Merge pull request #322 from mrunalp/features/add_groups
Adds functionality to specify additional groups to join.
e30793aed7
|
@ -120,6 +120,10 @@ type Config struct {
|
||||||
// Rlimits specifies the resource limits, such as max open files, to set in the container
|
// Rlimits specifies the resource limits, such as max open files, to set in the container
|
||||||
// If Rlimits are not set, the container will inherit rlimits from the parent process
|
// If Rlimits are not set, the container will inherit rlimits from the parent process
|
||||||
Rlimits []Rlimit `json:"rlimits,omitempty"`
|
Rlimits []Rlimit `json:"rlimits,omitempty"`
|
||||||
|
|
||||||
|
// AdditionalGroups specifies the gids that should be added to supplementary groups
|
||||||
|
// in addition to those that the user belongs to.
|
||||||
|
AdditionalGroups []int `json:"additional_groups,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Routes can be specified to create entries in the route table as the container is started
|
// Routes can be specified to create entries in the route table as the container is started
|
||||||
|
|
|
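Review bot: The doc comment on the new AdditionalGroups field does not tell a config author that the values are raw numeric gids handed through unchanged — as far as the init.go hunks below show, they are appended to the resolved supplementary groups and passed straight to setgroups, with no lookup in the container's group database and no validation. Since this field widens the group membership of the container process, that should be stated where the field is declared; I would append `// The ids are numeric and used verbatim: they are not resolved against the container's group file and are not validated before setgroups.` to the comment. The rest of the Config struct is outside this hunk.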
@ -170,7 +170,7 @@ func RestoreParentDeathSignal(old int) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetupUser changes the groups, gid, and uid for the user inside the container
|
// SetupUser changes the groups, gid, and uid for the user inside the container
|
||||||
func SetupUser(u string) error {
|
func SetupUser(container *libcontainer.Config) error {
|
||||||
// Set up defaults.
|
// Set up defaults.
|
||||||
defaultExecUser := user.ExecUser{
|
defaultExecUser := user.ExecUser{
|
||||||
Uid: syscall.Getuid(),
|
Uid: syscall.Getuid(),
|
||||||
|
@ -188,12 +188,14 @@ func SetupUser(u string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath)
|
execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("get supplementary groups %s", err)
|
return fmt.Errorf("get supplementary groups %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := syscall.Setgroups(execUser.Sgids); err != nil {
|
suppGroups := append(execUser.Sgids, container.AdditionalGroups...)
|
||||||
|
|
||||||
|
if err := syscall.Setgroups(suppGroups); err != nil {
|
||||||
return fmt.Errorf("setgroups %s", err)
|
return fmt.Errorf("setgroups %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -273,7 +275,7 @@ func FinalizeNamespace(container *libcontainer.Config) error {
|
||||||
return fmt.Errorf("set keep caps %s", err)
|
return fmt.Errorf("set keep caps %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := SetupUser(container.User); err != nil {
|
if err := SetupUser(container); err != nil {
|
||||||
return fmt.Errorf("setup user %s", err)
|
return fmt.Errorf("setup user %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
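Review bot: `suppGroups := append(execUser.Sgids, container.AdditionalGroups...)` in the second hunk appends into the backing array of execUser.Sgids whenever that slice has spare capacity, so the additional ids can silently overwrite storage the caller still holds; build a fresh slice instead: `suppGroups := make([]int, 0, len(execUser.Sgids)+len(container.AdditionalGroups))` followed by `suppGroups = append(append(suppGroups, execUser.Sgids...), container.AdditionalGroups...)`. The AdditionalGroups values also reach the privileged setgroups call without any check on their range, so a negative or otherwise malformed id in the config is only caught, if at all, by whatever the kernel reports; a short loop over container.AdditionalGroups returning `fmt.Errorf("invalid additional group id %d", g)` for negative values before the setgroups call would turn that into a clear configuration error. SetupUser begins in the first hunk and its body continues past the end of the second hunk.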