Validate that we're in rootful podman
As this is a footgun that multiple people have run into. Signed-off-by: Colin Walters <walters@verbum.org>
This commit is contained in:
Colin Walters
Simon de Vlieger
parent
402c3955b9
commit
214fcda30e
2 changed files with 59 additions and 1 deletions
|
|
@ -7,7 +7,9 @@ import (
|
|||
"os/exec"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/osbuild/bootc-image-builder/bib/internal/podmanutil"
|
||||
"github.com/osbuild/bootc-image-builder/bib/internal/utils"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// EnsureEnvironment mutates external filesystem state as necessary
|
||||
|
|
@ -74,5 +76,23 @@ func EnsureEnvironment() error {
|
|||
// Validate checks that the environment is supported (e.g. caller set up the
|
||||
// container correctly)
|
||||
func Validate() error {
|
||||
isRootless, err := podmanutil.IsRootless()
|
||||
if err != nil {
|
||||
return fmt.Errorf("checking rootless: %w", err)
|
||||
}
|
||||
if isRootless {
|
||||
return fmt.Errorf("this command must be run in rootful (not rootless) podman")
|
||||
}
|
||||
|
||||
// Having /sys be writable is an easy to check proxy for privileges; more effective
|
||||
// is really looking for CAP_SYS_ADMIN, but that involves more Go libraries.
|
||||
var stvfsbuf unix.Statfs_t
|
||||
if err := unix.Statfs("/sys", &stvfsbuf); err != nil {
|
||||
return fmt.Errorf("failed to stat /sys: %w", err)
|
||||
}
|
||||
if (stvfsbuf.Flags & unix.ST_RDONLY) > 0 {
|
||||
return fmt.Errorf("this command requires a privileged container")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue