Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

testutils: newNS() works in a rootless user namespace #401

Merged
merged 1 commit into from
Oct 23, 2019
Merged

testutils: newNS() works in a rootless user namespace #401

merged 1 commit into from
Oct 23, 2019

Conversation

giuseppe
Copy link
Contributor

When running in a user namespace created by an unprivileged user the
owner of /var/run will be reported as the unknown user (as defined in
/proc/sys/kernel/overflowuid) so any access to the directory will
fail.

If the XDG_RUNTIME_DIR environment variable is set, check whether the
current user is also the owner of /var/run. If the owner is different
than the current user, use the $XDG_RUNTIME_DIR/netns directory.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@giuseppe
Copy link
Contributor Author

@dcbw PTAL

jellonek
jellonek reviewed Oct 18, 2019
View reviewed changes
Copy link
Member

@jellonek jellonek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO very reasonable. Can you add a test case for that in this PR?

@squeed
Copy link
Member

squeed commented Oct 18, 2019

Makes sense - is there any documentation about this?

@giuseppe giuseppe force-pushed the run-in-a-userns branch 3 times, most recently from 2140f8a to d0431b7 Compare October 19, 2019 09:44
@giuseppe
testutils: newNS() works in a rootless user namespace
85083ea 
When running in a user namespace created by an unprivileged user the
owner of /var/run will be reported as the unknown user (as defined in
/proc/sys/kernel/overflowuid) so any access to the directory will
fail.

If the XDG_RUNTIME_DIR environment variable is set, check whether the
current user is also the owner of /var/run.  If the owner is different
than the current user, use the $XDG_RUNTIME_DIR/netns directory.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Copy link
Contributor Author

I've added some tests to travis for running as non privileged user.

I needed to upgrade the version of Ubuntu to Xenial as we need unshare -r for creating the user namespace.

@giuseppe
Copy link
Contributor Author

Makes sense - is there any documentation about this?

I can add that. What would the best place be?

mars1024
mars1024 approved these changes Oct 21, 2019
View reviewed changes
Copy link
Member

@mars1024 mars1024 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@bboreham
Copy link
Contributor

I found a detailed description of XDG_RUNTIME_DIR at https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html

@matthewdupre matthewdupre merged commit 1880421 into containernetworking:master Oct 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mars1024 mars1024 mars1024 approved these changes

@dcbw dcbw dcbw approved these changes

@jellonek jellonek jellonek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@giuseppe @squeed @bboreham @jellonek @dcbw @mars1024 @matthewdupre