diff --git a/Makefile b/Makefile index 293736b652..6cf72c6c48 100644 --- a/Makefile +++ b/Makefile @@ -86,6 +86,7 @@ install.tools: go get -u $(BUILDFLAGS) github.com/cpuguy83/go-md2man go get -u $(BUILDFLAGS) github.com/vbatts/git-validation go get -u $(BUILDFLAGS) gopkg.in/alecthomas/gometalinter.v1 + go get -u $(BUILDFLAGS) github.com/pquerna/ffjson gometalinter.v1 -i help: ## this help diff --git a/drivers/aufs/aufs.go b/drivers/aufs/aufs.go index ff367a1262..bee4a598ea 100644 --- a/drivers/aufs/aufs.go +++ b/drivers/aufs/aufs.go @@ -416,7 +416,7 @@ func atomicRemove(source string) error { // Get returns the rootfs path for the id. // This will mount the dir at its given path -func (a *Driver) Get(id, mountLabel string) (string, error) { +func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { a.locker.Lock(id) defer a.locker.Unlock(id) parents, err := a.getParentLayerPaths(id) @@ -728,3 +728,8 @@ func useDirperm() bool { func (a *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error { return fmt.Errorf("aufs doesn't support changing ID mappings") } + +// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS +func (a *Driver) SupportsShifting() bool { + return false +} diff --git a/drivers/aufs/aufs_test.go b/drivers/aufs/aufs_test.go index 4fc4eb235b..59be868d1c 100644 --- a/drivers/aufs/aufs_test.go +++ b/drivers/aufs/aufs_test.go @@ -44,7 +44,7 @@ func testInit(dir string, t testing.TB) graphdriver.Driver { } func driverGet(d *Driver, id string, mntLabel string) (string, error) { - return d.Get(id, mntLabel) + return d.Get(id, mntLabel, nil, nil) } func newDriver(t testing.TB) *Driver { @@ -171,7 +171,7 @@ func TestGetWithoutParent(t *testing.T) { t.Fatal(err) } - diffPath, err := d.Get("1", "") + diffPath, err := d.Get("1", "", nil, nil) if err != nil { t.Fatal(err) } @@ -224,7 +224,7 @@ func TestMountedTrueResponse(t *testing.T) { err = d.Create("2", "1", nil) require.NoError(t, err) - _, err = d.Get("2", "") + _, err = d.Get("2", "", nil, nil) require.NoError(t, err) response, err := d.mounted(d.pathCache["2"]) @@ -249,7 +249,7 @@ func TestMountWithParent(t *testing.T) { } }() - mntPath, err := d.Get("2", "") + mntPath, err := d.Get("2", "", nil, nil) if err != nil { t.Fatal(err) } @@ -280,7 +280,7 @@ func TestRemoveMountedDir(t *testing.T) { } }() - mntPath, err := d.Get("2", "") + mntPath, err := d.Get("2", "", nil, nil) if err != nil { t.Fatal(err) } @@ -760,7 +760,7 @@ func BenchmarkConcurrentAccess(b *testing.B) { for i := 0; i < b.N; i++ { innerGroup.Add(1) go func() { - d.Get(id, "") + d.Get(id, "", nil, nil) d.Put(id) innerGroup.Done() }() diff --git a/drivers/btrfs/btrfs.go b/drivers/btrfs/btrfs.go index 842079a1c8..2dd81b0c0d 100644 --- a/drivers/btrfs/btrfs.go +++ b/drivers/btrfs/btrfs.go @@ -634,7 +634,7 @@ func (d *Driver) Remove(id string) error { } // Get the requested filesystem id. -func (d *Driver) Get(id, mountLabel string) (string, error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { dir := d.subvolumesDirID(id) st, err := os.Stat(dir) if err != nil { diff --git a/drivers/btrfs/btrfs_test.go b/drivers/btrfs/btrfs_test.go index 0aab78b15a..53a17b3b93 100644 --- a/drivers/btrfs/btrfs_test.go +++ b/drivers/btrfs/btrfs_test.go @@ -35,7 +35,7 @@ func TestBtrfsSubvolDelete(t *testing.T) { } defer graphtest.PutDriver(t) - dir, err := d.Get("test", "") + dir, err := d.Get("test", "", nil, nil) if err != nil { t.Fatal(err) } diff --git a/drivers/chown.go b/drivers/chown.go index bcba12de96..168bb7e345 100644 --- a/drivers/chown.go +++ b/drivers/chown.go @@ -114,7 +114,7 @@ func NewNaiveLayerIDMapUpdater(driver ProtoDriver) LayerIDMapUpdater { // same "container" IDs. func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error { driver := n.ProtoDriver - layerFs, err := driver.Get(id, mountLabel) + layerFs, err := driver.Get(id, mountLabel, nil, nil) if err != nil { return err } @@ -124,3 +124,8 @@ func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost return ChownPathByMaps(layerFs, toContainer, toHost) } + +// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS +func (n *naiveLayerIDMapUpdater) SupportsShifting() bool { + return false +} diff --git a/drivers/devmapper/driver.go b/drivers/devmapper/driver.go index a4ec6ebfdb..4aaca65084 100644 --- a/drivers/devmapper/driver.go +++ b/drivers/devmapper/driver.go @@ -163,7 +163,7 @@ func (d *Driver) Remove(id string) error { } // Get mounts a device with given id into the root filesystem -func (d *Driver) Get(id, mountLabel string) (string, error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { d.locker.Lock(id) defer d.locker.Unlock(id) mp := path.Join(d.home, "mnt", id) diff --git a/drivers/driver.go b/drivers/driver.go index 1b4ad336d5..40b911ab79 100644 --- a/drivers/driver.go +++ b/drivers/driver.go @@ -66,8 +66,9 @@ type ProtoDriver interface { Remove(id string) error // Get returns the mountpoint for the layered filesystem referred // to by this id. You can optionally specify a mountLabel or "". + // Optionally it gets the mappings used to create the layer. // Returns the absolute path to the mounted layered filesystem. - Get(id, mountLabel string) (dir string, err error) + Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (dir string, err error) // Put releases the system resources for the specified id, // e.g, unmounting layered filesystem. Put(id string) error @@ -118,6 +119,10 @@ type LayerIDMapUpdater interface { // relative to a parent layer, but before this method is called, may be discarded // by Diff(). UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error + + // SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in a + // image and it is not required to Chown the files when running in an user namespace. + SupportsShifting() bool } // Driver is the interface for layered/snapshot file system drivers. diff --git a/drivers/fsdiff.go b/drivers/fsdiff.go index 9c11a069c8..64541e269c 100644 --- a/drivers/fsdiff.go +++ b/drivers/fsdiff.go @@ -51,7 +51,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare parentMappings = &idtools.IDMappings{} } - layerFs, err := driver.Get(id, mountLabel) + layerFs, err := driver.Get(id, mountLabel, nil, nil) if err != nil { return nil, err } @@ -78,7 +78,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare }), nil } - parentFs, err := driver.Get(parent, mountLabel) + parentFs, err := driver.Get(parent, mountLabel, nil, nil) if err != nil { return nil, err } @@ -119,7 +119,7 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p parentMappings = &idtools.IDMappings{} } - layerFs, err := driver.Get(id, mountLabel) + layerFs, err := driver.Get(id, mountLabel, nil, nil) if err != nil { return nil, err } @@ -128,7 +128,7 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p parentFs := "" if parent != "" { - parentFs, err = driver.Get(parent, mountLabel) + parentFs, err = driver.Get(parent, mountLabel, nil, nil) if err != nil { return nil, err } @@ -149,7 +149,7 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id string, applyMappings *idtools.IDMappin } // Mount the root filesystem so we can apply the diff/layer. - layerFs, err := driver.Get(id, mountLabel) + layerFs, err := driver.Get(id, mountLabel, nil, nil) if err != nil { return } @@ -189,7 +189,7 @@ func (gdw *NaiveDiffDriver) DiffSize(id string, idMappings *idtools.IDMappings, return } - layerFs, err := driver.Get(id, mountLabel) + layerFs, err := driver.Get(id, mountLabel, nil, nil) if err != nil { return } diff --git a/drivers/graphtest/graphbench_unix.go b/drivers/graphtest/graphbench_unix.go index 827d0af484..08517de617 100644 --- a/drivers/graphtest/graphbench_unix.go +++ b/drivers/graphtest/graphbench_unix.go @@ -44,7 +44,7 @@ func DriverBenchGetEmpty(b *testing.B, drivername string, driveroptions ...strin b.ResetTimer() for i := 0; i < b.N; i++ { - _, err := driver.Get(base, "") + _, err := driver.Get(base, "", nil, nil) b.StopTimer() if err != nil { b.Fatalf("Error getting mount: %s", err) @@ -235,7 +235,7 @@ func DriverBenchDeepLayerRead(b *testing.B, layerCount int, drivername string, d b.Fatal(err) } - root, err := driver.Get(topLayer, "") + root, err := driver.Get(topLayer, "", nil, nil) if err != nil { b.Fatal(err) } diff --git a/drivers/graphtest/graphtest_unix.go b/drivers/graphtest/graphtest_unix.go index 806fcd719b..125e572ef4 100644 --- a/drivers/graphtest/graphtest_unix.go +++ b/drivers/graphtest/graphtest_unix.go @@ -99,7 +99,7 @@ func DriverTestCreateEmpty(t testing.TB, drivername string, driverOptions ...str t.Fatal("Newly created image doesn't exist") } - dir, err := driver.Get("empty", "") + dir, err := driver.Get("empty", "", nil, nil) require.NoError(t, err) verifyFile(t, dir, 0755|os.ModeDir, 0, 0) @@ -327,7 +327,7 @@ func DriverTestSetQuota(t *testing.T, drivername string) { t.Fatal(err) } - mountPath, err := driver.Get("zfsTest", "") + mountPath, err := driver.Get("zfsTest", "", nil, nil) if err != nil { t.Fatal(err) } @@ -357,7 +357,7 @@ func DriverTestEcho(t testing.TB, drivername string, driverOptions ...string) { t.Fatal(err) } - if root, err = driver.Get(base, ""); err != nil { + if root, err = driver.Get(base, "", nil, nil); err != nil { t.Fatal(err) } @@ -392,7 +392,7 @@ func DriverTestEcho(t testing.TB, drivername string, driverOptions ...string) { t.Fatal(err) } - if root, err = driver.Get(second, ""); err != nil { + if root, err = driver.Get(second, "", nil, nil); err != nil { t.Fatal(err) } @@ -418,7 +418,7 @@ func DriverTestEcho(t testing.TB, drivername string, driverOptions ...string) { t.Fatal(err) } - if root, err = driver.Get(third, ""); err != nil { + if root, err = driver.Get(third, "", nil, nil); err != nil { t.Fatal(err) } diff --git a/drivers/graphtest/testutil.go b/drivers/graphtest/testutil.go index b50fbc187c..d26aed35f8 100644 --- a/drivers/graphtest/testutil.go +++ b/drivers/graphtest/testutil.go @@ -30,7 +30,7 @@ func randomContent(size int, seed int64) []byte { } func addFiles(drv graphdriver.Driver, layer string, seed int64) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -50,7 +50,7 @@ func addFiles(drv graphdriver.Driver, layer string, seed int64) error { } func checkFile(drv graphdriver.Driver, layer, filename string, content []byte) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -69,7 +69,7 @@ func checkFile(drv graphdriver.Driver, layer, filename string, content []byte) e } func addFile(drv graphdriver.Driver, layer, filename string, content []byte) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -79,7 +79,7 @@ func addFile(drv graphdriver.Driver, layer, filename string, content []byte) err } func addDirectory(drv graphdriver.Driver, layer, dir string) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -89,7 +89,7 @@ func addDirectory(drv graphdriver.Driver, layer, dir string) error { } func removeAll(drv graphdriver.Driver, layer string, names ...string) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -104,7 +104,7 @@ func removeAll(drv graphdriver.Driver, layer string, names ...string) error { } func checkFileRemoved(drv graphdriver.Driver, layer, filename string) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -120,7 +120,7 @@ func checkFileRemoved(drv graphdriver.Driver, layer, filename string) error { } func addManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -143,7 +143,7 @@ func addManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) e } func changeManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) ([]archive.Change, error) { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return nil, err } @@ -194,7 +194,7 @@ func changeManyFiles(drv graphdriver.Driver, layer string, count int, seed int64 } func checkManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -248,7 +248,7 @@ func checkChanges(expected, actual []archive.Change) error { } func addLayerFiles(drv graphdriver.Driver, layer, parent string, i int) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } @@ -289,7 +289,7 @@ func addManyLayers(drv graphdriver.Driver, baseLayer string, count int) (string, } func checkManyLayers(drv graphdriver.Driver, layer string, count int) error { - root, err := drv.Get(layer, "") + root, err := drv.Get(layer, "", nil, nil) if err != nil { return err } diff --git a/drivers/graphtest/testutil_unix.go b/drivers/graphtest/testutil_unix.go index 919485006a..a399ef92bd 100644 --- a/drivers/graphtest/testutil_unix.go +++ b/drivers/graphtest/testutil_unix.go @@ -40,7 +40,7 @@ func createBase(t testing.TB, driver graphdriver.Driver, name string) { err := driver.CreateReadWrite(name, "", nil) require.NoError(t, err) - dir, err := driver.Get(name, "") + dir, err := driver.Get(name, "", nil, nil) require.NoError(t, err) defer driver.Put(name) @@ -54,7 +54,7 @@ func createBase(t testing.TB, driver graphdriver.Driver, name string) { } func verifyBase(t testing.TB, driver graphdriver.Driver, name string) { - dir, err := driver.Get(name, "") + dir, err := driver.Get(name, "", nil, nil) require.NoError(t, err) defer driver.Put(name) diff --git a/drivers/overlay/overlay.go b/drivers/overlay/overlay.go index c59544aab1..323d7c2747 100644 --- a/drivers/overlay/overlay.go +++ b/drivers/overlay/overlay.go @@ -3,6 +3,7 @@ package overlay import ( + "bytes" "fmt" "io" "io/ioutil" @@ -590,6 +591,32 @@ func (d *Driver) getLowerDirs(id string) ([]string, error) { return lowersArray, nil } +func (d *Driver) optsAppendMappings(opts string, uidMaps, gidMaps []idtools.IDMap) string { + if uidMaps == nil { + uidMaps = d.uidMaps + } + if gidMaps == nil { + gidMaps = d.gidMaps + } + if uidMaps != nil { + var uids, gids bytes.Buffer + for _, i := range uidMaps { + if uids.Len() > 0 { + uids.WriteString(":") + } + uids.WriteString(fmt.Sprintf("%d:%d:%d", i.ContainerID, i.HostID, i.Size)) + } + for _, i := range gidMaps { + if gids.Len() > 0 { + gids.WriteString(":") + } + gids.WriteString(fmt.Sprintf("%d:%d:%d", i.ContainerID, i.HostID, i.Size)) + } + return fmt.Sprintf("%s,uidmapping=%s,gidmapping=%s", opts, uids.String(), gids.String()) + } + return opts +} + // Remove cleans the directories that are created for this id. func (d *Driver) Remove(id string) error { d.locker.Lock(id) @@ -615,7 +642,11 @@ func (d *Driver) Remove(id string) error { } // Get creates and mounts the required file system for the given id and returns the mount path. -func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) { + return d.get(id, mountLabel, false, uidMaps, gidMaps) +} + +func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) { d.locker.Lock(id) defer d.locker.Unlock(id) dir := d.dir(id) @@ -719,24 +750,25 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) { // the page size. The mount syscall fails if the mount data cannot // fit within a page and relative links make the mount data much // smaller at the expense of requiring a fork exec to chroot. - if len(mountData) > pageSize || d.options.mountProgram != "" { + if d.options.mountProgram != "" { + mountFunc = func(source string, target string, mType string, flags uintptr, label string) error { + if !disableShifting { + label = d.optsAppendMappings(label, uidMaps, gidMaps) + } + + mountProgram := exec.Command(d.options.mountProgram, "-o", label, target) + mountProgram.Dir = d.home + return mountProgram.Run() + } + } else if len(mountData) > pageSize { //FIXME: We need to figure out to get this to work with additional stores opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work")) mountData = label.FormatMountLabel(opts, mountLabel) if len(mountData) > pageSize { return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData)) } - - if d.options.mountProgram != "" { - mountFunc = func(source string, target string, mType string, flags uintptr, label string) error { - mountProgram := exec.Command(d.options.mountProgram, "-o", label, target) - mountProgram.Dir = d.home - return mountProgram.Run() - } - } else { - mountFunc = func(source string, target string, mType string, flags uintptr, label string) error { - return mountFrom(d.home, source, target, mType, flags, label) - } + mountFunc = func(source string, target string, mType string, flags uintptr, label string) error { + return mountFrom(d.home, source, target, mType, flags, label) } mountTarget = path.Join(id, "merged") } @@ -920,7 +952,7 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp } // Mount the new layer and handle ownership changes and possible copy_ups in it. - layerFs, err := d.Get(id, mountLabel) + layerFs, err := d.get(id, mountLabel, true, nil, nil) if err != nil { return err } @@ -957,6 +989,14 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp return nil } +// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS +func (d *Driver) SupportsShifting() bool { + if os.Getenv("_TEST_FORCE_SUPPORT_SHIFTING") == "yes-please" { + return true + } + return d.options.mountProgram != "" +} + // dumbJoin is more or less a dumber version of filepath.Join, but one which // won't Clean() the path, allowing us to append ".." as a component and trust // pathname resolution to do some non-obvious work. diff --git a/drivers/vfs/driver.go b/drivers/vfs/driver.go index ed9f70094a..115afb8141 100644 --- a/drivers/vfs/driver.go +++ b/drivers/vfs/driver.go @@ -137,7 +137,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, ro bool label.SetFileLabel(dir, mountLabel) } if parent != "" { - parentDir, err := d.Get(parent, "") + parentDir, err := d.Get(parent, "", nil, nil) if err != nil { return fmt.Errorf("%s: %s", parent, err) } @@ -179,7 +179,7 @@ func (d *Driver) Remove(id string) error { } // Get returns the directory for the given id. -func (d *Driver) Get(id, mountLabel string) (string, error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { dir := d.dir(id) if st, err := os.Stat(dir); err != nil { return "", err diff --git a/drivers/windows/windows.go b/drivers/windows/windows.go index 15c90b54dc..9d9aac701c 100644 --- a/drivers/windows/windows.go +++ b/drivers/windows/windows.go @@ -362,7 +362,7 @@ func (d *Driver) Remove(id string) error { } // Get returns the rootfs path for the id. This will mount the dir at its given path. -func (d *Driver) Get(id, mountLabel string) (string, error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { panicIfUsedByLcow() logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel) var dir string @@ -620,7 +620,7 @@ func (d *Driver) DiffSize(id string, idMappings *idtools.IDMappings, parent stri return } - layerFs, err := d.Get(id, "") + layerFs, err := d.Get(id, "", nil, nil) if err != nil { return } @@ -954,6 +954,11 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp return fmt.Errorf("windows doesn't support changing ID mappings") } +// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS +func (d *Driver) SupportsShifting() bool { + return false +} + type storageOptions struct { size uint64 } diff --git a/drivers/zfs/zfs.go b/drivers/zfs/zfs.go index 598cc0699f..b8ae59a61e 100644 --- a/drivers/zfs/zfs.go +++ b/drivers/zfs/zfs.go @@ -360,7 +360,7 @@ func (d *Driver) Remove(id string) error { } // Get returns the mountpoint for the given id after creating the target directories if necessary. -func (d *Driver) Get(id, mountLabel string) (string, error) { +func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { mountpoint := d.mountPath(id) if count := d.ctr.Increment(mountpoint); count > 1 { return mountpoint, nil diff --git a/layers.go b/layers.go index 6760996d6b..c5f9262735 100644 --- a/layers.go +++ b/layers.go @@ -4,6 +4,7 @@ import ( "bytes" "compress/gzip" "encoding/json" + "fmt" "io" "io/ioutil" "os" @@ -208,7 +209,8 @@ type LayerStore interface { // Mount mounts a layer for use. If the specified layer is the parent of other // layers, it should not be written to. An SELinux label to be applied to the // mount can be specified to override the one configured for the layer. - Mount(id, mountLabel string) (string, error) + // The mappings used by the container can be specified. + Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) // Unmount unmounts a layer when it is no longer in use. Unmount(id string, force bool) (bool, error) @@ -635,7 +637,7 @@ func (r *layerStore) Mounted(id string) (int, error) { return layer.MountCount, nil } -func (r *layerStore) Mount(id, mountLabel string) (string, error) { +func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { if !r.IsReadWrite() { return "", errors.Wrapf(ErrStoreIsReadOnly, "not allowed to update mount locations for layers at %q", r.mountspath()) } @@ -650,7 +652,13 @@ func (r *layerStore) Mount(id, mountLabel string) (string, error) { if mountLabel == "" { mountLabel = layer.MountLabel } - mountpoint, err := r.driver.Get(id, mountLabel) + + if (uidMaps != nil || gidMaps != nil) && !r.driver.SupportsShifting() { + if !reflect.DeepEqual(uidMaps, layer.UIDMap) || !reflect.DeepEqual(gidMaps, layer.GIDMap) { + return "", fmt.Errorf("cannot mount layer %v: shifting not enabled", layer.ID) + } + } + mountpoint, err := r.driver.Get(id, mountLabel, uidMaps, gidMaps) if mountpoint != "" && err == nil { if layer.MountPoint != "" { delete(r.bymount, layer.MountPoint) @@ -937,7 +945,7 @@ func (r *layerStore) newFileGetter(id string) (drivers.FileGetCloser, error) { if getter, ok := r.driver.(drivers.DiffGetterDriver); ok { return getter.DiffGetter(id) } - path, err := r.Mount(id, "") + path, err := r.Mount(id, "", nil, nil) if err != nil { return nil, err } diff --git a/storage.conf b/storage.conf index b0ca16283e..8a57f592d5 100644 --- a/storage.conf +++ b/storage.conf @@ -56,6 +56,13 @@ mountopt = "nodev" # remap-user = "storage" # remap-group = "storage" +# If specified, use OSTree to deduplicate files with the overlay backend +ostree_repo = "" + +# Set to skip a PRIVATE bind mount on the storage home directory. Only supported by +# certain container storage drivers +skip_mount_home = "false" + [storage.options.thinpool] # Storage Options for thinpool @@ -124,10 +131,3 @@ mountopt = "nodev" # attempt to complete IO when ENOSPC (no space) error is returned by # underlying storage device. # xfs_nospace_max_retries = "0" - -# If specified, use OSTree to deduplicate files with the overlay backend -ostree_repo = "" - -# Set to skip a PRIVATE bind mount on the storage home directory. Only supported by -# certain container storage drivers -skip_mount_home = "false" diff --git a/store.go b/store.go index c7e2d48ea9..33b91a3538 100644 --- a/store.go +++ b/store.go @@ -896,13 +896,18 @@ func (s *store) PutLayer(id, parent string, names []string, mountLabel string, w gidMap = s.gidMap } } - layerOptions := &LayerOptions{ - IDMappingOptions: IDMappingOptions{ - HostUIDMapping: options.HostUIDMapping, - HostGIDMapping: options.HostGIDMapping, - UIDMap: copyIDMap(uidMap), - GIDMap: copyIDMap(gidMap), - }, + var layerOptions *LayerOptions + if s.graphDriver.SupportsShifting() { + layerOptions = &LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}} + } else { + layerOptions = &LayerOptions{ + IDMappingOptions: IDMappingOptions{ + HostUIDMapping: options.HostUIDMapping, + HostGIDMapping: options.HostGIDMapping, + UIDMap: copyIDMap(uidMap), + GIDMap: copyIDMap(gidMap), + }, + } } return rlstore.Put(id, parentLayer, names, mountLabel, nil, layerOptions, writeable, nil, diff) } @@ -964,6 +969,10 @@ func (s *store) CreateImage(id string, names []string, layer, metadata string, o func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, readWrite bool, rlstore LayerStore, lstores []ROLayerStore, options IDMappingOptions) (*Layer, error) { layerMatchesMappingOptions := func(layer *Layer, options IDMappingOptions) bool { + // If the driver supports shifting and the layer has no mappings, we can use it. + if s.graphDriver.SupportsShifting() && len(layer.UIDMap) == 0 && len(layer.GIDMap) == 0 { + return true + } // If we want host mapping, and the layer uses mappings, it's not the best match. if options.HostUIDMapping && len(layer.UIDMap) != 0 { return false @@ -1036,16 +1045,22 @@ func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, read } rc, err := layerHomeStore.Diff("", layer.ID, &diffOptions) if err != nil { - return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it") + return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it", layer.ID) } defer rc.Close() - layerOptions := LayerOptions{ - IDMappingOptions: IDMappingOptions{ - HostUIDMapping: options.HostUIDMapping, - HostGIDMapping: options.HostGIDMapping, - UIDMap: copyIDMap(options.UIDMap), - GIDMap: copyIDMap(options.GIDMap), - }, + + var layerOptions LayerOptions + if s.graphDriver.SupportsShifting() { + layerOptions = LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}} + } else { + layerOptions = LayerOptions{ + IDMappingOptions: IDMappingOptions{ + HostUIDMapping: options.HostUIDMapping, + HostGIDMapping: options.HostGIDMapping, + UIDMap: copyIDMap(options.UIDMap), + GIDMap: copyIDMap(options.GIDMap), + }, + } } mappedLayer, _, err := rlstore.Put("", parentLayer, nil, layer.MountLabel, nil, &layerOptions, false, nil, rc) if err != nil { @@ -1089,6 +1104,8 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat imageID := "" uidMap := options.UIDMap gidMap := options.GIDMap + + idMappingsOptions := options.IDMappingOptions if image != "" { var imageHomeStore ROImageStore istore, err := s.ImageStore() @@ -1121,7 +1138,7 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat if err != nil { return nil, err } - ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, imageHomeStore == istore, rlstore, lstores, options.IDMappingOptions) + ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, imageHomeStore == istore, rlstore, lstores, idMappingsOptions) if err != nil { return nil, err } @@ -1140,13 +1157,18 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat gidMap = s.gidMap } } - layerOptions := &LayerOptions{ - IDMappingOptions: IDMappingOptions{ - HostUIDMapping: options.HostUIDMapping, - HostGIDMapping: options.HostGIDMapping, - UIDMap: copyIDMap(uidMap), - GIDMap: copyIDMap(gidMap), - }, + var layerOptions *LayerOptions + if s.graphDriver.SupportsShifting() { + layerOptions = &LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}} + } else { + layerOptions = &LayerOptions{ + IDMappingOptions: IDMappingOptions{ + HostUIDMapping: idMappingsOptions.HostUIDMapping, + HostGIDMapping: idMappingsOptions.HostGIDMapping, + UIDMap: copyIDMap(uidMap), + GIDMap: copyIDMap(gidMap), + }, + } } clayer, err := rlstore.Create(layer, imageTopLayer, nil, "", nil, layerOptions, true) if err != nil { @@ -1164,10 +1186,10 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat } options = &ContainerOptions{ IDMappingOptions: IDMappingOptions{ - HostUIDMapping: len(clayer.UIDMap) == 0, - HostGIDMapping: len(clayer.GIDMap) == 0, - UIDMap: copyIDMap(clayer.UIDMap), - GIDMap: copyIDMap(clayer.GIDMap), + HostUIDMapping: len(options.UIDMap) == 0, + HostGIDMapping: len(options.GIDMap) == 0, + UIDMap: copyIDMap(options.UIDMap), + GIDMap: copyIDMap(options.GIDMap), }, } container, err := rcstore.Create(id, names, imageID, layer, metadata, options) @@ -2230,8 +2252,11 @@ func (s *store) Version() ([][2]string, error) { } func (s *store) Mount(id, mountLabel string) (string, error) { - if layerID, err := s.ContainerLayerID(id); err == nil { - id = layerID + container, err := s.Container(id) + var uidMap, gidMap []idtools.IDMap + if err == nil { + uidMap, gidMap = container.UIDMap, container.GIDMap + id = container.LayerID } rlstore, err := s.LayerStore() if err != nil { @@ -2243,7 +2268,7 @@ func (s *store) Mount(id, mountLabel string) (string, error) { rlstore.Load() } if rlstore.Exists(id) { - return rlstore.Mount(id, mountLabel) + return rlstore.Mount(id, mountLabel, uidMap, gidMap) } return "", ErrLayerUnknown } diff --git a/tests/idmaps.bats b/tests/idmaps.bats index 45cf654ccb..c6690a97d3 100644 --- a/tests/idmaps.bats +++ b/tests/idmaps.bats @@ -753,3 +753,45 @@ load helpers echo ntops:$ntops [ $ntops -eq 1 ] } + +@test "idmaps-create-mapped-container-shifting" { + case "$STORAGE_DRIVER" in + overlay*) + ;; + *) + skip "not supported by driver $STORAGE_DRIVER" + ;; + esac + + run storage --debug=false create-layer + [ "$status" -eq 0 ] + [ "$output" != "" ] + layer="$output" + # Mount the layer. + run storage --debug=false mount $layer + [ "$status" -eq 0 ] + [ "$output" != "" ] + lowermount="$output" + # Put a file in the layer. + createrandom "$lowermount"/file + storage unmount $layer + + imagename=idmappedimage-shifting + storage create-image --name=$imagename $layer + + _TEST_FORCE_SUPPORT_SHIFTING=yes-please run storage --debug=false create-container --uidmap 0:1000:1000 --gidmap 0:1000:1000 $imagename + echo "$output" + [ "$status" -eq 0 ] + [ "$output" != "" ] + + container="$output" + + # Mount the container. + run storage --debug=false mount $container + echo "$output" + [ "$status" -eq 0 ] + dir="$output" + test "$(stat -c%u:%g $dir/file)" == "0:0" + run storage --debug=false unmount "$container" + [ "$status" -eq 0 ] +}