Skip to content

Commit

Permalink
quadlet: support user mapping in pod unit
Browse files Browse the repository at this point in the history
Signed-off-by: Misaki Kasumi <[email protected]>
  • Loading branch information
ruihe774 committed Aug 22, 2024
1 parent 426aac3 commit 4fbfa7d
Show file tree
Hide file tree
Showing 8 changed files with 85 additions and 6 deletions.
2 changes: 1 addition & 1 deletion cmd/quadlet/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -658,7 +658,7 @@ func process() error {
case strings.HasSuffix(unit.Filename, ".build"):
service, err = quadlet.ConvertBuild(unit, unitsInfoMap)
case strings.HasSuffix(unit.Filename, ".pod"):
service, err = quadlet.ConvertPod(unit, unit.Filename, unitsInfoMap)
service, err = quadlet.ConvertPod(unit, unit.Filename, unitsInfoMap, isUserFlag)
default:
Logf("Unsupported file type %q", unit.Filename)
continue
Expand Down
34 changes: 34 additions & 0 deletions docs/source/markdown/podman-systemd.unit.5.md
Original file line number Diff line number Diff line change
Expand Up @@ -867,13 +867,18 @@ Valid options for `[Pod]` are listed below:
| **[Pod] options** | **podman container create equivalent** |
|-------------------------------------|----------------------------------------|
| ContainersConfModule=/etc/nvd\.conf | --module=/etc/nvd\.conf |
| GIDMap=0:10000:10 | --gidmap=0:10000:10 |
| GlobalArgs=--log-level=debug | --log-level=debug |
| Network=host | --network host |
| NetworkAlias=name | --network-alias name |
| PodmanArgs=\-\-cpus=2 | --cpus=2 |
| PodName=name | --name=name |
| PublishPort=50-59 | --publish 50-59 |
| ServiceName=name | Name the systemd unit `name.service` |
| SubGIDMap=gtest | --subgidname=gtest |
| SubUIDMap=utest | --subuidname=utest |
| UIDMap=0:10000:10 | --uidmap=0:10000:10 |
| UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 |
| Volume=/source:/dest | --volume /source:/dest |

Supported keys in the `[Pod]` section are:
Expand All @@ -884,6 +889,13 @@ Load the specified containers.conf(5) module. Equivalent to the Podman `--module

This key can be listed multiple times.

### `GIDMap=`

Create the pod in a new user namespace using the supplied GID mapping.
Equivalent to the Podman `--gidmap` option.

This key can be listed multiple times.

### `GlobalArgs=`

This key contains a list of arguments passed directly between `podman` and `pod`
Expand Down Expand Up @@ -966,6 +978,28 @@ Setting this key overrides this behavior by instructing Quadlet to use the provi

Note, the name should not include the `.service` file extension

### `SubGIDMap=`

Create the pod in a new user namespace using the map with name in the /etc/subgid file.
Equivalent to the Podman `--subgidname` option.

### `SubUIDMap=`

Create the pod in a new user namespace using the map with name in the /etc/subuid file.
Equivalent to the Podman `--subuidname` option.

### `UIDMap=`

Create the pod in a new user namespace using the supplied UID mapping.
Equivalent to the Podman `--uidmap` option.

This key can be listed multiple times.

### `UserNS=`

Set the user namespace mode for the pod. This is equivalent to the Podman `--userns` option and
generally has the form `MODE[:OPTIONS,...]`.

### `Volume=`

Mount a volume in the pod. This is equivalent to the Podman `--volume` option, and
Expand Down
15 changes: 14 additions & 1 deletion pkg/systemd/quadlet/quadlet.go
Original file line number Diff line number Diff line change
Expand Up @@ -380,13 +380,22 @@ var (

supportedPodKeys = map[string]bool{
KeyContainersConfModule: true,
KeyGIDMap: true,
KeyGlobalArgs: true,
KeyNetwork: true,
KeyNetworkAlias: true,
KeyPodName: true,
KeyPodmanArgs: true,
KeyPublishPort: true,
KeyRemapGid: true,
KeyRemapUid: true,
KeyRemapUidSize: true,
KeyRemapUsers: true,
KeyServiceName: true,
KeySubGIDMap: true,
KeySubUIDMap: true,
KeyUIDMap: true,
KeyUserNS: true,
KeyVolume: true,
}
)
Expand Down Expand Up @@ -1570,7 +1579,7 @@ func getServiceName(quadletUnitFile *parser.UnitFile, groupName string, defaultE
return removeExtension(quadletUnitFile.Filename, "", defaultExtraSuffix)
}

func ConvertPod(podUnit *parser.UnitFile, name string, unitsInfoMap map[string]*UnitInfo) (*parser.UnitFile, error) {
func ConvertPod(podUnit *parser.UnitFile, name string, unitsInfoMap map[string]*UnitInfo, isUser bool) (*parser.UnitFile, error) {
unitInfo, ok := unitsInfoMap[podUnit.Filename]
if !ok {
return nil, fmt.Errorf("internal error while processing pod %s", podUnit.Filename)
Expand Down Expand Up @@ -1639,6 +1648,10 @@ func ConvertPod(podUnit *parser.UnitFile, name string, unitsInfoMap map[string]*
"--replace",
)

if err := handleUserMappings(podUnit, PodGroup, execStartPre, isUser, true); err != nil {
return nil, err
}

if err := handlePublishPorts(podUnit, PodGroup, execStartPre); err != nil {
return nil, err
}
Expand Down
4 changes: 4 additions & 0 deletions test/e2e/quadlet/remap-auto.pod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## assert-podman-pre-args --userns=auto

[Pod]
RemapUsers=auto
9 changes: 9 additions & 0 deletions test/e2e/quadlet/remap-auto2.pod
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
## assert-podman-pre-args "--userns=auto:uidmapping=0:10000:10,uidmapping=10:20000:10,gidmapping=0:10000:10,gidmapping=10:20000:10,size=20"

[Pod]
RemapUsers=auto
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
RemapUidSize=20
4 changes: 4 additions & 0 deletions test/e2e/quadlet/remap-keep-id.pod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## assert-podman-pre-args --userns=keep-id

[Pod]
RemapUsers=keep-id
11 changes: 11 additions & 0 deletions test/e2e/quadlet/remap-manual.pod
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
## assert-podman-pre-args "--uidmap=0:10000:10"
## assert-podman-pre-args "--uidmap=10:20000:10"
## assert-podman-pre-args "--gidmap=0:10000:10"
## assert-podman-pre-args "--gidmap=10:20000:10"

[Pod]
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
12 changes: 8 additions & 4 deletions test/e2e/quadlet_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -998,11 +998,15 @@ BOGUS=foo
Entry("Build - TLSVerify Key", "tls-verify.build"),
Entry("Build - Variant Key", "variant.build"),

Entry("basic.pod", "basic.pod"),
Entry("name.pod", "name.pod"),
Entry("network.pod", "network.pod"),
Entry("podmanargs.pod", "podmanargs.pod"),
Entry("Pod - Basic", "basic.pod"),
Entry("Pod - Name", "name.pod"),
Entry("Pod - Network", "network.pod"),
Entry("Pod - PodmanArgs", "podmanargs.pod"),
Entry("Pod - NetworkAlias", "network-alias.pod"),
Entry("Pod - Remap auto", "remap-auto.pod"),
Entry("Pod - Remap auto2", "remap-auto2.pod"),
Entry("Pod - Remap keep-id", "remap-keep-id.pod"),
Entry("Pod - Remap manual", "remap-manual.pod"),
)

DescribeTable("Running expected warning quadlet test case",
Expand Down

0 comments on commit 4fbfa7d

Please sign in to comment.