Merge pull request #1608 from crosbymichael/gids
add additional-gids to runc exec
commit
d5fc10a011
10
exec.go
10
exec.go
|
@ -50,6 +50,10 @@ following will output a list of processes running in the container:
|
|||
Name: "user, u",
|
||||
Usage: "UID (format: <uid>[:<gid>])",
|
||||
},
|
||||
cli.Int64SliceFlag{
|
||||
Name: "additional-gids, g",
|
||||
Usage: "additional gids",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "process, p",
|
||||
Usage: "path to the process.json",
|
||||
|
@ -208,5 +212,11 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
|
|||
}
|
||||
p.User.UID = uint32(uid)
|
||||
}
|
||||
for _, gid := range context.Int64Slice("additional-gids") {
|
||||
if gid < 0 {
|
||||
return nil, fmt.Errorf("additional-gids must be a positive number %d", gid)
|
||||
}
|
||||
p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
|
||||
}
|
||||
return p, nil
|
||||
}
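Review bot: The `uint32(gid)` conversion in the new loop silently truncates, because the guard above it rejects only negative values; an int64 above 4294967295 wraps, so a value such as 4294967296 would end up as gid 0 in `AdditionalGids`. Bound the check on both sides, `if gid < 0 || gid > math.MaxUint32 {`, which needs the `math` import. Since 0 passes the check, the message is also inaccurate; something like `additional-gids must be between 0 and 4294967295, got %d` matches what is enforced. getProcess starts outside this hunk, so whether the loop is reached when `--process` is supplied cannot be confirmed from here; if it is not, the flag's `Usage` text should say so.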
|
||||
|
|
|
@ -14,16 +14,17 @@ following will output a list of processes running in the container:
|
|||
# runc exec <container-id> ps
|
||||
|
||||
# OPTIONS
|
||||
--console value specify the pty slave path for use with the container
|
||||
--cwd value current working directory in the container
|
||||
--env value, -e value set environment variables
|
||||
--tty, -t allocate a pseudo-TTY
|
||||
--user value, -u value UID (format: <uid>[:<gid>])
|
||||
--process value, -p value path to the process.json
|
||||
--detach, -d detach from the container's process
|
||||
--pid-file value specify the file to write the process id to
|
||||
--process-label value set the asm process label for the process commonly used with selinux
|
||||
--apparmor value set the apparmor profile for the process
|
||||
--no-new-privs set the no new privileges value for the process
|
||||
--cap value, -c value add a capability to the bounding set for the process
|
||||
--no-subreaper disable the use of the subreaper used to reap reparented processes
|
||||
--console value specify the pty slave path for use with the container
|
||||
--cwd value current working directory in the container
|
||||
--env value, -e value set environment variables
|
||||
--tty, -t allocate a pseudo-TTY
|
||||
--user value, -u value UID (format: <uid>[:<gid>])
|
||||
--additional-gids value, -g value additional gids
|
||||
--process value, -p value path to the process.json
|
||||
--detach, -d detach from the container's process
|
||||
--pid-file value specify the file to write the process id to
|
||||
--process-label value set the asm process label for the process commonly used with selinux
|
||||
--apparmor value set the apparmor profile for the process
|
||||
--no-new-privs set the no new privileges value for the process
|
||||
--cap value, -c value add a capability to the bounding set for the process
|
||||
--no-subreaper disable the use of the subreaper used to reap reparented processes
|
||||
|
|
|
@ -112,3 +112,18 @@ function teardown() {
|
|||
|
||||
[[ "${output}" == "uid=1000 gid=1000"* ]]
|
||||
}
|
||||
|
||||
@test "runc exec --additional-gids" {
|
||||
requires root
|
||||
|
||||
# run busybox detached
|
||||
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
wait_for_container 15 1 test_busybox
|
||||
|
||||
runc exec --user 1000:1000 --additional-gids 100 --additional-gids 99 test_busybox id
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
[[ ${output} == "uid=1000 gid=1000 groups=99(nogroup),100(users)" ]]
|
||||
}
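Review bot: The new `runc exec --additional-gids` case exercises only the accepted path, so the rejection branch this commit adds in getProcess is untested. A second invocation in the same test, for example `runc exec --additional-gids=-1 test_busybox id` followed by `[ "$status" -ne 0 ]`, would pin that behaviour. The exact-match assertion on `groups=99(nogroup),100(users)` also depends on the group names in the busybox rootfs, which appears intentional but deserves a short comment so a rootfs update does not look like a regression.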
|
||||
|
|