[lxc-devel] [lxd/master] allow uidmaps to be parsed from alternate roots

tych0 on Github lxc-bot at linuxcontainers.org
Thu Jun 21 15:01:49 UTC 2018


From a1c243ae27ef2ab958fb35919e3231fa0e5630fc Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho at tycho.ws>
Date: Wed, 21 Feb 2018 09:29:30 -0700
Subject: [PATCH] allow uidmaps to be parsed from alternate roots

Since this code is handy, let's allow it to parse roots on the
filesystem other than just /.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>
---
 lxd/main_activateifneeded.go   |  2 +-
 lxd/main_init_interactive.go   |  2 +-
 lxd/util/sys.go                |  2 +-
 shared/idmap/idmapset_linux.go | 11 +++++++----
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/lxd/main_activateifneeded.go b/lxd/main_activateifneeded.go
index 760478f0a..01806aef8 100644
--- a/lxd/main_activateifneeded.go
+++ b/lxd/main_activateifneeded.go
@@ -85,7 +85,7 @@ func (c *cmdActivateifneeded) Run(cmd *cobra.Command, args []string) error {
 	}
 
 	// Load the idmap for unprivileged containers
-	d.os.IdmapSet, err = idmap.DefaultIdmapSet("")
+	d.os.IdmapSet, err = idmap.DefaultIdmapSet("", "")
 	if err != nil {
 		return err
 	}
diff --git a/lxd/main_init_interactive.go b/lxd/main_init_interactive.go
index 73ae50d59..24a940c76 100644
--- a/lxd/main_init_interactive.go
+++ b/lxd/main_init_interactive.go
@@ -586,7 +586,7 @@ your Linux distribution and run "lxd init" again afterwards.
 
 func (c *cmdInit) askDaemon(config *initData, d lxd.ContainerServer) error {
 	// Detect lack of uid/gid
-	idmapset, err := idmap.DefaultIdmapSet("")
+	idmapset, err := idmap.DefaultIdmapSet("", "")
 	if (err != nil || len(idmapset.Idmap) == 0 || idmapset.Usable() != nil) && shared.RunningInUserNS() {
 		fmt.Printf(`
 We detected that you are running inside an unprivileged container.
diff --git a/lxd/util/sys.go b/lxd/util/sys.go
index 681ee79c2..2b227b2f8 100644
--- a/lxd/util/sys.go
+++ b/lxd/util/sys.go
@@ -40,7 +40,7 @@ func GetArchitectures() ([]int, error) {
 
 // GetIdmapSet reads the uid/gid allocation.
 func GetIdmapSet() *idmap.IdmapSet {
-	idmapSet, err := idmap.DefaultIdmapSet("")
+	idmapSet, err := idmap.DefaultIdmapSet("", "")
 	if err != nil {
 		logger.Warn("Error reading default uid/gid map", log.Ctx{"err": err.Error()})
 		logger.Warnf("Only privileged containers will be able to run")
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index f284ea2a6..a13572410 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -660,7 +660,7 @@ func getFromProc(fname string) ([][]int64, error) {
 /*
  * Create a new default idmap
  */
-func DefaultIdmapSet(username string) (*IdmapSet, error) {
+func DefaultIdmapSet(rootfs string, username string) (*IdmapSet, error) {
 	idmapset := new(IdmapSet)
 
 	if username == "" {
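Review bot: The header comment above DefaultIdmapSet still reads only `Create a new default idmap` and says nothing about the new rootfs parameter or what an empty value means, even though every call site in this patch passes `""` and relies on path.Join resolving that to the host's /etc. Suggest replacing the block comment with a Go doc comment such as `// DefaultIdmapSet builds the default idmap for username by reading /etc/subuid and /etc/subgid relative to rootfs; an empty rootfs means the host filesystem.` DefaultIdmapSet's body continues past this hunk.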
@@ -672,9 +672,12 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
 		username = currentUser.Username
 	}
 
-	if shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") {
+	// Check if shadow's uidmap tools are installed
+	subuidPath := path.Join(rootfs, "/etc/subuid")
+	subgidPath := path.Join(rootfs, "/etc/subgid")
+	if shared.PathExists(subuidPath) && shared.PathExists(subgidPath) {
 		// Parse the shadow uidmap
-		entries, err := getFromShadow("/etc/subuid", username)
+		entries, err := getFromShadow(subuidPath, username)
 		if err != nil {
 			return nil, err
 		}
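Review bot: The paths built on the subuidPath and subgidPath lines are opened by getFromShadow with symlinks followed, so when rootfs is a tree the caller does not control (a container's rootfs, which the stated purpose of parsing other roots suggests), an /etc/subuid symlink inside that tree can point outside rootfs and the parse would read a host file chosen by whoever owns the tree. A comment on the rootfs parameter stating that it must be a trusted tree, or resolving both paths with a symlink-safe join before the existence check, would close that gap; I cannot see from this hunk how the future callers obtain rootfs. Separately, the new comment `// Check if shadow's uidmap tools are installed` overstates what the condition tests, which is only that both files exist under rootfs, so `// Use the shadow subordinate ID files only when both exist under rootfs` is more accurate. filepath.Join rather than path.Join is the conventional choice for filesystem paths, though in this Linux-only file the result is identical.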
@@ -693,7 +696,7 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
 		}
 
 		// Parse the shadow gidmap
-		entries, err = getFromShadow("/etc/subgid", username)
+		entries, err = getFromShadow(subgidPath, username)
 		if err != nil {
 			return nil, err
 		}

