From 7a386c2b601a76055123839a3005520323a3dbfe Mon Sep 17 00:00:00 2001
From: Sumit Sanghrajka
Date: Thu, 2 Feb 2017 14:08:35 -0800
Subject: [PATCH] Add --additional-gids to runc exec.

This flag allows specifying additional gids for the process. Without this flag, the user will have to provide process.json which allows additional gids.
Closes #1306
Signed-off-by: Sumit Sanghrajka
---
 exec.go | 13 +++++++++++++
 man/runc-exec.8.md | 27 ++++++++++++++-------------
 tests/integration/exec.bats | 13 +++++++++++++
 3 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/exec.go b/exec.go
index ced9b66a..d73518f6 100644
--- a/exec.go
+++ b/exec.go
@@ -50,6 +50,10 @@ following will output a list of processes running in the container:
 Name: "user, u",
 Usage: "UID (format: [:])",
 },
+ cli.StringFlag{
+ Name: "additional-gids, g",
+ Usage: "additional gids separated by comma",
+ },
 cli.StringFlag{
 Name: "process, p",
 Usage: "path to the process.json",
@@ -208,5 +212,14 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 }
 p.User.UID = uint32(uid)
 }
+ if context.String("additional-gids") != "" {
+ for _, i := range strings.Split(context.String("additional-gids"), ",") {
+ gid, err := strconv.Atoi(i)
+ if err != nil {
+ return nil, fmt.Errorf("parsing %s as int for gid failed: %v", i, err)
+ }
+ p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
+ }
+ }
 return p, nil
 }
diff --git a/man/runc-exec.8.md b/man/runc-exec.8.md
index e47f8284..46b26617 100644
--- a/man/runc-exec.8.md
+++ b/man/runc-exec.8.md
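Review bot: In the second exec.go hunk (getProcess), `strconv.Atoi(i)` followed by `uint32(gid)` accepts values outside the GID range: a negative number, or on 64-bit builds one above 4294967295, parses without error and then wraps or truncates in the conversion, so the exec'd process receives a supplementary group the operator did not type instead of an error. Parsing straight to the target width closes that gap, `gid, err := strconv.ParseUint(i, 10, 32)`, with the existing error return kept as is; applying `strings.TrimSpace(i)` first would also accept `100, 200`. The context line `p.User.UID = uint32(uid)` suggests the `--user` path converts the same way and may deserve the same check. getProcess begins above the hunk, so whether this flag is honoured when `--process` is also given cannot be seen here; if it is silently ignored in that case, the `Usage` string added in the first hunk should say so.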
@@ -14,16 +14,17 @@ following will output a list of processes running in the container:
 # runc exec ps
 # OPTIONS
- --console value specify the pty slave path for use with the container
- --cwd value current working directory in the container
- --env value, -e value set environment variables
- --tty, -t allocate a pseudo-TTY
- --user value, -u value UID (format: [:])
- --process value, -p value path to the process.json
- --detach, -d detach from the container's process
- --pid-file value specify the file to write the process id to
- --process-label value set the asm process label for the process commonly used with selinux
- --apparmor value set the apparmor profile for the process
- --no-new-privs set the no new privileges value for the process
- --cap value, -c value add a capability to the bounding set for the process
- --no-subreaper disable the use of the subreaper used to reap reparented processes
+ --console value specify the pty slave path for use with the container
+ --cwd value current working directory in the container
+ --env value, -e value set environment variables
+ --tty, -t allocate a pseudo-TTY
+ --user value, -u value UID (format: [:])
+ --additional-gids value, -g value additional gids separated by comma
+ --process value, -p value path to the process.json
+ --detach, -d detach from the container's process
+ --pid-file value specify the file to write the process id to
+ --process-label value set the asm process label for the process commonly used with selinux
+ --apparmor value set the apparmor profile for the process
+ --no-new-privs set the no new privileges value for the process
+ --cap value, -c value add a capability to the bounding set for the process
+ --no-subreaper disable the use of the subreaper used to reap reparented processes
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index c42d28a2..c7774a0e 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -112,3 +112,16 @@ function teardown() {
 [[ "${output}" == "uid=1000 gid=1000"* ]]
 }
+
+@test "runc exec --additional-gids" {
+ # run busybox detached
+ runc run -d --console-socket $CONSOLE_SOCKET test_busybox
+ [ "$status" -eq 0 ]
+
+ wait_for_container 15 1 test_busybox
+
+ runc exec --user 1000:1000 --additional-gids 100 test_busybox id
+ [ "$status" -eq 0 ]
+
+ [[ ${output} == "uid=1000 gid=1000 groups=100(users)" ]]
+}
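Review bot: The new test passes a single valid numeric gid, so neither the comma splitting nor the parse-error return added to getProcess is ever exercised. A second invocation with a list (for example `--additional-gids 100,99`, values constructed here) and one with a malformed value such as `--additional-gids abc` followed by `[ "$status" -ne 0 ]` would cover both paths and pin the rejection behaviour. The exact match on `groups=100(users)` also relies on the busybox image's group file mapping gid 100 to `users`, which looks intentional but is worth a short comment in the test.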