Unbreak 'enter' on Fedora CoreOS
... and other hybrid set-ups where the host and container OSes aren't
the same.

The entry point of a toolbox container already runs as root:root.
Therefore, there's no need to run it with an additional group.
Interactive shells spawned by 'sudo su -' both inside the container
and on the host don't run with such an additional group either. They
run just as root:root.

This prevented toolbox containers from starting up on Fedora CoreOS
hosts, because CoreOS has both the 'sudo' and 'wheel' groups but the
fedora-toolbox images only have the 'wheel' group. Therefore, it
ended up calling 'podman create --group-add sudo ...', and since the
'sudo' group was missing from the image, the container failed to start.

The --group-add flag was added in commit 4bda42d when the
entry point ran as $USER as specified in the user-specific customized
image. The additional group was specified to retain consistency with
interactive shells run as $USER.

Since then, things have changed. There's no longer any user-specific
customized image and commit f74400f made the entry point run
as root:root. The --group-add flag should have been removed as part of
those changes.

#423
martinpitt authored and debarshiray committed Aug 28, 2020
1 parent 3b6b9e9 commit 15173f8
Showing 2 changed files with 0 additions and 12 deletions.
6 changes: 0 additions & 6 deletions src/cmd/create.go
Expand Up @@ -191,11 +191,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
toolboxPathEnvArg := "TOOLBOX_PATH=" + toolboxPath
toolboxPathMountArg := toolboxPath + ":/usr/bin/toolbox:ro"

sudoGroup, err := utils.GetGroupForSudo()
if err != nil {
return err
}

logrus.Debug("Checking if 'podman create' supports '--ulimit host'")

var ulimitHost []string
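
Review bot: With the utils.GetGroupForSudo() call removed from createContainer, the helper may have no callers left, and this commit touches only src/cmd/create.go and toolbox, so its definition stays behind. If nothing else uses it, delete it in the same change so that a later edit cannot quietly bring a host-derived group lookup back into container creation.
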
Expand Down Expand Up @@ -339,7 +334,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
"create",
"--dns", "none",
"--env", toolboxPathEnvArg,
"--group-add", sudoGroup,
"--hostname", "toolbox",
"--ipc", "host",
"--label", "com.github.containers.toolbox=true",
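
Review bot: Nothing guards the dropped "--group-add", sudoGroup pair in the 'podman create' argument list against being reintroduced, since the commit has 0 additions and therefore adds no test. A test that creates a container from an image lacking the host's sudo group would pin down the start-up failure described in the commit message.
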
6 changes: 0 additions & 6 deletions toolbox
Expand Up @@ -982,11 +982,6 @@ create()
return 1
fi

if ! group_for_sudo=$(get_group_for_sudo); then
echo "$base_toolbox_command: failed to create container $toolbox_container: group for sudo not found" >&2
return 1
fi

if [ -f /etc/profile.d/toolbox.sh ] 2>&3; then
toolbox_profile_bind="--volume /etc/profile.d/toolbox.sh:/etc/profile.d/toolbox.sh:ro"
elif [ -f /usr/share/profile.d/toolbox.sh ] 2>&3; then
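
Review bot: get_group_for_sudo is no longer called in create(), but the 6 deletions in toolbox are fully accounted for by this call site and the --group-add line, so the function definition remains in the script. If create() was its only caller, remove the definition as well rather than leaving dead code.
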
Expand Down Expand Up @@ -1078,7 +1073,6 @@ create()
$podman_command create \
--dns none \
--env TOOLBOX_PATH="$TOOLBOX_PATH" \
--group-add "$group_for_sudo" \
--hostname toolbox \
--ipc host \
--label "com.github.containers.toolbox=true" \