don't try to create devices in a user namespace by hallyn · Pull Request #19182 · moby/moby

hallyn · 2016-01-08T09:00:33Z

If docker is being run inside a user namespace, it won't be able
to create devices. Since libcontainer will try to bind mount the
devices anyway this is fine - ignore it.

Signed-off-by: Serge Hallyn serge.hallyn@ubuntu.com

estesp · 2016-01-08T16:26:32Z

Hey @hallyn; this seems reasonable at first blush, but if you want the lxd import to work, you will need to modify hack/vendor.sh, run it, and then add a commit for the changes to ./vendor that will occur when your package and its dependencies are cloned in.

jessfraz · 2016-01-08T17:22:48Z

pkg/archive/archive_unix.go

we shouldn't have to import a lib for this functionality though :) this shouldnt be hard to test by checking proc or something

True. I went and looked at the function; it reads /proc/self/uid_map with some validation that maps are actually in use. As much as code reuse is good, vendoring in that tree seems potentially overkill. This may be a useful as a utility fn across the engine--what do you think of adding the same function to Docker @hallyn?

On Fri, Jan 08, 2016 at 09:27:46AM -0800, Phil Estes wrote:

@@ -57,6 +58,10 @@ func minor(device uint64) uint64 {
// handleTarTypeBlockCharFifo is an OS-specific helper function used by
// createTarFile to handle the following types of header: Block; Char; Fifo
func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {

if shared.RunningInUserNS() {

True. I went and looked at the function; it reads /proc/self/uid_map with some validation that maps are actually in use. As much as code reuse is good, vendoring in that tree seems potentially overkill. This may be a useful as a utility fn across the engine--what do you think of adding the same function to Docker @hallyn?

100% agreed - since I'm not particularly familiar with the coding style I
was hoping someone who was would reply with a counter-PR and avoid any
bike-shedding :)

But I'll go ahead and take a stab in a few hours

hallyn · 2016-01-08T18:11:51Z

Hi - I will put a shared function in opencontainer
(maybe in github.com/opencontainers/runc/libcontainer/utils)
and re-use it here once accepted there.

cpuguy83 · 2016-01-08T18:14:20Z

That would be preferable over importing lxd for one function.
Thanks!

hallyn · 2016-01-12T00:23:35Z

So I would guess that the failures are due to my updating the vendor libcontainer source. I don't know how to best handle that.

I could simply copy the RunningInUserNS() function into docker's own system package and use it from there, but sharing it from libcontainer seemed cleaner. But I'm not up to fixing failures from a libcontainer update.

What is preferred?

cyphar · 2016-01-12T05:50:52Z

I can see the same issues in #19250, it looks like there's some upstream bug in libcontainer. I'm happy to take a look to see what I can do about it. Once #19250 is merged, you can rebase.

Also, you should have two separate commits IMO (one for the vendor update and one for using the new bits in Docker) -- it makes it much nicer for people in the future who are trying to bisect.

hallyn · 2016-01-12T05:56:09Z

awesome, thanks

hallyn · 2016-01-15T19:39:34Z

@crosbymichael hi - this is also waiting for the libcontainer bump, as #19250 is.

hallyn · 2016-01-18T18:02:44Z

@cypher

thank - i'll split it into two commits, and i think i'll post two competing branches. One which has the second commit updating vendor, and one which puts the needed function into docker's system library itself.

cyphar · 2016-01-19T01:01:42Z

@hallyn There's no need to do two PRs, just split it into two commits in the same PR (just because it makes bisecting much, much easier).

hallyn · 2016-01-19T18:58:35Z

@cyphar, no, that was going to be two different, conflicting PRs. I decided to just do the one which moves the function into docker's own pkg/system and see what feedback that gets.

hallyn · 2016-01-19T21:14:57Z

The 'experimental' test failure looks to my untrained eye like a transient network error. Could that be?

If we are running in a user namespace, don't try to mknod as it won't be allowed. libcontainer will bind-mount the host's devices over files in the container anyway, so it's not needed. This adds a RunningInUserNS function to docker/pkg/system. The same function exists in libcontainer, but that cannot currently be imported due to unrelated bugs. Once those bugs are fixed there is no reason why we could not start using the one from libcontainer. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

tiborvass · 2016-01-21T20:53:23Z

@estesp what should we do with this? move to code review?

estesp · 2016-01-21T21:13:11Z

So, I think the only issue is that this same function has been added to libcontainer (opencontainers/runc#458) by @hallyn and, even though we are somewhat stuck until post-1.10 on doing a full libcontainer vendor update, it seems reasonable to wait for that rather than duplicate the function again in pkg/system. Is there any rush to have this in Docker for 1.10? If not, then I think we should wait on the vendor update to libcontainer post-release, and use the libcontainer function from the 2 calls in this PR.

tiborvass · 2016-01-21T21:14:37Z

@estesp no, no rush, just trying to get the count of PRs down. So can we close this one then per your comment?

estesp · 2016-01-21T21:25:42Z

@tiborvass I think that's fine. @hallyn once we have a libcontainer update feel free to create a new PR using the imported function from libcontainer. Thanks!

tiborvass · 2016-01-21T21:45:50Z

Thanks @estesp and @hallyn
closing then

GordonTheTurtle added the status/0-triage label Jan 8, 2016

estesp added status/1-design-review and removed status/0-triage labels Jan 8, 2016

jessfraz reviewed Jan 8, 2016
View reviewed changes

hallyn mentioned this pull request Jan 8, 2016

Handle running nested in a user namespace opencontainers/runc#458

Merged

hallyn force-pushed the userns.1 branch 5 times, most recently from 80e1422 to 6723fd5 Compare January 11, 2016 21:56

cyphar mentioned this pull request Jan 13, 2016

vendor: libcontainer: update libcontainer #19250

Closed

hallyn force-pushed the userns.1 branch from 6723fd5 to de1567e Compare January 18, 2016 19:06

hallyn force-pushed the userns.1 branch 3 times, most recently from 7c2b2c9 to a007deb Compare January 19, 2016 03:29

hallyn force-pushed the userns.1 branch 2 times, most recently from 34e9069 to cfff8ef Compare January 19, 2016 19:21

hallyn force-pushed the userns.1 branch from cfff8ef to 5f09d77 Compare January 20, 2016 08:19

tiborvass closed this Jan 21, 2016

Conversation

hallyn commented Jan 8, 2016

Uh oh!

estesp commented Jan 8, 2016

Uh oh!

jessfraz Jan 8, 2016

Choose a reason for hiding this comment

Uh oh!

estesp Jan 8, 2016

Choose a reason for hiding this comment

Uh oh!

hallyn Jan 8, 2016

Choose a reason for hiding this comment

Uh oh!

hallyn commented Jan 8, 2016

Uh oh!

cpuguy83 commented Jan 8, 2016

Uh oh!

hallyn commented Jan 12, 2016

Uh oh!

cyphar commented Jan 12, 2016

Uh oh!

hallyn commented Jan 12, 2016 via email

Uh oh!

hallyn commented Jan 15, 2016

Uh oh!

hallyn commented Jan 18, 2016

Uh oh!

cyphar commented Jan 19, 2016

Uh oh!

hallyn commented Jan 19, 2016

Uh oh!

hallyn commented Jan 19, 2016

Uh oh!

tiborvass commented Jan 21, 2016

Uh oh!

estesp commented Jan 21, 2016

Uh oh!

tiborvass commented Jan 21, 2016

Uh oh!

estesp commented Jan 21, 2016

Uh oh!

tiborvass commented Jan 21, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants