Change to setting the Username field on the runtime spec for LCOW

This change swaps to setting the Username field on the runtime spec for the client provided user string for LCOW. This will make it easier to align with upstream on a solution as setting an lcow annotation would be a bit odd there. The string will be used in the same way in the guest, it will be parsed/validated and the containers rootfs will be searched to find a uid:gid to set on the spec. Signed-off-by: Daniel Canter <[email protected]>
ambarve · Sep 23, 2021 · b2241ed · b2241ed
1 parent f8e83e6
commit b2241ed
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 21 deletions.
diff --git a/pkg/server/container_create_windows.go b/pkg/server/container_create_windows.go
@@ -27,29 +27,27 @@ import (
 	"strings"
 	"time"
 
-	"github.com/sirupsen/logrus"
-
 	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/snapshots"
-	"github.com/davecgh/go-spew/spew"
-	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"golang.org/x/net/context"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
-
 	"github.com/containerd/cri/pkg/annotations"
 	criconfig "github.com/containerd/cri/pkg/config"
 	customopts "github.com/containerd/cri/pkg/containerd/opts"
 	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	cio "github.com/containerd/cri/pkg/server/io"
 	containerstore "github.com/containerd/cri/pkg/store/container"
 	"github.com/containerd/cri/pkg/util"
+	"github.com/davecgh/go-spew/spew"
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/context"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
 
 // CreateContainer creates a new container in the given PodSandbox.
@@ -402,7 +400,8 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 			userstr = image.Config.User
 		}
 		if userstr != "" {
-			g.AddAnnotation("io.microsoft.lcow.userstr", userstr)
+			// For LCOW set the runtime specs Username field so we can take the user string and use this to find the uid:gid pair in the guest.
+			g.SetProcessUsername(userstr)
 		}
 		for _, group := range securityContext.GetSupplementalGroups() {
 			g.AddProcessAdditionalGid(uint32(group))

diff --git a/pkg/server/sandbox_run_windows.go b/pkg/server/sandbox_run_windows.go
@@ -19,7 +19,6 @@ limitations under the License.
 package server
 
 import (
-	"github.com/sirupsen/logrus"
 	"strconv"
 
 	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
@@ -30,20 +29,20 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/snapshots"
-	"github.com/davecgh/go-spew/spew"
-	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"golang.org/x/net/context"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
-
 	"github.com/containerd/cri/pkg/annotations"
 	criconfig "github.com/containerd/cri/pkg/config"
 	customopts "github.com/containerd/cri/pkg/containerd/opts"
 	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	"github.com/containerd/cri/pkg/netns"
 	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
 	"github.com/containerd/cri/pkg/util"
+	"github.com/davecgh/go-spew/spew"
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/context"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
 
 // RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure
@@ -174,9 +173,9 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 		return nil, errors.Wrap(err, "failed to generate sandbox container spec")
 	}
 	log.G(ctx).WithFields(logrus.Fields{
-		"id": id,
+		"id":             id,
 		"runtimeHandler": runtimeHandler,
-		"spec": spew.NewFormatter(spec),
+		"spec":           spew.NewFormatter(spec),
 	}).Debug("Sandbox container creation")
 
 	sandboxLabels := buildLabels(config.Labels, containerKindSandbox)
@@ -377,7 +376,8 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 			userstr = imageConfig.User
 		}
 		if userstr != "" {
-			g.AddAnnotation("io.microsoft.lcow.userstr", userstr)
+			// For LCOW set the runtime specs Username field so we can take the user string and use this to find the uid:gid pair in the guest.
+			g.SetProcessUsername(userstr)
 		}
 
 		for _, group := range securityContext.GetSupplementalGroups() {