Merge pull request #2428 from tonistiigi/default-user-groups
executor: make sure supplementary groups are set for unset usermaster
Tõnis Tiigi
GitHub
commit
539be17089
|
|
@ -1741,13 +1741,21 @@ func testUser(t *testing.T, sb integration.Sandbox) {
|
|||
st := llb.Image("busybox:latest").Run(llb.Shlex(`sh -c "mkdir -m 0777 /wd"`))
|
||||
|
||||
run := func(user, cmd string) {
|
||||
st = st.Run(llb.Shlex(cmd), llb.Dir("/wd"), llb.User(user))
|
||||
if user != "" {
|
||||
st = st.Run(llb.Shlex(cmd), llb.Dir("/wd"), llb.User(user))
|
||||
} else {
|
||||
st = st.Run(llb.Shlex(cmd), llb.Dir("/wd"))
|
||||
}
|
||||
}
|
||||
|
||||
run("daemon", `sh -c "id -nu > user"`)
|
||||
run("daemon:daemon", `sh -c "id -ng > group"`)
|
||||
run("daemon:nobody", `sh -c "id -ng > nobody"`)
|
||||
run("1:1", `sh -c "id -g > userone"`)
|
||||
run("root", `sh -c "id -Gn > root_supplementary"`)
|
||||
run("", `sh -c "id -Gn > default_supplementary"`)
|
||||
run("", `rm /etc/passwd /etc/group`) // test that default user still works
|
||||
run("", `sh -c "id -u > default_uid"`)
|
||||
|
||||
st = st.Run(llb.Shlex("cp -a /wd/. /out/"))
|
||||
out := st.AddMount("/out", llb.Scratch())
|
||||
|
|
@ -1771,19 +1779,32 @@ func testUser(t *testing.T, sb integration.Sandbox) {
|
|||
|
||||
dt, err := ioutil.ReadFile(filepath.Join(destDir, "user"))
|
||||
require.NoError(t, err)
|
||||
require.Contains(t, string(dt), "daemon")
|
||||
require.Equal(t, "daemon", strings.TrimSpace(string(dt)))
|
||||
|
||||
dt, err = ioutil.ReadFile(filepath.Join(destDir, "group"))
|
||||
require.NoError(t, err)
|
||||
require.Contains(t, string(dt), "daemon")
|
||||
require.Equal(t, "daemon", strings.TrimSpace(string(dt)))
|
||||
|
||||
dt, err = ioutil.ReadFile(filepath.Join(destDir, "nobody"))
|
||||
require.NoError(t, err)
|
||||
require.Contains(t, string(dt), "nobody")
|
||||
require.Equal(t, "nobody", strings.TrimSpace(string(dt)))
|
||||
|
||||
dt, err = ioutil.ReadFile(filepath.Join(destDir, "userone"))
|
||||
require.NoError(t, err)
|
||||
require.Contains(t, string(dt), "1")
|
||||
require.Equal(t, "1", strings.TrimSpace(string(dt)))
|
||||
|
||||
dt, err = ioutil.ReadFile(filepath.Join(destDir, "root_supplementary"))
|
||||
require.NoError(t, err)
|
||||
require.True(t, strings.HasPrefix(string(dt), "root "))
|
||||
require.True(t, strings.Contains(string(dt), "wheel"))
|
||||
|
||||
dt2, err := ioutil.ReadFile(filepath.Join(destDir, "default_supplementary"))
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, string(dt), string(dt2))
|
||||
|
||||
dt, err = ioutil.ReadFile(filepath.Join(destDir, "default_uid"))
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, "0", strings.TrimSpace(string(dt)))
|
||||
|
||||
checkAllReleasable(t, c, sb, true)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -118,27 +118,23 @@ func (w *containerdExecutor) Run(ctx context.Context, id string, root executor.M
|
|||
defer lm.Unmount()
|
||||
defer executor.MountStubsCleaner(rootfsPath, mounts)()
|
||||
|
||||
var sgids []uint32
|
||||
uid, gid, err := oci.ParseUIDGID(meta.User)
|
||||
uid, gid, sgids, err := oci.GetUser(rootfsPath, meta.User)
|
||||
if err != nil {
|
||||
uid, gid, sgids, err = oci.GetUser(rootfsPath, meta.User)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
identity := idtools.Identity{
|
||||
UID: int(uid),
|
||||
GID: int(gid),
|
||||
}
|
||||
identity := idtools.Identity{
|
||||
UID: int(uid),
|
||||
GID: int(gid),
|
||||
}
|
||||
|
||||
newp, err := fs.RootPath(rootfsPath, meta.Cwd)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "working dir %s points to invalid target", newp)
|
||||
}
|
||||
if _, err := os.Stat(newp); err != nil {
|
||||
if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {
|
||||
return errors.Wrapf(err, "failed to create working directory %s", newp)
|
||||
}
|
||||
newp, err := fs.RootPath(rootfsPath, meta.Cwd)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "working dir %s points to invalid target", newp)
|
||||
}
|
||||
if _, err := os.Stat(newp); err != nil {
|
||||
if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {
|
||||
return errors.Wrapf(err, "failed to create working directory %s", newp)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -15,6 +15,12 @@ import (
|
|||
)
|
||||
|
||||
func GetUser(root, username string) (uint32, uint32, []uint32, error) {
|
||||
var isDefault bool
|
||||
if username == "" {
|
||||
username = "0"
|
||||
isDefault = true
|
||||
}
|
||||
|
||||
// fast path from uid/gid
|
||||
if uid, gid, err := ParseUIDGID(username); err == nil {
|
||||
return uid, gid, nil, nil
|
||||
|
|
@ -31,6 +37,9 @@ func GetUser(root, username string) (uint32, uint32, []uint32, error) {
|
|||
|
||||
execUser, err := user.GetExecUser(username, nil, passwdFile, groupFile)
|
||||
if err != nil {
|
||||
if isDefault {
|
||||
return 0, 0, nil, nil
|
||||
}
|
||||
return 0, 0, nil, err
|
||||
}
|
||||
var sgids []uint32
|
||||
|
|
|
|||
Loading…
Reference in New Issue