userns: skip the nobody user

improve the heuristic to detect the user namespace size needed to run an image. Hardcode the nobody user value to 65534, which is the value used by the kernel, and ignore this value when parsing /etc/passwd and /etc/group. Closes: #1472 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> (cherry picked from commit b876a48)
containers · Jan 20, 2023 · 038679c · 038679c
1 parent c747cbb
commit 038679c
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/userns.go b/userns.go
@@ -78,6 +78,10 @@ func (s *store) getAvailableIDs() (*idSet, *idSet, error) {
 	return u, g, nil
 }
 
+// nobodyUser returns the UID and GID of the "nobody" user.  Hardcode its value
+// for simplicity.
+const nobodyUser = 65534
+
 // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
 // /etc/group files.
 func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
@@ -98,10 +102,10 @@ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
 			if u.Name == "nobody" {
 				continue
 			}
-			if u.Uid > size {
+			if u.Uid > size && u.Uid != nobodyUser {
 				size = u.Uid
 			}
-			if u.Gid > size {
+			if u.Gid > size && u.Gid != nobodyUser {
 				size = u.Gid
 			}
 		}
@@ -113,7 +117,7 @@ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
 			if g.Name == "nobody" {
 				continue
 			}
-			if g.Gid > size {
+			if g.Gid > size && g.Gid != nobodyUser {
 				size = g.Gid
 			}
 		}