mirror of
https://github.com/opencontainers/runc.git
synced 2025-10-05 15:37:02 +08:00
7dc2486889
This addresses the following TODO in the code (added back in 2015
by commit 845fc65e5):
> // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
Historically, libcontainer internally uses strings for user, group, and
additional (aka supplementary) groups.
Yet, runc receives those credentials as part of runtime-spec's process,
which uses integers for all of them (see [1], [2]).
What happens next is:
1. runc start/run/exec converts those credentials to strings (a User
string containing "UID:GID", and a []string for additional GIDs) and
passes those onto runc init.
2. runc init converts them back to int, in the most complicated way
possible (parsing container's /etc/passwd and /etc/group).
All this conversion and, especially, parsing is totally unnecessary,
but is performed on every container exec (and start).
The only benefit of all this is, a libcontainer user could use user and
group names instead of numeric IDs (but runc itself is not using this
feature, and we don't know if there are any other users of this).
Let's remove this back and forth translation, hopefully increasing
runc exec performance.
The only remaining need to parse /etc/passwd is to set HOME environment
variable for a specified UID, in case $HOME is not explicitly set in
process.Env. This can now be done right in prepareEnv, which simplifies
the code flow a lot. Alas, we can not use standard os/user.LookupId, as
it could cache host's /etc/passwd or the current user (even with the
osusergo tag).
PS Note that the structures being changed (initConfig and Process) are
never saved to disk as JSON by runc, so there is no compatibility issue
for runc users.
Still, this is a breaking change in libcontainer, but we never promised
that libcontainer API will be stable (and there's a special package
that can handle it -- github.com/moby/sys/user). Reflect this in
CHANGELOG.
For 3998.
[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-user
[2]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/specs-go/config.go#L86
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
89 lines
2.3 KiB
Go
89 lines
2.3 KiB
Go
package libcontainer
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"slices"
|
|
"strings"
|
|
|
|
"github.com/moby/sys/user"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// prepareEnv processes a list of environment variables, preparing it
|
|
// for direct consumption by unix.Exec. In particular, it:
|
|
// - validates each variable is in the NAME=VALUE format and
|
|
// contains no \0 (nil) bytes;
|
|
// - removes any duplicates (keeping only the last value for each key)
|
|
// - sets PATH for the current process, if found in the list;
|
|
// - adds HOME to returned environment, if not found in the list.
|
|
//
|
|
// Returns the prepared environment.
|
|
func prepareEnv(env []string, uid int) ([]string, error) {
|
|
if env == nil {
|
|
return nil, nil
|
|
}
|
|
// Deduplication code based on dedupEnv from Go 1.22 os/exec.
|
|
|
|
// Construct the output in reverse order, to preserve the
|
|
// last occurrence of each key.
|
|
out := make([]string, 0, len(env))
|
|
saw := make(map[string]bool, len(env))
|
|
for n := len(env); n > 0; n-- {
|
|
kv := env[n-1]
|
|
i := strings.IndexByte(kv, '=')
|
|
if i == -1 {
|
|
return nil, errors.New("invalid environment variable: missing '='")
|
|
}
|
|
if i == 0 {
|
|
return nil, errors.New("invalid environment variable: name cannot be empty")
|
|
}
|
|
key := kv[:i]
|
|
if saw[key] { // Duplicate.
|
|
continue
|
|
}
|
|
saw[key] = true
|
|
if strings.IndexByte(kv, 0) >= 0 {
|
|
return nil, fmt.Errorf("invalid environment variable %q: contains nul byte (\\x00)", key)
|
|
}
|
|
if key == "PATH" {
|
|
// Needs to be set as it is used for binary lookup.
|
|
if err := os.Setenv("PATH", kv[i+1:]); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
out = append(out, kv)
|
|
}
|
|
// Restore the original order.
|
|
slices.Reverse(out)
|
|
|
|
// If HOME is not found in env, get it from container's /etc/passwd and add.
|
|
if !saw["HOME"] {
|
|
home, err := getUserHome(uid)
|
|
if err != nil {
|
|
// For backward compatibility, don't return an error, but merely log it.
|
|
logrus.WithError(err).Debugf("HOME not set in process.env, and getting UID %d homedir failed", uid)
|
|
}
|
|
|
|
out = append(out, "HOME="+home)
|
|
}
|
|
|
|
return out, nil
|
|
}
|
|
|
|
func getUserHome(uid int) (string, error) {
|
|
const defaultHome = "/" // Default value, return this with any error.
|
|
|
|
u, err := user.LookupUid(uid)
|
|
if err != nil {
|
|
// ErrNoPasswdEntries is kinda expected as any UID can be specified.
|
|
if errors.Is(err, user.ErrNoPasswdEntries) {
|
|
err = nil
|
|
}
|
|
return defaultHome, err
|
|
}
|
|
|
|
return u.Home, nil
|
|
}
|