Use containerd WithUserID.

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-08-25 21:03:16 +00:00 · 2017-08-25 21:03:16 +00:00 · 270e09ab26
commit 270e09ab26
parent 55d3abdb89
5 changed files with 13 additions and 26 deletions
--- a/hack/test-e2e-node.sh
+++ b/hack/test-e2e-node.sh
@ -19,7 +19,6 @@ set -o pipefail
 source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh

 DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
-DEFAULT_SKIP+="|runAsUser"
 DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -140,16 +140,18 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 		containerMetadataLabel: string(metaBytes),
 	}

-	specOpts := containerd.WithSpec(spec)
+	var specOpts []containerd.SpecOpts
 	// Set container username. This could only be done by containerd, because it needs
 	// access to the container rootfs. Pass user name to containerd, and let it overwrite
 	// the spec for us.
-	if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
-		specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
+	if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
+		specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
+	}
+	if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
+		specOpts = append(specOpts, containerd.WithUsername(username))
 	}
-
 	opts = append(opts,
-		specOpts,
+		containerd.WithSpec(spec, specOpts...),
 		containerd.WithRuntime(defaultRuntime),
 		containerd.WithContainerLabels(labels))
 	var cntr containerd.Container
@ -270,12 +272,6 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 	// Set namespaces, share namespace with sandbox container.
 	setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)

-	runAsUser := securityContext.GetRunAsUser()
-	if runAsUser != nil {
-		// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
-		g.SetProcessUID(uint32(runAsUser.GetValue()))
-	}
-
 	supplementalGroups := securityContext.GetSupplementalGroups()
 	for _, group := range supplementalGroups {
 		g.AddProcessAdditionalGid(uint32(group))
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -91,7 +91,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 				},
 				SupplementalGroups: []int64{1111, 2222},
 				NoNewPrivs:         true,
-				RunAsUser:          &runtime.Int64Value{Value: 255},
 			},
 		},
 	}
@ -144,9 +143,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 		assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
 		assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")

-		t.Logf("Check uid")
-		assert.EqualValues(t, spec.Process.User.UID, 255)
-
 		t.Logf("Check supplemental groups")
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@ -126,8 +126,12 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 		sandboxMetadataLabel: string(metaBytes),
 	}

+	var specOpts []containerd.SpecOpts
+	if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
+		specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
+	}
 	opts := []containerd.NewContainerOpts{
-		containerd.WithSpec(spec),
+		containerd.WithSpec(spec, specOpts...),
 		containerd.WithContainerLabels(labels),
 		containerd.WithRuntime(defaultRuntime),
 		containerd.WithNewSnapshotView(id, image.Image)}
@ -268,12 +272,6 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r

 	// TODO(random-liu): [P1] Apply SeLinux options.

-	runAsUser := securityContext.GetRunAsUser()
-	if runAsUser != nil {
-		// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
-		g.SetProcessUID(uint32(runAsUser.GetValue()))
-	}
-
 	supplementalGroups := securityContext.GetSupplementalGroups()
 	for _, group := range supplementalGroups {
 		g.AddProcessAdditionalGid(uint32(group))
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@ -128,16 +128,14 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 			},
 			expectErr: true,
 		},
-		"should set user correctly": {
+		"should set supplemental groups correctly": {
 			configChange: func(c *runtime.PodSandboxConfig) {
 				c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
-					RunAsUser:          &runtime.Int64Value{Value: 255},
 					SupplementalGroups: []int64{1111, 2222},
 				}
 			},
 			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
 				require.NotNil(t, spec.Process)
-				assert.EqualValues(t, spec.Process.User.UID, 255)
 				assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 				assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 			},