Add RunAsGroup support.

pkg/server/container_create.go

@@ -19,6 +19,7 @@ package server
 import (
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -219,11 +220,16 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 	// Set container username. This could only be done by containerd, because it needs
 	// access to the container rootfs. Pass user name to containerd, and let it overwrite
 	// the spec for us.
-	if uid := securityContext.GetRunAsUser(); uid != nil {
-		specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
+	userstr, err := generateUserString(
+		securityContext.GetRunAsUsername(),
+		securityContext.GetRunAsUser(),
+		securityContext.GetRunAsGroup(),
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to generate user string")
 	}
-	if username := securityContext.GetRunAsUsername(); username != "" {
-		specOpts = append(specOpts, oci.WithUsername(username))
+	if userstr != "" {
+		specOpts = append(specOpts, oci.WithUser(userstr))
 	}
 
 	apparmorSpecOpts, err := generateApparmorSpecOpts(
@@ -884,3 +890,28 @@ func ensureSharedOrSlave(path string, lookupMount func(string) (mount.Info, erro
 	}
 	return errors.Errorf("path %q is mounted on %q but it is not a shared or slave mount", path, mountInfo.Mountpoint)
 }
+
+// generateUserString generates valid user string based on OCI Image Spec v1.0.0.
+// TODO(random-liu): Add group name support in CRI.
+func generateUserString(username string, uid, gid *runtime.Int64Value) (string, error) {
+	var userstr, groupstr string
+	if uid != nil {
+		userstr = strconv.FormatInt(uid.GetValue(), 10)
+	}
+	if username != "" {
+		userstr = username
+	}
+	if gid != nil {
+		groupstr = strconv.FormatInt(gid.GetValue(), 10)
+	}
+	if userstr == "" {
+		if groupstr != "" {
+			return "", errors.Errorf("user group %q is specified without user", groupstr)
+		}
+		return "", nil
+	}
+	if groupstr != "" {
+		userstr = userstr + ":" + groupstr
+	}
+	return userstr, nil
+}

pkg/server/sandbox_run.go

@@ -145,8 +145,16 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	logrus.Debugf("Sandbox container spec: %+v", spec)
 
 	var specOpts []oci.SpecOpts
-	if uid := securityContext.GetRunAsUser(); uid != nil {
-		specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
+	userstr, err := generateUserString(
+		"",
+		securityContext.GetRunAsUser(),
+		securityContext.GetRunAsGroup(),
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to generate user string")
+	}
+	if userstr != "" {
+		specOpts = append(specOpts, oci.WithUser(userstr))
 	}
 
 	seccompSpecOpts, err := generateSeccompSpecOpts(

vendor.conf

@@ -4,7 +4,7 @@ github.com/boltdb/bolt e9cf4fae01b5a8ff89d0ec6b32f0d9c9f79aefdd
 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/containerd/cgroups fe281dd265766145e943a034aa41086474ea6130
 github.com/containerd/console cb7008ab3d8359b78c5f464cb7cf160107ad5925
-github.com/containerd/containerd v1.1.0-rc.0
+github.com/containerd/containerd c0f7fcd910a02cd388c089525d7ea17f9f229a43
 github.com/containerd/continuity 3e8f2ea4b190484acb976a5b378d373429639a1a
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
 github.com/containerd/go-runc bcb223a061a3dd7de1a89c0b402a60f4dd9bd307