diff --git a/container_linux_test.go b/container_linux_test.go index 9953e7133..ece24bf66 100644 --- a/container_linux_test.go +++ b/container_linux_test.go @@ -1432,9 +1432,9 @@ func testUserNamespaces(t *testing.T, readonlyRootFS bool) { }), )} if readonlyRootFS { - opts = append([]NewContainerOpts{WithRemappedSnapshotView(id, image, 1000, 2000, remapperChown)}, opts...) + opts = append([]NewContainerOpts{WithRemappedSnapshotView(id, image, 1000, 2000)}, opts...) } else { - opts = append([]NewContainerOpts{WithRemappedSnapshot(id, image, 1000, 2000, remapperChown)}, opts...) + opts = append([]NewContainerOpts{WithRemappedSnapshot(id, image, 1000, 2000)}, opts...) } container, err := client.NewContainer(ctx, id, opts...) diff --git a/container_opts_unix.go b/container_opts_unix.go index 04be00cd1..b109a10ec 100644 --- a/container_opts_unix.go +++ b/container_opts_unix.go @@ -28,35 +28,22 @@ import ( "github.com/containerd/containerd/containers" "github.com/containerd/containerd/errdefs" "github.com/containerd/containerd/mount" - "github.com/containerd/containerd/snapshots" "github.com/opencontainers/image-spec/identity" ) -// Remapper specifies the type of remapping to be done -type Remapper string - -const ( - remapperChown Remapper = "chown" - remapperSnapshotter Remapper = "snapshotter" -) - // WithRemappedSnapshot creates a new snapshot and remaps the uid/gid for the // filesystem to be used by a container with user namespaces -func WithRemappedSnapshot(id string, i Image, uid, gid uint32, remapper Remapper) NewContainerOpts { - return withRemappedSnapshotBase(id, i, uid, gid, false, remapper) +func WithRemappedSnapshot(id string, i Image, uid, gid uint32) NewContainerOpts { + return withRemappedSnapshotBase(id, i, uid, gid, false) } // WithRemappedSnapshotView is similar to WithRemappedSnapshot but rootfs is mounted as read-only. -func WithRemappedSnapshotView(id string, i Image, uid, gid uint32, remapper Remapper) NewContainerOpts { - return withRemappedSnapshotBase(id, i, uid, gid, true, remapper) +func WithRemappedSnapshotView(id string, i Image, uid, gid uint32) NewContainerOpts { + return withRemappedSnapshotBase(id, i, uid, gid, true) } -func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool, remapper Remapper) NewContainerOpts { +func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool) NewContainerOpts { return func(ctx context.Context, client *Client, c *containers.Container) error { - if remapper != remapperChown && remapper != remapperSnapshotter { - return fmt.Errorf("remapper must be either '%s' or '%s'", remapperChown, remapperSnapshotter) - } - diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), client.platform) if err != nil { return err @@ -65,7 +52,6 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool var ( parent = identity.ChainID(diffIDs).String() usernsID = fmt.Sprintf("%s-%d-%d", parent, uid, gid) - opts = []snapshots.Opt{} ) c.Snapshotter, err = client.resolveSnapshotterName(ctx, c.Snapshotter) if err != nil { @@ -75,15 +61,8 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool if err != nil { return err } - if remapper == remapperSnapshotter { - opts = append(opts, - snapshots.WithLabels(map[string]string{ - "containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", 0, uid, 65535), - "containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", 0, gid, 65535), - })) - } if _, err := snapshotter.Stat(ctx, usernsID); err == nil { - if _, err := snapshotter.Prepare(ctx, id, usernsID, opts...); err == nil { + if _, err := snapshotter.Prepare(ctx, id, usernsID); err == nil { c.SnapshotKey = id c.Image = i.Name() return nil @@ -91,23 +70,21 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool return err } } - mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent, opts...) + mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent) if err != nil { return err } - if remapper == remapperChown { - if err := remapRootFS(ctx, mounts, uid, gid); err != nil { - snapshotter.Remove(ctx, usernsID) - return err - } + if err := remapRootFS(ctx, mounts, uid, gid); err != nil { + snapshotter.Remove(ctx, usernsID) + return err } - if err := snapshotter.Commit(ctx, usernsID, usernsID+"-remap", opts...); err != nil { + if err := snapshotter.Commit(ctx, usernsID, usernsID+"-remap"); err != nil { return err } if readonly { - _, err = snapshotter.View(ctx, id, usernsID, opts...) + _, err = snapshotter.View(ctx, id, usernsID) } else { - _, err = snapshotter.Prepare(ctx, id, usernsID, opts...) + _, err = snapshotter.Prepare(ctx, id, usernsID) } if err != nil { return err diff --git a/snapshotter_opts_unix.go b/snapshotter_opts_unix.go new file mode 100644 index 000000000..1964379d4 --- /dev/null +++ b/snapshotter_opts_unix.go @@ -0,0 +1,35 @@ +// +build !windows + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package containerd + +import ( + "fmt" + + "github.com/containerd/containerd/snapshots" +) + +// WithRemapperLabels creates the labels used by any supporting snapshotter +// to shift the filesystem ownership (user namespace mapping) automatically; currently +// supported by the fuse-overlayfs snapshotter +func WithRemapperLabels(ctrUID, hostUID, ctrGID, hostGID, length uint32) snapshots.Opt { + return snapshots.WithLabels(map[string]string{ + "containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", ctrUID, hostUID, length), + "containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", ctrGID, hostGID, length), + }) +}