From 52e9707a43290f5f826766e2c42c5f0db3c9adec Mon Sep 17 00:00:00 2001 From: Piotr Maksymiuk Date: Thu, 1 Feb 2024 22:59:54 +0100 Subject: container: T5955: allow setting uid/gid --- interface-definitions/container.xml.in | 24 ++++++++++++++++++++++++ src/conf_mode/container.py | 14 +++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index b35ba8d1c..f0db8a6f2 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -316,6 +316,30 @@ on-failure + + + User ID this container will run as + + u32:0-65535 + User ID this container will run as + + + + + + + + + Group ID this container will run as + + u32:0-65535 + Group ID this container will run as + + + + + + Mount a volume into the container diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 59d11c5a3..321d00abf 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -214,6 +214,10 @@ def verify(container): if {'allow_host_networks', 'network'} <= set(container_config): raise ConfigError(f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!') + # gid cannot be set without uid + if 'gid' in container_config and 'uid' not in container_config: + raise ConfigError(f'Cannot set "gid" without "uid" for container') + # Add new network if 'network' in container: for network, network_config in container['network'].items(): @@ -308,6 +312,14 @@ def generate_run_arguments(name, container_config): # If listen_addresses is empty, just include the standard publish command port += f' --publish {sport}:{dport}/{protocol}' + # Set uid and gid + uid = '' + if 'uid' in container_config: + uid = container_config['uid'] + if 'gid' in container_config: + uid += ':' + container_config['gid'] + uid = f'--user {uid}' + # Bind volume volume = '' if 'volume' in container_config: 
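Review bot: The help text for both new nodes documents the accepted range as `u32:0-65535`, which is narrower than the 32-bit uid_t/gid_t Linux actually supports; users with ids above 65535 (common with directory-backed accounts or systemd-style dynamic ranges) would be unconfigurable, and the element tags were stripped in this rendering so I cannot confirm the validator matches the text. If the cap is deliberate, say so in the help text, e.g. `User ID this container will run as (0 = root, 1-65535 only)`; otherwise widen it to the full unsigned range and keep the validator and help text in agreement. Either way the help text should mention that leaving uid unset keeps the image's default user, since that is the security-relevant default.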
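Review bot: The new ConfigError in verify() is an f-string with no placeholder and, unlike the `allow-host-networks` message directly above it, does not name the container, so with several containers defined the operator cannot tell which one failed to commit. Change it to `raise ConfigError(f'Cannot set "gid" without "uid" for container "{name}"')` so it matches the sibling message. verify() starts before and continues after this hunk.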
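Review bot: In generate_run_arguments the local named `uid` ends up holding the whole `--user UID:GID` option string rather than a uid, which is what the next hunk then splices into container_base_cmd as `{uid}`; a reader will assume it is a bare number. Renaming it to `user_opt` and building it with f-strings like the surrounding `port`/`volume` code makes the intent clear, and a short comment should record that the values are safe to splice into the command line only because the CLI definition range-checks them (presumably via the `u32:0-65535` validator, worth confirming). The function starts before and continues after this hunk.
```python
    # Run the container as this uid[:gid]; both values are range-validated
    # by the CLI definition, so they are safe to place on the command line.
    user_opt = ''
    if 'uid' in container_config:
        user_opt = f'--user {container_config["uid"]}'
        if 'gid' in container_config:
            user_opt += f':{container_config["gid"]}'
    # … unchanged: volume handling …
```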
@@ -320,7 +332,7 @@ def generate_run_arguments(name, container_config): container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \ f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \ - f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label}' + f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}' entrypoint = '' if 'entrypoint' in container_config: -- cgit v1.2.3 From faa4c87d93c7808c6a4edd8eddd29049ec8ec3fa Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 2 Feb 2024 10:03:54 +0100 Subject: smoketest: T5955: verify container uid/gid setting --- smoketest/scripts/cli/test_container.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/smoketest/scripts/cli/test_container.py b/smoketest/scripts/cli/test_container.py index cdf46a6e1..9094e27dd 100755 --- a/smoketest/scripts/cli/test_container.py +++ b/smoketest/scripts/cli/test_container.py @@ -188,5 +188,27 @@ class TestContainer(VyOSUnitTestSHIM.TestCase): self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway'] , str(ip_interface(prefix4).ip + 1)) self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress'] , str(ip_interface(prefix4).ip + ii)) + def test_uid_gid(self): + cont_name = 'uid-test' + gid = '100' + uid = '1001' + + self.cli_set(base_path + ['name', cont_name, 'allow-host-networks']) + self.cli_set(base_path + ['name', cont_name, 'image', cont_image]) + self.cli_set(base_path + ['name', cont_name, 'gid', gid]) + + # verify() - GID can only be set if UID is set + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(base_path + ['name', cont_name, 'uid', uid]) + + self.cli_commit() + + # verify + tmp = cmd(f'sudo podman exec -it {cont_name} id -u') + self.assertEqual(tmp, uid) + tmp = cmd(f'sudo podman exec -it {cont_name} id -g') + self.assertEqual(tmp, gid) + if __name__ == '__main__': unittest.main(verbosity=2) -- cgit v1.2.3
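Review bot: The `{uid}` appended to container_base_cmd carries a podman `--user` flag, and nothing visible in this command line sets `--userns`; if I read rootful podman's defaults right that means the configured uid is the same numeric uid on the host, so a bind-mounted volume must be readable and writable by that host uid or the entrypoint will fail at runtime with no hint from verify(). A comment on the line would save the next maintainer that investigation, e.g. `# --user runs the entrypoint as uid[:gid]; without --userns this is the host uid, so volumes must be accessible to it`. generate_run_arguments starts before this hunk and continues after it.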
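Review bot: test_uid_gid verifies the uid and gid through `sudo podman exec -it {cont_name} id -u`, but `-it` requests stdin and a pseudo-terminal for a non-interactive one-shot command; a TTY can turn the output into `1001\r\n`, and whether the comparison with `uid` then holds depends on how much `cmd()` strips, which is not visible here. Drop the flags and run `sudo podman exec {cont_name} id -u` (and likewise for `id -g`) so the assertion does not depend on terminal handling. The hunk also does not delete the container after the checks; if the class's tearDown does that outside this hunk, fine, otherwise add a `cli_delete` of `base_path` before the test returns.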