Skip to content

fix: check user/group in container start #1716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 16, 2018
Merged

fix: check user/group in container start #1716

merged 1 commit into from
Jul 16, 2018

Conversation

@Ace-Tang
Copy link
Contributor

@Ace-Tang Ace-Tang commented Jul 11, 2018

user parameter passed by pouch run --user is not validate in container
start process, since we just try to find file in BaseFS, but BaseFS is
created in containerd, so we pass the validate. Fix this by find file in
image container use.
Add function Get which has GetUser and GetAdditionalGids function as a
interface in pkg/user package.

Signed-off-by: Ace-Tang [email protected]

Ⅰ. Describe what this PR did

Ⅱ. Does this pull request fix one issue?

Ⅲ. Describe how you did it

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

@pouchrobot pouchrobot added kind/bug This is bug report for project size/XL labels Jul 11, 2018
@codecov-io
Copy link

codecov-io commented Jul 11, 2018
edited
Loading

Codecov Report

Merging #1716 into master will increase coverage by 0.15%.
The diff coverage is 88.88%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1716      +/-   ##
==========================================
+ Coverage   41.62%   41.78%   +0.15%     
==========================================
  Files         278      278              
  Lines       18225    18244      +19     
==========================================
+ Hits         7586     7623      +37     
+ Misses       9709     9695      -14     
+ Partials      930      926       -4
Impacted Files Coverage Δ
daemon/mgr/container_types.go 81.39% <100%> (+5.27%) ⬆️
daemon/mgr/container_exec.go 70.83% <100%> (+0.3%) ⬆️
daemon/mgr/spec_process.go 67.77% <100%> (+4.23%) ⬆️
pkg/utils/utils.go 89.74% <100%> (+0.17%) ⬆️
daemon/mgr/container.go 52.3% <33.33%> (-0.48%) ⬇️
pkg/user/user.go 75.75% <88.88%> (+10.2%) ⬆️
daemon/logger/jsonfile/utils.go 71.54% <0%> (-1.63%) ⬇️
daemon/mgr/system.go 76.72% <0%> (+1.72%) ⬆️
... and 3 more

HusterWan
HusterWan reviewed Jul 12, 2018
View reviewed changes
daemon/mgr/container_types.go

// GetSpecificBasePath accepts a given path, look for whether the path is exist
// within container, if has, returns container base path like BaseFS, if not, return empty string
func (c *Container) GetSpecificBasePath(path string) string {
Copy link
Contributor

@HusterWan HusterWan Jul 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

feel weird ! can we judge whether the baseFS is mounted?

Copy link
Contributor Author

@Ace-Tang Ace-Tang Jul 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function is used to get specified file from container, BaseFs is not created when container start, so we can only try image path.

Copy link
Contributor

@HusterWan HusterWan Jul 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i still have another question: can we ensure passwd file exists in UpperDir?

Or can we mount the mergedDir when we found it not mounted, then we can ensure the passwd file exists in MergedDir.

it's just my advice, you can think about it again, thanks a lot @Ace-Tang

Copy link
Contributor Author

@Ace-Tang Ace-Tang Jul 12, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when we run a container, merged dir is not created yet until pouch pass create options to containerd, then containerd created it and mount. Add this function cause we can only find file in image when container in start process.

Copy link
Contributor Author

@Ace-Tang Ace-Tang Jul 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think this pr can fix if merged dir is un-mounted by error.

HusterWan
HusterWan reviewed Jul 13, 2018
View reviewed changes
daemon/mgr/container_types.go Outdated
"github.com/alibaba/pouch/cri/stream/remotecommand"
"github.com/alibaba/pouch/pkg/meta"
"github.com/alibaba/pouch/pkg/utils"
"github.com/containerd/containerd/mount"
Copy link
Contributor

@HusterWan HusterWan Jul 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please put this line to third-party package

HusterWan
HusterWan reviewed Jul 13, 2018
View reviewed changes
daemon/mgr/container_types.go
return c.BaseFS
}

// then try lower and upper directory, since overlay filesystem support only.
Copy link
Contributor

@HusterWan HusterWan Jul 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a good solution to fix mergeDir not mounted 👋

@Ace-Tang
Copy link
Contributor Author

Ace-Tang commented Jul 13, 2018

@HusterWan ,Updated. Beside, I have test a occasion that umount container rootfs to see if exec will successful.

#./pouch ps
Name     ID       Status        Created      Image                                          Runtime
f7fdec   f7fdec   Up 17 hours   3 days ago   registry.hub.docker.com/library/busybox:1.25   runc

#./pouch exec f7fdec echo 1
1

#mount -l | grep overlay
/dev/sda5 on /home/docker/overlay type ext4 (rw,relatime,grpquota,data=ordered) [/home]
/dev/sda5 on /home/docker/overlay2 type ext4 (rw,relatime,grpquota,data=ordered) [/home]
overlay on /home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/merged type overlay (rw,relatime,lowerdir=/home/docker/overlay/8aa06fac0dc3119bc3da5fd19ce08270346e06757cbe964152fc7e179bce5fe6/root,upperdir=/home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/upper,workdir=/home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/work)
overlay on /var/lib/pouch/containerd/state/io.containerd.runtime.v1.linux/default/f7fdec4eff4f4206de5424f0c4f5b8498ba63b09e53ebc3125c03107cdf35490/rootfs type overlay (rw,relatime,lowerdir=/var/lib/pouch/containerd/root/io.containerd.snapshotter.v1.overlayfs/snapshots/1/fs,upperdir=/var/lib/pouch/containerd/root/io.containerd.snapshotter.v1.overlayfs/snapshots/513/fs,workdir=/var/lib/pouch/containerd/root/io.containerd.snapshotter.v1.overlayfs/snapshots/513/work)

#umount /var/lib/pouch/containerd/state/io.containerd.runtime.v1.linux/default/f7fdec4eff4f4206de5424f0c4f5b8498ba63b09e53ebc3125c03107cdf35490/rootfs

#mount -l | grep overlay
/dev/sda5 on /home/docker/overlay type ext4 (rw,relatime,grpquota,data=ordered) [/home]
/dev/sda5 on /home/docker/overlay2 type ext4 (rw,relatime,grpquota,data=ordered) [/home]
overlay on /home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/merged type overlay (rw,relatime,lowerdir=/home/docker/overlay/8aa06fac0dc3119bc3da5fd19ce08270346e06757cbe964152fc7e179bce5fe6/root,upperdir=/home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/upper,workdir=/home/docker/overlay/f894c1a86b8cc750e44ec8bd42242c06def8f3ff33b36c3ba323374dcfe58a8d/work)

#./pouch exec f7fdec echo 1
1

@Ace-Tang
fix: check user/group in container start
9ad617e 
user parameter passed by pouch run --user is not validate in container
start process, since we just try to find file in BaseFS, but BaseFS is
created in containerd, so we pass the validate. Fix this by find file in
image container use.
Add function Get which has GetUser and GetAdditionalGids function as a
interface in pkg/user package.

Signed-off-by: Ace-Tang <[email protected]>
@HusterWan
Copy link
Contributor

HusterWan commented Jul 16, 2018

lgtm

@pouchrobot pouchrobot added the LGTM one maintainer or community participant agrees to merge the pull reuqest. label Jul 16, 2018
@HusterWan HusterWan merged commit f016ecd into AliyunContainerService:master Jul 16, 2018
@pouchrobot pouchrobot mentioned this pull request Jul 19, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YaoZengzeng YaoZengzeng Awaiting requested review from YaoZengzeng

1 more reviewer

@HusterWan HusterWan HusterWan left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind/bug This is bug report for project LGTM one maintainer or community participant agrees to merge the pull reuqest. size/XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Ace-Tang @codecov-io @HusterWan @pouchrobot