libct/userns: split userns detection from idmap code

Commit 4316df8 isolated RunningInUserNS to a separate package to make it easier to consume without bringing in additional dependencies, and with the potential to move it separate in a similar fashion as libcontainer/user was moved to a separate module in commit ca32014. While RunningInUserNS is fairly trivial to implement, it (or variants of this utility) is used in many codebases, and moving to a separate module could consolidate those implementations, as well as making it easier to consume without large dependency trees (when being a package as part of a larger code base). Commit 1912d59 and follow-ups introduced cgo code into the userns package, and code introduced in those commits are not intended for external use, therefore complicating the potential of moving the userns package separate. This commit moves the new code to a separate package; some of this code was included in v1.1.11 and up, but I could not find external consumers of `GetUserNamespaceMappings` and `IsSameMapping`. The `Mapping` and `Handles` types (added in ba0b5e2) only exist in main and in non-stable releases (v1.2.0-rc.x), so don't need an alias / deprecation. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
opencontainers · Jun 29, 2024 · 97cc63c · 97cc63c
1 parent ab010ae
commit 97cc63c
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 10 deletions.
diff --git a/libcontainer/userns/userns_maps.c → libcontainer/idmap/userns_maps.c b/libcontainer/userns/userns_maps.c → libcontainer/idmap/userns_maps.c
diff --git a/libcontainer/userns/userns_maps_linux.go → libcontainer/idmap/userns_maps_linux.go b/libcontainer/userns/userns_maps_linux.go → libcontainer/idmap/userns_maps_linux.go
@@ -1,6 +1,6 @@
 //go:build linux
 
-package userns
+package idmap
 
 import (
 	"bufio"

diff --git a/libcontainer/userns/usernsfd_linux.go → libcontainer/idmap/usernsfd_linux.go b/libcontainer/userns/usernsfd_linux.go → libcontainer/idmap/usernsfd_linux.go
@@ -1,4 +1,4 @@
-package userns
+package idmap
 
 import (
 	"fmt"

diff --git a/libcontainer/userns/usernsfd_linux_test.go → libcontainer/idmap/usernsfd_linux_test.go b/libcontainer/userns/usernsfd_linux_test.go → libcontainer/idmap/usernsfd_linux_test.go
@@ -1,4 +1,4 @@
-package userns
+package idmap
 
 import (
 	"os"

diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
@@ -18,7 +18,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
 	"github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/opencontainers/runc/libcontainer/idmap"
 	"github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
 
@@ -724,7 +724,7 @@ func TestContainerState(t *testing.T) {
 		{Type: configs.NEWNS},
 		{Type: configs.NEWUTS},
 		// host for IPC
-		//{Type: configs.NEWIPC},
+		// {Type: configs.NEWIPC},
 		{Type: configs.NEWPID},
 		{Type: configs.NEWNET},
 	})
@@ -1555,7 +1555,7 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 	config2.Namespaces.Add(configs.NEWNET, netns1)
 	config2.Namespaces.Add(configs.NEWUSER, userns1)
 	// Emulate specconv.setupUserNamespace().
-	uidMap, gidMap, err := userns.GetUserNamespaceMappings(userns1)
+	uidMap, gidMap, err := idmap.GetUserNamespaceMappings(userns1)
 	ok(t, err)
 	config2.UIDMappings = uidMap
 	config2.GIDMappings = gidMap

diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -17,8 +17,8 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runc/libcontainer/idmap"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
-	"github.com/opencontainers/runc/libcontainer/userns"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
@@ -1012,7 +1012,7 @@ func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
 		// Cache the current userns mappings in our configuration, so that we
 		// can calculate uid and gid mappings within runc. These mappings are
 		// never used for configuring the container if the path is set.
-		uidMap, gidMap, err := userns.GetUserNamespaceMappings(path)
+		uidMap, gidMap, err := idmap.GetUserNamespaceMappings(path)
 		if err != nil {
 			return fmt.Errorf("failed to cache mappings for userns: %w", err)
 		}
@@ -1028,8 +1028,8 @@ func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
 			// the userns. So (for now) we output a warning if the actual
 			// userns mappings match the configuration, otherwise we return an
 			// error.
-			if !userns.IsSameMapping(uidMap, config.UIDMappings) ||
-				!userns.IsSameMapping(gidMap, config.GIDMappings) {
+			if !idmap.IsSameMapping(uidMap, config.UIDMappings) ||
+				!idmap.IsSameMapping(gidMap, config.GIDMappings) {
 				return errors.New("user namespaces enabled, but both namespace path and non-matching mapping specified -- you may only provide one")
 			}
 			logrus.Warnf("config.json has both a userns path to join and a matching userns mapping specified -- you may only provide one. Future versions of runc may return an error with this configuration, please report a bug on <https://github.com/opencontainers/runc> if you see this warning and cannot update your configuration.")