github.com/reds/docker@v1.11.2-rc1/pkg/idtools/idtools.go (about)

     1  package idtools
     2  
     3  import (
     4  	"bufio"
     5  	"fmt"
     6  	"os"
     7  	"sort"
     8  	"strconv"
     9  	"strings"
    10  )
    11  
    12  // IDMap contains a single entry for user namespace range remapping. An array
    13  // of IDMap entries represents the structure that will be provided to the Linux
    14  // kernel for creating a user namespace.
    15  type IDMap struct {
    16  	ContainerID int `json:"container_id"`
    17  	HostID      int `json:"host_id"`
    18  	Size        int `json:"size"`
    19  }
    20  
    21  type subIDRange struct {
    22  	Start  int
    23  	Length int
    24  }
    25  
    26  type ranges []subIDRange
    27  
    28  func (e ranges) Len() int           { return len(e) }
    29  func (e ranges) Swap(i, j int)      { e[i], e[j] = e[j], e[i] }
    30  func (e ranges) Less(i, j int) bool { return e[i].Start < e[j].Start }
    31  
    32  const (
    33  	subuidFileName string = "/etc/subuid"
    34  	subgidFileName string = "/etc/subgid"
    35  )
    36  
    37  // MkdirAllAs creates a directory (include any along the path) and then modifies
    38  // ownership to the requested uid/gid.  If the directory already exists, this
    39  // function will still change ownership to the requested uid/gid pair.
    40  func MkdirAllAs(path string, mode os.FileMode, ownerUID, ownerGID int) error {
    41  	return mkdirAs(path, mode, ownerUID, ownerGID, true, true)
    42  }
    43  
    44  // MkdirAllNewAs creates a directory (include any along the path) and then modifies
    45  // ownership ONLY of newly created directories to the requested uid/gid. If the
    46  // directories along the path exist, no change of ownership will be performed
    47  func MkdirAllNewAs(path string, mode os.FileMode, ownerUID, ownerGID int) error {
    48  	return mkdirAs(path, mode, ownerUID, ownerGID, true, false)
    49  }
    50  
    51  // MkdirAs creates a directory and then modifies ownership to the requested uid/gid.
    52  // If the directory already exists, this function still changes ownership
    53  func MkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int) error {
    54  	return mkdirAs(path, mode, ownerUID, ownerGID, false, true)
    55  }
    56  
    57  // GetRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
    58  // If the maps are empty, then the root uid/gid will default to "real" 0/0
    59  func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
    60  	var uid, gid int
    61  
    62  	if uidMap != nil {
    63  		xUID, err := ToHost(0, uidMap)
    64  		if err != nil {
    65  			return -1, -1, err
    66  		}
    67  		uid = xUID
    68  	}
    69  	if gidMap != nil {
    70  		xGID, err := ToHost(0, gidMap)
    71  		if err != nil {
    72  			return -1, -1, err
    73  		}
    74  		gid = xGID
    75  	}
    76  	return uid, gid, nil
    77  }
    78  
    79  // ToContainer takes an id mapping, and uses it to translate a
    80  // host ID to the remapped ID. If no map is provided, then the translation
    81  // assumes a 1-to-1 mapping and returns the passed in id
    82  func ToContainer(hostID int, idMap []IDMap) (int, error) {
    83  	if idMap == nil {
    84  		return hostID, nil
    85  	}
    86  	for _, m := range idMap {
    87  		if (hostID >= m.HostID) && (hostID <= (m.HostID + m.Size - 1)) {
    88  			contID := m.ContainerID + (hostID - m.HostID)
    89  			return contID, nil
    90  		}
    91  	}
    92  	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
    93  }
    94  
    95  // ToHost takes an id mapping and a remapped ID, and translates the
    96  // ID to the mapped host ID. If no map is provided, then the translation
    97  // assumes a 1-to-1 mapping and returns the passed in id #
    98  func ToHost(contID int, idMap []IDMap) (int, error) {
    99  	if idMap == nil {
   100  		return contID, nil
   101  	}
   102  	for _, m := range idMap {
   103  		if (contID >= m.ContainerID) && (contID <= (m.ContainerID + m.Size - 1)) {
   104  			hostID := m.HostID + (contID - m.ContainerID)
   105  			return hostID, nil
   106  		}
   107  	}
   108  	return -1, fmt.Errorf("Container ID %d cannot be mapped to a host ID", contID)
   109  }
   110  
   111  // CreateIDMappings takes a requested user and group name and
   112  // using the data from /etc/sub{uid,gid} ranges, creates the
   113  // proper uid and gid remapping ranges for that user/group pair
   114  func CreateIDMappings(username, groupname string) ([]IDMap, []IDMap, error) {
   115  	subuidRanges, err := parseSubuid(username)
   116  	if err != nil {
   117  		return nil, nil, err
   118  	}
   119  	subgidRanges, err := parseSubgid(groupname)
   120  	if err != nil {
   121  		return nil, nil, err
   122  	}
   123  	if len(subuidRanges) == 0 {
   124  		return nil, nil, fmt.Errorf("No subuid ranges found for user %q", username)
   125  	}
   126  	if len(subgidRanges) == 0 {
   127  		return nil, nil, fmt.Errorf("No subgid ranges found for group %q", groupname)
   128  	}
   129  
   130  	return createIDMap(subuidRanges), createIDMap(subgidRanges), nil
   131  }
   132  
   133  func createIDMap(subidRanges ranges) []IDMap {
   134  	idMap := []IDMap{}
   135  
   136  	// sort the ranges by lowest ID first
   137  	sort.Sort(subidRanges)
   138  	containerID := 0
   139  	for _, idrange := range subidRanges {
   140  		idMap = append(idMap, IDMap{
   141  			ContainerID: containerID,
   142  			HostID:      idrange.Start,
   143  			Size:        idrange.Length,
   144  		})
   145  		containerID = containerID + idrange.Length
   146  	}
   147  	return idMap
   148  }
   149  
   150  func parseSubuid(username string) (ranges, error) {
   151  	return parseSubidFile(subuidFileName, username)
   152  }
   153  
   154  func parseSubgid(username string) (ranges, error) {
   155  	return parseSubidFile(subgidFileName, username)
   156  }
   157  
   158  // parseSubidFile will read the appropriate file (/etc/subuid or /etc/subgid)
   159  // and return all found ranges for a specified username. If the special value
   160  // "ALL" is supplied for username, then all ranges in the file will be returned
   161  func parseSubidFile(path, username string) (ranges, error) {
   162  	var rangeList ranges
   163  
   164  	subidFile, err := os.Open(path)
   165  	if err != nil {
   166  		return rangeList, err
   167  	}
   168  	defer subidFile.Close()
   169  
   170  	s := bufio.NewScanner(subidFile)
   171  	for s.Scan() {
   172  		if err := s.Err(); err != nil {
   173  			return rangeList, err
   174  		}
   175  
   176  		text := strings.TrimSpace(s.Text())
   177  		if text == "" || strings.HasPrefix(text, "#") {
   178  			continue
   179  		}
   180  		parts := strings.Split(text, ":")
   181  		if len(parts) != 3 {
   182  			return rangeList, fmt.Errorf("Cannot parse subuid/gid information: Format not correct for %s file", path)
   183  		}
   184  		if parts[0] == username || username == "ALL" {
   185  			startid, err := strconv.Atoi(parts[1])
   186  			if err != nil {
   187  				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
   188  			}
   189  			length, err := strconv.Atoi(parts[2])
   190  			if err != nil {
   191  				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
   192  			}
   193  			rangeList = append(rangeList, subIDRange{startid, length})
   194  		}
   195  	}
   196  	return rangeList, nil
   197  }