From 4534a7afc31abb39730f41e9311f0eee6b4eda25 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Mon, 15 Jun 2020 13:06:08 +0200
Subject: [PATCH] daemon: use containerd/sys to detect UserNamespaces

The implementation in libcontainer/system is quite complicated, and we only use it to detect if user-namespaces are enabled. In addition, the implementation in containerd uses a sync.Once, so that detection (and reading/parsing `/proc/self/uid_map`) is only performed once.

Signed-off-by: Sebastiaan van Stijn
---
 daemon/daemon.go | 4 ++--
 daemon/daemon_unix.go | 6 +++---
 daemon/graphdriver/aufs/aufs.go | 4 ++--
 daemon/graphdriver/copy/copy.go | 4 ++--
 daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go | 4 ++--
 daemon/graphdriver/overlay2/overlay.go | 4 ++--
 daemon/graphdriver/quota/projectquota.go | 4 ++--
 daemon/oci_linux.go | 4 ++--
 8 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/daemon/daemon.go b/daemon/daemon.go
index 7a17ec1f4a..3ea3069888 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -27,6 +27,7 @@ import (
 	"github.com/containerd/containerd/defaults"
 	"github.com/containerd/containerd/pkg/dialer"
 	"github.com/containerd/containerd/remotes/docker"
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/api/types"
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
@@ -42,7 +43,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	bkconfig "github.com/moby/buildkit/cmd/buildkitd/config"
 	"github.com/moby/buildkit/util/resolver"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/sirupsen/logrus"
 
 	// register graph drivers
@@ -1040,7 +1040,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 	sysInfo := d.RawSysInfo(false)
 	// Check if Devices cgroup is mounted, it is hard requirement for container security,
 	// on Linux.
-	if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !rsystem.RunningInUserNS() {
+	if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !sys.RunningInUserNS() {
 		return nil, errors.New("Devices cgroup isn't mounted")
 	}
 
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 294726768c..1a577276ef 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -18,6 +18,7 @@ import (
 
 	statsV1 "github.com/containerd/cgroups/stats/v1"
 	statsV2 "github.com/containerd/cgroups/v2/stats"
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/blkiodev"
 	pblkiodev "github.com/docker/docker/api/types/blkiodev"
@@ -44,7 +45,6 @@ import (
 	lntypes "github.com/docker/libnetwork/types"
 	"github.com/moby/sys/mount"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -1668,7 +1668,7 @@ func setMayDetachMounts() error {
 		// Setting may_detach_mounts does not work in an
 		// unprivileged container. Ignore the error, but log
 		// it if we appear not to be in that situation.
-		if !rsystem.RunningInUserNS() {
+		if !sys.RunningInUserNS() {
 			logrus.Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
 		}
 		return nil
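Review bot: The device-cgroup hard requirement on the `if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !sys.RunningInUserNS() {` line is now relaxed solely on the answer of the containerd helper, and nothing in the hunk records which way that helper leans when `/proc/self/uid_map` cannot be read or parsed. If, like the runc helper it replaces, it reports false on a read failure, the check fails closed (the cgroup is still required), which is the right direction for a security check, but a property the daemon relies on should be stated where it is relied on; consider extending the comment with `// RunningInUserNS is expected to report false when /proc/self/uid_map is unreadable, so the requirement stays in force on failure — confirm against containerd/sys.` The commit message says the result is now cached in a sync.Once, so whatever the first call answers is fixed for the daemon's lifetime. NewDaemon starts before the hunk and continues past it.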
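Review bot: The branch at `if !sys.RunningInUserNS() {` logs the permission-denied failure only at Debug, even though the surrounding comment singles out the non-user-namespace case as the one worth reporting, so an unexpected refusal to set may_detach_mounts outside a user namespace is invisible at the default log level. Consider `logrus.Warnf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")` in that branch, keeping the silent best-effort behaviour inside a user namespace. The same pattern appears in setupOOMScoreAdj below. setMayDetachMounts starts before the hunk.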
@@ -1688,7 +1688,7 @@ func setupOOMScoreAdj(score int) error {
 		// Setting oom_score_adj does not work in an
 		// unprivileged container. Ignore the error, but log
 		// it if we appear not to be in that situation.
-		if !rsystem.RunningInUserNS() {
+		if !sys.RunningInUserNS() {
 			logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore)
 		}
 		return nil
diff --git a/daemon/graphdriver/aufs/aufs.go b/daemon/graphdriver/aufs/aufs.go
index f87f673544..1238466414 100644
--- a/daemon/graphdriver/aufs/aufs.go
+++ b/daemon/graphdriver/aufs/aufs.go
@@ -35,6 +35,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
@@ -44,7 +45,6 @@ import (
 	"github.com/docker/docker/pkg/locker"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/sys/mount"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -177,7 +177,7 @@ func supportsAufs() error {
 	// proc/filesystems for when aufs is supported
 	exec.Command("modprobe", "aufs").Run()
 
-	if rsystem.RunningInUserNS() {
+	if sys.RunningInUserNS() {
 		return ErrAufsNested
 	}
 
diff --git a/daemon/graphdriver/copy/copy.go b/daemon/graphdriver/copy/copy.go
index 6cb90e86f4..d3f502fe36 100644
--- a/daemon/graphdriver/copy/copy.go
+++ b/daemon/graphdriver/copy/copy.go
@@ -11,9 +11,9 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/pkg/pools"
 	"github.com/docker/docker/pkg/system"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"golang.org/x/sys/unix"
 )
 
@@ -184,7 +184,7 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
 			}
 
 		case mode&os.ModeDevice != 0:
-			if rsystem.RunningInUserNS() {
+			if sys.RunningInUserNS() {
 				// cannot create a device if running in user namespace
 				return nil
 			}
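Review bot: The `case mode&os.ModeDevice != 0:` arm returns nil without any trace when `sys.RunningInUserNS()` is true, so a device node in the source tree is silently dropped from the copy and the caller cannot distinguish a complete copy from one with omissions. The inline comment explains why, but DirCopy's own doc comment should say so too; a line such as `// In a user namespace device nodes cannot be created and are skipped rather than reported as an error.` would make the behaviour discoverable to callers. If the package has a logger in scope, a debug message naming the skipped path would also help when diagnosing a layer that came out different from its source. DirCopy starts before the hunk and continues past it.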
diff --git a/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go b/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
index 5a93783802..f0055c1c5a 100644
--- a/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
+++ b/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
@@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/graphdriver/overlayutils"
 	"github.com/docker/docker/pkg/archive"
@@ -25,7 +26,6 @@ import (
 	"github.com/docker/docker/pkg/parsers/kernel"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/sys/mount"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -475,7 +475,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
 		GIDMaps: d.gidMaps,
 		// Use AUFS whiteout format: https://github.com/containers/storage/blob/39a8d5ed9843844eafb5d2ba6e6a7510e0126f40/drivers/overlay/overlay.go#L1084-L1089
 		WhiteoutFormat: archive.AUFSWhiteoutFormat,
-		InUserNS: rsystem.RunningInUserNS(),
+		InUserNS: sys.RunningInUserNS(),
 	}); err != nil {
 		return 0, err
 	}
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
index 71b904d690..ba94d800a3 100644
--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/containerd/containerd/sys"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/graphdriver/overlayutils"
 	"github.com/docker/docker/daemon/graphdriver/quota"
@@ -29,7 +30,6 @@ import (
 	"github.com/docker/docker/pkg/system"
 	units "github.com/docker/go-units"
 	"github.com/moby/sys/mount"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -683,7 +683,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
 		UIDMaps: d.uidMaps,
 		GIDMaps: d.gidMaps,
 		WhiteoutFormat: archive.OverlayWhiteoutFormat,
-		InUserNS: rsystem.RunningInUserNS(),
+		InUserNS: sys.RunningInUserNS(),
 	}); err != nil {
 		return 0, err
 	}
diff --git a/daemon/graphdriver/quota/projectquota.go b/daemon/graphdriver/quota/projectquota.go
index 550a7127b1..28330aeb40 100644
--- a/daemon/graphdriver/quota/projectquota.go
+++ b/daemon/graphdriver/quota/projectquota.go
@@ -57,7 +57,7 @@ import (
 	"path/filepath"
 	"unsafe"
 
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/containerd/containerd/sys"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -90,7 +90,7 @@ func NewControl(basePath string) (*Control, error) {
 	// If we are running in a user namespace quota won't be supported for
 	// now since makeBackingFsDev() will try to mknod().
 	//
-	if rsystem.RunningInUserNS() {
+	if sys.RunningInUserNS() {
 		return nil, ErrQuotaNotSupported
 	}
 
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index be9a296428..da1de47470 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/containerd/containerd/containers"
 	coci "github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/sys"
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
 	daemonconfig "github.com/docker/docker/daemon/config"
@@ -28,7 +29,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/devices"
-	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/user"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
@@ -857,7 +857,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		var devs []specs.LinuxDevice
 		devPermissions := s.Linux.Resources.Devices
 
-		if c.HostConfig.Privileged && !rsystem.RunningInUserNS() {
+		if c.HostConfig.Privileged && !sys.RunningInUserNS() {
 			hostDevices, err := devices.HostDevices()
 			if err != nil {
 				return err
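Review bot: The `if c.HostConfig.Privileged && !sys.RunningInUserNS() {` condition is what decides whether a --privileged container receives every host device, and nothing in the hunk says why a user namespace is excluded from that path or what a privileged container gets instead. A comment on the condition would help the next reader judge the security implications, for example `// Host devices are only exposed to privileged containers outside a user namespace; presumably device nodes cannot be created inside one (compare the same check in graphdriver/copy) — confirm.` The else branch and the rest of WithDevices are outside the hunk, so the fallback for a privileged container in a user namespace is not visible here.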