This repository has been archived by the owner on Aug 14, 2020. It is now read-only.
How exactly do you reconcile this with #340?

You can have supplemental GIDs without doing an nsswitch lookup.

On Tue, May 5, 2015 at 10:21 AM, Jonathan Boulle [email protected]

+1, supplemental GIDs are available as a systemd exec unit, but it would be great if I can put them in the appc manifest: http://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups=
Allow users to specify supplementary group IDs (GIDs) in the app section of an ImageManifest. These indicate additional GIDs that the processes of the app should run with.
solid

vbatts added a commit that referenced this pull request on Sep 11, 2015:
spec: support supplementary GIDs
jonboulle added a commit to jonboulle/rkt that referenced this pull request on Sep 24, 2015:
Fixes rkt#1309.

Per appc/spec#339, one of the nice things about supplementary gids is that they can be applied without requiring any nsswitch lookup. I thought it would be easy to achieve this using systemd.exec's SupplementaryGroups setting: http://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups=

Unfortunately, this somewhat unexpectedly tries to resolve the groups given even if they are numeric gids (which isn't guaranteed to succeed), instead of just calling setgroups() (which is) as I'd hoped: https://github.com/systemd/systemd/blob/56c581598389739ba2a97baf896ea9277c278a1d/src/core/execute.c#L675

It looks like systemd is trying to be clever and reverse-lookup gid->groupname, which is annoying: https://github.com/systemd/systemd/blob/d11885c81419cac217ae132c1ef80733707ba650/src/basic/util.c#L3383

Throwing this up for feedback/ideas.
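The following is an added example, not code from appc/spec or rkt, illustrating both the PR description (a numeric supplementary GID list in the app section of an ImageManifest) and the point made in the commit message above: numeric GIDs can be handed straight to setgroups(2) with no nsswitch lookup, so a GID that has no /etc/group entry is still applied. The JSON field name `supplementaryGIDs`, the `appSection` struct and the helper names are assumptions made here for illustration; the manifest fragment is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"syscall"
)

// Minimal slice of an ImageManifest "app" section. The field name
// "supplementaryGIDs" is an assumption for this example; only the fact that
// the list is numeric matters to the logic below.
type appSection struct {
	User              string `json:"user,omitempty"`
	Group             string `json:"group,omitempty"`
	SupplementaryGIDs []int  `json:"supplementaryGIDs,omitempty"`
}

type imageManifest struct {
	App appSection `json:"app"`
}

// parseSupplementaryGIDs extracts the GID list from a manifest and validates
// it purely numerically: every entry must fit a Linux gid_t (the value -1 is
// the kernel's "no group" sentinel and is rejected) and duplicates are refused.
// No group name is ever resolved, so the result can go straight to setgroups(2).
func parseSupplementaryGIDs(manifestJSON []byte) ([]int, error) {
	var m imageManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	seen := make(map[int]bool, len(m.App.SupplementaryGIDs))
	out := make([]int, 0, len(m.App.SupplementaryGIDs))
	for _, gid := range m.App.SupplementaryGIDs {
		if gid < 0 || uint64(gid) > 0xFFFFFFFE {
			return nil, fmt.Errorf("supplementary gid %d out of range", gid)
		}
		if seen[gid] {
			return nil, fmt.Errorf("supplementary gid %d listed twice", gid)
		}
		seen[gid] = true
		out = append(out, gid)
	}
	return out, nil
}

// applySupplementaryGIDs installs the list with setgroups(2). Unlike
// systemd's SupplementaryGroups= as described in the commit message, nothing
// here consults nsswitch: the kernel accepts any gid whether or not a group
// database entry exists. CAP_SETGID is required, so an unprivileged caller
// gets an error instead of a silent no-op.
func applySupplementaryGIDs(gids []int) error {
	if err := syscall.Setgroups(gids); err != nil {
		return fmt.Errorf("setgroups(%v): %w", gids, err)
	}
	return nil
}

func main() {
	// Constructed manifest fragment; 4000 is deliberately a gid that most
	// hosts have no /etc/group entry for.
	manifest := []byte(`{"app":{"user":"1000","group":"1000","supplementaryGIDs":[1000,65534,4000]}}`)

	gids, err := parseSupplementaryGIDs(manifest)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid manifest:", err)
		os.Exit(1)
	}
	fmt.Println("supplementary gids from manifest:", gids)

	if err := applySupplementaryGIDs(gids); err != nil {
		fmt.Fprintln(os.Stderr, "not applied (needs CAP_SETGID):", err)
		return
	}
	cur, _ := os.Getgroups()
	fmt.Println("process supplementary groups now:", cur)
}
```

Run it as root (or with CAP_SETGID) to see the unresolved gid 4000 land in the process's group list; as an ordinary user the parse step still succeeds and only the setgroups call reports EPERM, which is the failure you want to surface rather than hide.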
Image manifest allows me to spec what GID to run as, but does not allow me to add supplemental groups. This is important for many reasons, not the least of which is disk quota management.