github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Make unique snapshotter opt for label-assisted remapping

Browse Source 
Provide a snapshotter opt to add labels used by any supporting
snapshotter to handle user namespace filesystem remapping. Currently
supported by the fuse-overlayfs snapshotter, and others can use this
information as well.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This commit is contained in:
Phil Estes 2020-05-15 16:33:15 -04:00
parent 331793118f
commit c76bf55047
No known key found for this signature in database
GPG Key ID: 0F386284C03A1162
3 changed files with 50 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
container_linux_test.go
View File

@ -1432,9 +1432,9 @@ func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
}), }),
)} )}
if readonlyRootFS { if readonlyRootFS {
opts = append([]NewContainerOpts{WithRemappedSnapshotView(id, image, 1000, 2000, remapperChown)}, opts...) opts = append([]NewContainerOpts{WithRemappedSnapshotView(id, image, 1000, 2000)}, opts...)
} else { } else {
opts = append([]NewContainerOpts{WithRemappedSnapshot(id, image, 1000, 2000, remapperChown)}, opts...) opts = append([]NewContainerOpts{WithRemappedSnapshot(id, image, 1000, 2000)}, opts...)
} }
container, err := client.NewContainer(ctx, id, opts...) container, err := client.NewContainer(ctx, id, opts...)

49
container_opts_unix.go
View File

@ -28,35 +28,22 @@ import (
"github.com/containerd/containerd/containers" "github.com/containerd/containerd/containers"
"github.com/containerd/containerd/errdefs" "github.com/containerd/containerd/errdefs"
"github.com/containerd/containerd/mount" "github.com/containerd/containerd/mount"
"github.com/containerd/containerd/snapshots"
"github.com/opencontainers/image-spec/identity" "github.com/opencontainers/image-spec/identity"
) )
// Remapper specifies the type of remapping to be done
type Remapper string
const (
remapperChown Remapper = "chown"
remapperSnapshotter Remapper = "snapshotter"
)
// WithRemappedSnapshot creates a new snapshot and remaps the uid/gid for the // WithRemappedSnapshot creates a new snapshot and remaps the uid/gid for the
// filesystem to be used by a container with user namespaces // filesystem to be used by a container with user namespaces
func WithRemappedSnapshot(id string, i Image, uid, gid uint32, remapper Remapper) NewContainerOpts { func WithRemappedSnapshot(id string, i Image, uid, gid uint32) NewContainerOpts {
return withRemappedSnapshotBase(id, i, uid, gid, false, remapper) return withRemappedSnapshotBase(id, i, uid, gid, false)
} }
// WithRemappedSnapshotView is similar to WithRemappedSnapshot but rootfs is mounted as read-only. // WithRemappedSnapshotView is similar to WithRemappedSnapshot but rootfs is mounted as read-only.
func WithRemappedSnapshotView(id string, i Image, uid, gid uint32, remapper Remapper) NewContainerOpts { func WithRemappedSnapshotView(id string, i Image, uid, gid uint32) NewContainerOpts {
return withRemappedSnapshotBase(id, i, uid, gid, true, remapper) return withRemappedSnapshotBase(id, i, uid, gid, true)
} }
func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool, remapper Remapper) NewContainerOpts { func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool) NewContainerOpts {
return func(ctx context.Context, client *Client, c *containers.Container) error { return func(ctx context.Context, client *Client, c *containers.Container) error {
if remapper != remapperChown && remapper != remapperSnapshotter {
return fmt.Errorf("remapper must be either '%s' or '%s'", remapperChown, remapperSnapshotter)
}
diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), client.platform) diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), client.platform)
if err != nil { if err != nil {
return err return err
@ -65,7 +52,6 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool
var ( var (
parent = identity.ChainID(diffIDs).String() parent = identity.ChainID(diffIDs).String()
usernsID = fmt.Sprintf("%s-%d-%d", parent, uid, gid) usernsID = fmt.Sprintf("%s-%d-%d", parent, uid, gid)
opts = []snapshots.Opt{}
) )
c.Snapshotter, err = client.resolveSnapshotterName(ctx, c.Snapshotter) c.Snapshotter, err = client.resolveSnapshotterName(ctx, c.Snapshotter)
if err != nil { if err != nil {
@ -75,15 +61,8 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool
if err != nil { if err != nil {
return err return err
} }
if remapper == remapperSnapshotter {
opts = append(opts,
snapshots.WithLabels(map[string]string{
"containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", 0, uid, 65535),
"containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", 0, gid, 65535),
}))
}
if _, err := snapshotter.Stat(ctx, usernsID); err == nil { if _, err := snapshotter.Stat(ctx, usernsID); err == nil {
if _, err := snapshotter.Prepare(ctx, id, usernsID, opts...); err == nil { if _, err := snapshotter.Prepare(ctx, id, usernsID); err == nil {
c.SnapshotKey = id c.SnapshotKey = id
c.Image = i.Name() c.Image = i.Name()
return nil return nil
@ -91,23 +70,21 @@ func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool
return err return err
} }
} }
mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent, opts...) mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent)
if err != nil { if err != nil {
return err return err
} }
if remapper == remapperChown { if err := remapRootFS(ctx, mounts, uid, gid); err != nil {
if err := remapRootFS(ctx, mounts, uid, gid); err != nil { snapshotter.Remove(ctx, usernsID)
snapshotter.Remove(ctx, usernsID) return err
return err
}
} }
if err := snapshotter.Commit(ctx, usernsID, usernsID+"-remap", opts...); err != nil { if err := snapshotter.Commit(ctx, usernsID, usernsID+"-remap"); err != nil {
return err return err
} }
if readonly { if readonly {
_, err = snapshotter.View(ctx, id, usernsID, opts...) _, err = snapshotter.View(ctx, id, usernsID)
} else { } else {
_, err = snapshotter.Prepare(ctx, id, usernsID, opts...) _, err = snapshotter.Prepare(ctx, id, usernsID)
} }
if err != nil { if err != nil {
return err return err

35
snapshotter_opts_unix.go Normal file
View File

@ -0,0 +1,35 @@
// +build !windows
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package containerd
import (
"fmt"
"github.com/containerd/containerd/snapshots"
)
// WithRemapperLabels creates the labels used by any supporting snapshotter
// to shift the filesystem ownership (user namespace mapping) automatically; currently
// supported by the fuse-overlayfs snapshotter
func WithRemapperLabels(ctrUID, hostUID, ctrGID, hostGID, length uint32) snapshots.Opt {
return snapshots.WithLabels(map[string]string{
"containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", ctrUID, hostUID, length),
"containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", ctrGID, hostGID, length),
})
}