Don't create devices if in a user namespace

If we are running in a user namespace, don't try to mknod as it won't be allowed. libcontainer will bind-mount the host's devices over files in the container anyway, so it's not needed. The chrootarchive package does a chroot (without mounting /proc) before its work, so we cannot check /proc/self/uid_map when we need to. So compute it in advance and pass it along with the tar options. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Upstream-commit: 617c352e9225b1d598e893aa5f89a8863808e4f2 Component: engine
2016-02-12 16:05:50 -08:00
parent 51e7a5bb32
commit cc5b6aa3dd
6 changed files with 36 additions and 6 deletions
--- a/components/engine/pkg/chrootarchive/diff_unix.go
+++ b/components/engine/pkg/chrootarchive/diff_unix.go
@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/reexec"
 	"github.com/docker/docker/pkg/system"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
 )

 type applyLayerResponse struct {
@ -34,6 +35,7 @@ func applyLayer() {
 	runtime.LockOSThread()
 	flag.Parse()

+	inUserns := rsystem.RunningInUserNS()
 	if err := chroot(flag.Arg(0)); err != nil {
 		fatal(err)
 	}
@ -49,6 +51,10 @@ func applyLayer() {
 		fatal(err)
 	}

+	if inUserns {
+		options.InUserNS = true
+	}
+
 	if tmpDir, err = ioutil.TempDir("/", "temp-docker-extract"); err != nil {
 		fatal(err)
 	}
@ -88,6 +94,9 @@ func applyLayerHandler(dest string, layer archive.Reader, options *archive.TarOp
 	}
 	if options == nil {
 		options = &archive.TarOptions{}
+		if rsystem.RunningInUserNS() {
+			options.InUserNS = true
+		}
 	}
 	if options.ExcludePatterns == nil {
 		options.ExcludePatterns = []string{}