Add RunAsUsername support.

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-08-25 00:36:25 +00:00 · 2017-08-25 00:36:25 +00:00 · a80df151d1
commit a80df151d1
parent e1f74f00a5
5 changed files with 30 additions and 4 deletions
--- a/hack/test-cri.sh
+++ b/hack/test-cri.sh
@ -21,7 +21,7 @@ source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
 # FOCUS focuses the test to run.
 FOCUS=${FOCUS:-}
 # SKIP skips the test to skip.
-SKIP=${SKIP:-"RunAsUserName"}
+SKIP=${SKIP:-""}
 REPORT_DIR=${REPORT_DIR:-"/tmp/test-cri"}
 if [[ -z "${GOPATH}" ]]; then
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -135,8 +135,16 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 		containerMetadataLabel: string(metaBytes),
 	}
 	specOpts := containerd.WithSpec(spec)
 	// Set container username. This could only be done by containerd, because it needs
 	// access to the container rootfs. Pass user name to containerd, and let it overwrite
 	// the spec for us.
 	if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
 		specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
 	}
 	opts = append(opts,
-		containerd.WithSpec(spec),
+		specOpts,
 		containerd.WithRuntime(defaultRuntime),
 		containerd.WithContainerLabels(labels))
 	var cntr containerd.Container
@ -257,9 +265,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 	// Set namespaces, share namespace with sandbox container.
 	setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
 	// TODO(random-liu): [P1] Set username.
 	runAsUser := securityContext.GetRunAsUser()
 	if runAsUser != nil {
 		// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
 		g.SetProcessUID(uint32(runAsUser.GetValue()))
 	}
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -91,6 +91,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 				},
 				SupplementalGroups: []int64{1111, 2222},
 				NoNewPrivs:         true,
 				RunAsUser:          &runtime.Int64Value{Value: 255},
 			},
 		},
 	}
@ -143,6 +144,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 		assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
 		assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")
 		t.Logf("Check uid")
 		assert.EqualValues(t, spec.Process.User.UID, 255)
 		t.Logf("Check supplemental groups")
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@ -274,9 +274,9 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 	// TODO(random-liu): [P1] Apply SeLinux options.
 	// TODO(random-liu): [P1] Set username.
 	runAsUser := securityContext.GetRunAsUser()
 	if runAsUser != nil {
 		// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
 		g.SetProcessUID(uint32(runAsUser.GetValue()))
 	}
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@ -128,6 +128,20 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 			},
 			expectErr: true,
 		},
 		"should set user correctly": {
 			configChange: func(c *runtime.PodSandboxConfig) {
 				c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
 					RunAsUser:          &runtime.Int64Value{Value: 255},
 					SupplementalGroups: []int64{1111, 2222},
 				}
 			},
 			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
 				require.NotNil(t, spec.Process)
 				assert.EqualValues(t, spec.Process.User.UID, 255)
 				assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 				assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 			},
 		},
 	} {
 		t.Logf("TestCase %q", desc)
 		c := newTestCRIContainerdService()