diff options
author | Valerij Fredriksen <freva@users.noreply.github.com> | 2021-10-18 11:37:39 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-18 11:37:39 +0200 |
commit | 723f37c12807edd819ef6b5d94bcd0a3c9ddda1d (patch) | |
tree | 8d4863d4b984e0c235278726a9ddfb043bb991e4 /node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java | |
parent | 5865b9bb80b540f6d252312fa6002300b2f1c9ee (diff) |
Revert "Reapply "Use ContainerPath""
Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java | 89 |
1 files changed, 49 insertions, 40 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java index ae65f6a7f7f..893e86ca239 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupService.java @@ -1,7 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.task.util.fs; -import com.yahoo.vespa.hosted.node.admin.nodeagent.UserNamespace; +import com.google.common.collect.ImmutableBiMap; import java.io.IOException; import java.nio.file.attribute.GroupPrincipal; @@ -9,60 +9,58 @@ import java.nio.file.attribute.UserPrincipal; import java.nio.file.attribute.UserPrincipalLookupService; import java.nio.file.attribute.UserPrincipalNotFoundException; import java.util.Objects; +import java.util.Optional; /** * @author valerijf */ class ContainerUserPrincipalLookupService extends UserPrincipalLookupService { + /** Total number of UID/GID that are mapped for each container */ + private static final int ID_RANGE = 1 << 16; + + /** + * IDs outside the ID range are translated to the overflow ID before being written to disk: + * https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/Documentation/admin-guide/sysctl/fs.rst#overflowgid--overflowuid */ + static final int OVERFLOW_ID = 65_534; + + private static final ImmutableBiMap<String, Integer> CONTAINER_IDS_BY_NAME = ImmutableBiMap.<String, Integer>builder() + .put("root", 0) + .put("vespa", 1000) + .build(); + private final UserPrincipalLookupService baseFsUserPrincipalLookupService; - private final UserNamespace userNamespace; + private final int uidOffset; + private final int gidOffset; - ContainerUserPrincipalLookupService(UserPrincipalLookupService baseFsUserPrincipalLookupService, UserNamespace userNamespace) { - this.baseFsUserPrincipalLookupService = Objects.requireNonNull(baseFsUserPrincipalLookupService); - this.userNamespace = Objects.requireNonNull(userNamespace); + ContainerUserPrincipalLookupService(UserPrincipalLookupService baseFsUserPrincipalLookupService, int uidOffset, int gidOffset) { + this.baseFsUserPrincipalLookupService = baseFsUserPrincipalLookupService; + this.uidOffset = uidOffset; + this.gidOffset = gidOffset; } - public int userIdOnHost(int containerUid) { return userNamespace.userIdOnHost(containerUid); } - public int groupIdOnHost(int containerGid) { return userNamespace.groupIdOnHost(containerGid); } - public int userIdInContainer(int hostUid) { return userNamespace.userIdInContainer(hostUid); } - public int groupIdInContainer(int hostGid) { return userNamespace.groupIdInContainer(hostGid); } + public int containerUidToHostUid(int containerUid) { return containerIdToHostId(containerUid, uidOffset); } + public int containerGidToHostGid(int containerGid) { return containerIdToHostId(containerGid, gidOffset); } + public int hostUidToContainerUid(int hostUid) { return hostIdToContainerId(hostUid, uidOffset); } + public int hostGidToContainerGid(int hostGid) { return hostIdToContainerId(hostGid, gidOffset); } @Override public ContainerUserPrincipal lookupPrincipalByName(String name) throws IOException { - int containerUid = resolveName(name, userNamespace.vespaUser(), userNamespace.vespaUserId()); - String user = resolveId(containerUid, userNamespace.vespaUser(), userNamespace.vespaUserId()); - String hostUid = String.valueOf(userIdOnHost(containerUid)); - return new ContainerUserPrincipal(containerUid, user, baseFsUserPrincipalLookupService.lookupPrincipalByName(hostUid)); + int containerUid = resolve(name); + String hostUid = String.valueOf(containerUidToHostUid(containerUid)); + return new ContainerUserPrincipal(containerUid, baseFsUserPrincipalLookupService.lookupPrincipalByName(hostUid)); } @Override public ContainerGroupPrincipal lookupPrincipalByGroupName(String group) throws IOException { - int containerGid = resolveName(group, userNamespace.vespaGroup(), userNamespace.vespaGroupId()); - String name = resolveId(containerGid, userNamespace.vespaGroup(), userNamespace.vespaGroupId()); - String hostGid = String.valueOf(groupIdOnHost(containerGid)); - return new ContainerGroupPrincipal(containerGid, name, baseFsUserPrincipalLookupService.lookupPrincipalByGroupName(hostGid)); - } - - public ContainerUserPrincipal userPrincipal(int uid, UserPrincipal baseFsPrincipal) { - String name = resolveId(uid, userNamespace.vespaUser(), userNamespace.vespaUserId()); - return new ContainerUserPrincipal(uid, name, baseFsPrincipal); - } - - public ContainerGroupPrincipal groupPrincipal(int gid, GroupPrincipal baseFsPrincipal) { - String name = resolveId(gid, userNamespace.vespaGroup(), userNamespace.vespaGroupId()); - return new ContainerGroupPrincipal(gid, name, baseFsPrincipal); + int containerGid = resolve(group); + String hostGid = String.valueOf(containerGidToHostGid(containerGid)); + return new ContainerGroupPrincipal(containerGid, baseFsUserPrincipalLookupService.lookupPrincipalByGroupName(hostGid)); } - private String resolveId(int id, String vespaName, int vespaId) { - if (id == 0) return "root"; - if (id == vespaId) return vespaName; - return String.valueOf(id); - } - - private int resolveName(String name, String vespaName, int vespaId) throws UserPrincipalNotFoundException { - if (name.equals("root")) return 0; - if (name.equals(vespaName)) return vespaId; + private static int resolve(String name) throws UserPrincipalNotFoundException { + Integer id = CONTAINER_IDS_BY_NAME.get(name); + if (id != null) return id; try { return Integer.parseInt(name); @@ -76,9 +74,9 @@ class ContainerUserPrincipalLookupService extends UserPrincipalLookupService { private final String name; private final UserPrincipal baseFsPrincipal; - private NamedPrincipal(int id, String name, UserPrincipal baseFsPrincipal) { + private NamedPrincipal(int id, UserPrincipal baseFsPrincipal) { this.id = id; - this.name = Objects.requireNonNull(name); + this.name = Optional.ofNullable(CONTAINER_IDS_BY_NAME.inverse().get(id)).orElseGet(() -> Integer.toString(id)); this.baseFsPrincipal = Objects.requireNonNull(baseFsPrincipal); } @@ -115,12 +113,23 @@ class ContainerUserPrincipalLookupService extends UserPrincipalLookupService { } static final class ContainerUserPrincipal extends NamedPrincipal { - private ContainerUserPrincipal(int id, String name, UserPrincipal baseFsPrincipal) { super(id, name, baseFsPrincipal); } + ContainerUserPrincipal(int id, UserPrincipal baseFsPrincipal) { super(id, baseFsPrincipal); } } static final class ContainerGroupPrincipal extends NamedPrincipal implements GroupPrincipal { - private ContainerGroupPrincipal(int id, String name, GroupPrincipal baseFsPrincipal) { super(id, name, baseFsPrincipal); } + ContainerGroupPrincipal(int id, GroupPrincipal baseFsPrincipal) { super(id, baseFsPrincipal); } @Override public GroupPrincipal baseFsPrincipal() { return (GroupPrincipal) super.baseFsPrincipal(); } } + + private static int containerIdToHostId(int id, int idOffset) { + if (id < 0 || id > ID_RANGE) + throw new IllegalArgumentException("Invalid container id: " + id); + return idOffset + id; + } + + private static int hostIdToContainerId(int id, int idOffset) { + id = id - idOffset; + return id < 0 || id >= ID_RANGE ? OVERFLOW_ID : id; + } } |