Fix docker exec to be user namespaced properly

For now a hack for the 1.6.1-userns branch (modifying vendored code) to enable user namespace join on exec. This will be more thorougly corrected (for other use cases) in a PR for opencontainers/runc#105. Docker-DCO-1.1-Signed-off-by: Phil Estes <[email protected]>
estesp · Aug 26, 2015 · 15ebbb9 · 15ebbb9
1 parent e627b44
commit 15ebbb9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/daemon/execdriver/native/exec.go b/daemon/execdriver/native/exec.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/docker/docker/daemon/execdriver"
 	"github.com/docker/libcontainer"
+	"github.com/docker/libcontainer/configs"
 	_ "github.com/docker/libcontainer/nsenter"
 	"github.com/docker/libcontainer/utils"
 )
@@ -24,15 +25,21 @@ func (d *driver) Exec(c *execdriver.Command, processConfig *execdriver.ProcessCo
 	var term execdriver.Terminal
 	var err error
 
+	user := c.ProcessConfig.User
+	config := active.Config()
+	if config.Namespaces.Contains(configs.NEWUSER) {
+		//if user namespaces are enabled, set user to "0" so uid/gid set to 0
+		user = "0"
+	}
+
 	p := &libcontainer.Process{
 		Args: append([]string{processConfig.Entrypoint}, processConfig.Arguments...),
 		Env:  c.ProcessConfig.Env,
 		Cwd:  c.WorkingDir,
-		User: c.ProcessConfig.User,
+		User: user,
 	}
 
 	if processConfig.Tty {
-		config := active.Config()
 		rootuid, err := config.HostUID()
 		if err != nil {
 			return -1, err

diff --git a/vendor/src/github.com/docker/libcontainer/nsenter/nsexec.c b/vendor/src/github.com/docker/libcontainer/nsenter/nsexec.c
@@ -62,7 +62,7 @@ static int clone_parent(jmp_buf * env)
 
 void nsexec()
 {
-	char *namespaces[] = { "ipc", "uts", "net", "pid", "mnt" };
+	char *namespaces[] = { "ipc", "uts", "net", "pid", "mnt", "user" };
 	const int num = sizeof(namespaces) / sizeof(char *);
 	jmp_buf env;
 	char buf[PATH_MAX], *val;