Support multiple users/groups mapped for the rootless case

[giuseppe]

Take advantage of the newuidmap/newgidmap tools to allow multiple users/groups to be mapped into the new user namespace in the rootless case.

This is what I've tried here (only the relevant bits showed for config.json):

	"args": [
	    "cat", "/proc/self/uid_map"
	],
...
        "uidMappings": [
            {
                "hostID": 1000,
                "containerID": 0,
                "size": 1
            },
            {
                "hostID": 110000,
                "containerID": 1,
                "size": 255
            }
        ],
        "gidMappings": [
            {
                "hostID": 1000,
                "containerID": 0,
                "size": 1
            }
        ],

$ whoami
gscrivano

$ grep ^gscrivano /etc/subuid
gscrivano:110000:65536

$ runc run foo
         0       1000          1
         1     110000        255

[teddyking]

Hey @giuseppe, I opened a PR looking to add this same functionality a couple of months ago: #1403. There's a discussion ongoing in the linked PR, would be great to hear your thoughts on that as well. It looks like we were both heading down the same path here.

[cyphar]

I have a couple of comments, as well as some semantic questions that we need to discuss.

[cyphar]

I'm not convinced that dropping this makes sense. Even in the multiple-uid case, really we should be making it so that we emit an error if the uid=... or gid=... options reference unmapped users. The errors are far too cryptic if you ignore it.

[cyphar]

... so all of these removed tests should stay, and we should add new tests making sure that multiple-mapping cases are still treated sanely.

[cyphar]

Please format this (all of your changes) in the Linux kernel style (sans the 80-column restriction).

[cyphar]

asprintf?

[giuseppe]

IMO it would be wasteful to allocate dynamic memory when we know it will be just to format an int

[cyphar]

It's just because I don't like that you've hard-coded the length of pid_fmt to be 11.

Personally I like @teddyking's approach to the formatting a bit more (we send most of the information from Go with a netlink message rather than formatting everything in C). I prefer that because the context in which this C code is run is quite fragile and I get less worried if we do things in Go when possible. I'll read through his PR again and point out which bits seem good to me.

[giuseppe]

AFAICS #1403 is doing a very similar thing for preparing the argv for newuidmap/newgidmap

The main difference is that here I am not using strtok and parsing the string inline without allocating any memory. I've avoided input validation here as it would be superfluous since newuidmap/newgidmap do that already.

[cyphar]

do
    waitpid(child, &status, 0);
while (errno == EINTR);

If not, just put the ; on a bare newline so it's more clear it's an empty loop.

[giuseppe]

yes, fixed and add an error check

[cyphar]

I'm not sure how I feel about hard-coding the /usr/bin/newuidmap. At this point, $PATH should still be trustworthy (so execvp could work), but maybe @crosbymichael knows better than me.

[giuseppe]

I've changed it to execvp so that PATH is honored.

[williammartin]

One thing we'd quite like to bring over from #1403 is the ability to specify --newuidmap and --newgidmap binary locations. It's seems to be in line with the --criuPath and it's our preferred way to be explicit in Garden. We can also wait for this to get merged and PR the flags separately if y'all want to keep this PR smaller, but it would be good to get buy in for that approach now.

[cyphar]

This is not correct, as it will mean that if you run runc as root with XDG_RUNTIME_DIR set, then the spawned containers won't be visible by other runc management processes. Instead, this should be conditional based on whether you're an unprivileged user. Even then I'm still not convinced, because what if someone sets up /run/runc to be like /tmp (sticky-bit and world-writeable) in order for all users to access the same store of container state?

I agree that runc should obey XDG_RUNTIME_DIR, but I'm not entirely convinced that this is correct (especially since changing XDG_RUNTIME_DIR will make it more difficult for other people to manage the runc containers spawned by someone with XDG_RUNTIME_DIR set.

@crosbymichael do you have any ideas on how this should work nicely?

[giuseppe]

I've changed it to be used only when geteuid() !=0. I think a shared directory for all users is a very uncommon use case, while most users would probably prefer to have runc working out of the box and behave like other applications that use XDG_RUNTIME_DIR. The first case is still possible though by overriding the root directory, and I think it is preferable to require extra configuration for an uncommon use like a shared directory for all users.

[cyphar]

Why not always try to use newuidmap and newgidmap rather than making it conditional on is_rootless? (Though maybe you're right here.)

[giuseppe]

I am using newuidmap and newgidmap only after an EPERM. When running as root that should never happen

[cyphar]

Right, so then the is_rootless check is unecessary (which is what I meant)?

[giuseppe]

sure I can remove that. I've pushed a new version where I drop it.

[giuseppe]

@teddyking yes, we got to something very similar :) An extra point for considering this the right approach, and for the maintainers to pick what they prefer from both implementations

[giuseppe]

is there anything I can do to get this moving forward?

[cyphar]

Yeah, there's a few things left that we can take from #1403. I'll list them as a checklist below.

• Switch to passing the ($PATH expanded) path of newuidmap and newgidmap via netlink. I don't think they need to be user-visible options at the moment, but I don't like hardcoding them in nsexec.
• Add some tests for this functionality, if possible (you could use what Use newuidmap to allow multiple ID mappings when running rootless #1403 has as inspiration). If you don't feel like doing it, I can work on it after this is merged.

I'll also add some in-line comments. Sorry for not reviewing this in a while, I've been looking at the other rootless-container-related PR for cgroup handling most recently.

[cyphar]

is_rootless is still here, even though it isn't used anymore.

[cyphar]

... and it's still here too.

[cyphar]

Completely stylistic, but I think this is more readable (same applies for update_uidmap):

if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) {
	if (errno != EPERM)
		bail("failed to update /proc/%d/gid_map", pid);
	if (try_mapping_tool("newgidmap", pid, map, map_len))
		bail("failed to use newgid map on %d", pid);
}

[cyphar]

This doesn't handle the case where XDG_RUNTIME_DIR is unspecified safely. If it's not set, just use /run/runc as usual.

[cyphar]

I don't like the ignoring of errors, nor strings.Replace here. Can we just do something like

var uid int
n, err := fmt.Sscanf(opt, "uid=%d", &uid)
if n != 1 || err != nil {
    // Ignore unknown mount options.
    continue
}
if !hasIDMapping(uid, config.UidMappings) {
    return fmt.Errorf("cannot specify uid= mount options for unmapped uid in rootless containers")
}

And the same for the other option.

[cyphar]

Is it possible to do this with strtok?

[cyphar]

While it would never be an issue, use snprintf(pid_fmt, 16, ...).

[cyphar]

Also I believe this needs a rebase, because the test failures are happening due to shfmt (which we no longer use).

[giuseppe]

@cyphar Thanks for the fixes! They LGTM

[cyphar]

@giuseppe I've pulled some of the changes from #1403, and rewrote some others to work better in the test framework. Now all of this code is tested as an integration suite run. 😸

[cyphar]

LGTM.

/cc @opencontainers/runc-maintainers

[cyphar]

LGTM (again, needed rebase).

/cc @opencontainers/runc-maintainers

[crosbymichael]

LGTM

[AkihiroSuda]

Added runc spec support for optionally generating a config with multiple uidMappings and gidMappings: #1692