
Commit 59d8363

everpeacethaJeztah
authored andcommitted
fix userstr for dditionalGids on Linux
It should fall back to imageConfig.User when neither securityContext.RunAsUser nor securityContext.RunAsUsername is set. Signed-off-by: Shingo Omura <[email protected]> (cherry picked from commit 727b254) Signed-off-by: Sebastiaan van Stijn <[email protected]>
1 parent 3787ef4 commit 59d8363

2 files changed

Lines changed: 89 additions & 3 deletions


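--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -341,12 +341,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 specOpts = append(specOpts, oci.WithUser(userstr))
 }
 
+userstr = "0" // runtime default
 if securityContext.GetRunAsUsername() != "" {
 userstr = securityContext.GetRunAsUsername()
-} else {
-// Even if RunAsUser is not set, we still call `GetValue` to get uid 0.
-// Because it is still useful to get additional gids for uid 0.
+} else if securityContext.GetRunAsUser() != nil {
 userstr = strconv.FormatInt(securityContext.GetRunAsUser().GetValue(), 10)
+} else if imageConfig.User != "" {
+parts := strings.Split(imageConfig.User, ":")
+userstr = parts[0]
 }
 specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr),
 customopts.WithSupplementalGroups(securityContext.GetSupplementalGroups()))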
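Review bot: The new image-user fallback assigns `parts[0]` of `strings.Split(imageConfig.User, ":")` unconditionally, so an image whose config `User` begins with a colon (e.g. `":1000"`) leaves `userstr` empty instead of the `"0"` runtime default set two branches earlier, and that empty string is handed to `customopts.WithAdditionalGIDs` on the next line; what it does with `""` is decided outside this hunk, but image config is attacker-controlled metadata and the caller should not rely on later code to reject it. Guarding the uid part keeps the default when it is missing: `if user, _, _ := strings.Cut(imageConfig.User, ":"); user != "" { userstr = user }` (or `strings.SplitN(imageConfig.User, ":", 2)[0]` with the same non-empty check if the module predates Go 1.18). The same RunAsUsername → RunAsUser → image user → root chain presumably also produces the `userstr` passed to `oci.WithUser` above the hunk; if so, a comment such as `// Keep in sync with the user selection above: additional GIDs must be resolved for the same principal the process runs as.` would stop the two from drifting. containerSpecOpts starts before this hunk.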

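--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@@ -1319,6 +1319,90 @@ func TestGenerateUserString(t *testing.T) {
 }
 }
 
+func TestProcessUser(t *testing.T) {
+testID := "test-id"
+testSandboxID := "sandbox-id"
+testContainerName := "container-name"
+testPid := uint32(1234)
+ociRuntime := config.Runtime{}
+c := newTestCRIService()
+testContainer := &containers.Container{ID: "64ddfe361f0099f8d59075398feeb3dcb3863b6851df7b946744755066c03e9d"}
+ctx := context.Background()
+
+etcPasswd := `
+root:x:0:0:root:/root:/bin/sh
+alice:x:1000:1000:alice:/home/alice:/bin/sh
+` // #nosec G101
+etcGroup := `
+root:x:0
+alice:x:1000:
+additional-group-for-alice:x:11111:alice
+additional-group-for-root:x:22222:root
+`
+tempRootDir, err := os.MkdirTemp("", "TestContainerUser-")
+require.NoError(t, err)
+if tempRootDir != "" {
+defer os.RemoveAll(tempRootDir)
+}
+require.NoError(t,
+os.MkdirAll(filepath.Join(tempRootDir, "etc"), 0755),
+)
+require.NoError(t,
+os.WriteFile(filepath.Join(tempRootDir, "etc", "passwd"), []byte(etcPasswd), 0644),
+)
+require.NoError(t,
+os.WriteFile(filepath.Join(tempRootDir, "etc", "group"), []byte(etcGroup), 0644),
+)
+
+for desc, test := range map[string]struct {
+imageConfigUser string
+securityContext *runtime.LinuxContainerSecurityContext
+expected runtimespec.User
+}{
+"Only SecurityContext was set, SecurityContext defines User": {
+securityContext: &runtime.LinuxContainerSecurityContext{
+RunAsUser: &runtime.Int64Value{Value: 1000},
+RunAsGroup: &runtime.Int64Value{Value: 2000},
+SupplementalGroups: []int64{3333},
+},
+expected: runtimespec.User{UID: 1000, GID: 2000, AdditionalGids: []uint32{2000, 3333, 11111}},
+},
+"Only imageConfig.User was set, imageConfig.User defines User": {
+imageConfigUser: "1000",
+securityContext: nil,
+expected: runtimespec.User{UID: 1000, GID: 1000, AdditionalGids: []uint32{1000, 11111}},
+},
+"Both SecurityContext and ImageConfig.User was set, SecurityContext defines User": {
+imageConfigUser: "0",
+securityContext: &runtime.LinuxContainerSecurityContext{
+RunAsUser: &runtime.Int64Value{Value: 1000},
+RunAsGroup: &runtime.Int64Value{Value: 2000},
+SupplementalGroups: []int64{3333},
+},
+expected: runtimespec.User{UID: 1000, GID: 2000, AdditionalGids: []uint32{2000, 3333, 11111}},
+},
+"No SecurityContext nor ImageConfig.User were set, runtime default defines User": {
+expected: runtimespec.User{UID: 0, GID: 0, AdditionalGids: []uint32{0, 22222}},
+},
+} {
+t.Run(desc, func(t *testing.T) {
+containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData()
+containerConfig.Linux.SecurityContext = test.securityContext
+imageConfig.User = test.imageConfigUser
+
+spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+require.NoError(t, err)
+
+spec.Root.Path = tempRootDir // simulating /etc/{passwd, group}
+opts, err := c.containerSpecOpts(containerConfig, imageConfig)
+require.NoError(t, err)
+oci.ApplyOpts(ctx, nil, testContainer, spec, opts...)
+
+require.Equal(t, test.expected, spec.Process.User)
+})
+}
+}
+
 func TestNonRootUserAndDevices(t *testing.T) {
 testPid := uint32(1234)
 c := newTestCRIService()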
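Review bot: The error returned by `oci.ApplyOpts(ctx, nil, testContainer, spec, opts...)` in the new TestProcessUser is dropped, so if an opt fails (for instance `WithAdditionalGIDs` being unable to read the temp rootfs's `/etc/passwd` or `/etc/group`) the test surfaces only a confusing `spec.Process.User` mismatch, or nothing at all for a case whose expectation happens to match a partially applied spec; wrap it as `require.NoError(t, oci.ApplyOpts(ctx, nil, testContainer, spec, opts...))`. The `if tempRootDir != ""` guard around `defer os.RemoveAll` is dead once `require.NoError(t, err)` has passed; `tempRootDir := t.TempDir()` (Go 1.15+, and the file already relies on `os.MkdirTemp` from 1.16) removes the guard and the manual cleanup. The fixture line `root:x:0` lacks the trailing member field that every other group entry has; the root expectation of `{0, 22222}` only depends on the `additional-group-for-root` entry, so whether the parser tolerates or silently skips the short line is not exercised, and writing it as `root:x:0:` keeps the fixture well-formed.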
