Fix subuid/subgid handling
This commit is contained in:
parent
c2cd5b12a0
commit
6ced9772ba
@ -13,6 +13,16 @@ def run(cmd, **kwargs):
|
|||||||
def out(cmd, **kwargs):
|
def out(cmd, **kwargs):
|
||||||
return run(cmd, stdout=subprocess.PIPE, text=True, **kwargs).stdout.rstrip()
|
return run(cmd, stdout=subprocess.PIPE, text=True, **kwargs).stdout.rstrip()
|
||||||
|
|
||||||
|
def get_subuidgid():
|
||||||
|
def get_first_sub(kind):
|
||||||
|
lines = out(['su', '-', 'spoc', '-c', f'podman unshare cat /proc/self/{kind}_map'])
|
||||||
|
for line in lines.splitlines():
|
||||||
|
columns = line.split()
|
||||||
|
if columns[0] == '1':
|
||||||
|
return int(columns[1])
|
||||||
|
return 0
|
||||||
|
return (get_first_sub('uid'), get_first_sub('gid'))
|
||||||
|
|
||||||
def get_apps():
|
def get_apps():
|
||||||
apps = {}
|
apps = {}
|
||||||
data = json.loads(out(['podman', 'pod', 'ps', '--format', 'json']))
|
data = json.loads(out(['podman', 'pod', 'ps', '--format', 'json']))
|
||||||
@ -41,13 +51,17 @@ def get_pod_status(app_name=None):
|
|||||||
return out(['podman', 'pod', 'ps', '--filter', app_filter])
|
return out(['podman', 'pod', 'ps', '--filter', app_filter])
|
||||||
|
|
||||||
def create_volume(app_name, vol_name):
|
def create_volume(app_name, vol_name):
|
||||||
run(['podman', 'volume', 'create', '--label', f'spoc.app={app_name}', vol_name])
|
subuid, subgid = get_subuidgid()
|
||||||
|
run(['podman', 'volume', 'create',
|
||||||
|
'--opt', f'o=uid={subuid},gid={subgid}',
|
||||||
|
'--label', f'spoc.app={app_name}', vol_name])
|
||||||
|
|
||||||
def remove_volume(vol_name):
|
def remove_volume(vol_name):
|
||||||
run(['podman', 'volume', 'rm', vol_name])
|
run(['podman', 'volume', 'rm', vol_name])
|
||||||
|
|
||||||
def create_pod(app_name, app_version):
|
def create_pod(app_name, app_version):
|
||||||
run(['podman', 'pod', 'create', '--name', app_name,
|
run(['podman', 'pod', 'create', '--name', app_name,
|
||||||
|
'--subuidname', 'spoc', '--subgidname', 'spoc',
|
||||||
'--label', f'spoc.app={app_name}', '--label', f'spoc.version={app_version}'])
|
'--label', f'spoc.app={app_name}', '--label', f'spoc.version={app_version}'])
|
||||||
|
|
||||||
def remove_pod(app_name):
|
def remove_pod(app_name):
|
||||||
@ -56,7 +70,7 @@ def remove_pod(app_name):
|
|||||||
|
|
||||||
def create_container(app_name, cnt_name, image, **kwargs):
|
def create_container(app_name, cnt_name, image, **kwargs):
|
||||||
cmd = ['podman', 'container', 'create', '--name', cnt_name, '--pod', app_name,
|
cmd = ['podman', 'container', 'create', '--name', cnt_name, '--pod', app_name,
|
||||||
'--subgidname', 'spoc', '--subgidname', 'spoc',
|
'--subuidname', 'spoc', '--subgidname', 'spoc',
|
||||||
'--restart', 'unless-stopped']
|
'--restart', 'unless-stopped']
|
||||||
env_file = kwargs.get('env_file')
|
env_file = kwargs.get('env_file')
|
||||||
if env_file:
|
if env_file:
|
||||||
|
|||||||
@ -22,6 +22,23 @@ def test_out(run):
|
|||||||
env=podman.ENV, arg1=123, arg2=True)
|
env=podman.ENV, arg1=123, arg2=True)
|
||||||
assert output == 'RESULT'
|
assert output == 'RESULT'
|
||||||
|
|
||||||
|
@patch('spoc.podman.out', return_value=' 0 1000 1\n 1 100000 65536')
|
||||||
|
def test_get_subuidgid(out):
|
||||||
|
subuidgid = podman.get_subuidgid()
|
||||||
|
|
||||||
|
assert subuidgid == (100000, 100000)
|
||||||
|
out.assert_has_calls([
|
||||||
|
call(['su', '-', 'spoc', '-c', 'podman unshare cat /proc/self/uid_map']),
|
||||||
|
call(['su', '-', 'spoc', '-c', 'podman unshare cat /proc/self/gid_map']),
|
||||||
|
])
|
||||||
|
|
||||||
|
@patch('spoc.podman.out', return_value='')
|
||||||
|
def test_get_subuidgid_no_id(out):
|
||||||
|
subuidgid = podman.get_subuidgid()
|
||||||
|
|
||||||
|
assert subuidgid == (0, 0)
|
||||||
|
assert out.call_count == 2
|
||||||
|
|
||||||
@patch('spoc.podman.out')
|
@patch('spoc.podman.out')
|
||||||
def test_get_apps(out):
|
def test_get_apps(out):
|
||||||
with open(os.path.join(TEST_DATA_DIR, 'podman_pod_ps.json'), encoding='utf-8') as f:
|
with open(os.path.join(TEST_DATA_DIR, 'podman_pod_ps.json'), encoding='utf-8') as f:
|
||||||
@ -78,10 +95,14 @@ def test_get_pod_status_all(out):
|
|||||||
assert status == 'RESULT'
|
assert status == 'RESULT'
|
||||||
|
|
||||||
@patch('spoc.podman.run')
|
@patch('spoc.podman.run')
|
||||||
def test_create_volume(run):
|
@patch('spoc.podman.get_subuidgid', return_value=(100000, 100000))
|
||||||
|
def test_create_volume(get_subuidgid, run):
|
||||||
podman.create_volume('someapp', 'someapp-vol')
|
podman.create_volume('someapp', 'someapp-vol')
|
||||||
|
|
||||||
expected_cmd = ['podman', 'volume', 'create', '--label', 'spoc.app=someapp', 'someapp-vol']
|
expected_cmd = ['podman', 'volume', 'create',
|
||||||
|
'--opt', 'o=uid=100000,gid=100000',
|
||||||
|
'--label', 'spoc.app=someapp', 'someapp-vol']
|
||||||
|
get_subuidgid.assert_called_once()
|
||||||
run.assert_called_once_with(expected_cmd)
|
run.assert_called_once_with(expected_cmd)
|
||||||
|
|
||||||
@patch('spoc.podman.run')
|
@patch('spoc.podman.run')
|
||||||
@ -96,6 +117,7 @@ def test_create_pod(run):
|
|||||||
podman.create_pod('someapp', '0.1')
|
podman.create_pod('someapp', '0.1')
|
||||||
|
|
||||||
expected_cmd = ['podman', 'pod', 'create', '--name', 'someapp',
|
expected_cmd = ['podman', 'pod', 'create', '--name', 'someapp',
|
||||||
|
'--subuidname', 'spoc', '--subgidname', 'spoc',
|
||||||
'--label', 'spoc.app=someapp', '--label', 'spoc.version=0.1']
|
'--label', 'spoc.app=someapp', '--label', 'spoc.version=0.1']
|
||||||
run.assert_called_once_with(expected_cmd)
|
run.assert_called_once_with(expected_cmd)
|
||||||
|
|
||||||
@ -117,7 +139,7 @@ def test_create_container(run):
|
|||||||
hosts={'cnt2', 'cnt3', 'cnt'})
|
hosts={'cnt2', 'cnt3', 'cnt'})
|
||||||
|
|
||||||
expected_cmd = ['podman', 'container', 'create', '--name', 'someapp-cnt', '--pod', 'someapp',
|
expected_cmd = ['podman', 'container', 'create', '--name', 'someapp-cnt', '--pod', 'someapp',
|
||||||
'--subgidname', 'spoc', '--subgidname', 'spoc',
|
'--subuidname', 'spoc', '--subgidname', 'spoc',
|
||||||
'--restart', 'unless-stopped', '--env-file', '/var/lib/spoc/someapp.env',
|
'--restart', 'unless-stopped', '--env-file', '/var/lib/spoc/someapp.env',
|
||||||
'--requires', 'someapp-cnt2,someapp-cnt3', '--volume', 'someapp-mnt:/mnt',
|
'--requires', 'someapp-cnt2,someapp-cnt3', '--volume', 'someapp-mnt:/mnt',
|
||||||
'--volume', 'someapp-srv:/srv', '--add-host', 'cnt:127.0.0.1',
|
'--volume', 'someapp-srv:/srv', '--add-host', 'cnt:127.0.0.1',
|
||||||
@ -130,7 +152,7 @@ def test_create_container_minimal(run):
|
|||||||
podman.create_container('someapp', 'someapp-cnt', 'example.com/someapp:0.23.6-210515')
|
podman.create_container('someapp', 'someapp-cnt', 'example.com/someapp:0.23.6-210515')
|
||||||
|
|
||||||
expected_cmd = ['podman', 'container', 'create', '--name', 'someapp-cnt', '--pod', 'someapp',
|
expected_cmd = ['podman', 'container', 'create', '--name', 'someapp-cnt', '--pod', 'someapp',
|
||||||
'--subgidname', 'spoc', '--subgidname', 'spoc',
|
'--subuidname', 'spoc', '--subgidname', 'spoc',
|
||||||
'--restart', 'unless-stopped', 'example.com/someapp:0.23.6-210515']
|
'--restart', 'unless-stopped', 'example.com/someapp:0.23.6-210515']
|
||||||
run.assert_called_once_with(expected_cmd)
|
run.assert_called_once_with(expected_cmd)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user