Browse code
oci: correctly use user.GetExecUser interface
A nil interface in Go is not the same as a nil pointer that satisfies
the interface. libcontainer/user has special handling for missing
/etc/{passwd,group} files but this is all based on nil interface checks,
which were broken by Docker's usage of the API.
When combined with some recent changes in runc that made read errors
actually be returned to the caller, this results in spurrious -EINVAL
errors when we should detect the situation as "there is no passwd file".
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Aleksa Sarai authored on 2020/07/29 11:43:43Showing 1 changed files
| ... | ... |
@@ -176,7 +176,14 @@ func readUserFile(c *container.Container, p string) (io.ReadCloser, error) {
|
| 176 | 176 |
if err != nil {
|
| 177 | 177 |
return nil, err |
| 178 | 178 |
} |
| 179 |
- return os.Open(fp) |
|
| 179 |
+ fh, err := os.Open(fp) |
|
| 180 |
+ if err != nil {
|
|
| 181 |
+ // This is needed because a nil *os.File is different to a nil |
|
| 182 |
+ // io.ReadCloser and this causes GetExecUser to not detect that the |
|
| 183 |
+ // container file is missing. |
|
| 184 |
+ return nil, err |
|
| 185 |
+ } |
|
| 186 |
+ return fh, nil |
|
| 180 | 187 |
} |
| 181 | 188 |
|
| 182 | 189 |
func getUser(c *container.Container, username string) (uint32, uint32, []uint32, error) {
|