This repository has been archived by the owner on Feb 24, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 883
Rkt should support setting supplemental groups on containers #1309
Comments
@jonboulle Thanks, I think I must have even read that issue before -- should we close this one, if there's already an issue to add it to the spec? |
@pmorie Nope we can leave this open, it might encourage me to fix that in the spec sooner (or feel free to put up a PR yourself if you'd like to see this sooner than later :-) |
This has been fixed in the spec but now needs to be implemented in rkt |
jonboulle
added a commit
to jonboulle/rkt
that referenced
this issue
Sep 24, 2015
Fixes rkt#1309. Per appc/spec#339, one of the nice things about supplementary gids is that they can be applied without requiring any nsswitch lookup. I thought it would be easy to achieve this using systemd.exec's SupplementaryGroups setting: http://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups= Unfortunately, this somewhat unexpectedly tries to resolve the groups given even if they are numeric gids (which isn't guaranteed to succeed), instead of just calling setgroups() (which is) as I'd hoped: https://github.com/systemd/systemd/blob/56c581598389739ba2a97baf896ea9277c278a1d/src/core/execute.c#L675 It looks like systemd is trying to be clever and reverse-lookup gid->groupname, which is annoying: https://github.com/systemd/systemd/blob/d11885c81419cac217ae132c1ef80733707ba650/src/basic/util.c#L3383 Throwing this up for feedback/ideas.
jonboulle
added a commit
to jonboulle/rkt
that referenced
this issue
Sep 24, 2015
Fixes rkt#1309. Per appc/spec#339, one of the nice things about supplementary gids is that they can be applied without requiring any nsswitch lookup. I thought it would be easy to achieve this using systemd.exec's SupplementaryGroups setting: http://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups= Unfortunately, this somewhat unexpectedly tries to resolve the groups given even if they are numeric gids (which isn't guaranteed to succeed), instead of just calling setgroups() (which is) as I'd hoped: https://github.com/systemd/systemd/blob/56c581598389739ba2a97baf896ea9277c278a1d/src/core/execute.c#L675 It looks like systemd is trying to be clever and reverse-lookup gid->groupname, which is annoying: https://github.com/systemd/systemd/blob/d11885c81419cac217ae132c1ef80733707ba650/src/basic/util.c#L3383 Throwing this up for feedback/ideas.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Currently it is possible to set the UID/GID on a container process, but not possible to control the supplemental groups. It would be very convenient to have supplemental group control to enable sharing volumes across containers running as different UID/GIDs.
The text was updated successfully, but these errors were encountered: