WithAppendAdditionalGroups: better /etc/group handling
Scratch images don't necessarily have an /etc/group file, so we shouldn't fail when opening or parsing it is not needed, i.e. when all the groups to add are numeric. Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
parent
75f72d6272
commit
1398186ca7
@ -894,9 +894,9 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
ugroups, err := user.ParseGroupFile(gpath)
|
ugroups, groupErr := user.ParseGroupFile(gpath)
|
||||||
if err != nil {
|
if groupErr != nil && !os.IsNotExist(groupErr) {
|
||||||
return err
|
return groupErr
|
||||||
}
|
}
|
||||||
groupMap := make(map[string]user.Group)
|
groupMap := make(map[string]user.Group)
|
||||||
for _, group := range ugroups {
|
for _, group := range ugroups {
|
||||||
@ -910,6 +910,9 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
|
|||||||
} else {
|
} else {
|
||||||
g, ok := groupMap[group]
|
g, ok := groupMap[group]
|
||||||
if !ok {
|
if !ok {
|
||||||
|
if groupErr != nil {
|
||||||
|
return fmt.Errorf("unable to find group %s: %w", group, groupErr)
|
||||||
|
}
|
||||||
return fmt.Errorf("unable to find group %s", group)
|
return fmt.Errorf("unable to find group %s", group)
|
||||||
}
|
}
|
||||||
gids = append(gids, uint32(g.Gid))
|
gids = append(gids, uint32(g.Gid))
|
||||||
|
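Review bot: The early return kept at `if groupErr != nil && !os.IsNotExist(groupErr)` still fails the option for any other open or parse error on the group file, even when every requested group is numeric and the file is never consulted; that is narrower than what the commit message describes. Since the second hunk already returns `unable to find group %s: %w` with groupErr when a name lookup misses, the early return could be dropped so that any groupErr surfaces only when a name actually has to be resolved. If it is kept, `!errors.Is(groupErr, os.ErrNotExist)` also matches a wrapped error, which `os.IsNotExist` does not. Whether ParseGroupFile wraps its errors is not visible here, and the body of WithAppendAdditionalGroups starts and ends outside both hunks.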
@ -627,6 +627,65 @@ daemon:x:2:root,bin,daemon
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestWithAppendAdditionalGroupsNoEtcGroup(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
td := t.TempDir()
|
||||||
|
apply := fstest.Apply()
|
||||||
|
if err := apply.Apply(td); err != nil {
|
||||||
|
t.Fatalf("failed to apply: %v", err)
|
||||||
|
}
|
||||||
|
c := containers.Container{ID: t.Name()}
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
name string
|
||||||
|
additionalGIDs []uint32
|
||||||
|
groups []string
|
||||||
|
expected []uint32
|
||||||
|
err string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "no additional gids",
|
||||||
|
groups: []string{},
|
||||||
|
expected: []uint32{0},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "no additional gids, append root group",
|
||||||
|
groups: []string{"root"},
|
||||||
|
err: fmt.Sprintf("unable to find group root: open %s: no such file or directory", filepath.Join(td, "etc", "group")),
|
||||||
|
expected: []uint32{0},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "append group id",
|
||||||
|
groups: []string{"999"},
|
||||||
|
expected: []uint32{0, 999},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, testCase := range testCases {
|
||||||
|
testCase := testCase
|
||||||
|
t.Run(testCase.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
s := Spec{
|
||||||
|
Version: specs.Version,
|
||||||
|
Root: &specs.Root{
|
||||||
|
Path: td,
|
||||||
|
},
|
||||||
|
Process: &specs.Process{
|
||||||
|
User: specs.User{
|
||||||
|
AdditionalGids: testCase.additionalGIDs,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
err := WithAppendAdditionalGroups(testCase.groups...)(context.Background(), nil, &c, &s)
|
||||||
|
if err != nil {
|
||||||
|
assert.EqualError(t, err, testCase.err)
|
||||||
|
}
|
||||||
|
assert.Equal(t, testCase.expected, s.Process.User.AdditionalGids)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestWithLinuxDeviceFollowSymlinks(t *testing.T) {
|
func TestWithLinuxDeviceFollowSymlinks(t *testing.T) {
|
||||||
|
|
||||||
// Create symlink to /dev/zero for the symlink test case
|
// Create symlink to /dev/zero for the symlink test case
|
||||||
|
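Review bot: The subtest checks the error only when one is returned (`if err != nil { assert.EqualError(t, err, testCase.err) }`), so a case that sets `err` but gets nil back is not caught by that check, and the success cases never assert that no error occurred. I would branch on the expectation instead: `if testCase.err != "" { assert.EqualError(t, err, testCase.err) } else { assert.NoError(t, err) }`. A further case with a group file that is present but malformed or unreadable, combined with numeric-only groups, would pin down what the option is meant to do there.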