Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

libcontainer/user: add supplementary groups only for non-numeric users #1450

Merged
merged 1 commit into from
Jul 7, 2017
Merged

libcontainer/user: add supplementary groups only for non-numeric users #1450

merged 1 commit into from
Jul 7, 2017

Conversation

vrothberg
Copy link
Contributor

As described in opencontainers/image-spec#492 by @cyphar

Signed-off-by: Valentin Rothberg [email protected]

@cyphar
Copy link
Member

cyphar commented May 26, 2017

This comes from umoci, and I thought this semantic change made sense (adding supplementary groups if someone explicitly used a numeric uid doesn't seem right). PTAL?

/cc @crosbymichael

@crosbymichael
Copy link
Member

crosbymichael commented May 26, 2017

LGTM

I think kube is a big users of sgroups so we need to make sure this is not going to affect something that they depend on.

Approved with PullApprove

@cyphar
Copy link
Member

cyphar commented May 27, 2017

LGTM. We can ping someone from the kube team if you want to verify before merging?

Approved with PullApprove

@vrothberg
Copy link
Contributor Author

ping

@cyphar
Copy link
Member

cyphar commented Jul 7, 2017

@crosbymichael

It looks like they don't use libcontainer/user directly anymore, it's just used by github.com/docker/go-connections. So I reckon this is fine to merge, but we should probably ping @vishh.

% git grep 'libcontainer/user'
Godeps/Godeps.json:                     "ImportPath": "github.com/opencontainers/runc/libcontainer/user",
Godeps/LICENSES:= vendor/github.com/opencontainers/runc/libcontainer/user licensed under: =
vendor/github.com/docker/go-connections/sockets/BUILD:        "//vendor/github.com/opencontainers/runc/libcontainer/user:go_default_library",
vendor/github.com/docker/go-connections/sockets/unix_socket.go: "github.com/opencontainers/runc/libcontainer/user"
vendor/github.com/opencontainers/runc/libcontainer/BUILD:        "//vendor/github.com/opencontainers/runc/libcontainer/user:go_default_library",
vendor/github.com/opencontainers/runc/libcontainer/BUILD:        "//vendor/github.com/opencontainers/runc/libcontainer/user:all-srcs",
vendor/github.com/opencontainers/runc/libcontainer/init_linux.go:       "github.com/opencontainers/runc/libcontainer/user"

@crosbymichael crosbymichael merged commit 5c73abb into opencontainers:master Jul 7, 2017
@mlaventure
Copy link
Contributor

This is breaking my attempt to have docker use runc master atm.

I do not see the rational for depriving a user of its additional gids for the simple reason that it was referenced by its numeric ID instead of its human readable alias.

@mlaventure
Copy link
Contributor

ping @cyphar @crosbymichael 😇

@justincormack
Copy link
Contributor

We only use numeric ids in LinuxKit, so this also breaks our ability to use supplemental groups. I really don't understand the rationale.

@vrothberg vrothberg deleted the sgid-non-numeric branch August 4, 2017 09:29
@cyphar
Copy link
Member

cyphar commented Aug 4, 2017

The concept of getting a supplementary group from /etc/passwd for a numeric ID doesn't make all that much sense (to me at least) -- not the least of which because there isn't a unique relationship from entry --> ID so it's possible that there's ambiguity about what supplementary groups a particular UID might have if they were referenced as a user.

To be fair however, sudo does appear to do the same thing:

% sudo -u '#1000' id
uid=1000(cyphar) gid=100(users) groups=100(users),10(wheel),16(dialout),469(libvirt),473(vboxusers),475(docker)

Maybe there is a justification for it...

@mlaventure
Copy link
Contributor

In practice, there should only be a single entry for a given UID. And since standard tools seem to assume so, I think it'd make sense for this repo packages to do the same.

Bottom line, it would be nice if the maintainers could vote on reverting this PR 👼

@crosbymichael
Copy link
Member

I'm fine reverting this as it causes issues in practice and wasn't really fixing a problem in the first place.

mlaventure added a commit to mlaventure/runc that referenced this pull request Aug 4, 2017
…n-numeric"

This reverts commit 5c73abb, reversing
changes made to 51b501d.
mlaventure added a commit to mlaventure/runc that referenced this pull request Aug 4, 2017
…n-numeric"

This reverts commit 5c73abb, reversing
changes made to 51b501d.

Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
@mlaventure
Copy link
Contributor

Created a PR reverting this change #1548

@cyphar
Copy link
Member

cyphar commented Aug 5, 2017

Merged it. Thanks @mlaventure.

stefanberger pushed a commit to stefanberger/runc that referenced this pull request Sep 7, 2017
…n-numeric"

This reverts commit 5c73abb, reversing
changes made to 51b501d.

Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
stefanberger pushed a commit to stefanberger/runc that referenced this pull request Sep 8, 2017
…n-numeric"

This reverts commit 5c73abb, reversing
changes made to 51b501d.

Signed-off-by: Kenfe-Mickael Laventure <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants