correct container "/" ownership with userns
Previously "`/`" in a container was always owned by `root:root` (0/0), even if `withRemappedSnapshot` had been used; this means that if `withUserNamespace` is used then `/` can be remapped to `nobody:nogroup` (65534/65534). The fix is twofold: - incrementFS should operate on the root of the tree. - when creating a new snapshot we must propagate the ownership of the topmost "lower" directory into the new "upper". Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This commit is contained in:
parent
77035a6e65
commit
ebafab47ca
@ -9,6 +9,7 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
"github.com/containerd/containerd/fs"
|
"github.com/containerd/containerd/fs"
|
||||||
"github.com/containerd/containerd/log"
|
"github.com/containerd/containerd/log"
|
||||||
@ -274,7 +275,8 @@ func (o *snapshotter) createSnapshot(ctx context.Context, kind snapshot.Kind, ke
|
|||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
if err = os.MkdirAll(filepath.Join(td, "fs"), 0755); err != nil {
|
fs := filepath.Join(td, "fs")
|
||||||
|
if err = os.MkdirAll(fs, 0755); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -297,6 +299,25 @@ func (o *snapshotter) createSnapshot(ctx context.Context, kind snapshot.Kind, ke
|
|||||||
return nil, errors.Wrap(err, "failed to create active")
|
return nil, errors.Wrap(err, "failed to create active")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(s.ParentIDs) > 0 {
|
||||||
|
st, err := os.Stat(filepath.Join(o.upperPath(s.ParentIDs[0])))
|
||||||
|
if err != nil {
|
||||||
|
if rerr := t.Rollback(); rerr != nil {
|
||||||
|
log.G(ctx).WithError(rerr).Warn("Failure rolling back transaction")
|
||||||
|
}
|
||||||
|
return nil, errors.Wrap(err, "failed to stat parent")
|
||||||
|
}
|
||||||
|
|
||||||
|
stat := st.Sys().(*syscall.Stat_t)
|
||||||
|
|
||||||
|
if err := os.Lchown(fs, int(stat.Uid), int(stat.Gid)); err != nil {
|
||||||
|
if rerr := t.Rollback(); rerr != nil {
|
||||||
|
log.G(ctx).WithError(rerr).Warn("Failure rolling back transaction")
|
||||||
|
}
|
||||||
|
return nil, errors.Wrap(err, "failed to chown")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
path = filepath.Join(snapshotDir, s.ID)
|
path = filepath.Join(snapshotDir, s.ID)
|
||||||
if err = os.Rename(td, path); err != nil {
|
if err = os.Rename(td, path); err != nil {
|
||||||
if rerr := t.Rollback(); rerr != nil {
|
if rerr := t.Rollback(); rerr != nil {
|
||||||
|
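Review bot: In the createSnapshot hunk, `st, err := os.Stat(...)` and `if err := os.Lchown(...)` declare a fresh `err` inside the `if len(s.ParentIDs) > 0` block, whereas the surrounding code assigns the function-scope one (`if err = os.MkdirAll(fs, 0755); err != nil`); if the deferred cleanup whose `}()` opens the hunk inspects that outer `err` (its body is outside the hunk), the stat and chown failure paths return an error it never sees, so the temporary directory may be left behind. Assign instead of redeclaring: `var st os.FileInfo`, `st, err = os.Stat(o.upperPath(s.ParentIDs[0]))` and `if err = os.Lchown(fs, int(stat.Uid), int(stat.Gid)); err != nil {` — the single-argument `filepath.Join` around `o.upperPath(...)` is a no-op and can be dropped at the same time. The earlier hunk's `fs := filepath.Join(td, "fs")` also shadows the imported `containerd/fs` package for the rest of createSnapshot; a name such as `fsPath` avoids that trap. createSnapshot starts and ends outside these hunks.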
@ -171,9 +171,6 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if root == path {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
var (
|
var (
|
||||||
stat = info.Sys().(*syscall.Stat_t)
|
stat = info.Sys().(*syscall.Stat_t)
|
||||||
u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
|
u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
|
||||||
|