
run: add container gid to additional groups
When a container is created with a specific uid and gid, also add the container
gid to the supplementary/additional groups.

Signed-off-by: Aditya R <[email protected]>
flouthoc authored and nalind committed Sep 19, 2022
1 parent 6796205 commit 0a49c9c
Showing 4 changed files with 34 additions and 0 deletions.
1 change: 1 addition & 0 deletions run_linux.go
Expand Up @@ -1981,6 +1981,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
}
g.SetProcessUID(user.UID)
g.SetProcessGID(user.GID)
g.AddProcessAdditionalGid(user.GID)
for _, gid := range user.AdditionalGids {
g.AddProcessAdditionalGid(gid)
}
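Review bot: The new `g.AddProcessAdditionalGid(user.GID)` call carries no explanation of why the primary gid is also placed in the supplementary list, and a reader comparing it with the loop directly below will wonder whether the two can overlap; a one-line why-comment would settle that, e.g. `// Also list the primary gid among the supplementary groups, so membership checks that consult only the group list still see it.` As far as I recall the runtime-tools generator's AddProcessAdditionalGid skips a gid that is already present, so a gid that also appears in user.AdditionalGids is not listed twice, but that is worth confirming rather than relying on silently. From a privilege standpoint this only restates a group the process already holds as its primary gid, so it does not widen access beyond what the resolved uid:gid already grants, which is worth saying in the comment as well. configureUIDGID begins before this hunk and continues after it.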
16 changes: 16 additions & 0 deletions tests/bud.bats
Expand Up @@ -130,6 +130,22 @@ symlink(subdir)"
check_options_flag_err "--userns=cnt1"
}

@test "build test has gid in supplemental groups" {
_prefetch alpine
run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
# gid 1000 must be in supplemental groups
expect_output --substring "Groups: 1000"
}

@test "build test if supplemental groups has gid with --isolation chroot" {
test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"

_prefetch alpine
run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
# gid 1000 must be in supplemental groups
expect_output --substring "Groups: 1000"
}

@test "bud with --layers and --no-cache flags" {
_prefetch alpine
cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
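Review bot: The assertion `expect_output --substring "Groups: 1000"` used by both new tests is not delimited on the right, so a line such as `Groups: 10001` would also satisfy it, and it differs from the `"Groups: 1000 "` form that the new test in tests/run.bats in this same commit uses. As far as I know the whitespace on the `Groups:` line of /proc/PID/status (the separator after the colon and whether a trailing space follows the last gid) has varied between kernel versions, so the chosen form should be one the CI kernels are known to emit and should be the same in tests/bud.bats and tests/run.bats. A comment on the assertion such as `# match the full gid so 1000 is not satisfied by e.g. 10001` would record the intent for whoever next adjusts it.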
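--- a/tests/bud/supplemental-groups/Dockerfile
+++ b/tests/bud/supplemental-groups/Dockerfile
@@ -0,0 +1,3 @@
+FROM alpine
+USER 1000:1000
+RUN cat /proc/$$/status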
14 changes: 14 additions & 0 deletions tests/run.bats
Expand Up @@ -274,6 +274,20 @@ function configure_and_check_user() {
expect_output "888:888"
}

@test "run --user and verify gid in supplemental groups" {
skip_if_no_runtime

# Create the container.
_prefetch alpine
run_buildah from $WITH_POLICY_JSON alpine
ctr="$output"

# Run with uid:gid 1000:1000 and verify if gid is present in additional groups
run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
# gid 1000 must be in additional/supplemental groups
expect_output --substring "Groups: 1000 "
}

@test "run --mount" {
skip_if_no_runtime

