-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve uid shifting via chown. #44
Conversation
utils.go
Outdated
@@ -723,28 +723,13 @@ func mntSrcUidShiftNeeded(mntSrc string, uid, gid uint32) (bool, uint32, uint32, | |||
mntSrcUid = st.Uid | |||
mntSrcGid = st.Gid | |||
|
|||
// If the host uid assigned to the container is higher than the uid | |||
// of the dir being mounted into the container, then we perform uid | |||
// If the host uid assigned to the container's root user differs from the the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/the the/the/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
utils.go
Outdated
|
||
needChown = false | ||
break | ||
if uid != st.Uid && gid != st.Gid { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this an OR op?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I changed it to OR. In practice it won't make a difference, because the chown happens on host dirs that get mounted into the container's special dirs (e.g., /var/lib/docker) and for those we always expect the uid:gid to match. But it's clearer / more correct to do the OR instead of AND.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LG
Check comments.
Sysbox performs uid-shifting using chown for host dirs that are mounted into certain special dirs in the container (e.g., /var/lib/docker, /var/lib/kubelet, etc.) Prior to this change, the uid shifting via chown worked well when the host dir was initially owned by root:root. In this case, when the container started, Sysbox would shift uids to match the container's root user (e.g., 165536:165536); later when the container stopped, Sysbox would revert the uids back to the original one (i.e, root:root). However, we've seen situations where the uid revert may not occur because the host dir gets detached from the host. In this case, a subsequent creation of a container where said host dir is again mounted into a special dir in the container, would result in Sysbox not performing or mishandling the uid shifting. This commit fixes this by ensuring that Sysbox always performs the uid shifting regardless of the original uid associated with the host dir being mounted into the container. Signed-off-by: Cesar Talledo <ctalledo@nestybox.com>
Sysbox performs uid-shifting using chown for host dirs that are mounted into
certain special dirs in the container (e.g., /var/lib/docker, /var/lib/kubelet,
etc.)
Prior to this change, the uid shifting via chown worked well when the host dir
was initially owned by root:root. In this case, when the container started,
Sysbox would shift uids to match the container's root user (e.g.,
165536:165536); later when the container stopped, Sysbox would revert the uids
back to the original one (i.e, root:root).
However, we've seen situations where the uid revert may not occur because the
host dir gets detached from the host. In this case, a subsequent creation of a
container where said host dir is again mounted into a special dir in the
container, would result in Sysbox not performing or mishandling the uid
shifting.
This commit fixes this by ensuring that Sysbox always performs the uid
shifting regardless of the original uid associated with the host dir
being mounted into the container.
Signed-off-by: Cesar Talledo ctalledo@nestybox.com