summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2024-02-02 11:19:48 +0200
committerGitHub <noreply@github.com>2024-02-02 11:19:48 +0200
commit38a46e1bffd209ae3b91872d4dfb423aff87c10c (patch)
treed5622ace5af425c7b682b5bf8761d5887aa90e34
parentcb702bbe61436286c2ac9400ee4e09c4b5ac397c (diff)
parent33dfd49c385e83cfa0ca6ad7b8aa1000948001f0 (diff)
downloadvyos-1x-38a46e1bffd209ae3b91872d4dfb423aff87c10c.tar.gz
vyos-1x-38a46e1bffd209ae3b91872d4dfb423aff87c10c.zip
Merge pull request #2929 from vyos/mergify/bp/sagitta/pr-2927
container: T5955: add uid/gid settings (backport #2927)
-rw-r--r--interface-definitions/container.xml.in24
-rwxr-xr-xsmoketest/scripts/cli/test_container.py22
-rwxr-xr-xsrc/conf_mode/container.py14
3 files changed, 59 insertions, 1 deletions
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index b35ba8d1c..f0db8a6f2 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -316,6 +316,30 @@
</properties>
<defaultValue>on-failure</defaultValue>
</leafNode>
+ <leafNode name="uid">
+ <properties>
+ <help>User ID this container will run as</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>User ID this container will run as</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="gid">
+ <properties>
+ <help>Group ID this container will run as</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Group ID this container will run as</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
<tagNode name="volume">
<properties>
<help>Mount a volume into the container</help>
diff --git a/smoketest/scripts/cli/test_container.py b/smoketest/scripts/cli/test_container.py
index cdf46a6e1..9094e27dd 100755
--- a/smoketest/scripts/cli/test_container.py
+++ b/smoketest/scripts/cli/test_container.py
@@ -188,5 +188,27 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway'] , str(ip_interface(prefix4).ip + 1))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress'] , str(ip_interface(prefix4).ip + ii))
+ def test_uid_gid(self):
+ cont_name = 'uid-test'
+ gid = '100'
+ uid = '1001'
+
+ self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
+ self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
+ self.cli_set(base_path + ['name', cont_name, 'gid', gid])
+
+ # verify() - GID can only be set if UID is set
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(base_path + ['name', cont_name, 'uid', uid])
+
+ self.cli_commit()
+
+ # verify
+ tmp = cmd(f'sudo podman exec -it {cont_name} id -u')
+ self.assertEqual(tmp, uid)
+ tmp = cmd(f'sudo podman exec -it {cont_name} id -g')
+ self.assertEqual(tmp, gid)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 59d11c5a3..321d00abf 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -214,6 +214,10 @@ def verify(container):
if {'allow_host_networks', 'network'} <= set(container_config):
raise ConfigError(f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!')
+ # gid cannot be set without uid
+ if 'gid' in container_config and 'uid' not in container_config:
+ raise ConfigError(f'Cannot set "gid" without "uid" for container')
+
# Add new network
if 'network' in container:
for network, network_config in container['network'].items():
@@ -308,6 +312,14 @@ def generate_run_arguments(name, container_config):
# If listen_addresses is empty, just include the standard publish command
port += f' --publish {sport}:{dport}/{protocol}'
+ # Set uid and gid
+ uid = ''
+ if 'uid' in container_config:
+ uid = container_config['uid']
+ if 'gid' in container_config:
+ uid += ':' + container_config['gid']
+ uid = f'--user {uid}'
+
# Bind volume
volume = ''
if 'volume' in container_config:
@@ -320,7 +332,7 @@ def generate_run_arguments(name, container_config):
container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \
f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
- f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label}'
+ f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}'
entrypoint = ''
if 'entrypoint' in container_config: