-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libcontainer/userns: simplify, and separate from "user" package. #2868
Conversation
7bd6133
to
36a717a
Compare
centos7 failure is a flake; filed #2907 CI restarted. |
Looks like it passed this time ✅ |
cfc5f86
to
ad6c041
Compare
Ok, rebase fixed that; all ✅ again 😅 |
LGTM overall, left a single nit about ignoring error from Sscanf (not super important) |
ad6c041
to
252ca0d
Compare
libcontainer/userns/userns_linux.go
Outdated
if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 { | ||
if err == nil && a == 0 && b == 0 && c == 4294967295 { | ||
return false | ||
} | ||
return true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made this change per suggestion in #2868 (comment)
Looking at the logic now, I'm wondering if return true
is "correct" if we have an error; is it ok to assume that we are in userns if we receive an error, or should we assume the reverse?
I guess if this file is not parsable, it means things are non-functional anyway, so perhaps not an issue (but looking from the other perspective; if the file-mapping is not-parsable, we likely won't be able to be using user-namespaces, in which case false
would make more sense)
@AkihiroSuda @kolyshkin wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternative would be:
func uidMapInUserNS(uidMap string) bool {
var a, b, c int64
_, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c)
if err != nil {
return false
}
/*
* We assume we are in the initial user namespace if we have a full
* range - 4294967295 uids starting at uid 0.
*/
if a == 0 && b == 0 && c == 4294967295 {
return false
}
return true
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One other way would be to panic()
if we can't parse this. That is too radical I think.
As to whether return true
or false
in case we're not sure, I'd say emit a warning and return false
as e.g. cgroups/fs drivers use true
to skip devices setting, and we don't want that.
So I like your last version, which can be further simplified by doing
initns := a == 0 && b == 0 && c == 4294967295
return !initns
I'd also replace the comment ("We assume we are ...") with a reference to user_namespaces(7)
:
// As per user_namespaces(7), /proc/self/uid_map of
// the initial user namespace shows 0 0 4294967295.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think in lxc, they don't check uidMap == ""
, so they return true
when got an EOF
error.
But we checked this, so return false
is correct, I think it will never happen.
6914ea0
to
e1eb92b
Compare
@kolyshkin updated per your suggestions, PTAL |
e1eb92b
to
1eb9b53
Compare
rebased to get a fresh run of CI |
@thaJeztah this needs another rebase because of a recent regression |
1eb9b53
to
482b48c
Compare
👍 rebased to trigger CI again |
482b48c
to
dcad12f
Compare
rebased again; @kolyshkin @AkihiroSuda PTAL |
dcad12f
to
56e20d7
Compare
@kolyshkin @AkihiroSuda PTAL |
56e20d7
to
74abebf
Compare
74abebf
to
814cfd4
Compare
814cfd4
to
226e518
Compare
226e518
to
6c1720f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
libcontainer/userns/userns_linux.go
Outdated
@@ -12,26 +13,42 @@ var ( | |||
) | |||
|
|||
// runningInUserNS detects whether we are currently running in a user namespace. | |||
// Originally copied from github.com/lxc/lxd/shared/util.go | |||
// Originally copied from github.com/lxc/lxd/shared/util.go. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This link is gone now. Now it's in here: https://github.com/lxc/incus/blob/main/shared/util.go#L678-L700
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx; updated to use a permalink
This makes libcontainer/userns self-dependent, largely returning to the original implementation from lxc. The `uiMapInUserNS` is kept as a separate function for unit-testing and fuzzing. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
6c1720f
to
d8e9ed3
Compare
@kolyshkin @lifubang good to go? |
@thaJeztah |
@AkihiroSuda hm.. good one, not sure if we discussed that option. I know containerd has similar code (could've been a fork of this package?) But now that containerd already depends on moby/sys/user, perhaps it would make sense to move it; if we do, we should probably check if containerd has fixes/changes that we want to integrate (and vice-versa). |
follow-up to #2850
(only last commit is new)mergedThis makes libcontainer/userns self-dependent, largely returning to the original implementation from lxc. The
uiMapInUserNS
is kept as a separate function for unit-testing and fuzzing.