github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

correct container "/" ownership with userns

Browse Source 
Previously "`/`" in a container was always owned by `root:root` (0/0), even if
`withRemappedSnapshot` had been used. Meaning that if `withUserNamespace` is
used then `/` can be remapped to `nobody:nogroup` (65534/65534).

The fix is is twofold:

- incrementFS should operate on the root of the tree.
- when creating a new snapshot we must propagate the ownership of the topmost
  "lower" directory into the new "upper".

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This commit is contained in:
Ian Campbell
2017-08-14 16:01:40 +01:00
parent 77035a6e65
commit ebafab47ca
2 changed files with 22 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
spec_unix.go
View File

@@ -171,9 +171,6 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
if err != nil {
return err
}
if root == path {
return nil
}
var (
stat = info.Sys().(*syscall.Stat_t)
u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)