
remove group name from identity mapping

NewIdentityMapping took group name as an argument, and used
the group name also to parse the /etc/sub{uid,gid}. But as per
Linux man pages, the sub{uid,gid} file maps username or uid,
not a group name.

Therefore, all occurrences where mapping is used need to
consider only username and uid. Code trying to map using gid
and group name in the daemon is also removed.

Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
Akhil Mohan 5 سال پیش
والد
کامیت
7ad0da7051
4فایلهای تغییر یافته به همراه52 افزوده شده و 56 حذف شده
  1. 4 25
      daemon/daemon_unix.go
  2. 0 25
      pkg/idtools/idtools.go
  3. 47 0
      pkg/idtools/idtools_unix.go
  4. 1 6
      pkg/idtools/idtools_unix_test.go

+ 4 - 25
daemon/daemon_unix.go

@@ -1207,36 +1207,15 @@ func setupRemappedRoot(config *config.Config) (*idtools.IdentityMapping, error)
 			logrus.Warn("User namespaces: root cannot be remapped with itself; user namespaces are OFF")
 			return &idtools.IdentityMapping{}, nil
 		}
-		logrus.Infof("User namespaces: ID ranges will be mapped to subuid/subgid ranges of: %s:%s", username, groupname)
+		logrus.Infof("User namespaces: ID ranges will be mapped to subuid/subgid ranges of: %s", username)
 		// update remapped root setting now that we have resolved them to actual names
 		config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname)
 
-		// try with username:groupname, uid:groupname, username:gid, uid:gid,
-		// but keep the original error message (err)
-		mappings, err := idtools.NewIdentityMapping(username, groupname)
-		if err == nil {
-			return mappings, nil
-		}
-		user, lookupErr := idtools.LookupUser(username)
-		if lookupErr != nil {
+		mappings, err := idtools.NewIdentityMapping(username)
+		if err != nil {
 			return nil, errors.Wrap(err, "Can't create ID mappings")
 		}
-		logrus.Infof("Can't create ID mappings with username:groupname %s:%s, try uid:groupname %d:%s", username, groupname, user.Uid, groupname)
-		mappings, lookupErr = idtools.NewIdentityMapping(fmt.Sprintf("%d", user.Uid), groupname)
-		if lookupErr == nil {
-			return mappings, nil
-		}
-		logrus.Infof("Can't create ID mappings with uid:groupname %d:%s, try username:gid %s:%d", user.Uid, groupname, username, user.Gid)
-		mappings, lookupErr = idtools.NewIdentityMapping(username, fmt.Sprintf("%d", user.Gid))
-		if lookupErr == nil {
-			return mappings, nil
-		}
-		logrus.Infof("Can't create ID mappings with username:gid %s:%d, try uid:gid %d:%d", username, user.Gid, user.Uid, user.Gid)
-		mappings, lookupErr = idtools.NewIdentityMapping(fmt.Sprintf("%d", user.Uid), fmt.Sprintf("%d", user.Gid))
-		if lookupErr == nil {
-			return mappings, nil
-		}
-		return nil, errors.Wrap(err, "Can't create ID mappings")
+		return mappings, nil
 	}
 	return &idtools.IdentityMapping{}, nil
 }
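Review bot: `config.RemappedRoot` is still written as `username:groupname` on the line after the changed `Infof`, although the group no longer influences the mapping, because `NewIdentityMapping(username)` takes the subgid ranges from the user's entry. An operator who configured a distinct group for remapping would still see it echoed in the stored setting while a different subgid range is in effect, and nothing in the log says so. When the two names differ, a warning such as `logrus.Warnf("User namespaces: group %q is ignored; subgid ranges are read from the entry for user %q", groupname, username)` would make the isolation boundary that is actually applied visible. The body of setupRemappedRoot starts outside this hunk, so how `groupname` is resolved is not visible here.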

+ 0 - 25
pkg/idtools/idtools.go

@@ -114,31 +114,6 @@ type IdentityMapping struct {
 	gids []IDMap
 }
 
-// NewIdentityMapping takes a requested user and group name and
-// using the data from /etc/sub{uid,gid} ranges, creates the
-// proper uid and gid remapping ranges for that user/group pair
-func NewIdentityMapping(username, groupname string) (*IdentityMapping, error) {
-	subuidRanges, err := parseSubuid(username)
-	if err != nil {
-		return nil, err
-	}
-	subgidRanges, err := parseSubgid(groupname)
-	if err != nil {
-		return nil, err
-	}
-	if len(subuidRanges) == 0 {
-		return nil, fmt.Errorf("No subuid ranges found for user %q", username)
-	}
-	if len(subgidRanges) == 0 {
-		return nil, fmt.Errorf("No subgid ranges found for group %q", groupname)
-	}
-
-	return &IdentityMapping{
-		uids: createIDMap(subuidRanges),
-		gids: createIDMap(subgidRanges),
-	}, nil
-}
-
 // NewIDMappingsFromMaps creates a new mapping from two slices
 // Deprecated: this is a temporary shim while transitioning to IDMapping
 func NewIDMappingsFromMaps(uids []IDMap, gids []IDMap) *IdentityMapping {

+ 47 - 0
pkg/idtools/idtools_unix.go

@@ -8,12 +8,14 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
 
 	"github.com/docker/docker/pkg/system"
 	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/pkg/errors"
 )
 
 var (
@@ -229,3 +231,48 @@ func lazyChown(p string, uid, gid int, stat *system.StatT) error {
 	}
 	return os.Chown(p, uid, gid)
 }
+
+// NewIdentityMapping takes a requested username and
+// using the data from /etc/sub{uid,gid} ranges, creates the
+// proper uid and gid remapping ranges for that user/group pair
+func NewIdentityMapping(username string) (*IdentityMapping, error) {
+	usr, err := LookupUser(username)
+	if err != nil {
+		return nil, fmt.Errorf("Could not get user for username %s: %v", username, err)
+	}
+
+	uid := strconv.Itoa(usr.Uid)
+
+	subuidRangesWithUserName, err := parseSubuid(username)
+	if err != nil {
+		return nil, err
+	}
+	subgidRangesWithUserName, err := parseSubgid(username)
+	if err != nil {
+		return nil, err
+	}
+
+	subuidRangesWithUID, err := parseSubuid(uid)
+	if err != nil {
+		return nil, err
+	}
+	subgidRangesWithUID, err := parseSubgid(uid)
+	if err != nil {
+		return nil, err
+	}
+
+	subuidRanges := append(subuidRangesWithUserName, subuidRangesWithUID...)
+	subgidRanges := append(subgidRangesWithUserName, subgidRangesWithUID...)
+
+	if len(subuidRanges) == 0 {
+		return nil, errors.Errorf("no subuid ranges found for user %q", username)
+	}
+	if len(subgidRanges) == 0 {
+		return nil, errors.Errorf("no subgid ranges found for user %q", username)
+	}
+
+	return &IdentityMapping{
+		uids: createIDMap(subuidRanges),
+		gids: createIDMap(subgidRanges),
+	}, nil
+}
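Review bot: The ranges found under the user name and under the numeric uid are concatenated with `append` without any deduplication, so the same range can reach `createIDMap` twice. That happens when the user name is itself the decimal uid string, and presumably also when the subid files list one range under both keys; whether `createIDMap` or the kernel tolerates the duplicate is not visible here. Skipping the second pair of lookups with `if uid != username {` and dropping repeated ranges before building the maps would avoid it. The doc comment still says "for that user/group pair" and could read `// proper uid and gid remapping ranges for that user`. The first error uses `fmt.Errorf` with a capitalised message and `%v`, while the later ones use `errors.Errorf`; `errors.Wrapf(err, "could not get user for username %s", username)` would be consistent and keep the cause.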

+ 1 - 6
pkg/idtools/idtools_unix_test.go

@@ -321,12 +321,7 @@ func TestNewIDMappings(t *testing.T) {
 	tempUser, err := user.Lookup(tempUser)
 	assert.Check(t, err)
 
-	gids, err := tempUser.GroupIds()
-	assert.Check(t, err)
-	group, err := user.LookupGroupId(gids[0])
-	assert.Check(t, err)
-
-	idMapping, err := NewIdentityMapping(tempUser.Username, group.Name)
+	idMapping, err := NewIdentityMapping(tempUser.Username)
 	assert.Check(t, err)
 
 	rootUID, rootGID, err := GetRootUIDGID(idMapping.UIDs(), idMapping.GIDs())
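Review bot: The call to `NewIdentityMapping(tempUser.Username)` in this hunk only adapts to the new signature, and nothing visible here exercises the new behaviour of merging ranges keyed by the numeric uid. The rest of TestNewIDMappings is outside the hunk, so the fixture may already cover it. If it does not, a case where the subuid and subgid entries for the temporary user are keyed by uid rather than by name, and one where both forms are present, would pin down which ranges end up in the mapping.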