Manually assign uid/gid to username and groupname in dom0 #3989
@shjala this looks good to me. I like that we can fix it. But, if linuxkit is doing this incorrectly, let's fix it. Open an issue there?
6579b39 to 08c8c02
@deitch I thought about it, but I'm not sure if this is considered an issue in linuxkit. Should linuxkit resolve the names from the containers? Using fixed IDs seems straightforward and avoids possible confusion. But if you still think it should be fixed, just let me know and I'll open an issue.
Actually, this is done in a funny way. These are all set for the user part of the OCI spec. Normally, these are a property of the container, e.g. if you build a container with
@deitch Let's get this merged, I've opened an issue linuxkit/linuxkit#4047 and I'll send a new PR to eve once the issue is resolved.
Let eden run!
Linuxkit doesn't use the container's /etc/passwd and /etc/group files to resolve user and group names defined in build.yml. Instead it assigns incrementally created ids to the container[1] based on their declared position in rootfs.yml. It only respects the container's build.yml uid/gid value if it's an integer[2].

By assigning a fixed uid/gid in dom0, we can use the same value in the build.yml of the containers and be sure that access to resources works as expected, and adding/reordering containers in rootfs.yml won't break the access control.

[1] https://github.com/linuxkit/linuxkit/blob/4f89f4f67e392ffa8c8bab63dfaf31746e3c11a0/src/cmd/linuxkit/moby/build/build.go#L188
[2] https://github.com/linuxkit/linuxkit/blob/4f89f4f67e392ffa8c8bab63dfaf31746e3c11a0/src/cmd/linuxkit/moby/config.go#L708

Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
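An added illustration of the failure mode the commit message describes, not code from this PR or from linuxkit: a simplified Go model in which a non-integer uid resolves to an id derived from the container's position, while an integer uid is used as is. The container names, the starting id 100 and the pinned ids 2000/2001 are constructed assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Container is a constructed stand-in for one rootfs.yml entry; User is the
// uid value from its build.yml (a name or an integer written as a string).
type Container struct{ Name, User string }

// firstDynamicID is an assumed starting value for position-based ids.
const firstDynamicID = 100

// ResolveUIDs models the described behaviour: an integer uid is respected,
// anything else gets an id that depends on the declared position.
func ResolveUIDs(rootfs []Container) map[string]int {
	ids := make(map[string]int, len(rootfs))
	for pos, c := range rootfs {
		if n, err := strconv.Atoi(c.User); err == nil {
			ids[c.Name] = n
			continue
		}
		ids[c.Name] = firstDynamicID + pos
	}
	return ids
}

// Drifted lists containers whose uid differs between two rootfs orderings,
// i.e. those that no longer match files owned by their previous uid.
func Drifted(before, after []Container) []string {
	old, cur := ResolveUIDs(before), ResolveUIDs(after)
	var out []string
	for _, c := range after {
		if prev, ok := old[c.Name]; ok && prev != cur[c.Name] {
			out = append(out, c.Name)
		}
	}
	return out
}

func main() {
	named := []Container{{"alpha", "alpha"}, {"beta", "beta"}}
	pinned := []Container{{"alpha", "2000"}, {"beta", "2001"}}
	added := []Container{{"gamma", "gamma"}} // new container declared first
	fmt.Println("named uids drift:", Drifted(named, append(added, named...)))
	fmt.Println("fixed uids drift:", Drifted(pinned, append(added, pinned...)))
}
```

Running the same comparison over two revisions of a real rootfs.yml before a release shows which containers would change uid and therefore which persisted files would need their ownership checked.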
08c8c02 to 1fa82da
Note that we have some new regressions which soon will be fixed (by Andrew and Pavel).
LGTM
@eriknordmark Although eden test failures reported for this PR are known and patches are being prepared (#3996 + #3998), I would appreciate if we could stop merging new PRs if anything but the Virtualization test suite fails (it fails due to an issue with the runner which we continue investigating). Sometimes we may get some Linux kernel crash in other test suites, which is likely irrelevant and also runner-related, but it should be the responsibility of the PR owner to investigate and possibly rerun the failed test suite. It does not make much sense to trigger rerun of failed tests and merge at the same time.