rootless: add rootless to kata

Gopkg.toml

@@ -32,15 +32,15 @@
 
 [[constraint]]
   name = "github.com/vishvananda/netlink"
-  revision = "c2a3de3b38bd00f07290c3c5e12b4dbc04ec8666"
+  revision = "c8c507c80ea28385caac72b682dd066e44943913"
 
 [[constraint]]
   name = "github.com/vishvananda/netns"
   revision = "86bef332bfc3b59b7624a600bd53009ce91a9829"
 
 [[constraint]]
   name = "golang.org/x/sys"
-  revision = "1d2aa6dbdea45adaaebb9905d0666e4537563829"
+  revision = "88d2dcc510266da9f7f8c7f34e1940716cab5f5c"
 
 [[constraint]]
   name = "github.com/sirupsen/logrus"

cli/main.go

@@ -18,6 +18,7 @@ import (
 	"syscall"
 
 	"github.com/kata-containers/runtime/pkg/katautils"
+	"github.com/kata-containers/runtime/pkg/rootless"
 	"github.com/kata-containers/runtime/pkg/signals"
 	vc "github.com/kata-containers/runtime/virtcontainers"
 	vf "github.com/kata-containers/runtime/virtcontainers/factory"
@@ -241,6 +242,9 @@ func setExternalLoggers(ctx context.Context, logger *logrus.Entry) {
 
 	// Set the katautils package logger
 	katautils.SetLogger(ctx, logger, originalLoggerLevel)
+
+	// Set the rootless package logger
+	rootless.SetLogger(ctx, logger)
 }
 
 // beforeSubcommands is the function to perform preliminary checks

pkg/katautils/oci.go

@@ -11,6 +11,9 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
+
+	"github.com/kata-containers/runtime/pkg/rootless"
 )
 
 const ctrsMappingDirMode = os.FileMode(0750)
@@ -22,6 +25,11 @@ func SetCtrsMapTreePath(path string) {
 	ctrsMapTreePath = path
 }
 
+// doUpdatePath returns whether a ctrsMapTreePath needs to be updated with a rootless prefix
+func doUpdatePath() bool {
+	return rootless.IsRootless() && !strings.HasPrefix(ctrsMapTreePath, rootless.GetRootlessDir())
+}
+
 // FetchContainerIDMapping This function assumes it should find only one file inside the container
 // ID directory. If there are several files, we could not determine which
 // file name corresponds to the sandbox ID associated, and this would throw
@@ -31,6 +39,10 @@ func FetchContainerIDMapping(containerID string) (string, error) {
 		return "", fmt.Errorf("Missing container ID")
 	}
 
+	if doUpdatePath() {
+		SetCtrsMapTreePath(filepath.Join(rootless.GetRootlessDir(), ctrsMapTreePath))
+	}
+
 	dirPath := filepath.Join(ctrsMapTreePath, containerID)
 
 	files, err := ioutil.ReadDir(dirPath)
@@ -62,6 +74,9 @@ func AddContainerIDMapping(ctx context.Context, containerID, sandboxID string) e
 		return fmt.Errorf("Missing sandbox ID")
 	}
 
+	if doUpdatePath() {
+		SetCtrsMapTreePath(filepath.Join(rootless.GetRootlessDir(), ctrsMapTreePath))
+	}
 	parentPath := filepath.Join(ctrsMapTreePath, containerID)
 
 	if err := os.RemoveAll(parentPath); err != nil {
@@ -86,6 +101,9 @@ func DelContainerIDMapping(ctx context.Context, containerID string) error {
 		return fmt.Errorf("Missing container ID")
 	}
 
+	if doUpdatePath() {
+		SetCtrsMapTreePath(filepath.Join(rootless.GetRootlessDir(), ctrsMapTreePath))
+	}
 	path := filepath.Join(ctrsMapTreePath, containerID)
 
 	return os.RemoveAll(path)

pkg/rootless/rootless.go

@@ -0,0 +1,123 @@
+// Copyright (c) 2019 Intel Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+package rootless
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// initRootless states whether the isRootless variable
+	// has been set yet
+	initRootless bool
+
+	// isRootless states whether execution is rootless or not
+	isRootless bool
+
+	// lock for the initRootless and isRootless variables
+	rLock sync.Mutex
+
+	// XDG_RUNTIME_DIR defines the base directory relative to
+	// which user-specific non-essential runtime files are stored.
+	rootlessDir = os.Getenv("XDG_RUNTIME_DIR")
+
+	// uidMapPath defines the location of the uid_map file to
+	// determine whether a user is root or not
+	uidMapPath = "/proc/self/uid_map"
+
+	rootlessLog = logrus.WithFields(logrus.Fields{
+		"source": "rootless",
+	})
+)
+
+// SetLogger sets up a logger for the rootless pkg
+func SetLogger(ctx context.Context, logger *logrus.Entry) {
+	fields := rootlessLog.Data
+	rootlessLog = logger.WithFields(fields)
+}
+
+// setRootless reads a uid_map file, compares the UID of the
+// user inside the container vs on the host. If the host UID
+// is not root, but the container ID is, it can be determined
+// the user is running rootlessly.
+func setRootless() error {
+	initRootless = true
+	file, err := os.Open(uidMapPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	buf := bufio.NewReader(file)
+	for {
+		line, _, err := buf.ReadLine()
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if line == nil {
+			return nil
+		}
+
+		var parseError = errors.Errorf("Failed to parse uid map file %s", uidMapPath)
+		// if the container id (id[0]) is 0 (root inside the container)
+		// has a mapping to the host id (id[1]) that is not root, then
+		// it can be determined that the host user is running rootless
+		ids := strings.Fields(string(line))
+		// do some sanity checks
+		if len(ids) != 3 {
+			return parseError
+		}
+		userNSUid, err := strconv.ParseUint(ids[0], 10, 0)
+		if err != nil {
+			return parseError
+		}
+		hostUID, err := strconv.ParseUint(ids[1], 10, 0)
+		if err != nil {
+			return parseError
+		}
+		rangeUID, err := strconv.ParseUint(ids[1], 10, 0)
+		if err != nil || rangeUID == 0 {
+			return parseError
+		}
+
+		if userNSUid == 0 && hostUID != 0 {
+			rootlessLog.Info("Running as rootless")
+			isRootless = true
+			return nil
+		}
+	}
+}
+
+// IsRootless states whether kata is being ran with root or not
+func IsRootless() bool {
+	rLock.Lock()
+	if !initRootless {
+		err := setRootless()
+		if err != nil {
+			rootlessLog.WithError(err).Error("Unable to determine if running rootless")
+		}
+	}
+	rLock.Unlock()
+	return isRootless
+}
+
+// GetRootlessDir returns the path to the location for rootless
+// container and sandbox storage
+func GetRootlessDir() string {
+	return rootlessDir
+}