From 223f60e926be427f18908b1b33c8d036e1847691 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 20 Feb 2023 14:05:04 +0100 Subject: [PATCH] libpod: always use direct mapping always use the direct mapping when writing the mappings for an idmapped mount. crun was previously using the reverse mapping, which is not correct and it is being addressed here: https://github.com/containers/crun/pull/1147 Signed-off-by: Giuseppe Scrivano (cherry picked from commit af8d649da7ff2fa2bcae1c9e7d169bba62e7013c) --- libpod/container_internal_common.go | 8 ++++---- libpod/container_internal_test.go | 20 ++++++++++---------- test/e2e/run_userns_test.go | 2 ++ 3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 3a0e46be7c..3752afe511 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -102,15 +102,15 @@ func parseIDMapMountOption(idMappings stypes.IDMappingOptions, option string) ([
 gidMappings := make([]spec.LinuxIDMapping, len(gidMap))
 for i, uidmap := range uidMap {
 uidMappings[i] = spec.LinuxIDMapping{
- HostID: uint32(uidmap.ContainerID),
- ContainerID: uint32(uidmap.HostID),
+ HostID: uint32(uidmap.HostID),
+ ContainerID: uint32(uidmap.ContainerID),
 Size: uint32(uidmap.Size),
 }
 }
 for i, gidmap := range gidMap {
 gidMappings[i] = spec.LinuxIDMapping{
- HostID: uint32(gidmap.ContainerID),
- ContainerID: uint32(gidmap.HostID),
+ HostID: uint32(gidmap.HostID),
+ ContainerID: uint32(gidmap.ContainerID),
 Size: uint32(gidmap.Size),
 }
 }
diff --git a/libpod/container_internal_test.go b/libpod/container_internal_test.go
index 167ffabe64..d8a4b04d7b 100644
--- a/libpod/container_internal_test.go
+++ b/libpod/container_internal_test.go
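Review bot: In `parseIDMapMountOption` (libpod/container_internal_common.go) nothing at the two loops records that the mapping direction written here now depends on how the OCI runtime interprets it. The commit message says crun used to apply the reverse mapping, so with a crun that lacks the linked change the IDs would presumably be translated in the opposite direction on the idmapped mount, which changes the file ownership the container sees. I would add a comment above the first loop such as `// Mappings are passed through unchanged (direct mapping); the runtime must not reverse them, see https://github.com/containers/crun/pull/1147`. The function starts and ends outside the hunk, so any runtime check made elsewhere is not visible here.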
@@ -70,12 +70,12 @@ func TestParseIDMapMountOption(t *testing.T) {
 assert.Equal(t, len(uids), 1)
 assert.Equal(t, len(gids), 1)
- assert.Equal(t, uids[0].ContainerID, uint32(1000))
- assert.Equal(t, uids[0].HostID, uint32(0))
+ assert.Equal(t, uids[0].HostID, uint32(1000))
+ assert.Equal(t, uids[0].ContainerID, uint32(0))
 assert.Equal(t, uids[0].Size, uint32(10000))
- assert.Equal(t, gids[0].ContainerID, uint32(2000))
- assert.Equal(t, gids[0].HostID, uint32(0))
+ assert.Equal(t, gids[0].HostID, uint32(2000))
+ assert.Equal(t, gids[0].ContainerID, uint32(0))
 assert.Equal(t, gids[0].Size, uint32(10000))
 uids, gids, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10")
@@ -83,16 +83,16 @@ func TestParseIDMapMountOption(t *testing.T) {
 assert.Equal(t, len(uids), 2)
 assert.Equal(t, len(gids), 1)
- assert.Equal(t, uids[0].ContainerID, uint32(1))
- assert.Equal(t, uids[0].HostID, uint32(0))
+ assert.Equal(t, uids[0].HostID, uint32(1))
+ assert.Equal(t, uids[0].ContainerID, uint32(0))
 assert.Equal(t, uids[0].Size, uint32(10))
- assert.Equal(t, uids[1].ContainerID, uint32(11))
- assert.Equal(t, uids[1].HostID, uint32(10))
+ assert.Equal(t, uids[1].HostID, uint32(11))
+ assert.Equal(t, uids[1].ContainerID, uint32(10))
 assert.Equal(t, uids[1].Size, uint32(10))
- assert.Equal(t, gids[0].ContainerID, uint32(3))
- assert.Equal(t, gids[0].HostID, uint32(0))
+ assert.Equal(t, gids[0].HostID, uint32(3))
+ assert.Equal(t, gids[0].ContainerID, uint32(0))
 assert.Equal(t, gids[0].Size, uint32(10))
 _, _, err = parseIDMapMountOption(options, "idmap=uids=0-1-10#10-11-10;gids=0-3-10;foobar=bar")
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index da58f6d206..17132e0efe 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
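Review bot: The rewritten assertions in both hunks of `TestParseIDMapMountOption` (at -70 and at -83) pass the parsed value first and the constant second, for example `assert.Equal(t, uids[0].HostID, uint32(1000))`. Assuming `assert` is testify, `Equal` takes `(t, expected, actual)`, so a failure would report the parsed ID as the expected one, which is misleading when the regression being chased is a swapped HostID/ContainerID. Since these lines are being rewritten anyway, I would flip them to `assert.Equal(t, uint32(1000), uids[0].HostID)` and do the same for the rest. The test function begins before the first hunk and continues past the second.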
@@ -109,6 +109,8 @@ var _ = Describe("Podman UserNS support", func() {
 })
 It("podman uidmapping and gidmapping with an idmapped volume", func() {
+ Skip("it depends on a breaking change in crun: https://github.com/containers/crun/pull/1147")
+
 session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "stat", "-c", "#%u:%g#", "/foo"})
 session.WaitWithDefaultTimeout()
 if strings.Contains(session.ErrorToString(), "Operation not permitted") {
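Review bot: The added `Skip(...)` at the top of the "podman uidmapping and gidmapping with an idmapped volume" spec is unconditional, so the end-to-end ownership check for an idmapped volume stops running on every runtime in the same commit that flips the mapping direction. Nothing marks when it should come back. I would add `// TODO: remove once the crun used in CI includes https://github.com/containers/crun/pull/1147` above the call, or skip only when the runtime is known to lack that change. The spec body continues outside the hunk.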