Start a sandbox process in a new userns only if CAP_SETUID is set
In addition, it fixes a race condition in TestMultiContainerGoferStop: two scripts copy the same set of files into the same directory, and sometimes one of these commands fails with EEXIST. PiperOrigin-RevId: 230011247 Change-Id: I9289f72e65dc407cdcd0e6cd632a509e01f43e9c
parent
c063a1350f
commit
c0a981629c
@ -739,11 +739,6 @@ func TestMultiContainerGoferStop(t *testing.T) {
t.Fatal("error finding test_app:", err)
t.Fatal("error finding test_app:", err)
}
}
dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")
if err != nil {
t.Fatal("ioutil.TempDir failed:", err)
}
// Setup containers. Root container just reaps children, while the others
// Setup containers. Root container just reaps children, while the others
// perform some IOs. Children are executed in 3 batches of 10. Within the
// perform some IOs. Children are executed in 3 batches of 10. Within the
// batch there is overlap between containers starting and being destroyed. In
// batch there is overlap between containers starting and being destroyed. In
@ -751,6 +746,12 @@ func TestMultiContainerGoferStop(t *testing.T) {
cmds := [][]string{{app, "reaper"}}
cmds := [][]string{{app, "reaper"}}
const batchSize = 10
const batchSize = 10
for i := 0; i < 3*batchSize; i++ {
for i := 0; i < 3*batchSize; i++ {
dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")
if err != nil {
t.Fatal("ioutil.TempDir failed:", err)
}
defer os.RemoveAll(dir)
cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir
cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir
cmds = append(cmds, []string{"sh", "-c", cmd})
cmds = append(cmds, []string{"sh", "-c", cmd})
}
}
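Review bot: The `defer os.RemoveAll(dir)` added inside the `for i := 0; i < 3*batchSize; i++` loop only fires when TestMultiContainerGoferStop returns, so all thirty per-container directories (with their copied binaries) stay on disk for the whole test; that looks intentional, because the containers built from `cmds` write into those directories after the loop, but it deserves a comment so the next reader doesn't "fix" it by moving the body into a helper. Suggested comment above the `ioutil.TempDir` call: `// One directory per container: parallel copies into a shared dir raced on EEXIST. Cleanup is deferred to test end because the containers use the dirs after this loop.` The `dir` path is also spliced unquoted into the `sh -c` command on the next line, which is fine for TempDir's fixed prefix but breaks silently if testutil.TmpDir() ever contains spaces or shell metacharacters; single-quoting it, `cmd := "find /bin -type f | head | xargs -I SRC cp SRC '" + dir + "'"`, costs nothing. The rest of the function lies outside the hunk.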
@ -500,15 +500,15 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN")
return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN")
}
}
} else {
} else {
log.Infof("Sandbox will be started in new user namespace")
nss = append(nss, specs.LinuxNamespace{Type: specs.UserNamespace})
// If we have CAP_SETUID and CAP_SETGID, then we can also run
// If we have CAP_SETUID and CAP_SETGID, then we can also run
// as user nobody.
// as user nobody.
if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
log.Warningf("Running sandbox in test mode as current user (uid=%d gid=%d). This is only safe in tests!", os.Getuid(), os.Getgid())
log.Warningf("Running sandbox in test mode as current user (uid=%d gid=%d). This is only safe in tests!", os.Getuid(), os.Getgid())
log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
} else if specutils.HasCapabilities(capability.CAP_SETUID, capability.CAP_SETGID) {
} else if specutils.HasCapabilities(capability.CAP_SETUID, capability.CAP_SETGID) {
log.Infof("Sandbox will be started in new user namespace")
nss = append(nss, specs.LinuxNamespace{Type: specs.UserNamespace})
// Map nobody in the new namespace to nobody in the parent namespace.
// Map nobody in the new namespace to nobody in the parent namespace.
//
//
// A sandbox process will construct an empty
// A sandbox process will construct an empty
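Review bot: The `conf.TestOnlyAllowRunAsCurrentUserWithoutChroot` branch quietly loses isolation here: before this hunk the `specs.UserNamespace` entry was appended to `nss` ahead of the `if`, so test mode also started the sandbox in a fresh user namespace, but now only the `else if specutils.HasCapabilities(capability.CAP_SETUID, capability.CAP_SETGID)` branch adds it, while the two test-mode warnings still mention only the uid/gid and the missing chroot. The warning should state it, e.g. `log.Warningf("Running sandbox in test mode in the parent user namespace without chroot. This is only safe in tests!")`, or the branch should carry a comment that no user namespace is created for it. The same question applies to the path where neither branch matches (no CAP_SETUID/CAP_SETGID and not test mode): whatever follows the `else if` chain is outside this hunk, so I can't see whether it errors out or proceeds in the parent user namespace; if it proceeds, a log line saying the sandbox shares the caller's user namespace would make that degraded mode visible to operators. createSandboxProcess starts and ends outside the hunk.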