Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get correct username in pod when using --userns=keep-id #17174

Merged
merged 1 commit into from
Jan 24, 2023
Merged

Get correct username in pod when using --userns=keep-id #17174

merged 1 commit into from
Jan 24, 2023

Conversation

rhatdan
Copy link
Member

@rhatdan rhatdan commented Jan 20, 2023

Fixes: #17148

Signed-off-by: Daniel J Walsh [email protected]

Does this PR introduce a user-facing change?

Pods with --userns=keep-id will add entry including username to /etc/passwd within container.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 20, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 20, 2023
@TomSweeneyRedHat
Copy link
Member

Looks like a REST test needs some tweaking @rhatdan

giuseppe
giuseppe reviewed Jan 24, 2023
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once tests pass

@ashley-cui
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 24, 2023
@openshift-merge-robot openshift-merge-robot merged commit 8073e90 into containers:main Jan 24, 2023
edsantiago
edsantiago reviewed Jan 24, 2023
View reviewed changes
Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Day late dollar short. One question inline.

test/system/170-run-userns.bats
if is_rootless; then
user=$(id -u)
run_podman pod create --userns keep-id
pid=$output
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eek, am I the only one who read this as "process id" and got severely confused for a second or two?

test/e2e/pod_create_test.go
exec1 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
exec1.WaitWithDefaultTimeout()
Expect(exec1).Should(Exit(0))
Expect(exec1.OutputToString()).To(ContainSubstring("container"))
Expect(exec1.OutputToString()).To(ContainSubstring(u.Name))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just out of principle, I think a better test would be:

    .....{"exec", ctrName, "grep", "^"+u.Name+":", "/etc/passwd"})

or even (cleaner)

    .....{"exec", ... , "id", u.Name})

Basically, to avoid a false match on username against (something else in passwd). Not that I can think of a real-world example, so this is paranoia. Anyone concur/disagree? Should I open an update/cleanup PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we would probably catch it in the CI if the passwd file of any image breaks this test. Said so, nothing against paranoia and fixing it earlier :-)

This was referenced Jan 25, 2023
Open
Closed
edsantiago added a commit to edsantiago/libpod that referenced this pull request Jan 30, 2023
@edsantiago
e2e tests: fix incorrect os.User.Name
0e3524b 
Ha ha. This was supposed to be a trivial little followup to containers#17174:

   containers#17174 (comment)
      (safer username check when --userns=keep-id)

It got complicated. TL;DR we need to use User.Username, not User.Name.
The latter is GECOS! Tests were working because, on Fedora, GECOS
for root is "root". Found and fixed all 'u.Name' instances, but
if there are any references with a variable other than 'u', they
still need looking into.

Signed-off-by: Ed Santiago <[email protected]>
@edsantiago edsantiago mentioned this pull request Jan 30, 2023
Merged
@danishprakash danishprakash mentioned this pull request Mar 8, 2023
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 13, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@edsantiago edsantiago edsantiago left review comments

@giuseppe giuseppe giuseppe left review comments

Assignees

@ashley-cui ashley-cui

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note
Projects
None yet
Milestone
No milestone
6 participants
@rhatdan @TomSweeneyRedHat @ashley-cui @giuseppe @edsantiago @openshift-merge-robot