
Remove /etc/passwd and /etc/group parsing on runc run/exec #3999

Open

wants to merge 4 commits into main

Conversation

kolyshkin (Contributor) commented Aug 29, 2023

TODO: describe this (for now, see the last commit).

Fixes: #3998

@kolyshkin kolyshkin force-pushed the uidgid branch 2 times, most recently from 28aadc5 to 4866cd2 August 29, 2023 03:35
@kolyshkin kolyshkin changed the title Uidgid Remove /etc/passwd and /etc/group parsing on runc run/exec Aug 29, 2023
Commits

1. Do not ask for the same option value twice.

2. For tty, we always want false, unless specified, and this is what
   GetBool gets us.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

An error from strconv.Atoi already contains the text it fails to parse.
Because of that, errors look way too verbose, e.g.:

	[root@kir-rhat runc-tst]# ./runc exec --user 1:1:1 2345 true
	ERRO[0000] exec failed: parsing 1:1 as int for gid failed: strconv.Atoi: parsing "1:1": invalid syntax

With this patch, the error looks like this now:

	[root@kir-rhat runc]# ./runc exec --user 1:1:1 2345 true
	ERRO[0000] exec failed: bad gid: strconv.Atoi: parsing "1:1": invalid syntax

Still not awesome, but better.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Switch from github.com/moby/sys/user to Go stdlib os/user
(which has both libc-backed and pure Go implementations).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

OCI runtime spec states [1] that the UID, primary GID, and additional
GIDs are all specified as numbers, and also adds that symbolic names
resolution "are left to upper levels to derive". Meaning, runc should
not care about user and group names.

Yet, runc tries to be cleverer than that, always parsing the container's
/etc/passwd and /etc/group. It results in a few things:

1. If UID (or GID) specified can't be found inside container's /etc/passwd
   (or /etc/group), runc (run or exec) errors out.

2. Any additional GIDs specified in container's /etc/group are
   automatically prepended to the list for setgroups(2). Meaning, a user
   can either specify additional GIDs in OCI runtime spec, or
   container's /etc/group entry for a given user.

Looks like (1) is questionable (on a normal Linux system, I can run
programs under any UID (GID), not limited to those listed in /etc/passwd
(/etc/group)), and (2) is just an extra mechanism of specifying
additional GIDs.

Let's remove those, hopefully increasing runc performance as well as OCI
spec conformance.

The only remaining need to parse /etc/passwd is to set HOME environment
variable for a specified UID, in case $HOME is not yet set. Use
user.LookupUid for this case.

PS Note that the structures being changed (initConfig and Process) are
never saved to disk as JSON by runc, so there is no compatibility issue
for runc users. Still, this is a breaking change in libcontainer, but we
never promised that libcontainer API will be stable.

For 3998.

[1] https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-user

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
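The two points made in the commit messages above, the concise `bad uid`/`bad gid` errors from the second commit and the fourth commit's rule that UIDs and GIDs are taken as plain numbers with /etc/passwd consulted only to fill in a missing HOME, as one added Go example. This is illustrative code written for this page, not runc's own: `parseUserSpec`, `parseGIDs` and `resolveHome` are hypothetical names, the `<uid>[:<gid>]` form follows the `--user 1:1:1` example in the commit message, and falling back to `HOME=/` when the uid has no passwd entry is an assumption of the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/user"
	"strconv"
	"strings"
)

// parseUserSpec parses a "<uid>[:<gid>]" user specification (the form the
// --user example in the commit message uses) into numeric IDs without
// consulting /etc/passwd or /etc/group. hasGID reports whether a gid was
// given. Errors wrap the strconv error instead of repeating the offending
// text, which strconv already includes in its own message.
func parseUserSpec(spec string) (uid, gid int, hasGID bool, err error) {
	parts := strings.SplitN(spec, ":", 2)
	uid, err = parseID(parts[0])
	if err != nil {
		return 0, 0, false, fmt.Errorf("bad uid: %w", err)
	}
	if len(parts) == 1 {
		return uid, 0, false, nil
	}
	gid, err = parseID(parts[1])
	if err != nil {
		return 0, 0, false, fmt.Errorf("bad gid: %w", err)
	}
	return uid, gid, true, nil
}

// parseGIDs parses additional group IDs, one numeric value per string.
// Names such as "wheel" are rejected: per the runtime spec, resolving them
// is the job of upper layers, not the runtime.
func parseGIDs(raw []string) ([]int, error) {
	gids := make([]int, 0, len(raw))
	for _, s := range raw {
		g, err := parseID(s)
		if err != nil {
			return nil, fmt.Errorf("bad additional gid: %w", err)
		}
		gids = append(gids, g)
	}
	return gids, nil
}

var errNegative = errors.New("negative id")

// parseID accepts only non-negative decimal integers.
func parseID(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	if n < 0 {
		return 0, fmt.Errorf("%w: %d", errNegative, n)
	}
	return n, nil
}

// resolveHome is the one place this example still touches /etc/passwd: if
// env carries no HOME, the uid is looked up through os/user and the home
// directory found there is used. A failed lookup (uid not listed) is not an
// error; the fallback of "/" is an assumption made for this example.
func resolveHome(uid int, env []string) []string {
	for _, kv := range env {
		if strings.HasPrefix(kv, "HOME=") {
			return env
		}
	}
	home := "/"
	if u, err := user.LookupId(strconv.Itoa(uid)); err == nil && u.HomeDir != "" {
		home = u.HomeDir
	}
	return append(env, "HOME="+home)
}

func main() {
	uid, gid, hasGID, err := parseUserSpec("1000:1000")
	fmt.Println(uid, gid, hasGID, err)
	_, _, _, err = parseUserSpec("1:1:1")
	fmt.Println("error:", err) // bad gid: strconv.Atoi: parsing "1:1": invalid syntax
	fmt.Println(resolveHome(1000, []string{"PATH=/usr/bin"}))
}
```

Because `parseUserSpec` and `parseGIDs` never open the container's /etc/passwd or /etc/group, a uid or gid that has no entry there is accepted exactly as the commit message argues it should be; the only file-backed step left is `resolveHome`, and even that degrades to a default rather than failing the exec.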
Development

Successfully merging this pull request may close these issues.

RFC: remove user/group name support from libcontainer
2 participants