feature(main): add container storage
Signed-off-by: cuisongliu <[email protected]>
1 parent
2888d8d
commit 41636e1
Showing
9 changed files
with
181 additions
and
41 deletions.
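--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,8 @@
+//go:build !linux
+// +build !linux
+
+package sync
+
+func reexecIfNecessaryForImages(inputImageNames ...string) error {
+	return nil
+}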
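Review bot: The non-Linux stub carries no comment explaining that it is intentionally a no-op, and its parameter is named `inputImageNames` while the Linux build of the same function in this commit names it `imageNames`, so the two build variants read as different functions. A one-line doc comment such as `// reexecIfNecessaryForImages is a no-op outside Linux; the user-namespace re-exec done by the Linux build does not apply here.` would make the intent explicit, and the parameter name should match the Linux variant.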
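--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,48 @@
+package sync
+
+import (
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/pkg/errors"
+	"github.com/syndtr/gocapability/capability"
+)
+
+var neededCapabilities = []capability.Cap{
+	capability.CAP_CHOWN,
+	capability.CAP_DAC_OVERRIDE,
+	capability.CAP_FOWNER,
+	capability.CAP_FSETID,
+	capability.CAP_MKNOD,
+	capability.CAP_SETFCAP,
+}
+
+func maybeReexec() error {
+	// With Skopeo we need only the subset of the root capabilities necessary
+	// for pulling an image to the storage. Do not attempt to create a namespace
+	// if we already have the capabilities we need.
+	capabilities, err := capability.NewPid(0)
+	if err != nil {
+		return errors.Wrapf(err, "error reading the current capabilities sets")
+	}
+	for _, cap := range neededCapabilities {
+		if !capabilities.Get(capability.EFFECTIVE, cap) {
+			// We miss a capability we need, create a user namespaces
+			unshare.MaybeReexecUsingUserNamespace(true)
+			return nil
+		}
+	}
+	return nil
+}
+
+func reexecIfNecessaryForImages(imageNames ...string) error {
+	// Check if container-storage is used before doing unshare
+	for _, imageName := range imageNames {
+		transport := alltransports.TransportFromImageName(imageName)
+		// Hard-code the storage name to avoid a reference on c/image/storage.
+		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
+		if transport != nil && transport.Name() == "containers-storage" {
+			return maybeReexec()
+		}
+	}
+	return nil
+}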
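Review bot: In `maybeReexec` the loop variable `cap` shadows Go's builtin `cap`, which linters flag and which makes the capability check harder to read; rename it, e.g. `for _, c := range neededCapabilities {` / `if !capabilities.Get(capability.EFFECTIVE, c) {`. The header comment still says "With Skopeo", which is misleading now that this code lives in package `sync`; reword it to describe this program's own need for those capabilities. `errors.Wrapf` is called with no format arguments and the message starts with "error", which is redundant once wrapped, so `errors.Wrap(err, "reading the current capabilities sets")` is the plainer form. After `unshare.MaybeReexecUsingUserNamespace(true)` the function unconditionally returns nil, so if that call ever returns without re-executing, the caller continues without the capability it just found missing; a comment stating that the call is expected not to return on success (confirm against containers/storage) would make that assumption visible.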