diff --git a/hack/test-cri.sh b/hack/test-cri.sh
index c03184b32..c9b61067b 100755
--- a/hack/test-cri.sh
+++ b/hack/test-cri.sh
@@ -21,7 +21,7 @@ source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
 # FOCUS focuses the test to run.
 FOCUS=${FOCUS:-}
 # SKIP skips the test to skip.
-SKIP=${SKIP:-"RunAsUserName"}
+SKIP=${SKIP:-""}
 REPORT_DIR=${REPORT_DIR:-"/tmp/test-cri"}
 if [[ -z "${GOPATH}" ]]; then
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index bc617bf6d..cd0857ea2 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -135,8 +135,16 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 containerMetadataLabel: string(metaBytes),
 }
+ specOpts := containerd.WithSpec(spec)
+ // Set container username. This could only be done by containerd, because it needs
+ // access to the container rootfs. Pass user name to containerd, and let it overwrite
+ // the spec for us.
+ if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
+ specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
+ }
+
 opts = append(opts,
- containerd.WithSpec(spec),
+ specOpts,
 containerd.WithRuntime(defaultRuntime),
 containerd.WithContainerLabels(labels))
 var cntr containerd.Container
@@ -257,9 +265,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 // Set namespaces, share namespace with sandbox container.
 setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
- // TODO(random-liu): [P1] Set username.
 runAsUser := securityContext.GetRunAsUser()
 if runAsUser != nil {
+ // TODO(random-liu): We should also set gid. Use containerd#1425 instead.
 g.SetProcessUID(uint32(runAsUser.GetValue()))
 }
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index 6d2d80c68..717d1d9ca 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
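Review bot: The RunAsUsername branch added to CreateContainer is not unit-tested by this commit — the new test data in container_create_test.go only sets RunAsUser, so the containerd.WithUsername path is covered only by critest once the SKIP default is cleared. The branch also changes precedence silently: generateContainerSpec has already applied RunAsUser through g.SetProcessUID (second hunk of this file), and WithSpec(spec, WithUsername(username)) presumably rewrites spec.Process.User from the rootfs passwd lookup, so a config that sets both fields ends up with the username's uid; say so in the comment, e.g. `// RunAsUsername takes precedence over RunAsUser: containerd resolves it against the container rootfs and rewrites spec.Process.User.`. What happens when the name cannot be resolved is not visible here; the create must fail rather than fall back to uid 0, and a test pinning that outcome would guard it. CreateContainer starts and ends outside the hunk.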
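Review bot: The TODO added before g.SetProcessUID in generateContainerSpec (and the identical one in the sandbox_run.go hunk) records that gid is not set but not the consequence: with only RunAsUser in the config the process presumably keeps the generated spec's default GID, likely 0, so a non-root uid runs in the root group until containerd#1425 lands. Worth stating explicitly, e.g. `// TODO(random-liu): We should also set gid; it is currently left at the spec default (likely 0). Use containerd#1425 instead.`, so readers do not assume RunAsUser alone yields a fully non-root process. The new tests assert only spec.Process.User.UID, so this gap is also untested. generateContainerSpec starts and ends outside the hunk.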
@@ -91,6 +91,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 },
 SupplementalGroups: []int64{1111, 2222},
 NoNewPrivs: true,
+ RunAsUser: &runtime.Int64Value{Value: 255},
 },
 },
 }
@@ -143,6 +144,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
 assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")
+ t.Logf("Check uid")
+ assert.EqualValues(t, spec.Process.User.UID, 255)
+
 t.Logf("Check supplemental groups")
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index 944a62732..6be7a4ef4 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -274,9 +274,9 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 // TODO(random-liu): [P1] Apply SeLinux options.
- // TODO(random-liu): [P1] Set username.
 runAsUser := securityContext.GetRunAsUser()
 if runAsUser != nil {
+ // TODO(random-liu): We should also set gid. Use containerd#1425 instead.
 g.SetProcessUID(uint32(runAsUser.GetValue()))
 }
diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go
index df1f3874e..a69dc29e0 100644
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
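Review bot: The new assertion `assert.EqualValues(t, spec.Process.User.UID, 255)` passes the actual value in the expected slot; testify's signature is (t, expected, actual), so a failure message will report the two values swapped. Prefer `assert.EqualValues(t, 255, spec.Process.User.UID)`; the same ordering appears in the sandbox_run_test.go hunk. Asserting spec.Process.User.GID alongside the UID here would also document the group the process actually gets while the gid TODO in container_create.go is open. The closure in getCreateContainerTestData continues outside the hunk.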
@@ -128,6 +128,20 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 },
 expectErr: true,
 },
+ "should set user correctly": {
+ configChange: func(c *runtime.PodSandboxConfig) {
+ c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
+ RunAsUser: &runtime.Int64Value{Value: 255},
+ SupplementalGroups: []int64{1111, 2222},
+ }
+ },
+ specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+ require.NotNil(t, spec.Process)
+ assert.EqualValues(t, spec.Process.User.UID, 255)
+ assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
+ assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
+ },
+ },
 } {
 t.Logf("TestCase %q", desc)
 c := newTestCRIContainerdService()