pkg/chrootarchive: use containerd/sys to detect UserNamespaces

The implementation in libcontainer/system is quite complicated,
and we only use it to detect whether user namespaces are enabled.

In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2020-06-15 13:07:23 +02:00
parent f7d5d70e44
commit 9ff990a2b9
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
2 changed files with 5 additions and 5 deletions


@ -6,9 +6,9 @@ import (
"os"
"path/filepath"
"github.com/containerd/containerd/sys"
"github.com/moby/sys/mount"
"github.com/moby/sys/mountinfo"
rsystem "github.com/opencontainers/runc/libcontainer/system"
"golang.org/x/sys/unix"
)
@ -20,7 +20,7 @@ import (
// This is similar to how libcontainer sets up a container's rootfs
func chroot(path string) (err error) {
// if the engine is running in a user namespace we need to use actual chroot
if rsystem.RunningInUserNS() {
if sys.RunningInUserNS() {
return realChroot(path)
}
if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
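Review bot: The new check on the `sys.RunningInUserNS()` line is, per the commit description, cached process-wide via sync.Once, and nothing in this hunk documents that the cached answer is only valid because `chroot` never changes the user namespace itself; the `unix.Unshare(unix.CLONE_NEWNS)` that follows only unshares the mount namespace, so a later call in this process returns the same value. I would record that next to the check: `// sys.RunningInUserNS caches its result for the life of the process; this is safe here because chroot only unshares the mount namespace, never the user namespace.` Both helpers appear to reduce to reading /proc/self/uid_map and, if I recall the containerd implementation correctly, a failure to read it is reported as "not in a user namespace", which means the unshare/pivot path below is taken on read errors — worth confirming that this matches the runc helper's behaviour before the swap. The body of `chroot` continues outside the hunk.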


@ -13,10 +13,10 @@ import (
"path/filepath"
"runtime"
"github.com/containerd/containerd/sys"
"github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/reexec"
"github.com/docker/docker/pkg/system"
rsystem "github.com/opencontainers/runc/libcontainer/system"
)
type applyLayerResponse struct {
@ -36,7 +36,7 @@ func applyLayer() {
runtime.LockOSThread()
flag.Parse()
inUserns := rsystem.RunningInUserNS()
inUserns := sys.RunningInUserNS()
if err := chroot(flag.Arg(0)); err != nil {
fatal(err)
}
@ -95,7 +95,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions
}
if options == nil {
options = &archive.TarOptions{}
if rsystem.RunningInUserNS() {
if sys.RunningInUserNS() {
options.InUserNS = true
}
}
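Review bot: The ordering at `inUserns := sys.RunningInUserNS()` in applyLayer is load-bearing but uncommented: the detection presumably reads /proc/self/uid_map, which is unlikely to be reachable once `chroot(flag.Arg(0))` has run on the next line, so the call must stay above the chroot. I would pin that with a comment: `// detect before chroot(): the check reads /proc/self/uid_map, which is not reachable from the new root.` The same detection is now also performed in the parent in applyLayerHandler (the `options.InUserNS = true` hunk); since the cached result is per process, parent and reexec'd child each read the uid map once, and whether the child could simply take InUserNS from the options the parent hands it is not visible here — if so, the child-side call would be redundant. Both applyLayer and applyLayerHandler continue outside their hunks.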