Skip to content
This repository has been archived by the owner on Mar 9, 2022. It is now read-only.

Commit

Permalink
Add RunAsGroup support.
Browse files Browse the repository at this point in the history
Signed-off-by: Lantao Liu <[email protected]>
  • Loading branch information
Random-Liu committed Mar 30, 2018
1 parent f99f0be commit b50b5ca
Show file tree
Hide file tree
Showing 3 changed files with 141 additions and 38 deletions.
39 changes: 35 additions & 4 deletions pkg/server/container_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package server
import (
"os"
"path/filepath"
"strconv"
"strings"
"time"

Expand Down Expand Up @@ -219,11 +220,16 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
// Set container username. This could only be done by containerd, because it needs
// access to the container rootfs. Pass user name to containerd, and let it overwrite
// the spec for us.
if uid := securityContext.GetRunAsUser(); uid != nil {
specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
userstr, err := generateUserString(
securityContext.GetRunAsUsername(),
securityContext.GetRunAsUser(),
securityContext.GetRunAsGroup(),
)
if err != nil {
return nil, errors.Wrap(err, "failed to generate user string")
}
if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, oci.WithUsername(username))
if userstr != "" {
specOpts = append(specOpts, oci.WithUser(userstr))
}

apparmorSpecOpts, err := generateApparmorSpecOpts(
Expand Down Expand Up @@ -884,3 +890,28 @@ func ensureSharedOrSlave(path string, lookupMount func(string) (mount.Info, erro
}
return errors.Errorf("path %q is mounted on %q but it is not a shared or slave mount", path, mountInfo.Mountpoint)
}

// generateUserString generates valid user string based on OCI Image Spec v1.0.0.
// TODO(random-liu): Add group name support in CRI.
func generateUserString(username string, uid, gid *runtime.Int64Value) (string, error) {
var userstr, groupstr string
if uid != nil {
userstr = strconv.FormatInt(uid.GetValue(), 10)
}
if username != "" {
userstr = username
}
if gid != nil {
groupstr = strconv.FormatInt(gid.GetValue(), 10)
}
if userstr == "" {
if groupstr != "" {
return "", errors.Errorf("user group %q is specified without user", groupstr)
}
return "", nil
}
if groupstr != "" {
userstr = userstr + ":" + groupstr
}
return userstr, nil
}
12 changes: 10 additions & 2 deletions pkg/server/sandbox_run.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,8 +145,16 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
logrus.Debugf("Sandbox container spec: %+v", spec)

var specOpts []oci.SpecOpts
if uid := securityContext.GetRunAsUser(); uid != nil {
specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
userstr, err := generateUserString(
"",
securityContext.GetRunAsUser(),
securityContext.GetRunAsGroup(),
)
if err != nil {
return nil, errors.Wrap(err, "failed to generate user string")
}
if userstr != "" {
specOpts = append(specOpts, oci.WithUser(userstr))
}

seccompSpecOpts, err := generateSeccompSpecOpts(
Expand Down
128 changes: 96 additions & 32 deletions vendor/github.com/containerd/containerd/oci/spec_opts_unix.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit b50b5ca

Please sign in to comment.