github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

oci: fix additional GIDs

Browse Source 
Test suite:
```yaml

---
apiVersion: v1
kind: Pod
metadata:
  name: test-no-option
  annotations:
    description: "Equivalent of `docker run` (no option)"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
---
apiVersion: v1
kind: Pod
metadata:
  name: test-group-add-1-group-add-1234
  annotations:
    description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
  securityContext:
    supplementalGroups: [1, 1234]
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234
  annotations:
    description: "Equivalent of `docker run --user 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
  securityContext:
    runAsUser: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-1234
  annotations:
    description: "Equivalent of `docker run --user 1234:1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
  securityContext:
    runAsUser: 1234
    runAsGroup: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-group-add-1234
  annotations:
    description: "Equivalent of `docker run --user 1234 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
  securityContext:
    runAsUser: 1234
    supplementalGroups: [1234]
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda
2022-12-24 20:09:04 +09:00
parent ef2560d166
commit 3eda46af12
6 changed files with 169 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
oci/spec_opts_linux_test.go
View File

@@ -180,23 +180,23 @@ sys:x:3:root,bin,adm
}{
{
user: "root",
expected: []uint32{1, 2, 3},
expected: []uint32{0, 1, 2, 3},
},
{
user: "1000",
expected: nil,
expected: []uint32{0},
},
{
user: "bin",
expected: []uint32{2, 3},
expected: []uint32{0, 2, 3},
},
{
user: "bin:root",
expected: []uint32{},
expected: []uint32{0},
},
{
user: "daemon",
expected: []uint32{1},
expected: []uint32{0, 1},
},
}
for _, testCase := range testCases {
@@ -461,8 +461,9 @@ daemon:x:2:root,bin,daemon
err string
}{
{
name: "no additional gids",
groups: []string{},
name: "no additional gids",
groups: []string{},
expected: []uint32{0},
},
{
name: "no additional gids, append root gid",
@@ -472,7 +473,7 @@ daemon:x:2:root,bin,daemon
{
name: "no additional gids, append bin and daemon gids",
groups: []string{"bin", "daemon"},
expected: []uint32{1, 2},
expected: []uint32{0, 1, 2},
},
{
name: "has root additional gids, append bin and daemon gids",
@@ -483,12 +484,13 @@ daemon:x:2:root,bin,daemon
{
name: "append group id",
groups: []string{"999"},
expected: []uint32{999},
expected: []uint32{0, 999},
},
{
name: "unknown group",
groups: []string{"unknown"},
err: "unable to find group unknown",
name: "unknown group",
groups: []string{"unknown"},
err: "unable to find group unknown",
expected: []uint32{0},
},
}