Commit graph

19 commits

Author SHA1 Message Date
Jan Garcia
c1bd5e9144 Use user paths for plugin discovery in rootless mode
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-01-09 16:26:06 +01:00
Sebastiaan van Stijn
686be57d0a Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Kir Kolyshkin
7ef475fc16 pkg/homedir: clarify Get() docs wrt static linking
This clarifies comments about static linking made in commit a8608b5b67.

1. There are two ways to create a static binary, one is to disable
cgo, the other is to set linker flags. When cgo is disabled,
there is no need to use osusergo build tag.

2. osusergo only needs to be set when linking against glibc.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-10-24 16:39:24 -07:00
Kir Kolyshkin
80e338a18d Revert "homedir: add cgo or osusergo buildtag constraints for unix"
TL;DR: there is no way to do this right.

We do know that in some combination of build tags set (or unset),
linker flags, environment variables, and libc implementation,
this package won't work right. In fact, there is one specific
combination:

1. `CGO_ENABLED=1` (or unset)
2. static binary is being built (e.g. `go build` is run with `-extldflags -static`)
3. `go build` links the binary against glibc
4. `osusergo` is not set

This particular combination results in the following legitimate linker warning:

> cgo_lookup_unix.go: warning: Using 'getpwuid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

If this warning is ignored and the resulting binary is used on a system
with files from a different glibc version (or without those files), it
could result in a segfault.

The commit being reverted tried to guard against such possibility,
but the problem is, we can only use build tags to account for items
1 and 4 from the above list, while items 2 and 3 do not result in
any build tags being set or unset, making this guard excessive.

Remove it.

This reverts commit 023b072288.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-10-24 13:13:09 -07:00
Tibor Vass
023b072288 homedir: add cgo or osusergo buildtag constraints for unix
This is to ensure that users of the homedir package cannot
compile statically (CGO_ENABLED=0) without also setting the osusergo
build tag.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-09-26 21:09:36 +00:00
Tibor Vass
a8608b5b67 homedir: remove idtools and libcontainer's user package dependencies
About github.com/opencontainers/runc/libcontainer/user:

According to 195d8d544a
this package has two functions:
- Have a static implementation of user lookup, which is now supported in the
  os/user stdlib package with the osusergo build tag, but wasn't at the time.
- Have extra functions that os/user doesn't have, but none of those are used
  in homedir.

Since https://github.com/moby/moby/pull/11287, homedir depended directly on
libcontainer's user package for CurrentUser().
This is being replaced with os/user.Current(), because all of our static
binaries are compiled with the osusergo tag, and for dynamic libraries it
is more correct to use libc's implementation than parsing /etc/passwd.

About github.com/docker/docker/pkg/idtools:

Only dependency was from GetStatic() which uses idtools.LookupUID(uid).
The implementation of idtools.LookupUID just calls to
github.com/opencontainers/runc/libcontainer/user.LookupUid or fallbacks
to exec-ing to getent (since https://github.com/moby/moby/pull/27599).

This patch replaces calls to homedir.GetStatic by homedir.Get(), opting out
of supporting nss lookups in static binaries via exec-ing to getent for
the homedir package.

If homedir package users need to support nss lookups, they are advised
to compile dynamically instead.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-09-24 00:32:13 +00:00
Akihiro Suda
ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Sebastiaan van Stijn
6ed1163c98 Remove redundant build-tags
Files that are suffixed with `_linux.go` or `_windows.go` are
already only built on Linux / Windows, so these build-tags
were redundant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-12-18 17:41:53 +01:00
Justin Cormack
b7bd959294 Split homedir files by operating system
libcontainer/user does not build at all on Windows any more, and
this was breaking the client on Windows with upstream `runc`. As
these functions are not used anyway, just split out and stop
checking `runtime`.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-10 14:10:43 +01:00
Akihiro Suda
b86e3bee5a gcplogs: forcibly set HOME on static UNIX binary
Fix #29344

If HOME is not set, the gcplogs logging driver will call os/user.Current() via oauth2/google.
However, in static binary, os/user.Current() leads to segfault due to a glibc issue that won't be fixed
in a short term. (golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
So we forcibly set HOME so as to avoid call to os/user/Current().

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-12-29 03:17:26 +00:00
Antonio Murdaca
863b571617 Revert "resolve the config file from the sudo user"
This reverts commit afde6450ee.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-02-29 13:51:43 +01:00
Antonio Murdaca
afde6450ee resolve the config file from the sudo user
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-02-24 15:41:00 +01:00
Alexander Morozov
c86189d554 Update libcontainer
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontainer.
Also I moved AppArmor profile generation to docker.

Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-07-16 16:02:26 -07:00
Dan Walsh
42aec0c771 If $HOME is not set, return homedir from /etc/passwd
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-03-10 10:00:22 -04:00
Arnaud Porterie
89bdaa35e0 Remove subdirectories MAINTAINERS files
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-03-06 18:21:51 -08:00
Doug Davis
116367eb07 Fix for help when $HOME is /
estesp noticed that when $HOME is / the ~ substitution messes up
because it tries to replace all paths that start with "/" with "~".
This fixes it so that it will only replace it when $HOME isn't "/".

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-02-19 22:21:17 -08:00
Ahmet Alp Balkan
8ca37e4760 pkg/homedir: implement GetShortcutString()
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-02-18 22:56:03 -08:00
Ahmet Alp Balkan
f9ae2d4fd4 Export $HOME lookup to pkg/homedir
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
2015-02-06 11:42:45 -08:00