Add username to /etc/passwd inside of container if --userns keep-id #6829
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
mheon
reviewed
Jun 30, 2020
libpod/container.go
Outdated
| NetNsCtr string `json:"netNsCtr,omitempty"` | ||
| PIDNsCtr string `json:"pidNsCtr,omitempty"` | ||
| UserNsCtr string `json:"userNsCtr,omitempty"` | ||
| UserNsKeepId bool |
There was a problem hiding this comment.
This should be elsewhere, have a JSON tag, and a comment describing what it does
mheon
reviewed
Jun 30, 2020
libpod/options.go
Outdated
| @@ -844,6 +844,19 @@ func WithPIDNSFrom(nsCtr *Container) CtrCreateOption { | |||
| } | |||
| } | |||
|
|
|||
| // WithUserNSKeepID indicates that container should add user entry to passwd | |||
| // file, since the UID will be mapped into the container, via user namespace | |||
| func WithUserNSKeepId() CtrCreateOption { | |||
There was a problem hiding this comment.
Can we rename this? Maybe "WithAddCurrentUserToPasswd" or something more clear about what it does?
vrothberg
reviewed
Jul 1, 2020
libpod/container_internal_linux.go
Outdated
| } | ||
| if err == nil { | ||
| return "", nil | ||
| originPasswdFile := filepath.Join(c.state.Mountpoint, "/etc/passwd") |
There was a problem hiding this comment.
I think it's time to either break this code into a separate function or move it into a pkg/passwd.
It was already really hard to brain-parse the code before but now we have four nested branches that let my brain parser overflow.
Breaking the code into a separate function would simplify it (as we can use returns), we could add unit tests and ideally add more comments.
rhatdan
force-pushed
the
keepid
branch
4 times, most recently
from
1be270f to
2f00a31
Compare
mheon
reviewed
Jul 1, 2020
libpod/container.go
Outdated
| @@ -278,6 +278,9 @@ type ContainerConfig struct { | |||
| User string `json:"user,omitempty"` | |||
| // Additional groups to add | |||
| Groups []string `json:"groups,omitempty"` | |||
| // AddCurrentUserPasswdEntry indicates that the current user passwd entry | |||
| // should be added to the /etc/passwd within the container | |||
| AddCurrentUserPasswdEntry bool | |||
There was a problem hiding this comment.
Can this have an omitempty so we minimize the amount of stuff saved to the DB?
rhatdan
force-pushed
the
keepid
branch
10 times, most recently
from
904bc1b to
1eccb19
Compare
|
Looks like a bug in the tests. I'll check out the PR and have a look. |
vrothberg
reviewed
Jul 7, 2020
There was a problem hiding this comment.
Yep, tests need some tweaking:
diff --git a/libpod/container_internal_linux_test.go b/libpod/container_internal_linux_test.go
index 5d92ff6c612c..078cc53a73c9 100644
--- a/libpod/container_internal_linux_test.go
+++ b/libpod/container_internal_linux_test.go
@@ -7,6 +7,7 @@ import (
"os"
"testing"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/stretchr/testify/assert"
)
@@ -20,6 +21,7 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
c := Container{
config: &ContainerConfig{
User: "123:456",
+ Spec: &spec.Spec{},
},
state: &ContainerState{
Mountpoint: "/does/not/exist/tmp/",
@@ -29,12 +31,12 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- assert.Equal(t, user, "123:x:123:456:container user:/:bin/sh\n")
+ assert.Equal(t, user, "123:x:123:456:container user:/:/bin/sh\n")
c.config.User = "567"
user, err = c.generateUserPasswdEntry()
if err != nil {
t.Fatal(err)
}
- assert.Equal(t, user, "567:x:567:567:container user:/:bin/sh\n")
+ assert.Equal(t, user, "567:x:567:0:container user:/:/bin/sh\n")
} 
If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <[email protected]>
|
/lgtm |
edsantiago
added a commit
to edsantiago/libpod
that referenced
this pull request
Jul 14, 2020
- Issue containers#6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue containers#6829 : --userns=keep-id will add a /etc/passwd entry - Issue containers#6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <[email protected]>
vrothberg
pushed a commit
to vrothberg/libpod
that referenced
this pull request
Aug 11, 2020
- Issue containers#6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue containers#6829 : --userns=keep-id will add a /etc/passwd entry - Issue containers#6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <[email protected]>
|
Shouldn't it also have created the group? See #6829 :) |
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this pull request
Aug 30, 2020
Since Podman 2.0.5, containers that were created with
'podman create --userns=keep-id ...' automatically get the user added
to /etc/passwd [1]. However, this user isn't as fully configured as it
needs to be. The home directory is specified as "/" and the shell is
/bin/sh.
Therefore, the entry point needs to call usermod(8) to update the user,
instead of using useradd(8) to create it.
[1] Podman commit 6c6670f12a3e6b91
containers/podman#6829
containers#523
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this pull request
Aug 30, 2020
Since Podman 2.0.5, containers that were created with
'podman create --userns=keep-id ...' automatically get the user added
to /etc/passwd [1]. However, this user isn't as fully configured as it
needs to be. The home directory is specified as '/' and the shell is
/bin/sh.
Note that Podman doesn't add the user's login group to /etc/group [2].
This leads to the following error when entering the container:
/usr/bin/id: cannot find name for group ID 1000
It's expected that this will be fixed in Podman itself.
Therefore, the entry point needs to call usermod(8) to update the user,
instead of using useradd(8) to create it.
[1] Podman commit 6c6670f12a3e6b91
containers/podman#6829
[2] containers/podman#7389
containers#523
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this pull request
Aug 30, 2020
Since Podman 2.0.5, containers that were created with
'podman create --userns=keep-id ...' automatically get the user added
to /etc/passwd [1]. However, this user isn't as fully configured as it
needs to be. The home directory is specified as '/' and the shell is
/bin/sh.
Note that Podman doesn't add the user's login group to /etc/group [2].
This leads to the following error when entering the container:
/usr/bin/id: cannot find name for group ID 1000
It's expected that this will be fixed in Podman itself.
Therefore, the entry point needs to call usermod(8) to update the user,
instead of using useradd(8) to create it.
[1] Podman commit 6c6670f12a3e6b91
containers/podman#6829
[2] containers/podman#7389
containers#523
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this pull request
Aug 30, 2020
Since Podman 2.0.5, containers that were created with
'podman create --userns=keep-id ...' automatically get the user added
to /etc/passwd [1]. However, this user isn't as fully configured as it
needs to be. The home directory is specified as '/' and the shell is
/bin/sh.
Note that Podman doesn't add the user's login group to /etc/group [2].
This leads to the following error when entering the container:
/usr/bin/id: cannot find name for group ID 1000
It's expected that this will be fixed in Podman itself.
Therefore, the entry point needs to call usermod(8) to update the user,
instead of using useradd(8) to create it.
[1] Podman commit 6c6670f12a3e6b91
containers/podman#6829
[2] containers/podman#7389
containers#523
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this pull request
Aug 30, 2020
Since Podman 2.0.5, containers that were created with
'podman create --userns=keep-id ...' automatically get the user added
to /etc/passwd [1]. However, this user isn't as fully configured as it
needs to be. The home directory is specified as '/' and the shell is
/bin/sh.
Note that Podman doesn't add the user's login group to /etc/group [2].
This leads to the following error message when entering the container:
/usr/bin/id: cannot find name for group ID 1000
It's expected that this will be fixed in Podman itself.
Therefore, the entry point needs to call usermod(8) to update the user,
instead of using useradd(8) to create it.
[1] Podman commit 6c6670f12a3e6b91
containers/podman#6829
[2] containers/podman#7389
containers#523
github-actions
bot
added
the
locked - please file new issue/PR
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If I enter a continer with --userns keep-id, my UID will be present
inside of the container, but most likely my user will not be defined.
This patch will take information about the user and stick it into the
container.
Signed-off-by: Daniel J Walsh [email protected]