From a651cdfbc342681208420053f5e28e392ef680a5 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 5 Dec 2022 14:10:12 +0100
Subject: [PATCH] runtime: do not chown idmapped volumes
do not chown a volume when idmap is used.
Closes: https://github.com/containers/podman/issues/16724
Signed-off-by: Giuseppe Scrivano
---
libpod/runtime_ctr.go | 14 +++++++++++++-
test/e2e/run_userns_test.go | 4 ++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 2c95d1942b03..f8e74c3df166 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -495,16 +495,21 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 logrus.Debugf("Creating new volume %s for container", vol.Name)
 // The volume does not exist, so we need to create it.
- volOptions := []VolumeCreateOption{WithVolumeName(vol.Name), WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID())}
+ volOptions := []VolumeCreateOption{WithVolumeName(vol.Name)}
 if isAnonymous {
 volOptions = append(volOptions, withSetAnon())
 }
+ needsChown := true
+
 // If volume-opts are set parse and add driver opts.
 if len(vol.Options) > 0 {
 isDriverOpts := false
 driverOpts := make(map[string]string)
 for _, opts := range vol.Options {
+ if opts == "idmap" {
+ needsChown = false
+ }
 if strings.HasPrefix(opts, "volume-opt") {
 isDriverOpts = true
 driverOptKey, driverOptValue, err := util.ParseDriverOpts(opts)
@@ -519,6 +524,13 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 volOptions = append(volOptions, parsedOptions...)
 }
 }
+
+ if needsChown {
+ volOptions = append(volOptions, WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID()))
+ } else {
+ volOptions = append(volOptions, WithVolumeNoChown())
+ }
+
 newVol, err := r.newVolume(ctx, false, volOptions...)
 if err != nil {
 return nil, fmt.Errorf("creating named volume %q: %w", vol.Name, err)
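Review bot: The idmap detection at `if opts == "idmap"` matches only the bare option, whereas the sibling check two lines below uses `strings.HasPrefix(opts, "volume-opt")`; should the option ever be accepted with a value (an `idmap=...` form), such a volume would still be chowned to the container root. Consider `if opts == "idmap" || strings.HasPrefix(opts, "idmap=") {` so the chown decision follows the same parsing style as the rest of the loop, or document that only the bare spelling is recognised here. The reason for skipping the chown is also not stated in the code; a why-comment above `needsChown := true` would help, e.g. `// With idmap the mount itself presents the volume with container-side ownership, so it must not be chowned to RootUID/RootGID (see issue 16724)` — assuming that is the rationale behind the referenced issue. setupContainer begins before this hunk and continues past it.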
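Review bot: The `needsChown` branch in this hunk only runs on the create-new-volume path, so a named volume that already exists (created earlier without `idmap`) keeps whatever chown behaviour it was created with when a later container mounts it with `idmap`; whether the existing-volume branch, outside this hunk, makes the same decision is worth confirming before closing the issue. A smaller point: the UID/GID options are now appended after the driver options instead of first, as before; presumably harmless, but worth a glance at how newVolume applies its options in case order matters. The enclosing function continues past the end of this hunk.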
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index 1ddf0b394b2b..951146889bdd 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -109,13 +109,13 @@ var _ = Describe("Podman UserNS support", func() {
 })
 It("podman uidmapping and gidmapping with an idmapped volume", func() {
- session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "echo", "hello"})
+ session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z,idmap", "alpine", "stat", "-c", "#%u:%g#", "/foo"})
 session.WaitWithDefaultTimeout()
 if strings.Contains(session.ErrorToString(), "Operation not permitted") {
 Skip("not sufficiently privileged")
 }
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("hello"))
+ Expect(session.OutputToString()).To(ContainSubstring("#0:0#"))
 })
 It("podman uidmapping and gidmapping --net=host", func() {
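Review bot: The new assertion `Expect(session.OutputToString()).To(ContainSubstring("#0:0#"))` checks only the container-side view through the idmapped mount, not that the volume was left un-chowned on the host, which is what the runtime change actually alters; a second check of the volume's ownership on the host (the mountpoint from `podman volume inspect` followed by a `stat`) would pin the new behaviour directly rather than through its side effect. Because the test is skipped on `Operation not permitted`, the regression is not exercised at all on hosts without idmapped-mount support; that seems inherent to the feature, but it is worth keeping in mind when reading a green run. The enclosing Describe block starts before and ends after this hunk.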