Allow setting the uid & gid of the io pipes

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2017-10-10 08:18:35 -07:00 · 2017-10-10 08:18:35 -07:00 · c807ba8379
commit c807ba8379
parent 72bb45ac46
11 changed files with 216 additions and 126 deletions
--- a/container_linux_test.go
+++ b/container_linux_test.go
@ -979,3 +979,93 @@ func TestContainerKillInitPidHost(t *testing.T) {
 		t.Error(err)
 	}
 }
+
+func TestUserNamespaces(t *testing.T) {
+	t.Parallel()
+	t.Run("WritableRootFS", func(t *testing.T) { testUserNamespaces(t, false) })
+	// see #1373 and runc#1572
+	t.Run("ReadonlyRootFS", func(t *testing.T) { testUserNamespaces(t, true) })
+}
+
+func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
+	client, err := newClient(t, address)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	var (
+		image       Image
+		ctx, cancel = testContext()
+		id          = strings.Replace(t.Name(), "/", "-", -1)
+	)
+	defer cancel()
+
+	image, err = client.GetImage(ctx, testImage)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	opts := []NewContainerOpts{WithNewSpec(withImageConfig(image),
+		withExitStatus(7),
+		WithUserNamespace(0, 1000, 10000),
+	)}
+	if readonlyRootFS {
+		opts = append(opts, withRemappedSnapshotView(id, image, 1000, 1000))
+	} else {
+		opts = append(opts, withRemappedSnapshot(id, image, 1000, 1000))
+	}
+
+	container, err := client.NewContainer(ctx, id, opts...)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer container.Delete(ctx, WithSnapshotCleanup)
+
+	task, err := container.NewTask(ctx, Stdio, func(_ context.Context, client *Client, r *TaskInfo) error {
+		r.Options = &runcopts.CreateOptions{
+			IoUid: 1000,
+			IoGid: 1000,
+		}
+		return nil
+	})
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer task.Delete(ctx)
+
+	statusC, err := task.Wait(ctx)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if pid := task.Pid(); pid <= 0 {
+		t.Errorf("invalid task pid %d", pid)
+	}
+	if err := task.Start(ctx); err != nil {
+		t.Error(err)
+		task.Delete(ctx)
+		return
+	}
+	status := <-statusC
+	code, _, err := status.Result()
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if code != 7 {
+		t.Errorf("expected status 7 from wait but received %d", code)
+	}
+	deleteStatus, err := task.Delete(ctx)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if ec := deleteStatus.ExitCode(); ec != 7 {
+		t.Errorf("expected status 7 from delete but received %d", ec)
+	}
+}
--- a/container_test.go
+++ b/container_test.go
@ -706,92 +706,6 @@ func TestContainerExecNoBinaryExists(t *testing.T) {
 	<-finishedC
 }

-func TestUserNamespaces(t *testing.T) {
-	t.Parallel()
-	t.Run("WritableRootFS", func(t *testing.T) { testUserNamespaces(t, false) })
-	// see #1373 and runc#1572
-	t.Run("ReadonlyRootFS", func(t *testing.T) { testUserNamespaces(t, true) })
-}
-
-func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
-	client, err := newClient(t, address)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer client.Close()
-
-	var (
-		image       Image
-		ctx, cancel = testContext()
-		id          = strings.Replace(t.Name(), "/", "-", -1)
-	)
-	defer cancel()
-
-	if runtime.GOOS != "windows" {
-		image, err = client.GetImage(ctx, testImage)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-	}
-
-	opts := []NewContainerOpts{WithNewSpec(withImageConfig(image),
-		withExitStatus(7),
-		withUserNamespace(0, 1000, 10000),
-	)}
-	if readonlyRootFS {
-		opts = append(opts, withRemappedSnapshotView(id, image, 1000, 1000))
-	} else {
-		opts = append(opts, withRemappedSnapshot(id, image, 1000, 1000))
-	}
-
-	container, err := client.NewContainer(ctx, id, opts...)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	defer container.Delete(ctx, WithSnapshotCleanup)
-
-	task, err := container.NewTask(ctx, empty())
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	defer task.Delete(ctx)
-
-	statusC, err := task.Wait(ctx)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	if pid := task.Pid(); pid <= 0 {
-		t.Errorf("invalid task pid %d", pid)
-	}
-	if err := task.Start(ctx); err != nil {
-		t.Error(err)
-		task.Delete(ctx)
-		return
-	}
-	status := <-statusC
-	code, _, err := status.Result()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if code != 7 {
-		t.Errorf("expected status 7 from wait but received %d", code)
-	}
-	deleteStatus, err := task.Delete(ctx)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if ec := deleteStatus.ExitCode(); ec != 7 {
-		t.Errorf("expected status 7 from delete but received %d", ec)
-	}
-}
-
 func TestWaitStoppedTask(t *testing.T) {
 	t.Parallel()

--- a/helpers_unix_test.go
+++ b/helpers_unix_test.go
@ -40,7 +40,6 @@ func withExecArgs(s *specs.Process, args ...string) {
 }

 var (
-	withUserNamespace        = WithUserNamespace
 	withRemappedSnapshot     = WithRemappedSnapshot
 	withRemappedSnapshotView = WithRemappedSnapshotView
 	withNewSnapshot          = WithNewSnapshot
--- a/helpers_windows_test.go
+++ b/helpers_windows_test.go
@ -53,10 +53,6 @@ func withNewSnapshot(id string, i Image) NewContainerOpts {
 	}
 }

-func withUserNamespace(u, g, s uint32) SpecOpts {
-	return withNoop
-}
-
 func withRemappedSnapshot(id string, i Image, u, g uint32) NewContainerOpts {
 	return func(ctx context.Context, client *Client, c *containers.Container) error {
 		return nil
--- a/linux/runcopts/next.pb.txt
+++ b/linux/runcopts/next.pb.txt
@ -98,6 +98,20 @@ file {
      type: TYPE_STRING
      json_name: "shimCgroup"
    }
+    field {
+      name: "io_uid"
+      number: 10
+      label: LABEL_OPTIONAL
+      type: TYPE_UINT32
+      json_name: "ioUid"
+    }
+    field {
+      name: "io_gid"
+      number: 11
+      label: LABEL_OPTIONAL
+      type: TYPE_UINT32
+      json_name: "ioGid"
+    }
  }
  message_type {
    name: "CheckpointOptions"
--- a/linux/runcopts/runc.pb.go
+++ b/linux/runcopts/runc.pb.go
@ -57,6 +57,8 @@ type CreateOptions struct {
 	CgroupsMode         string   `protobuf:"bytes,7,opt,name=cgroups_mode,json=cgroupsMode,proto3" json:"cgroups_mode,omitempty"`
 	NoNewKeyring        bool     `protobuf:"varint,8,opt,name=no_new_keyring,json=noNewKeyring,proto3" json:"no_new_keyring,omitempty"`
 	ShimCgroup          string   `protobuf:"bytes,9,opt,name=shim_cgroup,json=shimCgroup,proto3" json:"shim_cgroup,omitempty"`
+	IoUid               uint32   `protobuf:"varint,10,opt,name=io_uid,json=ioUid,proto3" json:"io_uid,omitempty"`
+	IoGid               uint32   `protobuf:"varint,11,opt,name=io_gid,json=ioGid,proto3" json:"io_gid,omitempty"`
 }

 func (m *CreateOptions) Reset()                    { *m = CreateOptions{} }
@ -230,6 +232,16 @@ func (m *CreateOptions) MarshalTo(dAtA []byte) (int, error) {
 		i = encodeVarintRunc(dAtA, i, uint64(len(m.ShimCgroup)))
 		i += copy(dAtA[i:], m.ShimCgroup)
 	}
+	if m.IoUid != 0 {
+		dAtA[i] = 0x50
+		i++
+		i = encodeVarintRunc(dAtA, i, uint64(m.IoUid))
+	}
+	if m.IoGid != 0 {
+		dAtA[i] = 0x58
+		i++
+		i = encodeVarintRunc(dAtA, i, uint64(m.IoGid))
+	}
 	return i, nil
 }

@ -405,6 +417,12 @@ func (m *CreateOptions) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovRunc(uint64(l))
 	}
+	if m.IoUid != 0 {
+		n += 1 + sovRunc(uint64(m.IoUid))
+	}
+	if m.IoGid != 0 {
+		n += 1 + sovRunc(uint64(m.IoGid))
+	}
 	return n
 }

@ -479,6 +497,8 @@ func (this *CreateOptions) String() string {
 		`CgroupsMode:` + fmt.Sprintf("%v", this.CgroupsMode) + `,`,
 		`NoNewKeyring:` + fmt.Sprintf("%v", this.NoNewKeyring) + `,`,
 		`ShimCgroup:` + fmt.Sprintf("%v", this.ShimCgroup) + `,`,
+		`IoUid:` + fmt.Sprintf("%v", this.IoUid) + `,`,
+		`IoGid:` + fmt.Sprintf("%v", this.IoGid) + `,`,
 		`}`,
 	}, "")
 	return s
@ -900,6 +920,44 @@ func (m *CreateOptions) Unmarshal(dAtA []byte) error {
 			}
 			m.ShimCgroup = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IoUid", wireType)
+			}
+			m.IoUid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRunc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.IoUid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 11:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IoGid", wireType)
+			}
+			m.IoGid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRunc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.IoGid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRunc(dAtA[iNdEx:])
@ -1239,35 +1297,36 @@ func init() {
 }

 var fileDescriptorRunc = []byte{
-	// 467 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x93, 0x41, 0x6f, 0xd3, 0x40,
-	0x10, 0x85, 0xbb, 0x6d, 0x69, 0x9d, 0x4d, 0x53, 0x60, 0xa1, 0x92, 0x29, 0xc2, 0x84, 0x08, 0xa4,
-	0x70, 0x49, 0x24, 0xb8, 0x20, 0xb8, 0x91, 0x23, 0x50, 0x2a, 0x03, 0x17, 0x2e, 0x2b, 0x77, 0x33,
-	0x24, 0xab, 0xd8, 0x33, 0xab, 0xdd, 0x35, 0x75, 0x6e, 0xfc, 0x02, 0x7e, 0x57, 0x8f, 0x88, 0x13,
-	0x47, 0x9a, 0x3f, 0x02, 0xf2, 0xda, 0x2e, 0x5c, 0xb9, 0x72, 0x7b, 0xf3, 0xbd, 0xb1, 0xe7, 0xe9,
-	0x49, 0xcb, 0x9f, 0x2f, 0xb4, 0x5f, 0x96, 0x67, 0x13, 0x45, 0xc5, 0x54, 0x11, 0xfa, 0x4c, 0x23,
-	0xd8, 0xf9, 0xdf, 0x32, 0xd7, 0x58, 0x56, 0x53, 0x5b, 0xa2, 0x22, 0xe3, 0x5d, 0x10, 0x13, 0x63,
-	0xc9, 0x93, 0x38, 0xfa, 0xb3, 0x35, 0x09, 0x5b, 0x93, 0xda, 0x3c, 0xbe, 0xbd, 0xa0, 0x05, 0x85,
-	0x8d, 0x69, 0xad, 0x9a, 0xe5, 0xd1, 0x57, 0xc6, 0xfb, 0x69, 0x89, 0xea, 0xad, 0xf1, 0x9a, 0xd0,
-	0x89, 0x98, 0xef, 0xdb, 0x12, 0xbd, 0x2e, 0x20, 0x66, 0x43, 0x36, 0xee, 0xa5, 0xdd, 0x28, 0x1e,
-	0xf0, 0x83, 0x56, 0x4a, 0x4b, 0xe4, 0xe3, 0xed, 0x60, 0xf7, 0x5b, 0x96, 0x12, 0x79, 0x71, 0x97,
-	0xf7, 0x94, 0xd5, 0xa5, 0x34, 0x99, 0x5f, 0xc6, 0x3b, 0xc1, 0x8f, 0x6a, 0x70, 0x9a, 0xf9, 0xa5,
-	0x78, 0xc4, 0x0f, 0xdd, 0xda, 0x79, 0x28, 0xe6, 0x52, 0x2d, 0x2c, 0x95, 0x26, 0xde, 0x1d, 0xb2,
-	0x71, 0x94, 0x0e, 0x5a, 0x3a, 0x0b, 0x70, 0xf4, 0x7d, 0x9b, 0x0f, 0x66, 0x16, 0x32, 0x0f, 0x5d,
-	0xa4, 0x11, 0x1f, 0x20, 0x49, 0xa3, 0x3f, 0x93, 0x6f, 0x2e, 0xb3, 0xf0, 0x5d, 0x1f, 0xe9, 0xb4,
-	0x66, 0xe1, 0xf2, 0x1d, 0x1e, 0x91, 0x01, 0x94, 0x5e, 0x99, 0x10, 0x2c, 0x4a, 0xf7, 0xeb, 0xf9,
-	0xbd, 0x32, 0xe2, 0x09, 0x3f, 0x82, 0xca, 0x83, 0xc5, 0x2c, 0x97, 0x25, 0xea, 0x4a, 0x3a, 0x52,
-	0x2b, 0xf0, 0x2e, 0x04, 0x8c, 0xd2, 0x5b, 0x9d, 0xf9, 0x01, 0x75, 0xf5, 0xae, 0xb1, 0xc4, 0x31,
-	0x8f, 0x3c, 0xd8, 0x42, 0x63, 0x96, 0xb7, 0x29, 0xaf, 0x66, 0x71, 0x8f, 0xf3, 0x4f, 0x3a, 0x07,
-	0x99, 0x93, 0x5a, 0xb9, 0xf8, 0x5a, 0x70, 0x7b, 0x35, 0x79, 0x5d, 0x03, 0xf1, 0x98, 0xdf, 0x80,
-	0xc2, 0xf8, 0xb5, 0xc4, 0xac, 0x00, 0x67, 0x32, 0x05, 0x2e, 0xde, 0x1b, 0xee, 0x8c, 0x7b, 0xe9,
-	0xf5, 0xc0, 0x4f, 0xae, 0x70, 0xdd, 0x68, 0xd3, 0x84, 0x93, 0x05, 0xcd, 0x21, 0xde, 0x6f, 0x1a,
-	0x6d, 0xd9, 0x1b, 0x9a, 0x83, 0x78, 0xc8, 0x0f, 0x91, 0x24, 0xc2, 0xb9, 0x5c, 0xc1, 0xda, 0x6a,
-	0x5c, 0xc4, 0x51, 0x38, 0x78, 0x80, 0x74, 0x02, 0xe7, 0xaf, 0x1a, 0x26, 0xee, 0xf3, 0xbe, 0x5b,
-	0xea, 0xa2, 0xeb, 0xb5, 0x17, 0xfe, 0xc3, 0x6b, 0xd4, 0x96, 0xfa, 0x8b, 0xf1, 0x9b, 0xb3, 0x25,
-	0xa8, 0x95, 0x21, 0x8d, 0xbe, 0x2b, 0x56, 0xf0, 0x5d, 0xa8, 0x74, 0xd7, 0x67, 0xd0, 0xff, 0x6b,
-	0x91, 0x2f, 0xd3, 0x8b, 0xcb, 0x64, 0xeb, 0xc7, 0x65, 0xb2, 0xf5, 0x65, 0x93, 0xb0, 0x8b, 0x4d,
-	0xc2, 0xbe, 0x6d, 0x12, 0xf6, 0x73, 0x93, 0xb0, 0x8f, 0xcf, 0xfe, 0xf1, 0xa9, 0xbd, 0xe8, 0xc4,
-	0xd9, 0x5e, 0x78, 0x42, 0x4f, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0xe6, 0x26, 0x29, 0x60, 0xad,
-	0x03, 0x00, 0x00,
+	// 495 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x93, 0x31, 0x6f, 0xd3, 0x40,
+	0x14, 0xc7, 0x7b, 0xb4, 0x4d, 0x9c, 0x4b, 0x53, 0xe0, 0x20, 0xd2, 0x51, 0x84, 0x09, 0x11, 0x48,
+	0x61, 0x49, 0x24, 0x58, 0x10, 0x6c, 0x64, 0x60, 0x00, 0x4a, 0x65, 0xe8, 0xc2, 0x72, 0x72, 0xcf,
+	0x87, 0xf3, 0x94, 0xf8, 0xde, 0xe9, 0xee, 0x4c, 0x93, 0xad, 0x9f, 0x80, 0xcf, 0xd5, 0x91, 0x91,
+	0x91, 0xe6, 0x8b, 0x80, 0x7c, 0xb6, 0x0b, 0x2b, 0x2b, 0xdb, 0xff, 0xfd, 0xfe, 0xcf, 0x7e, 0x4f,
+	0xff, 0xd3, 0xa3, 0x2f, 0x73, 0xf0, 0x8b, 0xf2, 0x6c, 0x2a, 0xb1, 0x98, 0x49, 0xd4, 0x3e, 0x05,
+	0xad, 0x6c, 0xf6, 0xb7, 0x5c, 0x81, 0x2e, 0xd7, 0x33, 0x5b, 0x6a, 0x89, 0xc6, 0xbb, 0x20, 0xa6,
+	0xc6, 0xa2, 0x47, 0x36, 0xfc, 0xd3, 0x35, 0x0d, 0x5d, 0xd3, 0xca, 0x3c, 0xba, 0x9b, 0x63, 0x8e,
+	0xa1, 0x63, 0x56, 0xa9, 0xba, 0x79, 0xfc, 0x8d, 0xd0, 0x7e, 0x52, 0x6a, 0xf9, 0xc1, 0x78, 0x40,
+	0xed, 0x18, 0xa7, 0x5d, 0x5b, 0x6a, 0x0f, 0x85, 0xe2, 0x64, 0x44, 0x26, 0xbd, 0xa4, 0x2d, 0xd9,
+	0x23, 0x7a, 0xd0, 0x48, 0x61, 0x11, 0x3d, 0xbf, 0x11, 0xec, 0x7e, 0xc3, 0x12, 0x44, 0xcf, 0xee,
+	0xd3, 0x9e, 0xb4, 0x50, 0x0a, 0x93, 0xfa, 0x05, 0xdf, 0x0d, 0x7e, 0x54, 0x81, 0x93, 0xd4, 0x2f,
+	0xd8, 0x13, 0x7a, 0xe8, 0x36, 0xce, 0xab, 0x22, 0x13, 0x32, 0xb7, 0x58, 0x1a, 0xbe, 0x37, 0x22,
+	0x93, 0x28, 0x19, 0x34, 0x74, 0x1e, 0xe0, 0xf8, 0x62, 0x97, 0x0e, 0xe6, 0x56, 0xa5, 0x5e, 0xb5,
+	0x2b, 0x8d, 0xe9, 0x40, 0xa3, 0x30, 0xf0, 0x15, 0x7d, 0x3d, 0x99, 0x84, 0xef, 0xfa, 0x1a, 0x4f,
+	0x2a, 0x16, 0x26, 0xdf, 0xa3, 0x11, 0x1a, 0xa5, 0x85, 0x97, 0x26, 0x2c, 0x16, 0x25, 0xdd, 0xaa,
+	0xfe, 0x24, 0x0d, 0x7b, 0x46, 0x87, 0x6a, 0xed, 0x95, 0xd5, 0xe9, 0x4a, 0x94, 0x1a, 0xd6, 0xc2,
+	0xa1, 0x5c, 0x2a, 0xef, 0xc2, 0x82, 0x51, 0x72, 0xa7, 0x35, 0x4f, 0x35, 0xac, 0x3f, 0xd6, 0x16,
+	0x3b, 0xa2, 0x91, 0x57, 0xb6, 0x00, 0x9d, 0xae, 0x9a, 0x2d, 0xaf, 0x6b, 0xf6, 0x80, 0xd2, 0x2f,
+	0xb0, 0x52, 0x62, 0x85, 0x72, 0xe9, 0xf8, 0x7e, 0x70, 0x7b, 0x15, 0x79, 0x57, 0x01, 0xf6, 0x94,
+	0xde, 0x52, 0x85, 0xf1, 0x1b, 0xa1, 0xd3, 0x42, 0x39, 0x93, 0x4a, 0xe5, 0x78, 0x67, 0xb4, 0x3b,
+	0xe9, 0x25, 0x37, 0x03, 0x3f, 0xbe, 0xc6, 0x55, 0xa2, 0x75, 0x12, 0x4e, 0x14, 0x98, 0x29, 0xde,
+	0xad, 0x13, 0x6d, 0xd8, 0x7b, 0xcc, 0x14, 0x7b, 0x4c, 0x0f, 0x35, 0x0a, 0xad, 0xce, 0xc5, 0x52,
+	0x6d, 0x2c, 0xe8, 0x9c, 0x47, 0x61, 0xe0, 0x81, 0xc6, 0x63, 0x75, 0xfe, 0xb6, 0x66, 0xec, 0x21,
+	0xed, 0xbb, 0x05, 0x14, 0x6d, 0xae, 0xbd, 0xf0, 0x1f, 0x5a, 0xa1, 0x3a, 0x54, 0x36, 0xa4, 0x1d,
+	0x40, 0x51, 0x42, 0xc6, 0xe9, 0x88, 0x4c, 0x06, 0xc9, 0x3e, 0xe0, 0x29, 0x64, 0x0d, 0xce, 0x21,
+	0xe3, 0xfd, 0x16, 0xbf, 0x81, 0x6c, 0xfc, 0x8b, 0xd0, 0xdb, 0xf3, 0x85, 0x92, 0x4b, 0x83, 0xa0,
+	0x7d, 0xfb, 0x0c, 0x8c, 0xee, 0xa9, 0x35, 0xb4, 0xe9, 0x07, 0xfd, 0xbf, 0xc6, 0xfe, 0x3a, 0xb9,
+	0xbc, 0x8a, 0x77, 0x7e, 0x5c, 0xc5, 0x3b, 0x17, 0xdb, 0x98, 0x5c, 0x6e, 0x63, 0xf2, 0x7d, 0x1b,
+	0x93, 0x9f, 0xdb, 0x98, 0x7c, 0x7e, 0xf1, 0x8f, 0x87, 0xf9, 0xaa, 0x15, 0x67, 0x9d, 0x70, 0x70,
+	0xcf, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0xbe, 0xbb, 0xf0, 0x6c, 0xdb, 0x03, 0x00, 0x00,
 }
--- a/linux/runcopts/runc.proto
+++ b/linux/runcopts/runc.proto
@ -23,6 +23,8 @@ message CreateOptions {
 	string cgroups_mode = 7;
 	bool no_new_keyring = 8;
 	string shim_cgroup = 9;
+	uint32 io_uid = 10;
+	uint32 io_gid = 11;
 }

 message CheckpointOptions {
--- a/linux/shim/exec.go
+++ b/linux/shim/exec.go
@ -157,7 +157,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 			return errors.Wrap(err, "creating new NULL IO")
 		}
 	} else {
-		if e.io, err = runc.NewPipeIO(); err != nil {
+		if e.io, err = runc.NewPipeIO(e.parent.IoUID, e.parent.IoGID); err != nil {
 			return errors.Wrap(err, "failed to create runc io pipes")
 		}
 	}
--- a/linux/shim/init.go
+++ b/linux/shim/init.go
@ -57,6 +57,8 @@ type initProcess struct {
 	stdin    io.Closer
 	stdio    stdio
 	rootfs   string
+	IoUID    int
+	IoGID    int
 }

 func (s *Service) newInitProcess(context context.Context, r *shimapi.CreateTaskRequest) (*initProcess, error) {
@ -120,6 +122,8 @@ func (s *Service) newInitProcess(context context.Context, r *shimapi.CreateTaskR
 		workDir:   s.config.WorkDir,
 		status:    0,
 		waitBlock: make(chan struct{}),
+		IoUID:     int(options.IoUid),
+		IoGID:     int(options.IoGid),
 	}
 	p.initState = &createdState{p: p}
 	var (
@ -136,7 +140,7 @@ func (s *Service) newInitProcess(context context.Context, r *shimapi.CreateTaskR
 			return nil, errors.Wrap(err, "creating new NULL IO")
 		}
 	} else {
-		if p.io, err = runc.NewPipeIO(); err != nil {
+		if p.io, err = runc.NewPipeIO(int(options.IoUid), int(options.IoGid)); err != nil {
 			return nil, errors.Wrap(err, "failed to create OCI runtime io pipes")
 		}
 	}
--- a/vendor.conf
+++ b/vendor.conf
@ -1,5 +1,5 @@
 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6
-github.com/containerd/go-runc b3c048c028ddd789c6f9510c597f8b9c62f25359
+github.com/containerd/go-runc 633fd07c086ff591adaa2849278764771d791f6f
 github.com/containerd/console 84eeaae905fa414d03e07bcd6c8d3f19e7cf180e
 github.com/containerd/cgroups 9c238e632e80d94f71a067c3deb9b34b1886ef18
 github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788
--- a/vendor/github.com/containerd/go-runc/io.go
+++ b/vendor/github.com/containerd/go-runc/io.go
@ -4,6 +4,9 @@ import (
 	"io"
 	"os"
 	"os/exec"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
 )

 type IO interface {
@ -19,7 +22,7 @@ type StartCloser interface {
 }

 // NewPipeIO creates pipe pairs to be used with runc
-func NewPipeIO() (i IO, err error) {
+func NewPipeIO(uid, gid int) (i IO, err error) {
 	var pipes []*pipe
 	// cleanup in case of an error
 	defer func() {
@ -34,18 +37,27 @@ func NewPipeIO() (i IO, err error) {
 		return nil, err
 	}
 	pipes = append(pipes, stdin)
+	if err = unix.Fchown(int(stdin.r.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stdin")
+	}

 	stdout, err := newPipe()
 	if err != nil {
 		return nil, err
 	}
 	pipes = append(pipes, stdout)
+	if err = unix.Fchown(int(stdout.w.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stdout")
+	}

 	stderr, err := newPipe()
 	if err != nil {
 		return nil, err
 	}
 	pipes = append(pipes, stderr)
+	if err = unix.Fchown(int(stderr.w.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stderr")
+	}

 	return &pipeIO{
 		in:  stdin,