libcontainer/userns: simplify, and separate from "user" package.#2868
libcontainer/userns: simplify, and separate from "user" package.#2868AkihiroSuda merged 1 commit intoopencontainers:mainfrom
Conversation
thaJeztah
force-pushed
the
userns_simplify
branch
2 times, most recently
from
7bd6133 to
36a717a
Compare
|
centos7 failure is a flake; filed #2907 CI restarted. |
|
Looks like it passed this time ✅ |
thaJeztah
force-pushed
the
userns_simplify
branch
2 times, most recently
from
cfc5f86 to
ad6c041
Compare
|
Ok, rebase fixed that; all ✅ again 😅 |
|
LGTM overall, left a single nit about ignoring error from Sscanf (not super important) |
thaJeztah
force-pushed
the
userns_simplify
branch
from
ad6c041 to
252ca0d
Compare
libcontainer/userns/userns_linux.go
Outdated
| */ | ||
| if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 { | ||
| if err == nil && a == 0 && b == 0 && c == 4294967295 { | ||
| return false | ||
| } | ||
| return true |
There was a problem hiding this comment.
Made this change per suggestion in #2868 (comment)
Looking at the logic now, I'm wondering if return true is "correct" if we have an error; is it ok to assume that we are in userns if we receive an error, or should we assume the reverse?
I guess if this file is not parsable, it means things are non-functional anyway, so perhaps not an issue (but looking from the other perspective; if the file-mapping is not-parsable, we likely won't be able to be using user-namespaces, in which case false would make more sense)
@AkihiroSuda @kolyshkin wdyt?
There was a problem hiding this comment.
Alternative would be:
func uidMapInUserNS(uidMap string) bool {
var a, b, c int64
_, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c)
if err != nil {
return false
}
/*
* We assume we are in the initial user namespace if we have a full
* range - 4294967295 uids starting at uid 0.
*/
if a == 0 && b == 0 && c == 4294967295 {
return false
}
return true
}
There was a problem hiding this comment.
One other way would be to panic() if we can't parse this. That is too radical I think.
As to whether return true or false in case we're not sure, I'd say emit a warning and return false as e.g. cgroups/fs drivers use true to skip devices setting, and we don't want that.
So I like your last version, which can be further simplified by doing
initns := a == 0 && b == 0 && c == 4294967295
return !initnsI'd also replace the comment ("We assume we are ...") with a reference to user_namespaces(7):
// As per user_namespaces(7), /proc/self/uid_map of
// the initial user namespace shows 0 0 4294967295.
There was a problem hiding this comment.
Yes, I think in lxc, they don't check uidMap == "", so they return true when got an EOF error.
But we checked this, so return false is correct, I think it will never happen.
thaJeztah
force-pushed
the
userns_simplify
branch
4 times, most recently
from
6914ea0 to
e1eb92b
Compare
|
@kolyshkin updated per your suggestions, PTAL |
thaJeztah
force-pushed
the
userns_simplify
branch
from
e1eb92b to
1eb9b53
Compare
|
rebased to get a fresh run of CI |
|
@thaJeztah this needs another rebase because of a recent regression |
thaJeztah
force-pushed
the
userns_simplify
branch
from
1eb9b53 to
482b48c
Compare
|
👍 rebased to trigger CI again |
thaJeztah
force-pushed
the
userns_simplify
branch
from
482b48c to
dcad12f
Compare
|
rebased again; @kolyshkin @AkihiroSuda PTAL |
thaJeztah
force-pushed
the
userns_simplify
branch
from
dcad12f to
56e20d7
Compare
|
@kolyshkin @AkihiroSuda PTAL |
thaJeztah
force-pushed
the
userns_simplify
branch
from
56e20d7 to
74abebf
Compare
thaJeztah
force-pushed
the
userns_simplify
branch
from
74abebf to
814cfd4
Compare
thaJeztah
force-pushed
the
userns_simplify
branch
from
814cfd4 to
226e518
Compare
thaJeztah
force-pushed
the
userns_simplify
branch
from
226e518 to
6c1720f
Compare
libcontainer/userns/userns_linux.go
Outdated
|
|
||
| // runningInUserNS detects whether we are currently running in a user namespace. | ||
| // Originally copied from github.com/lxc/lxd/shared/util.go | ||
| // Originally copied from github.com/lxc/lxd/shared/util.go. |
There was a problem hiding this comment.
This link is gone now. Now it's in here: https://github.com/lxc/incus/blob/main/shared/util.go#L678-L700
There was a problem hiding this comment.
Thx; updated to use a permalink
This makes libcontainer/userns self-dependent, largely returning to the original implementation from lxc. The `uiMapInUserNS` is kept as a separate function for unit-testing and fuzzing. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
userns_simplify
branch
from
6c1720f to
d8e9ed3
Compare
|
@kolyshkin @lifubang good to go? |
|
@thaJeztah |
|
@AkihiroSuda hm.. good one, not sure if we discussed that option. I know containerd has similar code (could've been a fork of this package?) But now that containerd already depends on moby/sys/user, perhaps it would make sense to move it; if we do, we should probably check if containerd has fixes/changes that we want to integrate (and vice-versa). |
5 participants
follow-up to #2850
(only last commit is new)mergedThis makes libcontainer/userns self-dependent, largely returning to the original implementation from lxc. The
uiMapInUserNSis kept as a separate function for unit-testing and fuzzing.