Commit graph

9 commits

Author SHA1 Message Date
Vincent Demeester
acf7ce1aa0
Remove use of pkg/integration in pkg/idtools
This remove a dependency on `go-check` (and more) when using
`pkg/idtools`. `pkg/integration` should never be called from any other
package then `integration`.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-11-08 17:21:02 +01:00
Phil Estes
6cb8392be9 Add support for looking up user/groups via getent
When processing the --userns-remap flag, add the
capability to call out to `getent` if the user and
group information is not found via local file
parsing code already in libcontainer/user.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-28 19:06:07 -04:00
Phil Estes
43a1df6be2
Don't start daemon in userns mode if graphdir inaccessible
Warn the user and fail daemon start if the graphdir path has any
elements which will deny access to the remapped root uid/gid.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-08-24 11:25:30 -04:00
Phil Estes
c6f45fd2ee Lazy init useradd and remove init()
This should not have been in init() as it causes these lookups to happen
in all reexecs of the Docker binary. The only time it needs to be
resolved is when a user is added, which is extremely rare.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-04-06 17:53:45 -04:00
Phil Estes
c18e7f3a04 Change subordinate range-owning user to be a system user
Change user/group creation to use flags to adduser/useradd to enforce it
being a system user. Use system user defaults that auto-create a
matching group. These changes allow us to remove all group creation
code, and in doing so we also removed the code that finds available uid,
gid integers and use post-creation query to gather the system-generated
uid and gid.

The only added complexity is that today distros don't auto-create
subordinate ID ranges for a new ID if it is a system ID, so we now need
to handle finding a free range and then calling the `usermod` tool to
add the ranges for that ID. Note that this requires the distro supports
the `-v` and `-w` flags on `usermod` for subordinate ID range additions.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-03-16 18:44:10 -04:00
Antonio Murdaca
bf04d68db2 pkg: idtools: fix subid files parsing
Since Docker is already skipping newlines in /etc/sub{uid,gid},
this patch skips commented out lines - otherwise Docker fails to start.
Add unit test also.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-02-26 15:42:05 +01:00
Phil Estes
ae8c004dc1 Correct build-time directory creation with user namespaced daemon
This fixes errors in ownership on directory creation during build that
can cause inaccessible files depending on the paths in the Dockerfile
and non-existing directories in the starting image.

Add tests for the mkdir variants in pkg/idtools

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-20 08:59:48 -04:00
John Howard
bfe252b781 Windows: Daemon broken on master
Signed-off-by: John Howard <jhoward@microsoft.com>
2015-10-12 09:11:19 -07:00
Phil Estes
9a3ab0358e Add utility/support package for user namespace support
The `pkg/idtools` package supports the creation of user(s) for
retrieving /etc/sub{u,g}id ranges and creation of the UID/GID mappings
provided to clone() to add support for user namespaces in Docker.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-09 17:44:47 -04:00