[lxc-devel] [lxd/master] allow uidmaps to be parsed from alternate roots
tych0 on Github
lxc-bot at linuxcontainers.org
Thu Jun 21 15:01:49 UTC 2018
From a1c243ae27ef2ab958fb35919e3231fa0e5630fc Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho at tycho.ws>
Date: Wed, 21 Feb 2018 09:29:30 -0700
Subject: [PATCH] allow uidmaps to be parsed from alternate roots
Since this code is handy, let's allow it to parse other roots on the
filesystem than just /.
Signed-off-by: Tycho Andersen <tycho at tycho.ws>
---
lxd/main_activateifneeded.go | 2 +-
lxd/main_init_interactive.go | 2 +-
lxd/util/sys.go | 2 +-
shared/idmap/idmapset_linux.go | 11 +++++++----
4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/lxd/main_activateifneeded.go b/lxd/main_activateifneeded.go
index 760478f0a..01806aef8 100644
--- a/lxd/main_activateifneeded.go
+++ b/lxd/main_activateifneeded.go
@@ -85,7 +85,7 @@ func (c *cmdActivateifneeded) Run(cmd *cobra.Command, args []string) error {
}
// Load the idmap for unprivileged containers
- d.os.IdmapSet, err = idmap.DefaultIdmapSet("")
+ d.os.IdmapSet, err = idmap.DefaultIdmapSet("", "")
if err != nil {
return err
}
diff --git a/lxd/main_init_interactive.go b/lxd/main_init_interactive.go
index 73ae50d59..24a940c76 100644
--- a/lxd/main_init_interactive.go
+++ b/lxd/main_init_interactive.go
@@ -586,7 +586,7 @@ your Linux distribution and run "lxd init" again afterwards.
func (c *cmdInit) askDaemon(config *initData, d lxd.ContainerServer) error {
// Detect lack of uid/gid
- idmapset, err := idmap.DefaultIdmapSet("")
+ idmapset, err := idmap.DefaultIdmapSet("", "")
if (err != nil || len(idmapset.Idmap) == 0 || idmapset.Usable() != nil) && shared.RunningInUserNS() {
fmt.Printf(`
We detected that you are running inside an unprivileged container.
diff --git a/lxd/util/sys.go b/lxd/util/sys.go
index 681ee79c2..2b227b2f8 100644
--- a/lxd/util/sys.go
+++ b/lxd/util/sys.go
@@ -40,7 +40,7 @@ func GetArchitectures() ([]int, error) {
// GetIdmapSet reads the uid/gid allocation.
func GetIdmapSet() *idmap.IdmapSet {
- idmapSet, err := idmap.DefaultIdmapSet("")
+ idmapSet, err := idmap.DefaultIdmapSet("", "")
if err != nil {
logger.Warn("Error reading default uid/gid map", log.Ctx{"err": err.Error()})
logger.Warnf("Only privileged containers will be able to run")
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index f284ea2a6..a13572410 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -660,7 +660,7 @@ func getFromProc(fname string) ([][]int64, error) {
/*
* Create a new default idmap
*/
-func DefaultIdmapSet(username string) (*IdmapSet, error) {
+func DefaultIdmapSet(rootfs string, username string) (*IdmapSet, error) {
idmapset := new(IdmapSet)
if username == "" {
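Review bot: The new `rootfs` parameter is not documented anywhere, and the function comment above the signature still only says "Create a new default idmap", so a caller cannot tell whether the empty string means the host root, whether a trailing slash matters, or whether the path must already be absolute. I would replace the comment with `// DefaultIdmapSet builds the default idmap for username (the current user when empty), reading /etc/subuid and /etc/subgid from under rootfs; an empty rootfs means the host filesystem.` The body of DefaultIdmapSet continues past this hunk, so any further assumptions about rootfs belong in that same comment.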
@@ -672,9 +672,12 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
username = currentUser.Username
}
- if shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") {
+ // Check if shadow's uidmap tools are installed
+ subuidPath := path.Join(rootfs, "/etc/subuid")
+ subgidPath := path.Join(rootfs, "/etc/subgid")
+ if shared.PathExists(subuidPath) && shared.PathExists(subgidPath) {
// Parse the shadow uidmap
- entries, err := getFromShadow("/etc/subuid", username)
+ entries, err := getFromShadow(subuidPath, username)
if err != nil {
return nil, err
}
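Review bot: `path.Join(rootfs, "/etc/subuid")` only concatenates strings; it does not confine the lookup to the alternate root, so if rootfs is a tree the daemon does not control (a container rootfs, which the commit message suggests is the intended use) an `etc/subuid` symlink pointing at an arbitrary host file will be opened by the daemon and its contents parsed as the user's subordinate ranges. Either the new comment should state that rootfs must be a trusted tree, or the resolved path should be checked to still lie under rootfs before `getFromShadow` reads it; `filepath.EvalSymlinks` plus a prefix check is the minimal version, though it is still racy against a concurrent rename and a trusted-tree requirement is the cleaner contract. Separately, these are OS paths, so `filepath.Join` is the idiomatic call rather than `path.Join`, and the leading slash in `"/etc/subuid"` is unnecessary once Join is used. DefaultIdmapSet starts and ends outside this hunk.
```go
	// Resolve the candidate files and refuse anything that escapes rootfs:
	// a symlink inside an untrusted tree must not let us read host files.
	subuidPath, err := resolveInRoot(rootfs, "etc/subuid")
	if err != nil {
		return nil, err
	}
	subgidPath, err := resolveInRoot(rootfs, "etc/subgid")
	if err != nil {
		return nil, err
	}
	// … unchanged: PathExists checks and getFromShadow parsing …

// resolveInRoot joins rel under rootfs and verifies the symlink-resolved
// result still lies within rootfs (an empty rootfs means the host root).
func resolveInRoot(rootfs string, rel string) (string, error) {
	root := filepath.Clean(filepath.Join("/", rootfs))
	candidate := filepath.Join(root, rel)
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		// a missing file is legitimate here; the caller checks PathExists
		return candidate, nil
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%s resolves outside of %s", candidate, root)
	}
	return resolved, nil
}
```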
@@ -693,7 +696,7 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
}
// Parse the shadow gidmap
- entries, err = getFromShadow("/etc/subgid", username)
+ entries, err = getFromShadow(subgidPath, username)
if err != nil {
return nil, err
}