Browse code
pkg/chrootarchive: use containerd/sys to detect UserNamespaces
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2020/06/15 20:07:23Showing 2 changed files
| ... | ... |
@@ -6,9 +6,9 @@ import ( |
| 6 | 6 |
"os" |
| 7 | 7 |
"path/filepath" |
| 8 | 8 |
|
| 9 |
+ "github.com/containerd/containerd/sys" |
|
| 9 | 10 |
"github.com/moby/sys/mount" |
| 10 | 11 |
"github.com/moby/sys/mountinfo" |
| 11 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 12 | 12 |
"golang.org/x/sys/unix" |
| 13 | 13 |
) |
| 14 | 14 |
|
| ... | ... |
@@ -20,7 +20,7 @@ import ( |
| 20 | 20 |
// This is similar to how libcontainer sets up a container's rootfs |
| 21 | 21 |
func chroot(path string) (err error) {
|
| 22 | 22 |
// if the engine is running in a user namespace we need to use actual chroot |
| 23 |
- if rsystem.RunningInUserNS() {
|
|
| 23 |
+ if sys.RunningInUserNS() {
|
|
| 24 | 24 |
return realChroot(path) |
| 25 | 25 |
} |
| 26 | 26 |
if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
|
| ... | ... |
@@ -13,10 +13,10 @@ import ( |
| 13 | 13 |
"path/filepath" |
| 14 | 14 |
"runtime" |
| 15 | 15 |
|
| 16 |
+ "github.com/containerd/containerd/sys" |
|
| 16 | 17 |
"github.com/docker/docker/pkg/archive" |
| 17 | 18 |
"github.com/docker/docker/pkg/reexec" |
| 18 | 19 |
"github.com/docker/docker/pkg/system" |
| 19 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 20 | 20 |
) |
| 21 | 21 |
|
| 22 | 22 |
type applyLayerResponse struct {
|
| ... | ... |
@@ -36,7 +36,7 @@ func applyLayer() {
|
| 36 | 36 |
runtime.LockOSThread() |
| 37 | 37 |
flag.Parse() |
| 38 | 38 |
|
| 39 |
- inUserns := rsystem.RunningInUserNS() |
|
| 39 |
+ inUserns := sys.RunningInUserNS() |
|
| 40 | 40 |
if err := chroot(flag.Arg(0)); err != nil {
|
| 41 | 41 |
fatal(err) |
| 42 | 42 |
} |
| ... | ... |
@@ -95,7 +95,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions |
| 95 | 95 |
} |
| 96 | 96 |
if options == nil {
|
| 97 | 97 |
options = &archive.TarOptions{}
|
| 98 |
- if rsystem.RunningInUserNS() {
|
|
| 98 |
+ if sys.RunningInUserNS() {
|
|
| 99 | 99 |
options.InUserNS = true |
| 100 | 100 |
} |
| 101 | 101 |
} |