oci: correctly use user.GetExecUser interface

A nil interface in Go is not the same as a nil pointer that satisfies
the interface. libcontainer/user has special handling for missing
/etc/{passwd,group} files but this is all based on nil interface checks,
which were broken by Docker's usage of the API.

When combined with some recent changes in runc that made read errors
actually be returned to the caller, this results in spurious -EINVAL
errors when we should detect the situation as "there is no passwd file".

Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 3108ae6226)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Aleksa Sarai 2020-07-29 12:43:43 +10:00 committed by Sebastiaan van Stijn
parent 7d597ee2c9
commit 83baeafc3c
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
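
The typed-nil pitfall described in the commit message, as an added Go example that is not part of the commit or of Docker or runc code. `openBroken` and `openFixed` mirror the two shapes of the return; `looksPresent`, `readErr` and the missing path are hypothetical names and values constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// openBroken has the pre-fix shape: os.Open's (*os.File, error) result is
// returned directly, so on failure the nil *os.File is stored in the
// io.ReadCloser, which then holds a type and is no longer equal to nil.
func openBroken(p string) (io.ReadCloser, error) {
	return os.Open(p)
}

// openFixed has the post-fix shape: an untyped nil is returned on error.
func openFixed(p string) (io.ReadCloser, error) {
	fh, err := os.Open(p)
	if err != nil {
		return nil, err
	}
	return fh, nil
}

// looksPresent is a hypothetical consumer that decides whether the file
// exists purely by comparing the interface value to nil.
func looksPresent(rc io.ReadCloser) bool { return rc != nil }

// readErr reads one byte and returns the error; on a nil *os.File the
// standard library reports os.ErrInvalid ("invalid argument").
func readErr(rc io.ReadCloser) error {
	_, err := rc.Read(make([]byte, 1))
	return err
}

func main() {
	// Constructed path that is assumed not to exist on the machine.
	missing := filepath.Join(os.TempDir(), "constructed-missing-rootfs", "etc", "passwd")
	broken, _ := openBroken(missing)
	fixed, _ := openFixed(missing)
	fmt.Println("broken looks present:", looksPresent(broken))
	fmt.Println("fixed looks present: ", looksPresent(fixed))
	fmt.Println("reading the typed nil:", readErr(broken))
}
```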

@ -157,7 +157,14 @@ func readUserFile(c *container.Container, p string) (io.ReadCloser, error) {
if err != nil {
return nil, err
}
return os.Open(fp)
fh, err := os.Open(fp)
if err != nil {
// This is needed because a nil *os.File is different to a nil
// io.ReadCloser and this causes GetExecUser to not detect that the
// container file is missing.
return nil, err
}
return fh, nil
}
func getUser(c *container.Container, username string) (uint32, uint32, []uint32, error) {
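
Review bot: the explanatory comment sits inside the `if err != nil` branch of readUserFile, but what it justifies is the shape of the whole function, namely not writing `return os.Open(fp)`. Moving it above `fh, err := os.Open(fp)` would make it harder for a later cleanup to collapse the statements back into the one-line return. No test is visible in this hunk; one that calls readUserFile for a container without the file and asserts that the returned io.ReadCloser compares equal to nil would pin the behaviour that GetExecUser depends on.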