This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

Rkt should support setting supplemental groups on containers #1309

Closed
pmorie opened this issue Aug 19, 2015 · 4 comments

Comments

@pmorie
Contributor

pmorie commented Aug 19, 2015

Currently it is possible to set the UID/GID on a container process, but not possible to control the supplemental groups. It would be very convenient to have supplemental group control to enable sharing volumes across containers running as different UID/GIDs.

@jonboulle
Contributor

appc/spec#339

@pmorie
Contributor Author

pmorie commented Aug 20, 2015

@jonboulle Thanks, I think I must have even read that issue before -- should we close this one, if there's already an issue to add it to the spec?

@jonboulle
Contributor

@pmorie Nope we can leave this open, it might encourage me to fix that in the spec sooner (or feel free to put up a PR yourself if you'd like to see this sooner than later :-)

@jonboulle
Contributor

This has been fixed in the spec but now needs to be implemented in rkt

jonboulle added a commit to jonboulle/rkt that referenced this issue Sep 24, 2015
Fixes rkt#1309.

Per appc/spec#339, one of the nice things about
supplementary gids is that they can be applied without requiring any
nsswitch lookup. I thought it would be easy to achieve this using systemd.exec's
SupplementaryGroups setting:
http://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups=

Unfortunately, this somewhat unexpectedly tries to resolve the groups
given even if they are numeric gids (which isn't guaranteed to succeed),
instead of just calling setgroups() (which is) as I'd hoped:

https://github.com/systemd/systemd/blob/56c581598389739ba2a97baf896ea9277c278a1d/src/core/execute.c#L675

It looks like systemd is trying to be clever and reverse-lookup
gid->groupname, which is annoying:
https://github.com/systemd/systemd/blob/d11885c81419cac217ae132c1ef80733707ba650/src/basic/util.c#L3383

Throwing this up for feedback/ideas.
@jonboulle jonboulle self-assigned this Sep 24, 2015
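Added example (not rkt's or systemd's code) of the path the commit message above wished for: a list of purely numeric gids is applied with setgroups(2) and no nsswitch lookup, then the primary gid and uid are dropped in the order that keeps CAP_SETGID until it is no longer needed. parse_gid_list and drop_to are hypothetical helper names, and the "1000,1001" list is a constructed sample.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GIDS 32

/* Parse "1000,1001,2000" into gids[]. Every entry must be a plain decimal
 * number, so no getgrnam()/nsswitch round trip is ever attempted: a name
 * such as "wheel" is rejected rather than resolved. Returns count or -1. */
int parse_gid_list(const char *list, gid_t *gids, int max)
{
    int n = 0;
    const char *p = list;
    while (*p) {
        char *end;
        if (*p < '0' || *p > '9') return -1;   /* names, signs, whitespace: not numeric */
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (errno != 0 || v > 0xFFFFFFFEUL) return -1;   /* overflow or reserved (gid_t)-1 */
        if ((*end != ',' && *end != '\0') || (*end == ',' && end[1] == '\0'))
            return -1;                          /* garbage after a number, or trailing comma */
        if (n >= max) return -1;
        gids[n++] = (gid_t)v;
        p = (*end == ',') ? end + 1 : end;
    }
    return n;
}

/* Apply the list with setgroups(2), then the primary gid, then the uid.
 * Order matters: after setuid() the process no longer has CAP_SETGID and
 * setgroups()/setgid() would fail. Returns 0, or -1 with errno set (EPERM
 * when the caller is unprivileged). */
int drop_to(uid_t uid, gid_t gid, const gid_t *gids, int ngids)
{
    if (setgroups((size_t)ngids, gids) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gids[MAX_GIDS];
    int n = parse_gid_list(argc > 1 ? argv[1] : "1000,1001", gids, MAX_GIDS); /* constructed sample */
    if (n < 0 || drop_to(65534, 65534, gids, n) < 0) { perror("parse/drop failed"); return 1; }
    printf("uid=%u gid=%u with %d supplementary gid(s)\n", getuid(), getgid(), n);
    return 0;
}
```

Running the binary needs CAP_SETGID/CAP_SETUID; the parser itself can be exercised unprivileged.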