mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
migrate to github.com/moby/sys/user/userns
The userns package in libcontainer was integrated into the moby/sys/user
module at commit [3778ae603c706494fd1e2c2faf83b406e38d687d][1].
The userns package is used in many places, and currently either depends
on runc/libcontainer, or on containerd, both of which have a complex
dependency tree. This patch is part of a series of patches to unify the
implementations, and to migrate toward that implementation to simplify
the dependency tree.
[1]: 3778ae603c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
@@ -64,10 +64,14 @@ linters-settings:
|
||||
desc: Use "gotest.tools/v3/assert" instead
|
||||
- pkg: "github.com/stretchr/testify/suite"
|
||||
desc: Do not use
|
||||
- pkg: github.com/containerd/containerd/errdefs
|
||||
- pkg: "github.com/containerd/containerd/errdefs"
|
||||
desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
|
||||
- pkg: github.com/containerd/containerd/log
|
||||
- pkg: "github.com/containerd/containerd/log"
|
||||
desc: The logs package has moved to a separate module, https://github.com/containerd/log
|
||||
- pkg: "github.com/containerd/containerd/pkg/userns"
|
||||
desc: Use github.com/moby/sys/user/userns instead.
|
||||
- pkg: "github.com/opencontainers/runc/libcontainer/userns"
|
||||
desc: Use github.com/moby/sys/user/userns instead.
|
||||
revive:
|
||||
rules:
|
||||
# FIXME make sure all packages have a description. Currently, there's many packages without.
|
||||
|
||||
@@ -27,7 +27,6 @@ import (
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/defaults"
|
||||
"github.com/containerd/containerd/pkg/dialer"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/containerd/remotes/docker"
|
||||
"github.com/containerd/log"
|
||||
"github.com/distribution/reference"
|
||||
@@ -80,6 +79,7 @@ import (
|
||||
resolverconfig "github.com/moby/buildkit/util/resolver/config"
|
||||
"github.com/moby/buildkit/util/tracing"
|
||||
"github.com/moby/locker"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
"go.etcd.io/bbolt"
|
||||
"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
|
||||
|
||||
@@ -18,7 +18,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/containerd/cgroups/v3"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/api/types/blkiodev"
|
||||
pblkiodev "github.com/docker/docker/api/types/blkiodev"
|
||||
@@ -43,6 +42,7 @@ import (
|
||||
"github.com/docker/docker/runconfig"
|
||||
volumemounts "github.com/docker/docker/volume/mounts"
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/user/userns"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
|
||||
@@ -34,7 +34,6 @@ import (
|
||||
"sync"
|
||||
"unsafe"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/daemon/graphdriver"
|
||||
"github.com/docker/docker/daemon/internal/fstype"
|
||||
@@ -43,6 +42,7 @@ import (
|
||||
"github.com/docker/docker/pkg/parsers"
|
||||
units "github.com/docker/go-units"
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
|
||||
@@ -12,9 +12,9 @@ import (
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/pools"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/daemon/graphdriver"
|
||||
"github.com/docker/docker/daemon/graphdriver/overlayutils"
|
||||
@@ -27,6 +26,7 @@ import (
|
||||
"github.com/docker/docker/pkg/parsers/kernel"
|
||||
"github.com/moby/locker"
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
|
||||
@@ -10,9 +10,9 @@ import (
|
||||
"syscall"
|
||||
|
||||
"github.com/containerd/containerd/mount"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/daemon/graphdriver/overlayutils"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
@@ -14,7 +14,6 @@ import (
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/continuity/fs"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/daemon/graphdriver"
|
||||
@@ -32,6 +31,7 @@ import (
|
||||
units "github.com/docker/go-units"
|
||||
"github.com/moby/locker"
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
@@ -9,9 +9,9 @@ import (
|
||||
"path"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/daemon/graphdriver"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
@@ -26,9 +26,9 @@ import (
|
||||
"path/filepath"
|
||||
|
||||
"github.com/containerd/containerd/mount"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/pkg/parsers/kernel"
|
||||
"github.com/moby/sys/user/userns"
|
||||
)
|
||||
|
||||
// NeedsUserXAttr returns whether overlayfs should be mounted with the "userxattr" mount option.
|
||||
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
"github.com/containerd/containerd/containers"
|
||||
coci "github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/containerd/pkg/apparmor"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
containertypes "github.com/docker/docker/api/types/container"
|
||||
"github.com/docker/docker/container"
|
||||
@@ -30,6 +29,7 @@ import (
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/mountinfo"
|
||||
"github.com/moby/sys/user"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/pkg/errors"
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
@@ -9,9 +9,9 @@ import (
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/google/go-cmp/cmp/cmpopts"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"golang.org/x/sys/unix"
|
||||
"gotest.tools/v3/assert"
|
||||
is "gotest.tools/v3/assert/cmp"
|
||||
|
||||
@@ -17,9 +17,9 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/ioutils"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"gotest.tools/v3/assert"
|
||||
is "gotest.tools/v3/assert/cmp"
|
||||
"gotest.tools/v3/skip"
|
||||
|
||||
@@ -14,8 +14,8 @@ import (
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"golang.org/x/sys/unix"
|
||||
"gotest.tools/v3/assert"
|
||||
is "gotest.tools/v3/assert/cmp"
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"io"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/pkg/archive"
|
||||
"github.com/moby/sys/user/userns"
|
||||
)
|
||||
|
||||
// applyLayerHandler parses a diff in the standard layer format from `layer`, and
|
||||
|
||||
@@ -10,8 +10,8 @@ import (
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
|
||||
@@ -8,8 +8,8 @@ import (
|
||||
|
||||
"github.com/containerd/cgroups/v3"
|
||||
cgroupsV2 "github.com/containerd/cgroups/v3/cgroup2"
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/moby/sys/user/userns"
|
||||
)
|
||||
|
||||
func newV2(options ...Opt) *SysInfo {
|
||||
|
||||
@@ -9,11 +9,11 @@ import (
|
||||
"runtime"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/docker/docker/api/types"
|
||||
"github.com/docker/docker/internal/rootless/mountopts"
|
||||
"github.com/docker/docker/internal/sliceutil"
|
||||
"github.com/docker/docker/oci"
|
||||
"github.com/moby/sys/user/userns"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
@@ -60,8 +60,8 @@ import (
|
||||
"sync"
|
||||
"unsafe"
|
||||
|
||||
"github.com/containerd/containerd/pkg/userns"
|
||||
"github.com/containerd/log"
|
||||
"github.com/moby/sys/user/userns"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
16
vendor/github.com/moby/sys/user/userns/userns.go
generated
vendored
Normal file
16
vendor/github.com/moby/sys/user/userns/userns.go
generated
vendored
Normal file
@@ -0,0 +1,16 @@
|
||||
// Package userns provides utilities to detect whether we are currently running
|
||||
// in a Linux user namespace.
|
||||
//
|
||||
// This code was migrated from [libcontainer/runc], which based its implementation
|
||||
// on code from [lcx/incus].
|
||||
//
|
||||
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
|
||||
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
|
||||
package userns
|
||||
|
||||
// RunningInUserNS detects whether we are currently running in a Linux
|
||||
// user namespace and memoizes the result. It returns false on non-Linux
|
||||
// platforms.
|
||||
func RunningInUserNS() bool {
|
||||
return inUserNS()
|
||||
}
|
||||
53
vendor/github.com/moby/sys/user/userns/userns_linux.go
generated
vendored
Normal file
53
vendor/github.com/moby/sys/user/userns/userns_linux.go
generated
vendored
Normal file
@@ -0,0 +1,53 @@
|
||||
package userns
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"os"
|
||||
"sync"
|
||||
)
|
||||
|
||||
var inUserNS = sync.OnceValue(runningInUserNS)
|
||||
|
||||
// runningInUserNS detects whether we are currently running in a user namespace.
|
||||
//
|
||||
// This code was migrated from [libcontainer/runc] and based on an implementation
|
||||
// from [lcx/incus].
|
||||
//
|
||||
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
|
||||
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
|
||||
func runningInUserNS() bool {
|
||||
file, err := os.Open("/proc/self/uid_map")
|
||||
if err != nil {
|
||||
// This kernel-provided file only exists if user namespaces are supported.
|
||||
return false
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
buf := bufio.NewReader(file)
|
||||
l, _, err := buf.ReadLine()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return uidMapInUserNS(string(l))
|
||||
}
|
||||
|
||||
func uidMapInUserNS(uidMap string) bool {
|
||||
if uidMap == "" {
|
||||
// File exist but empty (the initial state when userns is created,
|
||||
// see user_namespaces(7)).
|
||||
return true
|
||||
}
|
||||
|
||||
var a, b, c int64
|
||||
if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil {
|
||||
// Assume we are in a regular, non user namespace.
|
||||
return false
|
||||
}
|
||||
|
||||
// As per user_namespaces(7), /proc/self/uid_map of
|
||||
// the initial user namespace shows 0 0 4294967295.
|
||||
initNS := a == 0 && b == 0 && c == 4294967295
|
||||
return !initNS
|
||||
}
|
||||
8
vendor/github.com/moby/sys/user/userns/userns_linux_fuzzer.go
generated
vendored
Normal file
8
vendor/github.com/moby/sys/user/userns/userns_linux_fuzzer.go
generated
vendored
Normal file
@@ -0,0 +1,8 @@
|
||||
//go:build linux && gofuzz
|
||||
|
||||
package userns
|
||||
|
||||
func FuzzUIDMap(uidmap []byte) int {
|
||||
_ = uidMapInUserNS(string(uidmap))
|
||||
return 1
|
||||
}
|
||||
6
vendor/github.com/moby/sys/user/userns/userns_unsupported.go
generated
vendored
Normal file
6
vendor/github.com/moby/sys/user/userns/userns_unsupported.go
generated
vendored
Normal file
@@ -0,0 +1,6 @@
|
||||
//go:build !linux
|
||||
|
||||
package userns
|
||||
|
||||
// inUserNS is a stub for non-Linux systems. Always returns false.
|
||||
func inUserNS() bool { return false }
|
||||
1
vendor/modules.txt
vendored
1
vendor/modules.txt
vendored
@@ -979,6 +979,7 @@ github.com/moby/sys/symlink
|
||||
# github.com/moby/sys/user v0.2.0
|
||||
## explicit; go 1.21
|
||||
github.com/moby/sys/user
|
||||
github.com/moby/sys/user/userns
|
||||
# github.com/moby/term v0.5.0
|
||||
## explicit; go 1.18
|
||||
github.com/moby/term
|
||||
|
||||
Reference in New Issue
Block a user