-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add username to /etc/passwd inside of container if --userns keep-id #6829
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
libpod/container.go
Outdated
NetNsCtr string `json:"netNsCtr,omitempty"` | ||
PIDNsCtr string `json:"pidNsCtr,omitempty"` | ||
UserNsCtr string `json:"userNsCtr,omitempty"` | ||
UserNsKeepId bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be elsewhere, have a JSON tag, and a comment describing what it does
libpod/options.go
Outdated
@@ -844,6 +844,19 @@ func WithPIDNSFrom(nsCtr *Container) CtrCreateOption { | |||
} | |||
} | |||
|
|||
// WithUserNSKeepID indicates that container should add user entry to passwd | |||
// file, since the UID will be mapped into the container, via user namespace | |||
func WithUserNSKeepId() CtrCreateOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rename this? Maybe "WithAddCurrentUserToPasswd" or something more clear about what it does?
libpod/container_internal_linux.go
Outdated
} | ||
if err == nil { | ||
return "", nil | ||
originPasswdFile := filepath.Join(c.state.Mountpoint, "/etc/passwd") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's time to either break this code into a separate function or move it into a pkg/passwd
.
It was already really hard to brain-parse the code before but now we have four nested branches that let my brain parser overflow.
Breaking the code into a separate function would simplify it (as we can use returns), we could add unit tests and ideally add more comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
1be270f
to
2f00a31
Compare
libpod/container.go
Outdated
@@ -278,6 +278,9 @@ type ContainerConfig struct { | |||
User string `json:"user,omitempty"` | |||
// Additional groups to add | |||
Groups []string `json:"groups,omitempty"` | |||
// AddCurrentUserPasswdEntry indicates that the current user passwd entry | |||
// should be added to the /etc/passwd within the container | |||
AddCurrentUserPasswdEntry bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this have an omitempty
so we minimize the amount of stuff saved to the DB?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
904bc1b
to
1eccb19
Compare
Looks like a bug in the tests. I'll check out the PR and have a look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, tests need some tweaking:
diff --git a/libpod/container_internal_linux_test.go b/libpod/container_internal_linux_test.go
index 5d92ff6c612c..078cc53a73c9 100644
--- a/libpod/container_internal_linux_test.go
+++ b/libpod/container_internal_linux_test.go
@@ -7,6 +7,7 @@ import (
"os"
"testing"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/stretchr/testify/assert"
)
@@ -20,6 +21,7 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
c := Container{
config: &ContainerConfig{
User: "123:456",
+ Spec: &spec.Spec{},
},
state: &ContainerState{
Mountpoint: "/does/not/exist/tmp/",
@@ -29,12 +31,12 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- assert.Equal(t, user, "123:x:123:456:container user:/:bin/sh\n")
+ assert.Equal(t, user, "123:x:123:456:container user:/:/bin/sh\n")
c.config.User = "567"
user, err = c.generateUserPasswdEntry()
if err != nil {
t.Fatal(err)
}
- assert.Equal(t, user, "567:x:567:567:container user:/:bin/sh\n")
+ assert.Equal(t, user, "567:x:567:0:container user:/:/bin/sh\n")
}
If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/lgtm |
- Issue containers#6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue containers#6829 : --userns=keep-id will add a /etc/passwd entry - Issue containers#6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <[email protected]>
- Issue containers#6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue containers#6829 : --userns=keep-id will add a /etc/passwd entry - Issue containers#6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <[email protected]>
Shouldn't it also have created the group? See #6829 :) |
Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as "/" and the shell is /bin/sh. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 containers#523
Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as '/' and the shell is /bin/sh. Note that Podman doesn't add the user's login group to /etc/group [2]. This leads to the following error when entering the container: /usr/bin/id: cannot find name for group ID 1000 It's expected that this will be fixed in Podman itself. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 [2] containers/podman#7389 containers#523
Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as '/' and the shell is /bin/sh. Note that Podman doesn't add the user's login group to /etc/group [2]. This leads to the following error when entering the container: /usr/bin/id: cannot find name for group ID 1000 It's expected that this will be fixed in Podman itself. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 [2] containers/podman#7389 containers#523
Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as '/' and the shell is /bin/sh. Note that Podman doesn't add the user's login group to /etc/group [2]. This leads to the following error when entering the container: /usr/bin/id: cannot find name for group ID 1000 It's expected that this will be fixed in Podman itself. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 [2] containers/podman#7389 containers#523
Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as '/' and the shell is /bin/sh. Note that Podman doesn't add the user's login group to /etc/group [2]. This leads to the following error message when entering the container: /usr/bin/id: cannot find name for group ID 1000 It's expected that this will be fixed in Podman itself. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 [2] containers/podman#7389 containers#523
If I enter a continer with --userns keep-id, my UID will be present
inside of the container, but most likely my user will not be defined.
This patch will take information about the user and stick it into the
container.
Signed-off-by: Daniel J Walsh [email protected]