fix: respect user namespace on rootfs creation

89luca89 · 89luca89 · commit c98a217ac35e · 2023-09-15T12:03:03.000+02:00
Signed-off-by: Luca Di Maio &lt;luca.dimaio1@gmail.com&gt;
diff --git a/pkg/dockerless/create.go b/pkg/dockerless/create.go
@@ -85,6 +85,7 @@ func (p *DockerlessProvider) Create(ctx context.Context, workspaceId string, run
 		p.Log.Debugf("unpacking layer %d of %d", index+1, len(manifest.Layers))
 
 		err = UntarFile(
+			workspaceId,
 			filepath.Join(imageDir, layerDigest),
 			containerDIR,
 		)
diff --git a/pkg/dockerless/exec.go b/pkg/dockerless/exec.go
@@ -27,8 +27,6 @@ func (p *DockerlessProvider) ExecuteCommand(ctx context.Context, workspaceId, us
 
 	pid = bytes.TrimSpace(pid)
 
-	p.Log.Debugf("found process %s", string(pid))
-
 	nsenter := "nsenter"
 	args := []string{
 		"-m",
@@ -57,8 +55,6 @@ func (p *DockerlessProvider) ExecuteCommand(ctx context.Context, workspaceId, us
 		args = append(args, []string{"su", "-l", uid, "-c", command}...)
 	}
 
-	p.Log.Debugf("executing: %s %s", nsenter, strings.Join(args, " "))
-
 	cmd := exec.Command(nsenter, args...)
 	environB, err := os.ReadFile(filepath.Join("/proc", string(pid), "environ"))
 	if err == nil {
diff --git a/pkg/dockerless/fileutils.go b/pkg/dockerless/fileutils.go
@@ -6,21 +6,53 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"syscall"
 )
 
 // UntarFile will untar target file to target directory.
 // If userns is specified and it is keep-id, it will perform the
 // untarring in a new user namespace with user id maps set, in order to prevent
 // permission errors.
-func UntarFile(path string, target string) error {
+func UntarFile(workspaceId, path, target string) error {
 	// first ensure we can write
 	err := syscall.Access(path, 2)
 	if err != nil {
 		return err
 	}
 
-	cmd := exec.Command("tar", "--exclude=dev/*", "-xpf", path, "-C", target)
+	command := ""
+	var args []string
+
+	if os.Getuid() > 0 {
+		command = "rootlesskit"
+		args = []string{
+			"--pidns",
+			"--cgroupns",
+			"--utsns",
+			"--ipcns",
+			"--net",
+			"host",
+			"--state-dir",
+			filepath.Join("/tmp", "dockerless", workspaceId),
+		}
+	} else {
+		command = "unshare"
+		args = []string{
+			"-m",
+			"-p",
+			"-u",
+			"-f",
+			"--mount-proc",
+		}
+	}
+
+	args = append(args, []string{
+		"tar", "--exclude=dev/*", "-xpf", path, "-C", target,
+	}...,
+	)
+
+	cmd := exec.Command(command, args...)
 
 	out, err := cmd.CombinedOutput()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,7 @@ func (p *DockerlessProvider) Create(ctx context.Context, workspaceId string, run`
`85`	`85`	`p.Log.Debugf("unpacking layer %d of %d", index+1, len(manifest.Layers))`
`86`	`86`
`87`	`87`	`err = UntarFile(`
	`88`	`+ workspaceId,`
`88`	`89`	`filepath.Join(imageDir, layerDigest),`
`89`	`90`	`containerDIR,`
`90`	`91`	`)`