From 15173f8c25c8124443ea373247a0747b724b02c9 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Tue, 7 Apr 2020 23:05:25 +0200
Subject: [PATCH] Unbreak 'enter' on Fedora CoreOS

... and other hybrid set-ups where the host and container OSes aren't the same. The entry point of a toolbox container already runs as root:root. Therefore, there's no need to run it with an additional group. Interactive shells spawned by 'sudo su -' both inside the container and on the host don't run with such an additional group either. They run just as root:root. This prevented toolbox containers from starting up on Fedora CoreOS hosts, because CoreOS has both the 'sudo' and 'wheel' groups but the fedora-toolbox images only have the 'wheel' group. Therefore, it ended up calling 'podman create --group-add sudo ...', and since the 'sudo' group was missing from the image, the container failed to start. The --group-add flag was added in commit 4bda42d4146f3d3b when the entry point ran as $USER as specified in the user-specific customized image. The additional group was specified to retain consistency with interactive shells run as $USER. Since then, things have changed. There's no longer any user-specific customized image and commit f74400f4500f0ed6 made the entry point run as root:root. The --group-add flag should have been removed as part of those changes.

https://github.com/containers/toolbox/issues/423
---
 src/cmd/create.go | 6 ------
 toolbox | 6 ------
 2 files changed, 12 deletions(-)

diff --git a/src/cmd/create.go b/src/cmd/create.go
index 0b78572f4..f90ec2d4e 100644
--- a/src/cmd/create.go
+++ b/src/cmd/create.go
@@ -191,11 +191,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 toolboxPathEnvArg := "TOOLBOX_PATH=" + toolboxPath
 toolboxPathMountArg := toolboxPath + ":/usr/bin/toolbox:ro"
 
- sudoGroup, err := utils.GetGroupForSudo()
- if err != nil {
- return err
- }
-
 logrus.Debug("Checking if 'podman create' supports '--ulimit host'")
 
 var ulimitHost []string
@@ -339,7 +334,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 "create",
 "--dns", "none",
 "--env", toolboxPathEnvArg,
- "--group-add", sudoGroup,
 "--hostname", "toolbox",
 "--ipc", "host",
 "--label", "com.github.containers.toolbox=true",
diff --git a/toolbox b/toolbox
index 17221579c..2c8951cce 100755
--- a/toolbox
+++ b/toolbox
@@ -982,11 +982,6 @@ create()
 return 1
 fi
 
- if ! group_for_sudo=$(get_group_for_sudo); then
- echo "$base_toolbox_command: failed to create container $toolbox_container: group for sudo not found" >&2
- return 1
- fi
-
 if [ -f /etc/profile.d/toolbox.sh ] 2>&3; then
 toolbox_profile_bind="--volume /etc/profile.d/toolbox.sh:/etc/profile.d/toolbox.sh:ro"
 elif [ -f /usr/share/profile.d/toolbox.sh ] 2>&3; then
@@ -1078,7 +1073,6 @@ create()
 $podman_command create \
 --dns none \
 --env TOOLBOX_PATH="$TOOLBOX_PATH" \
- --group-add "$group_for_sudo" \
 --hostname toolbox \
 --ipc host \
 --label "com.github.containers.toolbox=true" \