From ac85091ecdc023cd45d8f1e73b3ca92f603c8ba2 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 29 Mar 2019 16:54:06 +0100
Subject: [PATCH] skopeo: create a userns when running rootless
Closes: https://github.com/containers/skopeo/issues/623
Signed-off-by: Giuseppe Scrivano
---
 cmd/skopeo/copy.go | 1 +
 cmd/skopeo/delete.go | 5 +++--
 cmd/skopeo/inspect.go | 1 +
 cmd/skopeo/layers.go | 1 +
 cmd/skopeo/main.go | 2 +-
 cmd/skopeo/unshare.go | 6 ++++++
 cmd/skopeo/unshare_linux.go | 7 +++++++
 cmd/skopeo/utils.go | 5 +++++
 8 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 cmd/skopeo/unshare.go
 create mode 100644 cmd/skopeo/unshare_linux.go
diff --git a/cmd/skopeo/copy.go b/cmd/skopeo/copy.go
index 1ada969d..9e1d093b 100644
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -50,6 +50,7 @@ func copyCmd(global *globalOptions) cli.Command {
 `, strings.Join(transports.ListNames(), ", ")),
 ArgsUsage: "SOURCE-IMAGE DESTINATION-IMAGE",
 Action: commandAction(opts.run),
+ Before: needsRexec,
 // FIXME: Do we need to namespace the GPG aspect?
 Flags: append(append(append([]cli.Flag{
 cli.StringSliceFlag{
diff --git a/cmd/skopeo/delete.go b/cmd/skopeo/delete.go
index 07a7cea2..2072f556 100644
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -24,8 +24,9 @@ func deleteCmd(global *globalOptions) cli.Command {
 image: imageOpts,
 }
 return cli.Command{
- Name: "delete",
- Usage: "Delete image IMAGE-NAME",
+ Before: needsRexec,
+ Name: "delete",
+ Usage: "Delete image IMAGE-NAME",
 Description: fmt.Sprintf(`
 Delete an "IMAGE_NAME" from a transport
diff --git a/cmd/skopeo/inspect.go b/cmd/skopeo/inspect.go
index 9c524b5f..e17af1e0 100644
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -62,6 +62,7 @@ func inspectCmd(global *globalOptions) cli.Command {
 Destination: &opts.raw,
 },
 }, sharedFlags...), imageFlags...),
+ Before: needsRexec,
 Action: commandAction(opts.run),
 }
 }
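Review bot: In the copy.go hunk `Before: needsRexec` is wired in by hand, and the same line is repeated in the delete.go, inspect.go and layers.go hunks, with nothing at any site saying why the command needs it; a command added later can silently skip the user-namespace re-exec when run rootless. A short comment next to each field, e.g. `// Rootless: re-exec inside a user namespace before the command touches any image.`, would make the requirement visible to the next author. The hook also fires on every invocation of these commands regardless of which transports are named on the command line, and after the re-exec the process presumably observes a different uid mapping; if running it unconditionally is intended, say so in that comment. copyCmd's body starts and ends outside the hunk.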
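Review bot: In the delete.go hunk `Before` is inserted ahead of `Name` in the cli.Command literal, which forces the `Name` and `Usage` lines to be re-aligned and turns a one-field addition into five changed lines. The copy.go, inspect.go and layers.go hunks place the field next to `Action`; doing the same here keeps the change to the single added line `Before: needsRexec,` and keeps the four command literals consistent. The literal continues past the end of the hunk, so the `Action` field it would sit beside is presumably further down and not visible here.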
diff --git a/cmd/skopeo/layers.go b/cmd/skopeo/layers.go
index 5c236dc3..3a09d8bd 100644
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -32,6 +32,7 @@ func layersCmd(global *globalOptions) cli.Command {
 Name: "layers",
 Usage: "Get layers of IMAGE-NAME",
 ArgsUsage: "IMAGE-NAME [LAYER...]",
+ Before: needsRexec,
 Hidden: true,
 Action: commandAction(opts.run),
 Flags: append(sharedFlags, imageFlags...),
diff --git a/cmd/skopeo/main.go b/cmd/skopeo/main.go
index fb56568c..7fd86d92 100644
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -99,7 +99,7 @@ func createApp() (*cli.App, *globalOptions) {
 }
 // before is run by the cli package for any command, before running the command-specific handler.
-func (opts *globalOptions) before(_ *cli.Context) error {
+func (opts *globalOptions) before(ctx *cli.Context) error {
 if opts.debug {
 logrus.SetLevel(logrus.DebugLevel)
 }
diff --git a/cmd/skopeo/unshare.go b/cmd/skopeo/unshare.go
new file mode 100644
index 00000000..ce1aa1a6
--- /dev/null
+++ b/cmd/skopeo/unshare.go
@@ -0,0 +1,6 @@
+// +build !linux
+
+package main
+
+func maybeReexec() {
+}
diff --git a/cmd/skopeo/unshare_linux.go b/cmd/skopeo/unshare_linux.go
new file mode 100644
index 00000000..bffa4fe3
--- /dev/null
+++ b/cmd/skopeo/unshare_linux.go
@@ -0,0 +1,7 @@
+package main
+
+import "github.com/containers/buildah/pkg/unshare"
+
+func maybeReexec() {
+ unshare.MaybeReexecUsingUserNamespace(false)
+}
diff --git a/cmd/skopeo/utils.go b/cmd/skopeo/utils.go
index d2636479..85e8b5d2 100644
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -16,6 +16,11 @@ type errorShouldDisplayUsage struct {
 error
 }
+func needsRexec(c *cli.Context) error {
+ maybeReexec()
+ return nil
+}
+
 // commandAction intermediates between the cli.ActionFunc interface and the real handler,
 // primarily to ensure that cli.Context is not available to the handler, which in turn
 // makes sure that the cli.String() etc. flag access functions are not used,
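Review bot: In unshare_linux.go `maybeReexec` passes a bare `false` to `unshare.MaybeReexecUsingUserNamespace` and carries no doc comment, so a reader cannot tell what the flag controls or what happens when setting up the namespace fails. The wrapper returns nothing, so any failure is presumably handled inside the library rather than surfaced to skopeo, and when a re-exec does happen the call may not return in the original process at all; both facts belong in the comment. Suggested wording: `// maybeReexec re-executes skopeo inside a new user namespace when it is started by a non-root user; the false argument leaves a process that already runs as root untouched.` Confirm the meaning of the argument against the vendored buildah version before committing that comment.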
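Review bot: In the utils.go hunk `needsRexec` has no doc comment, its spelling disagrees with the `maybeReexec` it wraps (`Rexec` vs `Reexec`), and the name reads like a predicate although the function performs the re-exec. If renaming the four `Before:` sites is not wanted, at least add `// needsRexec is a cli.BeforeFunc that re-executes skopeo in a user namespace when running rootless; it always returns nil because maybeReexec reports no error.` The parameter `c` is unused and could be written `_`, which is how `before` in main.go marked its unused context before this commit.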