fix stdio permission error for runc run without detach

lifubang · lifubang · commit 10adde365d31 · 2024-10-29T18:35:59.000+08:00
Signed-off-by: lifubang &lt;lifubang@acmcoder.com&gt;
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -917,7 +917,7 @@ func getPipeFds(pid int) ([]string, error) {
 // opposite side for each. Do not use this if you want to have a pseudoterminal
 // set up for you by libcontainer (TODO: fix that too).
 // TODO: This is mostly unnecessary, and should be handled by clients.
-func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
+func (p *Process) InitializeIO(containerUID, containerGID int) (i *IO, err error) {
 	var fds []uintptr
 	i = &IO{}
 	// cleanup in case of an error
@@ -949,7 +949,7 @@ func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
 	p.Stderr, i.Stderr = w, r
 	// change ownership of the pipes in case we are in a user namespace
 	for _, fd := range fds {
-		if err := unix.Fchown(int(fd), rootuid, rootgid); err != nil {
+		if err := unix.Fchown(int(fd), containerUID, containerGID); err != nil {
 			return nil, &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
 		}
 	}
diff --git a/tty.go b/tty.go
@@ -31,8 +31,8 @@ func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
 
 // setup pipes for the process so that advanced features like c/r are able to easily checkpoint
 // and restore the process's IO without depending on a host specific path or device
-func setupProcessPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, error) {
-	i, err := p.InitializeIO(rootuid, rootgid)
+func setupProcessPipes(p *libcontainer.Process, containerUID, containerGID int) (*tty, error) {
+	i, err := p.InitializeIO(containerUID, containerGID)
 	if err != nil {
 		return nil, err
 	}
diff --git a/utils_linux.go b/utils_linux.go
@@ -94,7 +94,7 @@ func newProcess(p specs.Process) (*libcontainer.Process, error) {
 }
 
 // setupIO modifies the given process config according to the options.
-func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, detach bool, sockpath string) (*tty, error) {
+func setupIO(process *libcontainer.Process, containerUID, containerGID int, createTTY, detach bool, sockpath string) (*tty, error) {
 	if createTTY {
 		process.Stdin = nil
 		process.Stdout = nil
@@ -140,7 +140,7 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det
 		inheritStdio(process)
 		return &tty{}, nil
 	}
-	return setupProcessPipes(process, rootuid, rootgid)
+	return setupProcessPipes(process, containerUID, containerGID)
 }
 
 // createPidFile creates a file containing the PID,
@@ -237,11 +237,11 @@ func (r *runner) run(config *specs.Process) (int, error) {
 		}
 		process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))
 	}
-	rootuid, err := r.container.Config().HostRootUID()
+	containerUID, err := r.container.Config().HostUID(int(config.User.UID))
 	if err != nil {
 		return -1, err
 	}
-	rootgid, err := r.container.Config().HostRootGID()
+	containerGID, err := r.container.Config().HostGID(int(config.User.GID))
 	if err != nil {
 		return -1, err
 	}
@@ -250,7 +250,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
 	// with detaching containers, and then we get a tty after the container has
 	// started.
 	handler := newSignalHandler(r.enableSubreaper, r.notifySocket)
-	tty, err := setupIO(process, rootuid, rootgid, config.Terminal, detach, r.consoleSocket)
+	tty, err := setupIO(process, containerUID, containerGID, config.Terminal, detach, r.consoleSocket)
 	if err != nil {
 		return -1, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ func newProcess(p specs.Process) (*libcontainer.Process, error) {`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`// setupIO modifies the given process config according to the options.`
`97`		`-func setupIO(process libcontainer.Process, rootuid, rootgid int, createTTY, detach bool, sockpath string) (tty, error) {`
	`97`	`+func setupIO(process libcontainer.Process, containerUID, containerGID int, createTTY, detach bool, sockpath string) (tty, error) {`
`98`	`98`	`if createTTY {`
`99`	`99`	`process.Stdin = nil`
`100`	`100`	`process.Stdout = nil`
`@@ -140,7 +140,7 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det`
`140`	`140`	`inheritStdio(process)`
`141`	`141`	`return &tty{}, nil`
`142`	`142`	`}`
`143`		`- return setupProcessPipes(process, rootuid, rootgid)`
	`143`	`+ return setupProcessPipes(process, containerUID, containerGID)`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`// createPidFile creates a file containing the PID,`
`@@ -237,11 +237,11 @@ func (r runner) run(config specs.Process) (int, error) {`
`237`	`237`	`}`
`238`	`238`	`process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))`
`239`	`239`	`}`
`240`		`- rootuid, err := r.container.Config().HostRootUID()`
	`240`	`+ containerUID, err := r.container.Config().HostUID(int(config.User.UID))`
`241`	`241`	`if err != nil {`
`242`	`242`	`return -1, err`
`243`	`243`	`}`
`244`		`- rootgid, err := r.container.Config().HostRootGID()`
	`244`	`+ containerGID, err := r.container.Config().HostGID(int(config.User.GID))`
`245`	`245`	`if err != nil {`
`246`	`246`	`return -1, err`
`247`	`247`	`}`
`@@ -250,7 +250,7 @@ func (r runner) run(config specs.Process) (int, error) {`
`250`	`250`	`// with detaching containers, and then we get a tty after the container has`
`251`	`251`	`// started.`
`252`	`252`	`handler := newSignalHandler(r.enableSubreaper, r.notifySocket)`
`253`		`- tty, err := setupIO(process, rootuid, rootgid, config.Terminal, detach, r.consoleSocket)`
	`253`	`+ tty, err := setupIO(process, containerUID, containerGID, config.Terminal, detach, r.consoleSocket)`
`254`	`254`	`if err != nil {`
`255`	`255`	`return -1, err`
`256`	`256`	`}`