From 472f21b923ef512e8bebaece83a7d9c206b1e0a7 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 18 Jun 2021 11:01:24 +0200
Subject: [PATCH] replace uses of deprecated containerd/sys.RunningInUserNS()

This utility was moved to a separate package, which has no dependencies.

Signed-off-by: Sebastiaan van Stijn
---
 daemon/daemon.go | 4 ++--
 daemon/daemon_unix.go | 6 +++---
 daemon/graphdriver/aufs/aufs.go | 4 ++--
 daemon/graphdriver/copy/copy.go | 4 ++--
 daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go | 4 ++--
 daemon/graphdriver/overlay2/check.go | 4 ++--
 daemon/graphdriver/overlayutils/userxattr.go | 4 ++--
 daemon/oci_linux.go | 6 +++---
 pkg/archive/archive_linux_test.go | 4 ++--
 pkg/archive/archive_test.go | 4 ++--
 pkg/archive/archive_unix.go | 4 ++--
 pkg/archive/archive_unix_test.go | 4 ++--
 pkg/chrootarchive/chroot_linux.go | 4 ++--
 pkg/chrootarchive/diff_unix.go | 6 +++---
 pkg/sysinfo/cgroup2_linux.go | 4 ++--
 quota/projectquota.go | 4 ++--
 16 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 6840805db7..e6c0425e02 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -27,8 +27,8 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/defaults"
 "github.com/containerd/containerd/pkg/dialer"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/containerd/containerd/remotes/docker"
- "github.com/containerd/containerd/sys"
 "github.com/docker/docker/api/types"
 containertypes "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/api/types/swarm"
@@ -1053,7 +1053,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 sysInfo := d.RawSysInfo(false)
 // Check if Devices cgroup is mounted, it is hard requirement for container security,
 // on Linux.
- if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !sys.RunningInUserNS() {
+ if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !userns.RunningInUserNS() {
 return nil, errors.New("Devices cgroup isn't mounted")
 }
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index d2ff343431..4818d06f60 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -20,7 +20,7 @@ import (
 "github.com/containerd/cgroups"
 statsV1 "github.com/containerd/cgroups/stats/v1"
 statsV2 "github.com/containerd/cgroups/v2/stats"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/api/types"
 "github.com/docker/docker/api/types/blkiodev"
 pblkiodev "github.com/docker/docker/api/types/blkiodev"
@@ -1645,7 +1645,7 @@ func setMayDetachMounts() error {
 // Setting may_detach_mounts does not work in an
 // unprivileged container. Ignore the error, but log
 // it if we appear not to be in that situation.
- if !sys.RunningInUserNS() {
+ if !userns.RunningInUserNS() {
 logrus.Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
 }
 return nil
@@ -1668,7 +1668,7 @@ func setupOOMScoreAdj(score int) error {
 // Setting oom_score_adj does not work in an
 // unprivileged container. Ignore the error, but log
 // it if we appear not to be in that situation.
- if !sys.RunningInUserNS() {
+ if !userns.RunningInUserNS() {
 logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore)
 }
 return nil
diff --git a/daemon/graphdriver/aufs/aufs.go b/daemon/graphdriver/aufs/aufs.go
index b007274e13..36bcead216 100644
--- a/daemon/graphdriver/aufs/aufs.go
+++ b/daemon/graphdriver/aufs/aufs.go
@@ -35,7 +35,7 @@ import (
 "strings"
 "sync"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/daemon/graphdriver"
 "github.com/docker/docker/pkg/archive"
 "github.com/docker/docker/pkg/chrootarchive"
@@ -174,7 +174,7 @@ func supportsAufs() error {
 // proc/filesystems for when aufs is supported
 exec.Command("modprobe", "aufs").Run()
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 return ErrAufsNested
 }
diff --git a/daemon/graphdriver/copy/copy.go b/daemon/graphdriver/copy/copy.go
index 98188070c4..5aa4dd91bc 100644
--- a/daemon/graphdriver/copy/copy.go
+++ b/daemon/graphdriver/copy/copy.go
@@ -11,7 +11,7 @@ import (
 "syscall"
 "time"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/pools"
 "github.com/docker/docker/pkg/system"
 "golang.org/x/sys/unix"
@@ -184,7 +184,7 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
 }
 case mode&os.ModeDevice != 0:
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 // cannot create a device if running in user namespace
 return nil
 }
diff --git a/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go b/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
index 782e8be984..c945ad9234 100644
--- a/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
+++ b/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
@@ -14,7 +14,7 @@ import (
 "path/filepath"
 "strings"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/daemon/graphdriver"
 "github.com/docker/docker/daemon/graphdriver/overlayutils"
 "github.com/docker/docker/pkg/archive"
@@ -468,7 +468,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
 GIDMaps: d.gidMaps,
 // Use AUFS whiteout format: https://github.com/containers/storage/blob/39a8d5ed9843844eafb5d2ba6e6a7510e0126f40/drivers/overlay/overlay.go#L1084-L1089
 WhiteoutFormat: archive.AUFSWhiteoutFormat,
- InUserNS: sys.RunningInUserNS(),
+ InUserNS: userns.RunningInUserNS(),
 }); err != nil {
 return 0, err
 }
diff --git a/daemon/graphdriver/overlay2/check.go b/daemon/graphdriver/overlay2/check.go
index 9641ed47ec..e18da0d7b0 100644
--- a/daemon/graphdriver/overlay2/check.go
+++ b/daemon/graphdriver/overlay2/check.go
@@ -10,7 +10,7 @@ import (
 "path/filepath"
 "syscall"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/system"
 "github.com/pkg/errors"
 "golang.org/x/sys/unix"
@@ -24,7 +24,7 @@ import (
 // When running in a user namespace, returns errRunningInUserNS
 // immediately.
 func doesSupportNativeDiff(d string) error {
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 return errors.New("running in a user namespace")
 }
diff --git a/daemon/graphdriver/overlayutils/userxattr.go b/daemon/graphdriver/overlayutils/userxattr.go
index 7f19dcb7ed..df9c8a4cd3 100644
--- a/daemon/graphdriver/overlayutils/userxattr.go
+++ b/daemon/graphdriver/overlayutils/userxattr.go
@@ -26,7 +26,7 @@ import (
 "path/filepath"
 "github.com/containerd/containerd/mount"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/parsers/kernel"
 "github.com/sirupsen/logrus"
 )
@@ -51,7 +51,7 @@ import (
 //
 // The "userxattr" support is not exposed in "/sys/module/overlay/parameters".
 func NeedsUserXAttr(d string) (bool, error) {
- if !sys.RunningInUserNS() {
+ if !userns.RunningInUserNS() {
 // we are the real root (i.e., the root in the initial user NS),
 // so we do never need "userxattr" opt.
 return false, nil
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index ada90dcdb8..6358450d37 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -15,7 +15,7 @@ import (
 "github.com/containerd/containerd/containers"
 coci "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/pkg/apparmor"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 containertypes "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/container"
 daemonconfig "github.com/docker/docker/daemon/config"
@@ -652,7 +652,7 @@ func WithMounts(daemon *Daemon, c *container.Container) coci.SpecOpts {
 // "mount" when we bind-mount. The reason for this is that at the point
 // when runc sets up the root filesystem, it is already inside a user
 // namespace, and thus cannot change any flags that are locked.
- if daemon.configStore.RemappedRoot != "" || sys.RunningInUserNS() {
+ if daemon.configStore.RemappedRoot != "" || userns.RunningInUserNS() {
 unprivOpts, err := getUnprivilegedMountFlags(m.Source)
 if err != nil {
 return err
@@ -873,7 +873,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 var devs []specs.LinuxDevice
 devPermissions := s.Linux.Resources.Devices
- if c.HostConfig.Privileged && !sys.RunningInUserNS() {
+ if c.HostConfig.Privileged && !userns.RunningInUserNS() {
 hostDevices, err := devices.HostDevices()
 if err != nil {
 return err
diff --git a/pkg/archive/archive_linux_test.go b/pkg/archive/archive_linux_test.go
index 800fda61eb..941d4e443c 100644
--- a/pkg/archive/archive_linux_test.go
+++ b/pkg/archive/archive_linux_test.go
@@ -7,7 +7,7 @@ import (
 "syscall"
 "testing"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/system"
 "golang.org/x/sys/unix"
 "gotest.tools/v3/assert"
@@ -25,7 +25,7 @@ import (
 // └── f1 # whiteout, 0644
 func setupOverlayTestDir(t *testing.T, src string) {
 skip.If(t, os.Getuid() != 0, "skipping test that requires root")
- skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)")
+ skip.If(t, userns.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)")
 // Create opaque directory containing single file and permission 0700
 err := os.Mkdir(filepath.Join(src, "d1"), 0700)
 assert.NilError(t, err)
diff --git a/pkg/archive/archive_test.go b/pkg/archive/archive_test.go
index d7632e1f06..af29640658 100644
--- a/pkg/archive/archive_test.go
+++ b/pkg/archive/archive_test.go
@@ -17,7 +17,7 @@ import (
 "testing"
 "time"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/idtools"
 "github.com/docker/docker/pkg/ioutils"
 "gotest.tools/v3/assert"
@@ -1251,7 +1251,7 @@ func TestReplaceFileTarWrapper(t *testing.T) {
 // version of this package that was built with <=go17 are still readable.
 func TestPrefixHeaderReadable(t *testing.T) {
 skip.If(t, runtime.GOOS != "windows" && os.Getuid() != 0, "skipping test that requires root")
- skip.If(t, sys.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns")
+ skip.If(t, userns.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns")
 // https://gist.github.com/stevvooe/e2a790ad4e97425896206c0816e1a882#file-out-go
 var testFile = []byte("\x1f\x8b\x08\x08\x44\x21\x68\x59\x00\x03\x74\x2e\x74\x61\x72\x00\x4b\xcb\xcf\x67\xa0\x35\x30\x80\x00\x86\x06\x10\x47\x01\xc1\x37\x40\x00\x54\xb6\xb1\xa1\xa9\x99\x09\x48\x25\x1d\x40\x69\x71\x49\x62\x91\x02\xe5\x76\xa1\x79\x84\x21\x91\xd6\x80\x72\xaf\x8f\x82\x51\x30\x0a\x46\x36\x00\x00\xf0\x1c\x1e\x95\x00\x06\x00\x00")
diff --git a/pkg/archive/archive_unix.go b/pkg/archive/archive_unix.go
index ef774fe6b7..412cd5a3b0 100644
--- a/pkg/archive/archive_unix.go
+++ b/pkg/archive/archive_unix.go
@@ -10,7 +10,7 @@ import (
 "strings"
 "syscall"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/idtools"
 "github.com/docker/docker/pkg/system"
 "golang.org/x/sys/unix"
@@ -92,7 +92,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
 }
 err := system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
- if errors.Is(err, syscall.EPERM) && sys.RunningInUserNS() {
+ if errors.Is(err, syscall.EPERM) && userns.RunningInUserNS() {
 // In most cases, cannot create a device if running in user namespace
 err = nil
 }
diff --git a/pkg/archive/archive_unix_test.go b/pkg/archive/archive_unix_test.go
index c5767785c6..b401520c44 100644
--- a/pkg/archive/archive_unix_test.go
+++ b/pkg/archive/archive_unix_test.go
@@ -14,7 +14,7 @@ import (
 "syscall"
 "testing"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/system"
 "golang.org/x/sys/unix"
 "gotest.tools/v3/assert"
@@ -204,7 +204,7 @@ func getInode(path string) (uint64, error) {
 func TestTarWithBlockCharFifo(t *testing.T) {
 skip.If(t, os.Getuid() != 0, "skipping test that requires root")
- skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns")
+ skip.If(t, userns.RunningInUserNS(), "skipping test that requires initial userns")
 origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
 assert.NilError(t, err)
diff --git a/pkg/chrootarchive/chroot_linux.go b/pkg/chrootarchive/chroot_linux.go
index 1c560ce59f..1caba48db7 100644
--- a/pkg/chrootarchive/chroot_linux.go
+++ b/pkg/chrootarchive/chroot_linux.go
@@ -6,7 +6,7 @@ import (
 "os"
 "path/filepath"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/moby/sys/mount"
 "github.com/moby/sys/mountinfo"
 "golang.org/x/sys/unix"
@@ -20,7 +20,7 @@ import (
 // This is similar to how libcontainer sets up a container's rootfs
 func chroot(path string) (err error) {
 // if the engine is running in a user namespace we need to use actual chroot
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 return realChroot(path)
 }
 if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
diff --git a/pkg/chrootarchive/diff_unix.go b/pkg/chrootarchive/diff_unix.go
index c64efefcdc..9b45fd88dc 100644
--- a/pkg/chrootarchive/diff_unix.go
+++ b/pkg/chrootarchive/diff_unix.go
@@ -13,7 +13,7 @@ import (
 "path/filepath"
 "runtime"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/docker/docker/pkg/archive"
 "github.com/docker/docker/pkg/reexec"
 "github.com/docker/docker/pkg/system"
@@ -36,7 +36,7 @@ func applyLayer() {
 runtime.LockOSThread()
 flag.Parse()
- inUserns := sys.RunningInUserNS()
+ inUserns := userns.RunningInUserNS()
 if err := chroot(flag.Arg(0)); err != nil {
 fatal(err)
 }
@@ -95,7 +95,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions
 }
 if options == nil {
 options = &archive.TarOptions{}
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 options.InUserNS = true
 }
 }
diff --git a/pkg/sysinfo/cgroup2_linux.go b/pkg/sysinfo/cgroup2_linux.go
index 432356b498..1ea3cd51d9 100644
--- a/pkg/sysinfo/cgroup2_linux.go
+++ b/pkg/sysinfo/cgroup2_linux.go
@@ -7,7 +7,7 @@ import (
 "strings"
 cgroupsV2 "github.com/containerd/cgroups/v2"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/sirupsen/logrus"
 )
@@ -164,6 +164,6 @@ func applyPIDSCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ str
 }
 func applyDevicesCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ string) []string {
- info.CgroupDevicesEnabled = !sys.RunningInUserNS()
+ info.CgroupDevicesEnabled = !userns.RunningInUserNS()
 return nil
 }
diff --git a/quota/projectquota.go b/quota/projectquota.go
index b8ffe64aaf..5996d54854 100644
--- a/quota/projectquota.go
+++ b/quota/projectquota.go
@@ -58,7 +58,7 @@ import (
 "sync"
 "unsafe"
- "github.com/containerd/containerd/sys"
+ "github.com/containerd/containerd/pkg/userns"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
@@ -118,7 +118,7 @@ func NewControl(basePath string) (*Control, error) {
 // If we are running in a user namespace quota won't be supported for
 // now since makeBackingFsDev() will try to mknod().
 //
- if sys.RunningInUserNS() {
+ if userns.RunningInUserNS() {
 return nil, ErrQuotaNotSupported
 }