authorDjordje Lukic <djordje.lukic@docker.com>2023-04-04 15:12:28 +0200
committerDjordje Lukic <djordje.lukic@docker.com>2023-04-07 10:53:25 +0200
commit41a230758c82227e9adb0256bbfe40f440c9c951 (patch)
tree91ec61ad90b23e12be23b673b3121639569e2556 /daemon/exec_linux.go
parentdd3b71d17c614f837c4bba18baed9fa2cb31f1a4 (diff)
downloaddocker-41a230758c82227e9adb0256bbfe40f440c9c951.tar.gz
c8d: Set the process user on exec
This change makes it possible to run `docker exec -u <UID> ...` when the containerd integration is activated. Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Diffstat (limited to 'daemon/exec_linux.go')
-rw-r--r--daemon/exec_linux.go56
1 files changed, 53 insertions, 3 deletions
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index 46ed4309ff..6d5af58808 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -3,20 +3,69 @@ package daemon // import "github.com/docker/docker/daemon"
import (
"context"
+ "github.com/containerd/containerd"
+ "github.com/containerd/containerd/containers"
+ "github.com/containerd/containerd/oci"
+ coci "github.com/containerd/containerd/oci"
"github.com/containerd/containerd/pkg/apparmor"
"github.com/docker/docker/container"
"github.com/docker/docker/oci/caps"
specs "github.com/opencontainers/runtime-spec/specs-go"
)
+func withResetAdditionalGIDs() oci.SpecOpts {
+ return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+ s.Process.User.AdditionalGids = nil
+ return nil
+ }
+}
+
+func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client, ec *container.ExecConfig) (specs.User, error) {
+ ctr, err := containerdCli.LoadContainer(ctx, ec.Container.ID)
+ if err != nil {
+ return specs.User{}, err
+ }
+
+ cinfo, err := ctr.Info(ctx)
+ if err != nil {
+ return specs.User{}, err
+ }
+
+ spec, err := ctr.Spec(ctx)
+ if err != nil {
+ return specs.User{}, err
+ }
+
+ opts := []oci.SpecOpts{
+ coci.WithUser(ec.User),
+ withResetAdditionalGIDs(),
+ coci.WithAdditionalGIDs(ec.User),
+ }
+ for _, opt := range opts {
+ if err := opt(ctx, containerdCli, &cinfo, spec); err != nil {
+ return specs.User{}, err
+ }
+ }
+
+ return spec.Process.User, nil
+}
+
func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, ec *container.ExecConfig, p *specs.Process) error {
if len(ec.User) > 0 {
var err error
- p.User, err = getUser(ec.Container, ec.User)
- if err != nil {
- return err
+ if daemon.UsesSnapshotter() {
+ p.User, err = getUserFromContainerd(ctx, daemon.containerdCli, ec)
+ if err != nil {
+ return err
+ }
+ } else {
+ p.User, err = getUser(ec.Container, ec.User)
+ if err != nil {
+ return err
+ }
}
}
+
if ec.Privileged {
p.Capabilities = &specs.LinuxCapabilities{
Bounding: caps.GetAllCapabilities(),
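Review bot: On the containerd path `docker exec -u` appears to drop the container's `--group-add` groups: `withResetAdditionalGIDs()` on L59 clears `AdditionalGids` from the loaded spec and `coci.WithAdditionalGIDs(ec.User)` on L60 repopulates it only with what containerd resolves for `ec.User`, whereas the classic `getUser` branch kept on L83 (its body is outside this hunk) presumably also folds in `ec.Container.HostConfig.GroupAdd`, so the two backends would give an exec'd process different supplementary groups. The reset itself is right — without it the exec would keep whatever supplementary groups the container's spec already carries for its init user — so the fix is to append the configured groups after it, e.g. `coci.WithAppendAdditionalGroups(ec.Container.HostConfig.GroupAdd...)` if the vendored containerd provides it, or a small SpecOpt that resolves them against the same snapshot. `oci` and `coci` on L27-L28 are two aliases for the same package; one import is enough. `withResetAdditionalGIDs` and `getUserFromContainerd` also lack doc comments; something like `// getUserFromContainerd resolves ec.User (name, uid, user:group or uid:gid) against the container's own /etc/passwd and /etc/group through containerd SpecOpts and returns the resulting specs.User.` would tell the next reader where the lookup actually happens.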
@@ -24,6 +73,7 @@ func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, ec *container.Exec
Effective: caps.GetAllCapabilities(),
}
}
+
if apparmor.HostSupports() {
var appArmorProfile string
if ec.Container.AppArmorProfile != "" {