This repository was archived by the owner on Feb 8, 2021. It is now read-only.

Commit b484c8b

container: fix the issue of using the wrong user
Signed-off-by: fupan <[email protected]>
1 parent 98ab211 commit b484c8b

1 file changed

+25
-14
lines changed

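--- a/daemon/pod/container.go
+++ b/daemon/pod/container.go
@@ -614,7 +614,7 @@ func (c *Container) ociEnv() []string {
 return envs
 }
 
-func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string) *specs.Spec {
+func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string, user string) *specs.Spec {
 var ocispec specs.Spec
 
 ocispec = oci.DefaultSpec()
@@ -628,12 +628,7 @@ func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string) *sp
 
 ocispec.Hostname = c.p.globalSpec.Hostname
 
-/*
-* ocispec used the user's UID and GID instead of user name and group name,
-* thus it needed to convert the user name and group name to UID and GID in
-* the future, here just set it to "0" as default.
-*/
-ocispec.Process.User = specs.User{UID: 0, GID: 0}
+ocispec.Process.User = specs.User{Username: user}
 
 for _, l := range c.spec.Ulimits {
 ltype := strings.ToLower(l.Name)
@@ -648,7 +643,8 @@ func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string) *sp
 }
 
 func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.ContainerConfig, error) {
-var user, group string
+var user = "0"
+var group = "0"
 var ociSpec *specs.Spec
 var cmds []string
 
@@ -665,10 +661,30 @@ func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.Conta
 c.spec.StopSignal = "TERM"
 }
 
+if c.spec.User != nil {
+if c.spec.User.Name != "" {
+user = c.spec.User.Name
+}
+if c.spec.User.Group != "" {
+group = c.spec.User.Group
+}
+} else if cjson.Config.User != "" {
+users := strings.Split(cjson.Config.User, ":")
+if len(users) > 2 {
+return nil, fmt.Errorf("container %s invalid user group config: %s", cjson.Name, cjson.Config.User)
+}
+if len(users) == 2 {
+user = users[0]
+group = users[1]
+} else {
+user = cjson.Config.User
+}
+}
+
 cmds = append(cmds, cjson.Config.Entrypoint.Slice()...)
 cmds = append(cmds, cjson.Config.Cmd.Slice()...)
 
-ociSpec = c.ociSpec(cjson, cmds)
+ociSpec = c.ociSpec(cjson, cmds, user)
 
 //remove those namespace types from ocispec
 for _, ns := range []specs.LinuxNamespaceType{
@@ -706,11 +722,6 @@ func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.Conta
 }
 c.Log(DEBUG, "mount id: %s", mountId)
 
-if c.spec.User != nil {
-user = c.spec.User.Name
-group = c.spec.User.Group
-}
-
 cmd := vc.Cmd{
 Args: cmds,
 Envs: c.cmdEnvs([]vc.EnvVar{}),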
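Review bot: In `containerConfig`, a pod spec whose `User` is non-nil but has an empty `Name` never reaches the `else if cjson.Config.User != ""` branch, so the image's configured user is ignored and the container keeps the `"0"` default and runs as root. If the spec can arrive with an empty `User` struct (not visible in these hunks), guard the first branch with `if c.spec.User != nil && (c.spec.User.Name != "" || c.spec.User.Group != "") {` so a non-root image user still applies. Separately, `ociSpec` now sets only `specs.User{Username: user}` and leaves `UID`/`GID` at their zero values, while `group` is computed but never passed in; the removed comment notes that the OCI spec works with numeric IDs, and nothing shown here resolves the name. It is worth confirming that the consumer of this spec honours `Username`, and adding a one-line comment on that assignment saying where the name is resolved. The body of `containerConfig` continues outside the hunks, so the later use of `user` and `group` cannot be checked from this page.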
