Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Podman run --passwd #12664

Merged
merged 1 commit into from
Dec 22, 2021
Merged

Podman run --passwd #12664

merged 1 commit into from
Dec 22, 2021

Conversation

cdoern
Copy link
Contributor

@cdoern cdoern commented Dec 20, 2021
edited
Loading

added support for a new flag --passwd which, when false, prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint

resolves #11805

Signed-off-by: cdoern [email protected]

vrothberg
vrothberg reviewed Dec 20, 2021
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the nit, LGTM

cmd/podman/containers/run.go Outdated Show resolved Hide resolved
@cdoern cdoern force-pushed the noManagePasswd branch 3 times, most recently from a147298 to 99d8639 Compare December 20, 2021 17:56
@cdoern
Copy link
Contributor Author

cdoern commented Dec 20, 2021

@containers/podman-maintainers PTAL

@rhatdan
Copy link
Member

rhatdan commented Dec 21, 2021

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 21, 2021
@cdoern cdoern changed the title Podman run --no-manage-passwd Podman run --passwd Dec 21, 2021
rhatdan
rhatdan reviewed Dec 21, 2021
View reviewed changes
libpod/container_config.go Outdated
@@ -163,6 +163,8 @@ type ContainerRootFSConfig struct {
// Volatile specifies whether the container storage can be optimized
// at the cost of not syncing all the dirty files in memory.
Volatile bool `json:"volatile,omitempty"`
// ManagePasswd allows to user to override podman's passwd/group file setup
ManagePasswd bool `json:"manage_password,omitempty"`
Copy link
Member

@rhatdan rhatdan Dec 21, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why ManagePasswd as opposed to Passwd?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought it was more descriptive than just passwrd especially in the config, I can change it back if you disagree.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean for podman inspect?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, just realized I did not add a way to see this in inspect, I will add that now

@TomSweeneyRedHat
Copy link
Member

Tests are very red. A couple of small man page nits.

@rhatdan
Copy link
Member

rhatdan commented Dec 21, 2021

I think it would be better all throughout to just call it passwd. I think the manage_passwd, ManagePasswd ... just confuses the PR.

@cdoern
Podman run --passwd
20ce6e5 
added support for a new flag --passwd which, when false prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint

resolves containers#11805

Signed-off-by: cdoern <[email protected]>
@rhatdan
Copy link
Member

rhatdan commented Dec 22, 2021

/approve
/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 22, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 22, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 22, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Dec 22, 2021

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 22, 2021
@openshift-merge-robot openshift-merge-robot merged commit 85f21fb into containers:main Dec 22, 2021
mheon
mheon reviewed Dec 22, 2021
View reviewed changes
libpod/container_internal_linux.go
// If it already exists, delete so we can recreate
delete(c.state.BindMounts, "/etc/group")
c.state.BindMounts["/etc/group"] = newGroup
if c.config.Passwd != nil && *c.config.Passwd {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: this is going to break existing containers - if it is nil we have to run this code.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll open a PR to fix

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, sorry I missed that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#12685 to fix

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@vrothberg vrothberg vrothberg left review comments

@mheon mheon mheon left review comments

@rhatdan rhatdan rhatdan left review comments

Assignees

@rhatdan rhatdan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Podman is not compatible with user management inside container (i.e. with libnss-extrausers)
6 participants
@cdoern @rhatdan @TomSweeneyRedHat @mheon @vrothberg @openshift-merge-robot