Add RunAsUsername support.

Signed-off-by: Lantao Liu <lantaol@google.com>
Lantao Liu
2017-08-25 00:36:25 +00:00
parent e1f74f00a5
commit a80df151d1
5 changed files with 30 additions and 4 deletions


@@ -135,8 +135,16 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
containerMetadataLabel: string(metaBytes),
}
specOpts := containerd.WithSpec(spec)
// Set container username. This could only be done by containerd, because it needs
// access to the container rootfs. Pass user name to containerd, and let it overwrite
// the spec for us.
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
}
opts = append(opts,
containerd.WithSpec(spec),
specOpts,
containerd.WithRuntime(defaultRuntime),
containerd.WithContainerLabels(labels))
var cntr containerd.Container
@@ -257,9 +265,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
// Set namespaces, share namespace with sandbox container.
setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
// TODO(random-liu): [P1] Set username.
runAsUser := securityContext.GetRunAsUser()
if runAsUser != nil {
// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
g.SetProcessUID(uint32(runAsUser.GetValue()))
}
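Review bot: In the first hunk the `RunAsUsername` branch (`specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))`) is applied after `generateContainerSpec` has already set the process UID from `RunAsUser` (second hunk), and the new comment states that containerd overwrites the spec, so when a caller sets both fields the username silently wins and the numeric UID the caller requested is discarded. If the CRI contract treats the two fields as mutually exclusive this should be an explicit error rather than an implicit precedence, e.g. `if username != "" && config.GetLinux().GetSecurityContext().GetRunAsUser() != nil { return nil, fmt.Errorf("run_as_user and run_as_username are mutually exclusive") }` placed just before the `WithUsername` branch (using whichever error constructor the file already imports); otherwise the comment should at least say which field takes precedence. The name is resolved against the image's own rootfs, i.e. `/etc/passwd` content the image author controls, so it is worth confirming that the vendored `WithUsername` makes container creation fail when the name cannot be resolved instead of leaving the process at UID 0, and recording that expectation next to the branch: `// WithUsername resolves the name in the image's /etc/passwd; creation must fail if it is absent.` The second hunk appears to continue past the visible lines, and `generateContainerSpec` starts and ends outside it.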