From 042a249e7374e0914d3008684645380d3e4eddb5 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 8 Mar 2019 15:00:20 +0100 Subject: [PATCH] rootless: honor --net host when running in rootless mode, do not use slirp4netns if --net host is specified. Closes: https://github.com/containers/buildah/issues/1223 Signed-off-by: Giuseppe Scrivano --- cmd/buildah/bud.go | 2 +- cmd/buildah/from.go | 2 +- imagebuildah/build.go | 29 +++++++++++++++-------------- pkg/parse/parse.go | 20 ++++++++++++++++++-- run.go | 4 +++- 5 files changed, 38 insertions(+), 19 deletions(-) diff --git a/cmd/buildah/bud.go b/cmd/buildah/bud.go index 013ba981f96..25afd54f6bc 100644 --- a/cmd/buildah/bud.go +++ b/cmd/buildah/bud.go @@ -228,7 +228,7 @@ func budCmd(c *cobra.Command, inputArgs []string, iopts budResults) error { if err != nil { return errors.Wrapf(err, "error parsing namespace-related options") } - usernsOption, idmappingOptions, err := parse.IDMappingOptions(c) + usernsOption, idmappingOptions, err := parse.IDMappingOptions(c, isolation) if err != nil { return errors.Wrapf(err, "error parsing ID mapping options") } diff --git a/cmd/buildah/from.go b/cmd/buildah/from.go index ae3746e70e3..884586bfb64 100644 --- a/cmd/buildah/from.go +++ b/cmd/buildah/from.go @@ -198,7 +198,7 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error { if err != nil { return errors.Wrapf(err, "error parsing namespace-related options") } - usernsOption, idmappingOptions, err := parse.IDMappingOptions(c) + usernsOption, idmappingOptions, err := parse.IDMappingOptions(c, isolation) if err != nil { return errors.Wrapf(err, "error parsing ID mapping options") } diff --git a/imagebuildah/build.go b/imagebuildah/build.go index 4f0ffac1c08..780a0f8a477 100644 --- a/imagebuildah/build.go +++ b/imagebuildah/build.go 
@@ -510,20 +510,21 @@ func (b *Executor) Run(run imagebuilder.Run, config docker.Config) error { stdin = devNull } options := buildah.RunOptions{ - Hostname: config.Hostname, - Runtime: b.runtime, - Args: b.runtimeArgs, - NoPivot: os.Getenv("BUILDAH_NOPIVOT") != "", - Mounts: convertMounts(b.transientMounts), - Env: config.Env, - User: config.User, - WorkingDir: config.WorkingDir, - Entrypoint: config.Entrypoint, - Cmd: config.Cmd, - Stdin: stdin, - Stdout: b.out, - Stderr: b.err, - Quiet: b.quiet, + Hostname: config.Hostname, + Runtime: b.runtime, + Args: b.runtimeArgs, + NoPivot: os.Getenv("BUILDAH_NOPIVOT") != "", + Mounts: convertMounts(b.transientMounts), + Env: config.Env, + User: config.User, + WorkingDir: config.WorkingDir, + Entrypoint: config.Entrypoint, + Cmd: config.Cmd, + Stdin: stdin, + Stdout: b.out, + Stderr: b.err, + Quiet: b.quiet, + NamespaceOptions: b.namespaceOptions, } if config.NetworkDisabled { options.ConfigureNetwork = buildah.NetworkDisabled diff --git a/pkg/parse/parse.go b/pkg/parse/parse.go index a26d1563195..c309f686a3f 100644 --- a/pkg/parse/parse.go +++ b/pkg/parse/parse.go @@ -9,6 +9,7 @@ import ( "github.com/spf13/cobra" "net" "os" + "os/exec" "path/filepath" "strconv" "strings" @@ -319,7 +320,7 @@ func getDockerAuth(creds string) (*types.DockerAuthConfig, error) { } // IDMappingOptions parses the build options related to user namespaces and ID mapping. -func IDMappingOptions(c *cobra.Command) (usernsOptions buildah.NamespaceOptions, idmapOptions *buildah.IDMappingOptions, err error) { +func IDMappingOptions(c *cobra.Command, isolation buildah.Isolation) (usernsOptions buildah.NamespaceOptions, idmapOptions *buildah.IDMappingOptions, err error) { user := c.Flag("userns-uid-map-user").Value.String() group := c.Flag("userns-gid-map-group").Value.String() // If only the user or group was specified, use the same value for the 
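Review bot: The doc comment above the new IDMappingOptions signature is unchanged and still describes only option parsing, while the function now also takes `isolation` and, for IsolationOCIRootless, probes PATH for slirp4netns to decide whether a user namespace is needed. Extend it so callers learn about the new input and the side effect, e.g. `// IDMappingOptions parses the build options related to user namespaces and ID mapping. For IsolationOCIRootless it also looks up slirp4netns on PATH and defaults to a user namespace when it is available.` The body of IDMappingOptions continues outside this hunk.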
@@ -391,11 +392,26 @@ func IDMappingOptions(c *cobra.Command) (usernsOptions buildah.NamespaceOptions, if len(gidmap) == 0 && len(uidmap) != 0 { gidmap = uidmap } + + useSlirp4netns := false + + if isolation == buildah.IsolationOCIRootless { + _, err := exec.LookPath("slirp4netns") + if execerr, ok := err.(*exec.Error); ok && !strings.Contains(execerr.Error(), "not found") { + return nil, nil, errors.Wrapf(err, "cannot lookup slirp4netns %v", execerr) + } + if err == nil { + useSlirp4netns = true + } else { + logrus.Warningf("could not find slirp4netns. Using host network namespace") + } + } + // By default, having mappings configured means we use a user // namespace. Otherwise, we don't. usernsOption := buildah.NamespaceOption{ Name: string(specs.UserNamespace), - Host: len(uidmap) == 0 && len(gidmap) == 0, + Host: len(uidmap) == 0 && len(gidmap) == 0 && !useSlirp4netns, } // If the user specifically requested that we either use or don't use // user namespaces, override that default. diff --git a/run.go b/run.go index f56ce30b1c1..2fa3cd572e0 100644 --- a/run.go +++ b/run.go @@ -1765,7 +1765,9 @@ func runConfigureNetwork(isolation Isolation, options RunOptions, configureNetwo var netconf, undo []*libcni.NetworkConfigList if isolation == IsolationOCIRootless { - return setupRootlessNetwork(pid) + if ns := options.NamespaceOptions.Find(string(specs.NetworkNamespace)); ns != nil && !ns.Host { + return setupRootlessNetwork(pid) + } } // Scan for CNI configuration files. confdir := options.CNIConfigDir
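Review bot: The check that decides whether a LookPath failure is fatal matches on the error text, `!strings.Contains(execerr.Error(), "not found")`, which is fragile; `*exec.Error` exposes the underlying cause, so compare it directly: `if execerr, ok := err.(*exec.Error); ok && execerr.Err != exec.ErrNotFound {`. The `%v execerr` argument in the Wrapf call also repeats the error that Wrapf already appends, so `errors.Wrapf(err, "cannot lookup slirp4netns")` is enough. On the fallback branch, a missing slirp4netns leaves every rootless build in the user's own network namespace with only a warning, so RUN steps can reach services bound to localhost; the message should state that loss of isolation explicitly, e.g. `logrus.Warningf("could not find slirp4netns; rootless build will run in the host network namespace (no network isolation)")`. IDMappingOptions starts and ends outside this hunk.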
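Review bot: When NamespaceOptions has no NetworkNamespace entry, the new guard `ns != nil && !ns.Host` is false, so a rootless run now falls through to the CNI configuration path that this branch previously always bypassed; unless every caller is guaranteed to populate that entry, a nil result should keep the old behaviour: `if ns := options.NamespaceOptions.Find(string(specs.NetworkNamespace)); ns == nil || !ns.Host {`. Whether RunOptions.NamespaceOptions is always populated is not visible here — the imagebuildah hunk sets it from b.namespaceOptions, but other callers of RunOptions may leave it empty. runConfigureNetwork starts before this hunk and continues after it.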