storage: fix drop-in config order and windows special case

common/docs/containers.conf.5.md

@@ -13,14 +13,14 @@ By default, the configuration is read from `$XDG_CONFIG_HOME/containers/containe
 
 In addition to containers.conf, drop-in files using the same format from the following directories are also read:
  - `$XDG_CONFIG_HOME/containers/containers.conf.d` (or from `$HOME/.config/containers/containers.conf.d` if `$XDG_CONFIG_HOME` is unset)
- - `/etc/containers/containers.conf.d`
  - `/etc/containers/containers.rootful.conf.d` (only when running as uid 0)
- - `/etc/containers/containers.rootless.conf.d` (only when running as uid > 0)
  - `/etc/containers/containers.rootless.conf.d/$UID` (only when running as uid > 0)
- - `/usr/share/containers/containers.conf.d`
+ - `/etc/containers/containers.rootless.conf.d` (only when running as uid > 0)
+ - `/etc/containers/containers.conf.d`
  - `/usr/share/containers/containers.rootful.conf.d` (only when running as uid 0)
- - `/usr/share/containers/containers.rootless.conf.d` (only when running as uid > 0)
  - `/usr/share/containers/containers.rootless.conf.d/$UID` (only when running as uid > 0)
+ - `/usr/share/containers/containers.rootless.conf.d` (only when running as uid > 0)
+ - `/usr/share/containers/containers.conf.d`
 
 The files must be using the `.conf` suffix, directories or files with other suffixes will be ignored.
 All files from these paths will be first collected and then sorted in alpha-numerical order.

image/docs/containers-certs.d.5.md

@@ -9,19 +9,20 @@ Directories are consulted in this order (highest priority first):
 
 - For both rootful and rootless:
   - `$XDG_CONFIG_HOME/containers/certs.d/` (or `$HOME/.config/containers/certs.d/` if `XDG_CONFIG_HOME` is unset)
-  - `/etc/containers/certs.d/`
 - For rootful (UID == 0):
   - `/etc/containers/certs.rootful.d/`
 - For rootless (UID > 0):
-  - `/etc/containers/certs.rootless.d/`
   - `/etc/containers/certs.rootless.d/<UID>/`
+  - `/etc/containers/certs.rootless.d/`
 - For both rootful and rootless:
-  - `/usr/share/containers/certs.d/`
+  - `/etc/containers/certs.d/`
 - For rootful (UID == 0):
   - `/usr/share/containers/certs.rootful.d/`
 - For rootless (UID > 0):
-  - `/usr/share/containers/certs.rootless.d/`
   - `/usr/share/containers/certs.rootless.d/<UID>/`
+  - `/usr/share/containers/certs.rootless.d/`
+- For both rootful and rootless:
+  - `/usr/share/containers/certs.d/`
 - Compatibility fallback:
   - `/etc/docker/certs.d/`
 

image/docs/containers-registries.conf.5.md

@@ -17,14 +17,15 @@ is set then the following drop-in directories will not be read.
 
 In addition to registries.conf, drop-in files using the same format from the following directories are also read:
  - `$XDG_CONFIG_HOME/containers/registries.conf.d` (or from `$HOME/.config/containers/registries.conf.d` if `$XDG_CONFIG_HOME` is unset)
- - `/etc/containers/registries.conf.d`
  - `/etc/containers/registries.rootful.conf.d` (only when running as uid 0)
- - `/etc/containers/registries.rootless.conf.d` (only when running as uid > 0)
  - `/etc/containers/registries.rootless.conf.d/$UID` (only when running as uid > 0)
- - `/usr/share/containers/registries.conf.d`
+ - `/etc/containers/registries.rootless.conf.d` (only when running as uid > 0)
+ - `/etc/containers/registries.conf.d`
  - `/usr/share/containers/registries.rootful.conf.d` (only when running as uid 0)
- - `/usr/share/containers/registries.rootless.conf.d` (only when running as uid > 0)
  - `/usr/share/containers/registries.rootless.conf.d/$UID` (only when running as uid > 0)
+ - `/usr/share/containers/registries.rootless.conf.d` (only when running as uid > 0)
+ - `/usr/share/containers/registries.conf.d`
+
 
 The files must be using the `.conf` suffix, directories or files with other suffixes will be ignored.
 All files from these paths will be first collected and then sorted in alpha-numerical order.

storage/pkg/configfile/parse.go

@@ -400,26 +400,32 @@ func readDropInsFromPaths(paths []string, suffix string) ([]string, error) {
 
 func getDropInPathsUnderMain(mainPath, suffix string, uid int) []string {
 	paths := make([]string, 0, 3)
-	paths = append(paths, mainPath+dropInSuffix)
 
-	rootless := uid > 0
-	var specialName string
-	if rootless {
-		specialName = "rootless"
-	} else {
-		specialName = "rootful"
-	}
-	// insert the name after the main config name but before the extension if it has one.
-	mainPath, cut := strings.CutSuffix(mainPath, suffix)
-	specialPath := mainPath + "." + specialName
-	if cut {
-		specialPath += suffix
-	}
-	specialPath += dropInSuffix
-	paths = append(paths, specialPath)
-	if rootless {
-		paths = append(paths, filepath.Join(specialPath, strconv.Itoa(uid)))
+	// Extra condition for windows where uid is always -1 per os.Getuid().
+	// In this case it makes no sense to give the rootful path, just ignore
+	// the special drop in locations.
+	if uid >= 0 {
+		rootless := uid > 0
+		var specialName string
+		if rootless {
+			specialName = "rootless"
+		} else {
+			specialName = "rootful"
+		}
+		// insert the name after the main config name but before the extension if it has one.
+		mainPath, cut := strings.CutSuffix(mainPath, suffix)
+		specialPath := mainPath + "." + specialName
+		if cut {
+			specialPath += suffix
+		}
+		specialPath += dropInSuffix
+		if rootless {
+			paths = append(paths, filepath.Join(specialPath, strconv.Itoa(uid)))
+		}
+		paths = append(paths, specialPath)
 	}
+
+	paths = append(paths, mainPath+dropInSuffix)
 	return paths
 }
 

storage/pkg/configfile/parse_test.go

@@ -27,63 +27,70 @@ func Test_getDropInPathsUnderMain(t *testing.T) {
 			mainPath: "/etc/containers/containers.conf",
 			suffix:   ".conf",
 			uid:      0,
-			want:     []string{"/etc/containers/containers.conf.d", "/etc/containers/containers.rootful.conf.d"},
+			want:     []string{"/etc/containers/containers.rootful.conf.d", "/etc/containers/containers.conf.d"},
 		},
 		{
 			name:     "basic rootless uid 500",
 			mainPath: "/etc/containers/containers.conf",
 			suffix:   ".conf",
 			uid:      500,
-			want:     []string{"/etc/containers/containers.conf.d", "/etc/containers/containers.rootless.conf.d", "/etc/containers/containers.rootless.conf.d/500"},
+			want:     []string{"/etc/containers/containers.rootless.conf.d/500", "/etc/containers/containers.rootless.conf.d", "/etc/containers/containers.conf.d"},
 		},
 		{
 			name:     "basic rootless uid 1234",
 			mainPath: "/etc/containers/containers.conf",
 			suffix:   ".conf",
 			uid:      1234,
-			want:     []string{"/etc/containers/containers.conf.d", "/etc/containers/containers.rootless.conf.d", "/etc/containers/containers.rootless.conf.d/1234"},
+			want:     []string{"/etc/containers/containers.rootless.conf.d/1234", "/etc/containers/containers.rootless.conf.d", "/etc/containers/containers.conf.d"},
 		},
 		{
 			name:     "path with extra dots",
 			mainPath: "/path.with.dots/containers.conf",
 			suffix:   ".conf",
 			uid:      0,
-			want:     []string{"/path.with.dots/containers.conf.d", "/path.with.dots/containers.rootful.conf.d"},
+			want:     []string{"/path.with.dots/containers.rootful.conf.d", "/path.with.dots/containers.conf.d"},
 		},
 		{
 			name:     "/usr rootful",
 			mainPath: "/usr/share/containers/containers.conf",
 			suffix:   ".conf",
 			uid:      0,
-			want:     []string{"/usr/share/containers/containers.conf.d", "/usr/share/containers/containers.rootful.conf.d"},
+			want:     []string{"/usr/share/containers/containers.rootful.conf.d", "/usr/share/containers/containers.conf.d"},
 		},
 		{
 			name:     "storage.conf",
 			mainPath: "/usr/share/containers/storage.conf",
 			suffix:   ".conf",
 			uid:      0,
-			want:     []string{"/usr/share/containers/storage.conf.d", "/usr/share/containers/storage.rootful.conf.d"},
+			want:     []string{"/usr/share/containers/storage.rootful.conf.d", "/usr/share/containers/storage.conf.d"},
 		},
 		{
 			name:     "storage.conf",
 			mainPath: "/usr/share/containers/storage.conf",
 			suffix:   ".conf",
 			uid:      0,
-			want:     []string{"/usr/share/containers/storage.conf.d", "/usr/share/containers/storage.rootful.conf.d"},
+			want:     []string{"/usr/share/containers/storage.rootful.conf.d", "/usr/share/containers/storage.conf.d"},
 		},
 		{
 			name:     "registries.d",
 			mainPath: "/usr/share/containers/registries",
 			suffix:   ".yaml",
 			uid:      0,
-			want:     []string{"/usr/share/containers/registries.d", "/usr/share/containers/registries.rootful.d"},
+			want:     []string{"/usr/share/containers/registries.rootful.d", "/usr/share/containers/registries.d"},
 		},
 		{
 			name:     "registries.d rootless",
 			mainPath: "/usr/share/containers/registries",
 			suffix:   ".yaml",
 			uid:      99,
-			want:     []string{"/usr/share/containers/registries.d", "/usr/share/containers/registries.rootless.d", "/usr/share/containers/registries.rootless.d/99"},
+			want:     []string{"/usr/share/containers/registries.rootless.d/99", "/usr/share/containers/registries.rootless.d", "/usr/share/containers/registries.d"},
+		},
+		{
+			name:     "uid -1 (like on windows)",
+			mainPath: "/etc/containers/containers.conf",
+			suffix:   ".conf",
+			uid:      -1,
+			want:     []string{"/etc/containers/containers.conf.d"},
 		},
 	}
 	t.Parallel()
@@ -774,6 +781,88 @@ func Test_Read(t *testing.T) {
 			},
 			want: []string{"explicit path", "explicit dir"},
 		},
+		{
+			name: "windows with user id -1",
+			arg: File{
+				Name:      "containers",
+				Extension: "conf",
+				UserId:    -1,
+			},
+			files: testfiles{
+				usr: map[string]string{
+					"containers.conf.d/true-1.conf":        "true-1",
+					"containers.rootless.conf.d/-1/a.conf": "a",
+					"containers.rootless.conf.d/b.conf":    "b",
+					"containers.rootful.conf.d/x.conf":     "x",
+				},
+				etc: map[string]string{
+					"containers.conf.d/true-2.conf":        "true-2",
+					"containers.rootless.conf.d/-1/c.conf": "c",
+					"containers.rootless.conf.d/d.conf":    "d",
+					"containers.rootful.conf.d/z.conf":     "z",
+				},
+			},
+			// Special drops in must be ignored for uid < 0,
+			// it only reads the main .conf.d locations.
+			want: []string{"true-1", "true-2"},
+		},
+		{
+			name: "rootless drop-in order",
+			arg: File{
+				Name:      "containers",
+				Extension: "conf",
+				UserId:    10,
+			},
+			files: testfiles{
+				usr: map[string]string{
+					"containers.conf.d/b.conf":             "b1",
+					"containers.rootless.conf.d/b.conf":    "b2",
+					"containers.rootless.conf.d/10/b.conf": "b3",
+				},
+				etc: map[string]string{
+					"containers.conf.d/a.conf":             "a1",
+					"containers.rootless.conf.d/a.conf":    "a2",
+					"containers.rootless.conf.d/10/a.conf": "a3",
+				},
+			},
+			want: []string{"a3", "b3"},
+		},
+		{
+			name: "rootful drop-in order",
+			arg: File{
+				Name:      "containers",
+				Extension: "conf",
+				UserId:    0,
+			},
+			files: testfiles{
+				usr: map[string]string{
+					"containers.conf.d/b.conf":         "b1",
+					"containers.rootful.conf.d/b.conf": "b2",
+				},
+				etc: map[string]string{
+					"containers.conf.d/a.conf":         "a1",
+					"containers.rootful.conf.d/a.conf": "a2",
+				},
+			},
+			want: []string{"a2", "b2"},
+		},
+		{
+			name: "drop-in order etc overwrites specific usr path",
+			arg: File{
+				Name:      "containers",
+				Extension: "conf",
+				UserId:    10,
+			},
+			files: testfiles{
+				usr: map[string]string{
+					"containers.rootless.conf.d/10/a.conf": "usr",
+				},
+				etc: map[string]string{
+					"containers.conf.d/a.conf": "etc",
+				},
+			},
+			want: []string{"etc"},
+		},
 	}
 
 	for _, tt := range tests {
@@ -979,10 +1068,10 @@ func TestGetSearchPaths(t *testing.T) {
 				},
 				DropInDirectories: []string{
 					"/home/containers/containers.conf.d",
-					adminOverrideConfigPath + "/containers.conf.d",
 					adminOverrideConfigPath + "/containers.rootful.conf.d",
-					systemConfigPath + "/containers.conf.d",
+					adminOverrideConfigPath + "/containers.conf.d",
 					systemConfigPath + "/containers.rootful.conf.d",
+					systemConfigPath + "/containers.conf.d",
 				},
 			},
 		},