author | Piotr Maksymiuk <piotr.maksymiuk@movishell.pl> | 2024-02-01 22:59:54 +0100 |
---|---|---|
committer | Piotr Maksymiuk <piotr.maksymiuk@movishell.pl> | 2024-02-02 09:53:15 +0100 |
commit | 52e9707a43290f5f826766e2c42c5f0db3c9adec (patch) | |
tree | 9b3b70ad7bdb459033a6c8dd4697ccdf0688747a | |
parent | 97db72a4e2c6cae5b0883495236c4c69c9a4187a (diff) | |
container: T5955: allow setting uid/gid
-rw-r--r-- | interface-definitions/container.xml.in | 24 | ||||
-rwxr-xr-x | src/conf_mode/container.py | 14 |
2 files changed, 37 insertions, 1 deletions
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index b35ba8d1c..f0db8a6f2 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -316,6 +316,30 @@
 </properties>
 <defaultValue>on-failure</defaultValue>
 </leafNode>
+ <leafNode name="uid">
+ <properties>
+ <help>User ID this container will run as</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>User ID this container will run as</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="gid">
+ <properties>
+ <help>Group ID this container will run as</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Group ID this container will run as</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
 <tagNode name="volume">
 <properties>
 <help>Mount a volume into the container</help>
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 59d11c5a3..321d00abf 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -214,6 +214,10 @@ def verify(container):
 if {'allow_host_networks', 'network'} <= set(container_config):
 raise ConfigError(f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!')
+ # gid cannot be set without uid
+ if 'gid' in container_config and 'uid' not in container_config:
+ raise ConfigError(f'Cannot set "gid" without "uid" for container')
+
 # Add new network
 if 'network' in container:
 for network, network_config in container['network'].items():
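Review bot: The `gid` node's help text gives no hint that the value is rejected unless `uid` is also set, which is exactly what the accompanying verify() check enforces, so a user following CLI completion only learns about the dependency at commit time. I would make the constraint visible where the user sees it: `<help>Group ID this container will run as (requires uid)</help>`, and mirror it in the `<description>`. Separately, the `u32:0-65535` format and `--range 0-65535` validator cap both IDs at 65535 although Linux accepts 32-bit UIDs/GIDs, so images that run their service under a higher ID cannot be expressed; if that cap is intentional, a one-line comment above the two leafNodes saying why would save the next person from widening it blindly.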
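Review bot: The new ConfigError in verify() is written as an f-string but interpolates nothing, so unlike the neighbouring "allow-host-networks"/"network" check it never names the offending container, and with several containers configured the user has to hunt for which one carries a lone `gid`. Use the `name` that the surrounding loop already has in scope: `raise ConfigError(f'Cannot set "gid" without "uid" for container "{name}"!')`. verify()'s body begins and ends outside this hunk, so I am assuming `name` is the loop variable used two lines above.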
@@ -308,6 +312,14 @@ def generate_run_arguments(name, container_config):
 # If listen_addresses is empty, just include the standard publish command
 port += f' --publish {sport}:{dport}/{protocol}'
+ # Set uid and gid
+ uid = ''
+ if 'uid' in container_config:
+ uid = container_config['uid']
+ if 'gid' in container_config:
+ uid += ':' + container_config['gid']
+ uid = f'--user {uid}'
+
 # Bind volume
 volume = ''
 if 'volume' in container_config:
@@ -320,7 +332,7 @@ def generate_run_arguments(name, container_config):
 container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \
 f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
- f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label}'
+ f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}'
 entrypoint = ''
 if 'entrypoint' in container_config:
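Review bot: Passing `--user <uid>` without a group leaves the primary GID to podman's lookup, and as far as I recall podman (like docker) falls back to GID 0 when the numeric uid has no entry in the image's /etc/passwd, so a container configured with `uid` alone can still end up in the root group even though the operator intended to drop privileges. I would at least record that at the point where the option is built, e.g. `# NOTE: uid without gid lets podman pick the group from the image's /etc/passwd, falling back to GID 0 if the uid is not listed there — set gid explicitly to avoid the root group`, and consider whether the docs or the XML help should recommend setting both. The interpolated values are only ever the numeric strings accepted by the `numeric --range 0-65535` validator, so building the option by string concatenation is not an injection concern here. generate_run_arguments() starts before and continues after this hunk.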