When running under podman use keep-groups to maintain the groups of t…
…he user

Some of the user's permissions depend on their extra groups.
Not maintaining the entire group list can prevent some operations.

Signed-off-by: Ygal Blum <[email protected]>
ygalblum authored and eranco74 committed May 11, 2023
1 parent 493d52c commit 46c1562
Showing 2 changed files with 8 additions and 0 deletions.
3 changes: 3 additions & 0 deletions skipper/runner.py
Expand Up @@ -91,6 +91,9 @@ def _run_nested(fqdn_image, environment, command, interactive, name, net, publis
except KeyError:
pass

if utils.get_runtime_command() == "podman":
cmd += ['--group-add', 'keep-groups']

if use_cache:
cmd += ['-e', 'SKIPPER_USE_CACHE_IMAGE=True']

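Review bot: The new `if utils.get_runtime_command() == "podman":` branch adds `--group-add keep-groups` to every nested podman run with no opt-out, so the container process keeps all of the invoking user's host supplementary groups. Anything reachable through the bind mounts this command sets up is then accessible with those group rights, which widens what a build container can touch compared with the previous behaviour. At minimum the branch deserves a comment such as `# keep-groups: container keeps the caller's host supplementary groups; crun only, exclusive with other --group-add values`. Podman documents the flag as supported only by the crun OCI runtime and as incompatible with any other `--group-add` value, so if another group is appended elsewhere in `_run_nested` (its body continues outside the hunk) or a different runtime is configured, the run would presumably fail; that is worth confirming. A configuration switch to disable the flag would let users who do not need group-gated access keep the narrower default.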
5 changes: 5 additions & 0 deletions tests/test_runner_podman.py
Expand Up @@ -82,6 +82,7 @@ def test_run_simple_command_nested_network_exist(self, resource_filename_mock, c
'-e', 'SKIPPER_UID=%(user_uid)s' % dict(user_uid=USER_ID),
'-e', 'HOME=%(homedir)s' % dict(homedir=HOME_DIR),
'-e', 'CONTAINER_RUNTIME_COMMAND=%(runtime_command)s' % dict(runtime_command=utils.get_runtime_command()),
'--group-add', 'keep-groups',
'-v', get_volume_mapping('%(homedir)s/.netrc:%(homedir)s/.netrc:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.gitconfig:%(homedir)s/.gitconfig:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.docker/config.json:%(homedir)s/.docker/config.json:ro' % dict(homedir=HOME_DIR)),
Expand Down Expand Up @@ -123,6 +124,7 @@ def test_run_simple_command_nested_network_not_exist(self, resource_filename_moc
'-e', 'SKIPPER_UID=%(user_uid)s' % dict(user_uid=USER_ID),
'-e', 'HOME=%(homedir)s' % dict(homedir=HOME_DIR),
'-e', 'CONTAINER_RUNTIME_COMMAND=%(runtime_command)s' % dict(runtime_command=utils.get_runtime_command()),
'--group-add', 'keep-groups',
'-v', get_volume_mapping('%(homedir)s/.netrc:%(homedir)s/.netrc:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.gitconfig:%(homedir)s/.gitconfig:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.docker/config.json:%(homedir)s/.docker/config.json:ro' % dict(homedir=HOME_DIR)),
Expand Down Expand Up @@ -164,6 +166,7 @@ def test_run_complex_command_nested(self, resource_filename_mock, check_output_m
'-e', 'SKIPPER_UID=%(user_uid)s' % dict(user_uid=USER_ID),
'-e', 'HOME=%(homedir)s' % dict(homedir=HOME_DIR),
'-e', 'CONTAINER_RUNTIME_COMMAND=%(runtime_command)s' % dict(runtime_command=utils.get_runtime_command()),
'--group-add', 'keep-groups',
'-v', get_volume_mapping('%(homedir)s/.netrc:%(homedir)s/.netrc:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.gitconfig:%(homedir)s/.gitconfig:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.docker/config.json:%(homedir)s/.docker/config.json:ro' % dict(homedir=HOME_DIR)),
Expand Down Expand Up @@ -209,6 +212,7 @@ def test_run_non_existent_unauthorized_volume(self, resource_filename_mock,
'-e', 'SKIPPER_UID=%(user_uid)s' % dict(user_uid=USER_ID),
'-e', 'HOME=%(homedir)s' % dict(homedir=HOME_DIR),
'-e', 'CONTAINER_RUNTIME_COMMAND=%(runtime_command)s' % dict(runtime_command=utils.get_runtime_command()),
'--group-add', 'keep-groups',
'-v', get_volume_mapping('%(homedir)s/.netrc:%(homedir)s/.netrc:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.gitconfig:%(homedir)s/.gitconfig:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.docker/config.json:%(homedir)s/.docker/config.json:ro' % dict(homedir=HOME_DIR)),
Expand Down Expand Up @@ -252,6 +256,7 @@ def test_run_complex_command_nested_with_env(self, resource_filename_mock, check
'-e', 'SKIPPER_UID=%(user_uid)s' % dict(user_uid=USER_ID),
'-e', 'HOME=%(homedir)s' % dict(homedir=HOME_DIR),
'-e', 'CONTAINER_RUNTIME_COMMAND=%(runtime_command)s' % dict(runtime_command=utils.get_runtime_command()),
'--group-add', 'keep-groups',
'-v', get_volume_mapping('%(homedir)s/.netrc:%(homedir)s/.netrc:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.gitconfig:%(homedir)s/.gitconfig:ro' % dict(homedir=HOME_DIR)),
'-v', get_volume_mapping('%(homedir)s/.docker/config.json:%(homedir)s/.docker/config.json:ro' % dict(homedir=HOME_DIR)),
