Allow users to add host user accounts to /etc/passwd #12627
Conversation
openshift-ci
bot
added
the
approved
| #### **--hostuser**=*name* | ||
|
|
||
| Add host user account to /etc/passwd within container. Username or UID must | ||
| exists on the host system. |
There was a problem hiding this comment.
Please make it more clear that this does not set the user in the container to be the new UID or GID.
Does this work with rootless Podman, considering UID/GID mapping means the UID/GID won't actually match the one on the host? Probably need a warning about that.
Also should mention explicitly that UID is allowed.
There was a problem hiding this comment.
Should we change the UID to match the UID on the host? within the user namespace?
IE Adding dwalsh (UID=3267) would end up as UID=0 within the container.
|
Does |
|
./bin/podman run --hostuser dwalsh --user dwalsh alpine grep dwalsh /etc/passwd Does not work. I will take a look. |
rhatdan
force-pushed
the
passwd
branch
2 times, most recently
from
e0ec610 to
29b8beb
Compare
docs/source/markdown/podman-run.1.md
Outdated
| #### **--hostuser**=*name* | ||
|
|
||
| Add host user account to /etc/passwd within container. Username or UID must | ||
| exists on the host system. |
There was a problem hiding this comment.
If you take above, do the same here.
rhatdan
force-pushed
the
passwd
branch
3 times, most recently
from
d570235 to
123e6b8
Compare
|
@giuseppe WDYT, should the UIDs be modified based on the user namespace within the container? |
libpod/container_internal_linux.go
Outdated
| // Returns password entry (as a string that can be appended to /etc/passwd) and | ||
| // any error that occurred. | ||
| func (c *Container) generatePasswdEntry() (string, error) { | ||
| passwdString := "" | ||
|
|
||
| addedUID := 0 | ||
| for _, userid := range c.config.HostUsers { | ||
| // Assume UID look up first, if it fails lookup by username | ||
| u, err := user.LookupId(userid) |
There was a problem hiding this comment.
maybe make a function for this since done a few times. similar to https://github.com/containers/podman/blob/dbdf4761abb6d68169c8fdd24bd0c44d38c1c5f8/pkg/domain/infra/abi/images.go#L839-L844 once this merges you can use this
rhatdan
force-pushed
the
passwd
branch
2 times, most recently
from
e930052 to
a3b309b
Compare
|
I think we shouldn't do any conversion to the ids in the namespace. |
| @@ -711,6 +711,18 @@ EOF | |||
| run_podman rmi nomtab | |||
| } | |||
|
|
|||
| @test "podman run --hostuser tests" { | |||
| skip_if_not_rootless "test whether hostuser is successfully added" | |||
There was a problem hiding this comment.
Mainly because I am not sure how to figure out a user which is not in the container to add to the container. If you are running rootless, I can add the current user.
If running as root, I could add a user to the system and then use that, but I am not crazy about modifying a system when users run the tests.
@edsantiago Any ideas?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@containers/podman-maintainers PTAL |
| Add a user account to /etc/passwd from the host to the container. The Username | ||
| or UID must exists on the host system. |
There was a problem hiding this comment.
| Add a user account to /etc/passwd from the host to the container. The Username | |
| or UID must exists on the host system. | |
| Add a user account to /etc/passwd from the host to the container. The username | |
| or UID must exist on the host system. |
Same below.
Some containers require certain user account(s) to exist within the container when they are run. This option will allow callers to add a bunch of passwd entries from the host to the container even if the entries are not in the local /etc/passwd file on the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831 Signed-off-by: Daniel J Walsh <[email protected]>
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
Some containers require certain user account(s) to exist within the
container when they are run. This option will allow callers to add a
bunch of passwd entries from the host to the container even if the
entries are not in the local /etc/passwd file on the host.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
Signed-off-by: Daniel J Walsh [email protected]
What this PR does / why we need it:
How to verify it
Which issue(s) this PR fixes:
Special notes for your reviewer: