Skip to content

Commit 442b456

Browse files
estespestesp
committed
Add user namespace (mapping) support to the Docker engine
Adds support for the daemon to handle user namespace maps as a per-daemon setting. Support for handling uid/gid mapping is added to the builder, archive/unarchive packages and functions, all graphdrivers (except Windows), and the test suite is updated to handle user namespace daemon rootgraph changes. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
1 parent 9a3ab03 commit 442b456

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

56 files changed

+876
-201
lines changed

api/server/router/local/image.go

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ import (
1818
"github.com/docker/docker/daemon/daemonbuilder"
1919
"github.com/docker/docker/graph"
2020
"github.com/docker/docker/graph/tags"
21+
"github.com/docker/docker/pkg/archive"
22+
"github.com/docker/docker/pkg/chrootarchive"
2123
"github.com/docker/docker/pkg/ioutils"
2224
"github.com/docker/docker/pkg/parsers"
2325
"github.com/docker/docker/pkg/progressreader"
@@ -393,7 +395,13 @@ func (s *router) postBuild(ctx context.Context, w http.ResponseWriter, r *http.R
393395
}
394396
}()
395397

396-
docker := daemonbuilder.Docker{s.daemon, output, authConfigs}
398+
uidMaps, gidMaps := s.daemon.GetUIDGIDMaps()
399+
defaultArchiver := &archive.Archiver{
400+
Untar: chrootarchive.Untar,
401+
UIDMaps: uidMaps,
402+
GIDMaps: gidMaps,
403+
}
404+
docker := daemonbuilder.Docker{s.daemon, output, authConfigs, defaultArchiver}
397405

398406
b, err := dockerfile.NewBuilder(buildConfig, docker, builder.DockerIgnoreContext{context}, nil)
399407
if err != nil {

daemon/config.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@ type CommonConfig struct {
3030
LogConfig runconfig.LogConfig
3131
Mtu int
3232
Pidfile string
33+
RemappedRoot string
3334
Root string
3435
TrustKeyPath string
3536
DefaultNetwork string

daemon/config_unix.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ type Config struct {
2727
CorsHeaders string
2828
EnableCors bool
2929
EnableSelinuxSupport bool
30+
RemappedRoot string
3031
SocketGroup string
3132
Ulimits map[string]*ulimit.Ulimit
3233
}
@@ -77,4 +78,6 @@ func (config *Config) InstallFlags(cmd *flag.FlagSet, usageFn func(string) strin
7778
cmd.BoolVar(&config.Bridge.EnableUserlandProxy, []string{"-userland-proxy"}, true, usageFn("Use userland proxy for loopback traffic"))
7879
cmd.BoolVar(&config.EnableCors, []string{"#api-enable-cors", "#-api-enable-cors"}, false, usageFn("Enable CORS headers in the remote API, this is deprecated by --api-cors-header"))
7980
cmd.StringVar(&config.CorsHeaders, []string{"-api-cors-header"}, "", usageFn("Set CORS headers in the remote API"))
81+
82+
config.attachExperimentalFlags(cmd, usageFn)
8083
}

daemon/container.go

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -553,7 +553,12 @@ func (container *Container) export() (archive.Archive, error) {
553553
return nil, err
554554
}
555555

556-
archive, err := archive.Tar(container.basefs, archive.Uncompressed)
556+
uidMaps, gidMaps := container.daemon.GetUIDGIDMaps()
557+
archive, err := archive.TarWithOptions(container.basefs, &archive.TarOptions{
558+
Compression: archive.Uncompressed,
559+
UIDMaps: uidMaps,
560+
GIDMaps: gidMaps,
561+
})
557562
if err != nil {
558563
container.Unmount()
559564
return nil, err

daemon/container_unix.go

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ import (
2020
"github.com/docker/docker/daemon/network"
2121
derr "github.com/docker/docker/errors"
2222
"github.com/docker/docker/pkg/directory"
23+
"github.com/docker/docker/pkg/idtools"
2324
"github.com/docker/docker/pkg/nat"
2425
"github.com/docker/docker/pkg/stringid"
2526
"github.com/docker/docker/pkg/system"
@@ -302,6 +303,14 @@ func populateCommand(c *Container, env []string) error {
302303
processConfig.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
303304
processConfig.Env = env
304305

306+
remappedRoot := &execdriver.User{}
307+
rootUID, rootGID := c.daemon.GetRemappedUIDGID()
308+
if rootUID != 0 {
309+
remappedRoot.UID = rootUID
310+
remappedRoot.GID = rootGID
311+
}
312+
uidMap, gidMap := c.daemon.GetUIDGIDMaps()
313+
305314
c.command = &execdriver.Command{
306315
ID: c.ID,
307316
Rootfs: c.rootfsPath(),
@@ -310,6 +319,9 @@ func populateCommand(c *Container, env []string) error {
310319
WorkingDir: c.Config.WorkingDir,
311320
Network: en,
312321
Ipc: ipc,
322+
UIDMapping: uidMap,
323+
GIDMapping: gidMap,
324+
RemappedRoot: remappedRoot,
313325
Pid: pid,
314326
UTS: uts,
315327
Resources: resources,
@@ -1343,19 +1355,23 @@ func (container *Container) hasMountFor(path string) bool {
13431355
}
13441356

13451357
func (container *Container) setupIpcDirs() error {
1358+
rootUID, rootGID := container.daemon.GetRemappedUIDGID()
13461359
if !container.hasMountFor("/dev/shm") {
13471360
shmPath, err := container.shmPath()
13481361
if err != nil {
13491362
return err
13501363
}
13511364

1352-
if err := os.MkdirAll(shmPath, 0700); err != nil {
1365+
if err := idtools.MkdirAllAs(shmPath, 0700, rootUID, rootGID); err != nil {
13531366
return err
13541367
}
13551368

13561369
if err := syscall.Mount("shm", shmPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("mode=1777,size=65536k", container.getMountLabel())); err != nil {
13571370
return fmt.Errorf("mounting shm tmpfs: %s", err)
13581371
}
1372+
if err := os.Chown(shmPath, rootUID, rootGID); err != nil {
1373+
return err
1374+
}
13591375
}
13601376

13611377
if !container.hasMountFor("/dev/mqueue") {
@@ -1364,13 +1380,16 @@ func (container *Container) setupIpcDirs() error {
13641380
return err
13651381
}
13661382

1367-
if err := os.MkdirAll(mqueuePath, 0700); err != nil {
1383+
if err := idtools.MkdirAllAs(mqueuePath, 0700, rootUID, rootGID); err != nil {
13681384
return err
13691385
}
13701386

13711387
if err := syscall.Mount("mqueue", mqueuePath, "mqueue", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), ""); err != nil {
13721388
return fmt.Errorf("mounting mqueue mqueue : %s", err)
13731389
}
1390+
if err := os.Chown(mqueuePath, rootUID, rootGID); err != nil {
1391+
return err
1392+
}
13741393
}
13751394

13761395
return nil

daemon/daemon.go

Lines changed: 47 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ import (
3737
"github.com/docker/docker/pkg/discovery"
3838
"github.com/docker/docker/pkg/fileutils"
3939
"github.com/docker/docker/pkg/graphdb"
40+
"github.com/docker/docker/pkg/idtools"
4041
"github.com/docker/docker/pkg/ioutils"
4142
"github.com/docker/docker/pkg/namesgenerator"
4243
"github.com/docker/docker/pkg/nat"
@@ -121,6 +122,8 @@ type Daemon struct {
121122
discoveryWatcher discovery.Watcher
122123
root string
123124
shutdown bool
125+
uidMaps []idtools.IDMap
126+
gidMaps []idtools.IDMap
124127
}
125128

126129
// Get looks for a container using the provided information, which could be
@@ -632,6 +635,15 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
632635
// on Windows to dump Go routine stacks
633636
setupDumpStackTrap()
634637

638+
uidMaps, gidMaps, err := setupRemappedRoot(config)
639+
if err != nil {
640+
return nil, err
641+
}
642+
rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
643+
if err != nil {
644+
return nil, err
645+
}
646+
635647
// get the canonical path to the Docker root directory
636648
var realRoot string
637649
if _, err := os.Stat(config.Root); err != nil && os.IsNotExist(err) {
@@ -642,14 +654,13 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
642654
return nil, fmt.Errorf("Unable to get the full path to root (%s): %s", config.Root, err)
643655
}
644656
}
645-
config.Root = realRoot
646-
// Create the root directory if it doesn't exists
647-
if err := system.MkdirAll(config.Root, 0700); err != nil {
657+
658+
if err = setupDaemonRoot(config, realRoot, rootUID, rootGID); err != nil {
648659
return nil, err
649660
}
650661

651662
// set up the tmpDir to use a canonical path
652-
tmp, err := tempDir(config.Root)
663+
tmp, err := tempDir(config.Root, rootUID, rootGID)
653664
if err != nil {
654665
return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err)
655666
}
@@ -663,7 +674,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
663674
graphdriver.DefaultDriver = config.GraphDriver
664675

665676
// Load storage driver
666-
driver, err := graphdriver.New(config.Root, config.GraphOptions)
677+
driver, err := graphdriver.New(config.Root, config.GraphOptions, uidMaps, gidMaps)
667678
if err != nil {
668679
return nil, fmt.Errorf("error initializing graphdriver: %v", err)
669680
}
@@ -696,7 +707,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
696707

697708
daemonRepo := filepath.Join(config.Root, "containers")
698709

699-
if err := system.MkdirAll(daemonRepo, 0700); err != nil {
710+
if err := idtools.MkdirAllAs(daemonRepo, 0700, rootUID, rootGID); err != nil && !os.IsExist(err) {
700711
return nil, err
701712
}
702713

@@ -706,13 +717,13 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
706717
}
707718

708719
logrus.Debug("Creating images graph")
709-
g, err := graph.NewGraph(filepath.Join(config.Root, "graph"), d.driver)
720+
g, err := graph.NewGraph(filepath.Join(config.Root, "graph"), d.driver, uidMaps, gidMaps)
710721
if err != nil {
711722
return nil, err
712723
}
713724

714725
// Configure the volumes driver
715-
volStore, err := configureVolumes(config)
726+
volStore, err := configureVolumes(config, rootUID, rootGID)
716727
if err != nil {
717728
return nil, err
718729
}
@@ -777,7 +788,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
777788

778789
var sysInitPath string
779790
if config.ExecDriver == "lxc" {
780-
initPath, err := configureSysInit(config)
791+
initPath, err := configureSysInit(config, rootUID, rootGID)
781792
if err != nil {
782793
return nil, err
783794
}
@@ -812,6 +823,8 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo
812823
d.EventsService = eventsService
813824
d.volumes = volStore
814825
d.root = config.Root
826+
d.uidMaps = uidMaps
827+
d.gidMaps = gidMaps
815828

816829
if err := d.cleanupMounts(); err != nil {
817830
return nil, err
@@ -974,7 +987,11 @@ func (daemon *Daemon) diff(container *Container) (archive.Archive, error) {
974987
func (daemon *Daemon) createRootfs(container *Container) error {
975988
// Step 1: create the container directory.
976989
// This doubles as a barrier to avoid race conditions.
977-
if err := os.Mkdir(container.root, 0700); err != nil {
990+
rootUID, rootGID, err := idtools.GetRootUIDGID(daemon.uidMaps, daemon.gidMaps)
991+
if err != nil {
992+
return err
993+
}
994+
if err := idtools.MkdirAs(container.root, 0700, rootUID, rootGID); err != nil {
978995
return err
979996
}
980997
initID := fmt.Sprintf("%s-init", container.ID)
@@ -986,7 +1003,7 @@ func (daemon *Daemon) createRootfs(container *Container) error {
9861003
return err
9871004
}
9881005

989-
if err := setupInitLayer(initPath); err != nil {
1006+
if err := setupInitLayer(initPath, rootUID, rootGID); err != nil {
9901007
daemon.driver.Put(initID)
9911008
return err
9921009
}
@@ -1105,6 +1122,21 @@ func (daemon *Daemon) containerGraph() *graphdb.Database {
11051122
return daemon.containerGraphDB
11061123
}
11071124

1125+
// GetUIDGIDMaps returns the current daemon's user namespace settings
1126+
// for the full uid and gid maps which will be applied to containers
1127+
// started in this instance.
1128+
func (daemon *Daemon) GetUIDGIDMaps() ([]idtools.IDMap, []idtools.IDMap) {
1129+
return daemon.uidMaps, daemon.gidMaps
1130+
}
1131+
1132+
// GetRemappedUIDGID returns the current daemon's uid and gid values
1133+
// if user namespaces are in use for this daemon instance. If not
1134+
// this function will return "real" root values of 0, 0.
1135+
func (daemon *Daemon) GetRemappedUIDGID() (int, int) {
1136+
uid, gid, _ := idtools.GetRootUIDGID(daemon.uidMaps, daemon.gidMaps)
1137+
return uid, gid
1138+
}
1139+
11081140
// ImageGetCached returns the earliest created image that is a child
11091141
// of the image with imgID, that had the same config when it was
11101142
// created. nil is returned if a child cannot be found. An error is
@@ -1139,12 +1171,12 @@ func (daemon *Daemon) ImageGetCached(imgID string, config *runconfig.Config) (*i
11391171
}
11401172

11411173
// tempDir returns the default directory to use for temporary files.
1142-
func tempDir(rootDir string) (string, error) {
1174+
func tempDir(rootDir string, rootUID, rootGID int) (string, error) {
11431175
var tmpDir string
11441176
if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {
11451177
tmpDir = filepath.Join(rootDir, "tmp")
11461178
}
1147-
return tmpDir, system.MkdirAll(tmpDir, 0700)
1179+
return tmpDir, idtools.MkdirAllAs(tmpDir, 0700, rootUID, rootGID)
11481180
}
11491181

11501182
func (daemon *Daemon) setHostConfig(container *Container, hostConfig *runconfig.HostConfig) error {
@@ -1228,8 +1260,8 @@ func (daemon *Daemon) verifyContainerSettings(hostConfig *runconfig.HostConfig,
12281260
return verifyPlatformContainerSettings(daemon, hostConfig, config)
12291261
}
12301262

1231-
func configureVolumes(config *Config) (*store.VolumeStore, error) {
1232-
volumesDriver, err := local.New(config.Root)
1263+
func configureVolumes(config *Config, rootUID, rootGID int) (*store.VolumeStore, error) {
1264+
volumesDriver, err := local.New(config.Root, rootUID, rootGID)
12331265
if err != nil {
12341266
return nil, err
12351267
}

daemon/daemon_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -509,7 +509,7 @@ func initDaemonForVolumesTest(tmp string) (*Daemon, error) {
509509
volumes: store.New(),
510510
}
511511

512-
volumesDriver, err := local.New(tmp)
512+
volumesDriver, err := local.New(tmp, 0, 0)
513513
if err != nil {
514514
return nil, err
515515
}

daemon/daemon_unix.go

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,10 @@ import (
1515
"github.com/docker/docker/daemon/graphdriver"
1616
derr "github.com/docker/docker/errors"
1717
"github.com/docker/docker/pkg/fileutils"
18+
"github.com/docker/docker/pkg/idtools"
1819
"github.com/docker/docker/pkg/parsers"
1920
"github.com/docker/docker/pkg/parsers/kernel"
2021
"github.com/docker/docker/pkg/sysinfo"
21-
"github.com/docker/docker/pkg/system"
2222
"github.com/docker/docker/runconfig"
2323
"github.com/docker/docker/utils"
2424
"github.com/docker/libnetwork"
@@ -121,6 +121,11 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC
121121
warnings := []string{}
122122
sysInfo := sysinfo.New(true)
123123

124+
warnings, err := daemon.verifyExperimentalContainerSettings(hostConfig, config)
125+
if err != nil {
126+
return warnings, err
127+
}
128+
124129
if hostConfig.LxcConf.Len() > 0 && !strings.Contains(daemon.ExecutionDriver().Name(), "lxc") {
125130
return warnings, fmt.Errorf("Cannot use --lxc-conf with execdriver: %s", daemon.ExecutionDriver().Name())
126131
}
@@ -275,7 +280,7 @@ func migrateIfDownlevel(driver graphdriver.Driver, root string) error {
275280
return migrateIfAufs(driver, root)
276281
}
277282

278-
func configureSysInit(config *Config) (string, error) {
283+
func configureSysInit(config *Config, rootUID, rootGID int) (string, error) {
279284
localCopy := filepath.Join(config.Root, "init", fmt.Sprintf("dockerinit-%s", dockerversion.VERSION))
280285
sysInitPath := utils.DockerInitPath(localCopy)
281286
if sysInitPath == "" {
@@ -284,7 +289,7 @@ func configureSysInit(config *Config) (string, error) {
284289

285290
if sysInitPath != localCopy {
286291
// When we find a suitable dockerinit binary (even if it's our local binary), we copy it into config.Root at localCopy for future use (so that the original can go away without that being a problem, for example during a package upgrade).
287-
if err := os.Mkdir(filepath.Dir(localCopy), 0700); err != nil && !os.IsExist(err) {
292+
if err := idtools.MkdirAs(filepath.Dir(localCopy), 0700, rootUID, rootGID); err != nil && !os.IsExist(err) {
288293
return "", err
289294
}
290295
if _, err := fileutils.CopyFile(sysInitPath, localCopy); err != nil {
@@ -455,7 +460,7 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e
455460
//
456461
// This extra layer is used by all containers as the top-most ro layer. It protects
457462
// the container from unwanted side-effects on the rw layer.
458-
func setupInitLayer(initLayer string) error {
463+
func setupInitLayer(initLayer string, rootUID, rootGID int) error {
459464
for pth, typ := range map[string]string{
460465
"/dev/pts": "dir",
461466
"/dev/shm": "dir",
@@ -478,12 +483,12 @@ func setupInitLayer(initLayer string) error {
478483

479484
if _, err := os.Stat(filepath.Join(initLayer, pth)); err != nil {
480485
if os.IsNotExist(err) {
481-
if err := system.MkdirAll(filepath.Join(initLayer, filepath.Dir(pth)), 0755); err != nil {
486+
if err := idtools.MkdirAllAs(filepath.Join(initLayer, filepath.Dir(pth)), 0755, rootUID, rootGID); err != nil {
482487
return err
483488
}
484489
switch typ {
485490
case "dir":
486-
if err := system.MkdirAll(filepath.Join(initLayer, pth), 0755); err != nil {
491+
if err := idtools.MkdirAllAs(filepath.Join(initLayer, pth), 0755, rootUID, rootGID); err != nil {
487492
return err
488493
}
489494
case "file":
@@ -492,6 +497,7 @@ func setupInitLayer(initLayer string) error {
492497
return err
493498
}
494499
f.Close()
500+
f.Chown(rootUID, rootGID)
495501
default:
496502
if err := os.Symlink(typ, filepath.Join(initLayer, pth)); err != nil {
497503
return err

0 commit comments

Comments
 (0)