Merge pull request containerd#1620 from mlaventure/runc-io-id

Allow setting the uid & gid of the io pipes

Author: estesp

container_linux_test.go

@@ -979,3 +979,93 @@ func TestContainerKillInitPidHost(t *testing.T) {
 		t.Error(err)
 	}
 }
+
+func TestUserNamespaces(t *testing.T) {
+	t.Parallel()
+	t.Run("WritableRootFS", func(t *testing.T) { testUserNamespaces(t, false) })
+	// see #1373 and runc#1572
+	t.Run("ReadonlyRootFS", func(t *testing.T) { testUserNamespaces(t, true) })
+}
+
+func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
+	client, err := newClient(t, address)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	var (
+		image       Image
+		ctx, cancel = testContext()
+		id          = strings.Replace(t.Name(), "/", "-", -1)
+	)
+	defer cancel()
+
+	image, err = client.GetImage(ctx, testImage)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	opts := []NewContainerOpts{WithNewSpec(withImageConfig(image),
+		withExitStatus(7),
+		WithUserNamespace(0, 1000, 10000),
+	)}
+	if readonlyRootFS {
+		opts = append(opts, withRemappedSnapshotView(id, image, 1000, 1000))
+	} else {
+		opts = append(opts, withRemappedSnapshot(id, image, 1000, 1000))
+	}
+
+	container, err := client.NewContainer(ctx, id, opts...)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer container.Delete(ctx, WithSnapshotCleanup)
+
+	task, err := container.NewTask(ctx, Stdio, func(_ context.Context, client *Client, r *TaskInfo) error {
+		r.Options = &runcopts.CreateOptions{
+			IoUid: 1000,
+			IoGid: 1000,
+		}
+		return nil
+	})
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer task.Delete(ctx)
+
+	statusC, err := task.Wait(ctx)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if pid := task.Pid(); pid <= 0 {
+		t.Errorf("invalid task pid %d", pid)
+	}
+	if err := task.Start(ctx); err != nil {
+		t.Error(err)
+		task.Delete(ctx)
+		return
+	}
+	status := <-statusC
+	code, _, err := status.Result()
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if code != 7 {
+		t.Errorf("expected status 7 from wait but received %d", code)
+	}
+	deleteStatus, err := task.Delete(ctx)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if ec := deleteStatus.ExitCode(); ec != 7 {
+		t.Errorf("expected status 7 from delete but received %d", ec)
+	}
+}

container_test.go

@@ -706,92 +706,6 @@ func TestContainerExecNoBinaryExists(t *testing.T) {
 	<-finishedC
 }
 
-func TestUserNamespaces(t *testing.T) {
-	t.Parallel()
-	t.Run("WritableRootFS", func(t *testing.T) { testUserNamespaces(t, false) })
-	// see #1373 and runc#1572
-	t.Run("ReadonlyRootFS", func(t *testing.T) { testUserNamespaces(t, true) })
-}
-
-func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
-	client, err := newClient(t, address)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer client.Close()
-
-	var (
-		image       Image
-		ctx, cancel = testContext()
-		id          = strings.Replace(t.Name(), "/", "-", -1)
-	)
-	defer cancel()
-
-	if runtime.GOOS != "windows" {
-		image, err = client.GetImage(ctx, testImage)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-	}
-
-	opts := []NewContainerOpts{WithNewSpec(withImageConfig(image),
-		withExitStatus(7),
-		withUserNamespace(0, 1000, 10000),
-	)}
-	if readonlyRootFS {
-		opts = append(opts, withRemappedSnapshotView(id, image, 1000, 1000))
-	} else {
-		opts = append(opts, withRemappedSnapshot(id, image, 1000, 1000))
-	}
-
-	container, err := client.NewContainer(ctx, id, opts...)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	defer container.Delete(ctx, WithSnapshotCleanup)
-
-	task, err := container.NewTask(ctx, empty())
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	defer task.Delete(ctx)
-
-	statusC, err := task.Wait(ctx)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	if pid := task.Pid(); pid <= 0 {
-		t.Errorf("invalid task pid %d", pid)
-	}
-	if err := task.Start(ctx); err != nil {
-		t.Error(err)
-		task.Delete(ctx)
-		return
-	}
-	status := <-statusC
-	code, _, err := status.Result()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if code != 7 {
-		t.Errorf("expected status 7 from wait but received %d", code)
-	}
-	deleteStatus, err := task.Delete(ctx)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if ec := deleteStatus.ExitCode(); ec != 7 {
-		t.Errorf("expected status 7 from delete but received %d", ec)
-	}
-}
-
 func TestWaitStoppedTask(t *testing.T) {
 	t.Parallel()
 

helpers_unix_test.go

@@ -40,7 +40,6 @@ func withExecArgs(s *specs.Process, args ...string) {
 }
 
 var (
-	withUserNamespace        = WithUserNamespace
 	withRemappedSnapshot     = WithRemappedSnapshot
 	withRemappedSnapshotView = WithRemappedSnapshotView
 	withNewSnapshot          = WithNewSnapshot

helpers_windows_test.go

@@ -53,10 +53,6 @@ func withNewSnapshot(id string, i Image) NewContainerOpts {
 	}
 }
 
-func withUserNamespace(u, g, s uint32) SpecOpts {
-	return withNoop
-}
-
 func withRemappedSnapshot(id string, i Image, u, g uint32) NewContainerOpts {
 	return func(ctx context.Context, client *Client, c *containers.Container) error {
 		return nil

linux/runcopts/next.pb.txt

@@ -98,6 +98,20 @@ file {
       type: TYPE_STRING
       json_name: "shimCgroup"
     }
+    field {
+      name: "io_uid"
+      number: 10
+      label: LABEL_OPTIONAL
+      type: TYPE_UINT32
+      json_name: "ioUid"
+    }
+    field {
+      name: "io_gid"
+      number: 11
+      label: LABEL_OPTIONAL
+      type: TYPE_UINT32
+      json_name: "ioGid"
+    }
   }
   message_type {
     name: "CheckpointOptions"

linux/runcopts/runc.pb.go

@@ -23,6 +23,8 @@ message CreateOptions {
 	string cgroups_mode = 7;
 	bool no_new_keyring = 8;
 	string shim_cgroup = 9;
+	uint32 io_uid = 10;
+	uint32 io_gid = 11;
 }
 
 message CheckpointOptions {