Merge pull request #322 from mrunalp/features/add_groups

Adds functionality to specify additional groups to join.
Victor Marmol 2015-01-08 14:04:03 -08:00
commit e30793aed7
2 changed files with 10 additions and 4 deletions


@ -120,6 +120,10 @@ type Config struct {
// Rlimits specifies the resource limits, such as max open files, to set in the container // Rlimits specifies the resource limits, such as max open files, to set in the container
// If Rlimits are not set, the container will inherit rlimits from the parent process // If Rlimits are not set, the container will inherit rlimits from the parent process
Rlimits []Rlimit `json:"rlimits,omitempty"` Rlimits []Rlimit `json:"rlimits,omitempty"`
// AdditionalGroups specifies the gids that should be added to supplementary groups
// in addition to those that the user belongs to.
AdditionalGroups []int `json:"additional_groups,omitempty"`
} }
// Routes can be specified to create entries in the route table as the container is started // Routes can be specified to create entries in the route table as the container is started
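Review bot: The comment on `AdditionalGroups` does not say how the values are interpreted, which matters to anyone who builds a Config from input they do not fully trust. Judging by the SetupUser change in this commit, the gids are handed to `syscall.Setgroups` as-is, with no lookup in the container's group file and no range check, so listing gid 0 or another privileged group gives the container process that membership. I would extend the comment with `// Values are numeric gids applied verbatim via setgroups(2); they are not resolved against the container's group file and must be non-negative.` The Config struct begins outside this hunk.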


@ -170,7 +170,7 @@ func RestoreParentDeathSignal(old int) error {
} }
// SetupUser changes the groups, gid, and uid for the user inside the container // SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error { func SetupUser(container *libcontainer.Config) error {
// Set up defaults. // Set up defaults.
defaultExecUser := user.ExecUser{ defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(), Uid: syscall.Getuid(),
@ -188,12 +188,14 @@ func SetupUser(u string) error {
return err return err
} }
execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath) execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
if err != nil { if err != nil {
return fmt.Errorf("get supplementary groups %s", err) return fmt.Errorf("get supplementary groups %s", err)
} }
if err := syscall.Setgroups(execUser.Sgids); err != nil { suppGroups := append(execUser.Sgids, container.AdditionalGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return fmt.Errorf("setgroups %s", err) return fmt.Errorf("setgroups %s", err)
} }
@ -273,7 +275,7 @@ func FinalizeNamespace(container *libcontainer.Config) error {
return fmt.Errorf("set keep caps %s", err) return fmt.Errorf("set keep caps %s", err)
} }
if err := SetupUser(container.User); err != nil { if err := SetupUser(container); err != nil {
return fmt.Errorf("setup user %s", err) return fmt.Errorf("setup user %s", err)
} }
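Review bot: `container.AdditionalGroups` reaches `syscall.Setgroups` unvalidated in the second SetupUser hunk, so a negative value in the config is not rejected; as far as I know Setgroups converts each int to the kernel's unsigned gid type, which would turn -1 into a very large gid rather than an error. The `append(execUser.Sgids, ...)` call can also write into the backing array of `execUser.Sgids` when that slice has spare capacity, so building a fresh slice is safer. The doc comment above SetupUser should mention the new behaviour, for example `// SetupUser changes the groups (including container.AdditionalGroups), gid, and uid for the user inside the container`. SetupUser's body is only partly visible in these hunks, so the sketch below covers just the construction of the group list.

```go
// … unchanged: user.GetExecUserPath call and its error check …
suppGroups := make([]int, 0, len(execUser.Sgids)+len(container.AdditionalGroups))
suppGroups = append(suppGroups, execUser.Sgids...)
for _, gid := range container.AdditionalGroups {
	// Reject values that cannot be a valid gid before they reach setgroups(2).
	if gid < 0 {
		return fmt.Errorf("invalid additional group id %d", gid)
	}
	suppGroups = append(suppGroups, gid)
}
// … unchanged: syscall.Setgroups(suppGroups) call and its error return …
```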