Browse code
pkg/archive: use containerd/sys to detect UserNamespaces
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2020/06/15 20:06:47Showing 4 changed files
- pkg/archive/archive_linux_test.go
- pkg/archive/archive_test.go
- pkg/archive/archive_unix.go
- pkg/archive/archive_unix_test.go
| ... | ... |
@@ -9,10 +9,10 @@ import ( |
| 9 | 9 |
"syscall" |
| 10 | 10 |
"testing" |
| 11 | 11 |
|
| 12 |
+ "github.com/containerd/containerd/sys" |
|
| 12 | 13 |
"github.com/docker/docker/pkg/reexec" |
| 13 | 14 |
"github.com/docker/docker/pkg/system" |
| 14 | 15 |
"github.com/moby/sys/mount" |
| 15 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 16 | 16 |
"github.com/pkg/errors" |
| 17 | 17 |
"golang.org/x/sys/unix" |
| 18 | 18 |
"gotest.tools/v3/assert" |
| ... | ... |
@@ -30,7 +30,7 @@ import ( |
| 30 | 30 |
// └── f1 # whiteout, 0644 |
| 31 | 31 |
func setupOverlayTestDir(t *testing.T, src string) {
|
| 32 | 32 |
skip.If(t, os.Getuid() != 0, "skipping test that requires root") |
| 33 |
- skip.If(t, rsystem.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)") |
|
| 33 |
+ skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)") |
|
| 34 | 34 |
// Create opaque directory containing single file and permission 0700 |
| 35 | 35 |
err := os.Mkdir(filepath.Join(src, "d1"), 0700) |
| 36 | 36 |
assert.NilError(t, err) |
| ... | ... |
@@ -248,7 +248,7 @@ func isOpaque(dir string) error {
|
| 248 | 248 |
|
| 249 | 249 |
func TestReexecUserNSOverlayWhiteoutConverter(t *testing.T) {
|
| 250 | 250 |
skip.If(t, os.Getuid() != 0, "skipping test that requires root") |
| 251 |
- skip.If(t, rsystem.RunningInUserNS(), "skipping test that requires initial userns") |
|
| 251 |
+ skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns") |
|
| 252 | 252 |
if err := supportsUserNSOverlay(); err != nil {
|
| 253 | 253 |
t.Skipf("skipping test that requires kernel support for overlay-in-userns: %v", err)
|
| 254 | 254 |
} |
| ... | ... |
@@ -16,9 +16,9 @@ import ( |
| 16 | 16 |
"testing" |
| 17 | 17 |
"time" |
| 18 | 18 |
|
| 19 |
+ "github.com/containerd/containerd/sys" |
|
| 19 | 20 |
"github.com/docker/docker/pkg/idtools" |
| 20 | 21 |
"github.com/docker/docker/pkg/ioutils" |
| 21 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 22 | 22 |
"gotest.tools/v3/assert" |
| 23 | 23 |
is "gotest.tools/v3/assert/cmp" |
| 24 | 24 |
"gotest.tools/v3/skip" |
| ... | ... |
@@ -1230,7 +1230,7 @@ func TestReplaceFileTarWrapper(t *testing.T) {
|
| 1230 | 1230 |
// version of this package that was built with <=go17 are still readable. |
| 1231 | 1231 |
func TestPrefixHeaderReadable(t *testing.T) {
|
| 1232 | 1232 |
skip.If(t, runtime.GOOS != "windows" && os.Getuid() != 0, "skipping test that requires root") |
| 1233 |
- skip.If(t, rsystem.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns") |
|
| 1233 |
+ skip.If(t, sys.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns") |
|
| 1234 | 1234 |
// https://gist.github.com/stevvooe/e2a790ad4e97425896206c0816e1a882#file-out-go |
| 1235 | 1235 |
var testFile = []byte("\x1f\x8b\x08\x08\x44\x21\x68\x59\x00\x03\x74\x2e\x74\x61\x72\x00\x4b\xcb\xcf\x67\xa0\x35\x30\x80\x00\x86\x06\x10\x47\x01\xc1\x37\x40\x00\x54\xb6\xb1\xa1\xa9\x99\x09\x48\x25\x1d\x40\x69\x71\x49\x62\x91\x02\xe5\x76\xa1\x79\x84\x21\x91\xd6\x80\x72\xaf\x8f\x82\x51\x30\x0a\x46\x36\x00\x00\xf0\x1c\x1e\x95\x00\x06\x00\x00")
|
| 1236 | 1236 |
|
| ... | ... |
@@ -10,9 +10,9 @@ import ( |
| 10 | 10 |
"strings" |
| 11 | 11 |
"syscall" |
| 12 | 12 |
|
| 13 |
+ "github.com/containerd/containerd/sys" |
|
| 13 | 14 |
"github.com/docker/docker/pkg/idtools" |
| 14 | 15 |
"github.com/docker/docker/pkg/system" |
| 15 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 16 | 16 |
"golang.org/x/sys/unix" |
| 17 | 17 |
) |
| 18 | 18 |
|
| ... | ... |
@@ -81,7 +81,7 @@ func getFileUIDGID(stat interface{}) (idtools.Identity, error) {
|
| 81 | 81 |
// handleTarTypeBlockCharFifo is an OS-specific helper function used by |
| 82 | 82 |
// createTarFile to handle the following types of header: Block; Char; Fifo |
| 83 | 83 |
func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
|
| 84 |
- if rsystem.RunningInUserNS() {
|
|
| 84 |
+ if sys.RunningInUserNS() {
|
|
| 85 | 85 |
// cannot create a device if running in user namespace |
| 86 | 86 |
return nil |
| 87 | 87 |
} |
| ... | ... |
@@ -13,8 +13,8 @@ import ( |
| 13 | 13 |
"syscall" |
| 14 | 14 |
"testing" |
| 15 | 15 |
|
| 16 |
+ "github.com/containerd/containerd/sys" |
|
| 16 | 17 |
"github.com/docker/docker/pkg/system" |
| 17 |
- rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 18 | 18 |
"golang.org/x/sys/unix" |
| 19 | 19 |
"gotest.tools/v3/assert" |
| 20 | 20 |
is "gotest.tools/v3/assert/cmp" |
| ... | ... |
@@ -184,7 +184,7 @@ func getInode(path string) (uint64, error) {
|
| 184 | 184 |
|
| 185 | 185 |
func TestTarWithBlockCharFifo(t *testing.T) {
|
| 186 | 186 |
skip.If(t, os.Getuid() != 0, "skipping test that requires root") |
| 187 |
- skip.If(t, rsystem.RunningInUserNS(), "skipping test that requires initial userns") |
|
| 187 |
+ skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns") |
|
| 188 | 188 |
origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
|
| 189 | 189 |
assert.NilError(t, err) |
| 190 | 190 |
|