Merge pull request #1608 from crosbymichael/gids

add additional-gids to runc exec
Mrunal Patel 2017-10-16 09:18:52 -07:00 committed by GitHub
commit d5fc10a011
3 changed files with 39 additions and 13 deletions

10
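--- a/exec.go
+++ b/exec.go
@@ -50,6 +50,10 @@ following will output a list of processes running in the container:
 Name: "user, u",
 Usage: "UID (format: <uid>[:<gid>])",
 },
+cli.Int64SliceFlag{
+Name: "additional-gids, g",
+Usage: "additional gids",
+},
 cli.StringFlag{
 Name: "process, p",
 Usage: "path to the process.json",
@@ -208,5 +212,11 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 }
 p.User.UID = uint32(uid)
 }
+for _, gid := range context.Int64Slice("additional-gids") {
+if gid < 0 {
+return nil, fmt.Errorf("additional-gids must be a positive number %d", gid)
+}
+p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
+}
 return p, nil
 }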
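Review bot: The range check in the new getProcess loop rejects negatives only, so a value above math.MaxUint32 passes and `uint32(gid)` silently wraps — `4294967296` becomes gid 0, the root group, with no error. Bound both ends before the conversion: `if gid < 0 || gid > math.MaxUint32 {` / `return nil, fmt.Errorf("additional-gids must be in the range 0-%d, got %d", math.MaxUint32, gid)` (needs the `math` import if exec.go lacks it; the current message also says "positive" while 0 is accepted). The UID conversion a few lines up uses the same `uint32(...)` pattern, and since its parsing sits outside the hunk it may warrant the same bound. The loop appends to whatever p.User.AdditionalGids already held — presumably from the bundle spec or process.json — rather than replacing it, so a comment such as `// flag values are appended to any gids already in the process spec` would make that explicit for callers expecting override semantics. getProcess begins outside this hunk.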


@ -14,16 +14,17 @@ following will output a list of processes running in the container:
# runc exec <container-id> ps
# OPTIONS
--console value specify the pty slave path for use with the container
--cwd value current working directory in the container
--env value, -e value set environment variables
--tty, -t allocate a pseudo-TTY
--user value, -u value UID (format: <uid>[:<gid>])
--process value, -p value path to the process.json
--detach, -d detach from the container's process
--pid-file value specify the file to write the process id to
--process-label value set the asm process label for the process commonly used with selinux
--apparmor value set the apparmor profile for the process
--no-new-privs set the no new privileges value for the process
--cap value, -c value add a capability to the bounding set for the process
--no-subreaper disable the use of the subreaper used to reap reparented processes
--console value specify the pty slave path for use with the container
--cwd value current working directory in the container
--env value, -e value set environment variables
--tty, -t allocate a pseudo-TTY
--user value, -u value UID (format: <uid>[:<gid>])
--additional-gids value, -g value additional gids
--process value, -p value path to the process.json
--detach, -d detach from the container's process
--pid-file value specify the file to write the process id to
--process-label value set the asm process label for the process commonly used with selinux
--apparmor value set the apparmor profile for the process
--no-new-privs set the no new privileges value for the process
--cap value, -c value add a capability to the bounding set for the process
--no-subreaper disable the use of the subreaper used to reap reparented processes


@ -112,3 +112,18 @@ function teardown() {
[[ "${output}" == "uid=1000 gid=1000"* ]]
}
@test "runc exec --additional-gids" {
requires root
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
wait_for_container 15 1 test_busybox
runc exec --user 1000:1000 --additional-gids 100 --additional-gids 99 test_busybox id
[ "$status" -eq 0 ]
[[ ${output} == "uid=1000 gid=1000 groups=99(nogroup),100(users)" ]]
}
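Review bot: The new test covers only the accepted path; the `gid < 0` rejection that getProcess gains in exec.go has no coverage, so a regression there would go unnoticed. A companion case that runs `runc exec --user 1000:1000 --additional-gids -1 test_busybox id` and asserts `[ "$status" -ne 0 ]` would pin the validation, assuming the flag parser takes a negative literal as the value. The expected `groups=99(nogroup),100(users)` text on the last line depends on the busybox image's /etc/group, so a comment such as `# group names come from the busybox image's /etc/group` would explain why this assertion is an exact match while the one above it is a prefix match. The @test block is complete within the hunk.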