summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorcdoern <cdoern@redhat.com>2021-12-20 10:23:08 -0500
committercdoern <cdoern@redhat.com>2021-12-21 17:19:41 -0500
commit20ce6e5c6031bd4180514ec412760a294f8a83a2 (patch)
treed725886615e4353e46cd30a73df188257ff7ade0
parentf45070ee0e63ea26e475e618ff32a498096fa561 (diff)
downloadpodman-20ce6e5c6031bd4180514ec412760a294f8a83a2.tar.gz
podman-20ce6e5c6031bd4180514ec412760a294f8a83a2.tar.bz2
podman-20ce6e5c6031bd4180514ec412760a294f8a83a2.zip
Podman run --passwd
added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint resolves #11805 Signed-off-by: cdoern <cdoern@redhat.com>
-rw-r--r--cmd/podman/containers/run.go4
-rw-r--r--docs/source/markdown/podman-run.1.md5
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_inspect.go2
-rw-r--r--libpod/container_internal_linux.go32
-rw-r--r--libpod/define/container_inspect.go2
-rw-r--r--libpod/options.go11
-rw-r--r--pkg/api/handlers/libpod/containers_create.go6
-rw-r--r--pkg/domain/entities/containers.go1
-rw-r--r--pkg/domain/infra/abi/containers.go1
-rw-r--r--pkg/specgen/generate/container_create.go3
-rw-r--r--pkg/specgen/specgen.go2
-rw-r--r--pkg/specgenutil/specgen.go3
-rw-r--r--test/e2e/run_passwd_test.go12
14 files changed, 70 insertions, 16 deletions
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index cfb89ce57..b9a2c3bb5 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -83,6 +83,9 @@ func runFlags(cmd *cobra.Command) {
_ = cmd.RegisterFlagCompletionFunc(gpuFlagName, completion.AutocompleteNone)
_ = flags.MarkHidden("gpus")
+ passwdFlagName := "passwd"
+ flags.BoolVar(&runOpts.Passwd, passwdFlagName, true, "add entries to /etc/passwd and /etc/group")
+
if registry.IsRemote() {
_ = flags.MarkHidden("preserve-fds")
_ = flags.MarkHidden("conmon-pidfile")
@@ -191,6 +194,7 @@ func run(cmd *cobra.Command, args []string) error {
return err
}
s.RawImageName = rawImageName
+ s.Passwd = &runOpts.Passwd
runOpts.Spec = s
if _, err := createPodIfNecessary(cmd, s, cliVals.Net); err != nil {
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index a6687e656..55642d5b3 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -762,6 +762,11 @@ Tune the host's OOM preferences for containers (accepts values from **-1000** to
#### **--os**=*OS*
Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`.
+#### **--passwd**
+
+Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.
+This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers.
+
#### **--personality**=*persona*
Personality sets the execution domain via Linux personality(2).
diff --git a/libpod/container_config.go b/libpod/container_config.go
index adc585fa1..db65063b5 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -163,6 +163,8 @@ type ContainerRootFSConfig struct {
// Volatile specifies whether the container storage can be optimized
// at the cost of not syncing all the dirty files in memory.
Volatile bool `json:"volatile,omitempty"`
+ // Passwd allows to user to override podman's passwd/group file setup
+ Passwd *bool `json:"passwd,omitempty"`
}
// ContainerSecurityConfig is an embedded sub-config providing security configuration
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 439328ea8..b065dd1f9 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -377,6 +377,8 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
ctrConfig.Umask = c.config.Umask
}
+ ctrConfig.Passwd = c.config.Passwd
+
return ctrConfig
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 9e6ae9f02..dcffc4292 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1767,21 +1767,23 @@ func (c *Container) makeBindMounts() error {
// SHM is always added when we mount the container
c.state.BindMounts["/dev/shm"] = c.config.ShmDir
- newPasswd, newGroup, err := c.generatePasswdAndGroup()
- if err != nil {
- return errors.Wrapf(err, "error creating temporary passwd file for container %s", c.ID())
- }
- if newPasswd != "" {
- // Make /etc/passwd
- // If it already exists, delete so we can recreate
- delete(c.state.BindMounts, "/etc/passwd")
- c.state.BindMounts["/etc/passwd"] = newPasswd
- }
- if newGroup != "" {
- // Make /etc/group
- // If it already exists, delete so we can recreate
- delete(c.state.BindMounts, "/etc/group")
- c.state.BindMounts["/etc/group"] = newGroup
+ if c.config.Passwd != nil && *c.config.Passwd {
+ newPasswd, newGroup, err := c.generatePasswdAndGroup()
+ if err != nil {
+ return errors.Wrapf(err, "error creating temporary passwd file for container %s", c.ID())
+ }
+ if newPasswd != "" {
+ // Make /etc/passwd
+ // If it already exists, delete so we can recreate
+ delete(c.state.BindMounts, "/etc/passwd")
+ c.state.BindMounts["/etc/passwd"] = newPasswd
+ }
+ if newGroup != "" {
+ // Make /etc/group
+ // If it already exists, delete so we can recreate
+ delete(c.state.BindMounts, "/etc/group")
+ c.state.BindMounts["/etc/group"] = newGroup
+ }
}
// Make /etc/hostname
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index a4d9bcf4f..ba73e4196 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -68,6 +68,8 @@ type InspectContainerConfig struct {
Timeout uint `json:"Timeout"`
// StopTimeout is time before container is stopped when calling stop
StopTimeout uint `json:"StopTimeout"`
+ // Passwd determines whether or not podman can add entries to /etc/passwd and /etc/group
+ Passwd *bool `json:"Passwd,omitempty"`
}
// InspectRestartPolicy holds information about the container's restart policy.
diff --git a/libpod/options.go b/libpod/options.go
index e6fa987a8..85d7b4689 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1794,6 +1794,17 @@ func WithHostDevice(dev []specs.LinuxDevice) CtrCreateOption {
}
}
+// WithSelectedPasswordManagement makes it so that the container either does or does not setup /etc/passwd or /etc/group
+func WithSelectedPasswordManagement(passwd *bool) CtrCreateOption {
+ return func(c *Container) error {
+ if c.valid {
+ return define.ErrCtrFinalized
+ }
+ c.config.Passwd = passwd
+ return nil
+ }
+}
+
// Pod Creation Options
// WithPodCreateCommand adds the full command plus arguments of the current
diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go
index 77bfe7b50..d1841769a 100644
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@@ -19,11 +19,15 @@ import (
func CreateContainer(w http.ResponseWriter, r *http.Request) {
runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
var sg specgen.SpecGenerator
+
if err := json.NewDecoder(r.Body).Decode(&sg); err != nil {
utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()"))
return
}
-
+ if sg.Passwd == nil {
+ t := true
+ sg.Passwd = &t
+ }
warn, err := generate.CompleteSpec(r.Context(), runtime, &sg)
if err != nil {
utils.InternalServerError(w, err)
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index 1677c067f..ae441b7f3 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -341,6 +341,7 @@ type ContainerRunOptions struct {
Rm bool
SigProxy bool
Spec *specgen.SpecGenerator
+ Passwd bool
}
// ContainerRunReport describes the results of running
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index d1af4a479..bf4dcff62 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -927,6 +927,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta
for _, w := range warn {
fmt.Fprintf(os.Stderr, "%s\n", w)
}
+
rtSpec, spec, optsN, err := generate.MakeContainer(ctx, ic.Libpod, opts.Spec)
if err != nil {
return nil, err
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 331c9393a..7d8ef576a 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -482,5 +482,8 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
if s.PidFile != "" {
options = append(options, libpod.WithPidFile(s.PidFile))
}
+
+ options = append(options, libpod.WithSelectedPasswordManagement(s.Passwd))
+
return options, nil
}
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index e650c1966..5a1cc1144 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -201,6 +201,8 @@ type ContainerBasicConfig struct {
// UnsetEnvAll unsets all default environment variables from the image or from buildin
// Optional.
UnsetEnvAll bool `json:"unsetenvall,omitempty"`
+ // Passwd is a container run option that determines if we are validating users/groups before running the container
+ Passwd *bool `json:"manage_password,omitempty"`
}
// ContainerStorageConfig contains information on the storage configuration of a
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 123c0073b..9a91b2893 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -698,6 +698,9 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
// Initcontainers
s.InitContainerType = c.InitContainerType
+
+ t := true
+ s.Passwd = &t
return nil
}
diff --git a/test/e2e/run_passwd_test.go b/test/e2e/run_passwd_test.go
index 6d1d26914..2207a50a8 100644
--- a/test/e2e/run_passwd_test.go
+++ b/test/e2e/run_passwd_test.go
@@ -125,4 +125,16 @@ USER 1000`, ALPINE)
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
})
+
+ It("podman run --no-manage-passwd flag", func() {
+ run := podmanTest.Podman([]string{"run", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(Exit(0))
+ Expect(run.OutputToString()).To(ContainSubstring("1234:1234"))
+
+ run = podmanTest.Podman([]string{"run", "--passwd=false", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(Exit(0))
+ Expect(run.OutputToString()).NotTo((ContainSubstring("1234:1234")))
+ })
})