
 	"github.com/containerd/containerd/v2/pkg/kernelversion"
-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/go-cni"
 	"github.com/containerd/log"
 )
--- a/pkg/archive/tar.go
+++ b/pkg/archive/tar.go
@ -29,9 +29,10 @@ import (
 	"syscall"
 	"time"

+	"github.com/moby/sys/user/userns"
+
 	"github.com/containerd/containerd/v2/pkg/archive/tarheader"
 	"github.com/containerd/containerd/v2/pkg/epoch"
-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/continuity/fs"
 	"github.com/containerd/log"
 )
--- a/pkg/archive/tar_unix.go
+++ b/pkg/archive/tar_unix.go
@ -27,10 +27,11 @@ import (
 	"strings"
 	"syscall"

-	"github.com/containerd/containerd/v2/pkg/userns"
+	"github.com/moby/sys/user/userns"
+	"golang.org/x/sys/unix"
+
 	"github.com/containerd/continuity/fs"
 	"github.com/containerd/continuity/sysx"
-	"golang.org/x/sys/unix"
 )

 func chmodTarEntry(perm os.FileMode) os.FileMode {
--- a/pkg/oci/utils_unix.go
+++ b/pkg/oci/utils_unix.go
@ -24,7 +24,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/containerd/containerd/v2/pkg/userns"
+	"github.com/moby/sys/user/userns"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 )
--- a/pkg/oci/utils_unix_test.go
+++ b/pkg/oci/utils_unix_test.go
@ -25,9 +25,8 @@ import (
 	"runtime"
 	"testing"

+	"github.com/moby/sys/user/userns"
 	"github.com/stretchr/testify/assert"
-
-	"github.com/containerd/containerd/v2/pkg/userns"
 )

 func cleanupTest() {
--- a/pkg/sys/oom_linux.go
+++ b/pkg/sys/oom_linux.go
@ -22,7 +22,7 @@ import (
 	"strconv"
 	"strings"

-	"github.com/containerd/containerd/v2/pkg/userns"
+	"github.com/moby/sys/user/userns"
 	"golang.org/x/sys/unix"
 )

--- a/pkg/sys/oom_linux_test.go
+++ b/pkg/sys/oom_linux_test.go
@ -24,7 +24,7 @@ import (
 	"testing"
 	"time"

-	"github.com/containerd/containerd/v2/pkg/userns"
+	"github.com/moby/sys/user/userns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
--- a/pkg/userns/userns_unsupported.go
+++ b/pkg/userns/userns_unsupported.go
@ -1,5 +1,3 @@
-//go:build !linux
-
 /*
   Copyright The containerd Authors.

@ -16,10 +14,16 @@
   limitations under the License.
 */

+// Deprecated: use github.com/moby/sys/user/userns
 package userns

-// RunningInUserNS is a stub for non-Linux systems
-// Always returns false
+import "github.com/moby/sys/user/userns"
+
+// RunningInUserNS detects whether we are currently running in a Linux
+// user namespace and memoizes the result. It returns false on non-Linux
+// platforms.
+//
+// Deprecated: use [userns.RunningInUserNS].
 func RunningInUserNS() bool {
-	return false
+	return userns.RunningInUserNS()
 }
--- a/pkg/userns/userns_linux.go
+++ b/pkg/userns/userns_linux.go
@ -1,62 +0,0 @@
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package userns
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"sync"
-)
-
-var (
-	inUserNS bool
-	nsOnce   sync.Once
-)
-
-// RunningInUserNS detects whether we are currently running in a user namespace.
-// Originally copied from github.com/lxc/lxd/shared/util.go
-func RunningInUserNS() bool {
-	nsOnce.Do(func() {
-		file, err := os.Open("/proc/self/uid_map")
-		if err != nil {
-			// This kernel-provided file only exists if user namespaces are supported
-			return
-		}
-		defer file.Close()
-
-		buf := bufio.NewReader(file)
-		l, _, err := buf.ReadLine()
-		if err != nil {
-			return
-		}
-
-		line := string(l)
-		var a, b, c int64
-		fmt.Sscanf(line, "%d %d %d", &a, &b, &c)
-
-		/*
-		 * We assume we are in the initial user namespace if we have a full
-		 * range - 4294967295 uids starting at uid 0.
-		 */
-		if a == 0 && b == 0 && c == 4294967295 {
-			return
-		}
-		inUserNS = true
-	})
-	return inUserNS
-}
--- a/plugins/snapshots/overlay/overlayutils/check.go
+++ b/plugins/snapshots/overlay/overlayutils/check.go
@ -24,11 +24,11 @@ import (
 	"path/filepath"
 	"syscall"

+	"github.com/moby/sys/user/userns"
 	"golang.org/x/sys/unix"

 	"github.com/containerd/containerd/v2/core/mount"
 	kernel "github.com/containerd/containerd/v2/pkg/kernelversion"
-	"github.com/containerd/containerd/v2/pkg/userns"
 	"github.com/containerd/continuity/fs"
 	"github.com/containerd/log"
 )
--- a/vendor/github.com/moby/sys/user/userns/userns.go
+++ b/vendor/github.com/moby/sys/user/userns/userns.go
@ -0,0 +1,16 @@
+// Package userns provides utilities to detect whether we are currently running
+// in a Linux user namespace.
+//
+// This code was migrated from [libcontainer/runc], which based its implementation
+// on code from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+package userns
+
+// RunningInUserNS detects whether we are currently running in a Linux
+// user namespace and memoizes the result. It returns false on non-Linux
+// platforms.
+func RunningInUserNS() bool {
+	return inUserNS()
+}
--- a/vendor/github.com/moby/sys/user/userns/userns_linux.go
+++ b/vendor/github.com/moby/sys/user/userns/userns_linux.go
@ -0,0 +1,53 @@
+package userns
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"sync"
+)
+
+var inUserNS = sync.OnceValue(runningInUserNS)
+
+// runningInUserNS detects whether we are currently running in a user namespace.
+//
+// This code was migrated from [libcontainer/runc] and based on an implementation
+// from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+func runningInUserNS() bool {
+	file, err := os.Open("/proc/self/uid_map")
+	if err != nil {
+		// This kernel-provided file only exists if user namespaces are supported.
+		return false
+	}
+	defer file.Close()
+
+	buf := bufio.NewReader(file)
+	l, _, err := buf.ReadLine()
+	if err != nil {
+		return false
+	}
+
+	return uidMapInUserNS(string(l))
+}
+
+func uidMapInUserNS(uidMap string) bool {
+	if uidMap == "" {
+		// File exist but empty (the initial state when userns is created,
+		// see user_namespaces(7)).
+		return true
+	}
+
+	var a, b, c int64
+	if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil {
+		// Assume we are in a regular, non user namespace.
+		return false
+	}
+
+	// As per user_namespaces(7), /proc/self/uid_map of
+	// the initial user namespace shows 0 0 4294967295.
+	initNS := a == 0 && b == 0 && c == 4294967295
+	return !initNS
+}
--- a/vendor/github.com/moby/sys/user/userns/userns_linux_fuzzer.go
+++ b/vendor/github.com/moby/sys/user/userns/userns_linux_fuzzer.go
@ -0,0 +1,8 @@
+//go:build linux && gofuzz
+
+package userns
+
+func FuzzUIDMap(uidmap []byte) int {
+	_ = uidMapInUserNS(string(uidmap))
+	return 1
+}
--- a/vendor/github.com/moby/sys/user/userns/userns_unsupported.go
+++ b/vendor/github.com/moby/sys/user/userns/userns_unsupported.go
@ -0,0 +1,6 @@
+//go:build !linux
+
+package userns
+
+// inUserNS is a stub for non-Linux systems. Always returns false.
+func inUserNS() bool { return false }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -367,6 +367,7 @@ github.com/moby/sys/symlink
 # github.com/moby/sys/user v0.2.0
 ## explicit; go 1.21
 github.com/moby/sys/user
+github.com/moby/sys/user/userns
 # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
 ## explicit
 github.com/modern-go/concurrent