summaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2021-04-14 10:52:44 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-04-21 13:28:36 -0400
commite356160f415b6111df09af214f0dea299e78ad04 (patch)
tree5a2186591697b7261b1f90d819c9026f06bd98fa /cmd
parent9c8277247d3e2e60a1f945d82851f58447cbdd74 (diff)
downloadpodman-e356160f415b6111df09af214f0dea299e78ad04.tar.gz
podman-e356160f415b6111df09af214f0dea299e78ad04.tar.bz2
podman-e356160f415b6111df09af214f0dea299e78ad04.zip
Add --group-add keep-groups: suplimentary groups into container
Currently we have rootless users who want to leak their groups access into containers, but this group access is only able to be pushed in by a hard to find OCI Runtime annotation. This PR makes this option a lot more visable and hides the complexity within the podman client. This option is only really needed for local rootless users. It makes no sense for remote clients, and probably makes little sense for rootfull containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/common/create.go2
-rw-r--r--cmd/podman/containers/create.go19
2 files changed, 20 insertions, 1 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index da391d30d..d496ae308 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -277,7 +277,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
createFlags.StringSliceVar(
&cf.GroupAdd,
groupAddFlagName, []string{},
- "Add additional groups to join",
+ "Add additional groups to the primary container process. 'keep-groups' allows container processes to use suplementary groups.",
)
_ = cmd.RegisterFlagCompletionFunc(groupAddFlagName, completion.AutocompleteNone)
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 507e9c221..3f495e19b 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -193,6 +193,25 @@ func createInit(c *cobra.Command) error {
val := c.Flag("entrypoint").Value.String()
cliVals.Entrypoint = &val
}
+
+ if c.Flags().Changed("group-add") {
+ groups := []string{}
+ for _, g := range cliVals.GroupAdd {
+ if g == "keep-groups" {
+ if len(cliVals.GroupAdd) > 1 {
+ return errors.New("the '--group-add keep-groups' option is not allowed with any other --group-add options")
+ }
+ if registry.IsRemote() {
+ return errors.New("the '--group-add keep-groups' option is not supported in remote mode")
+ }
+ cliVals.Annotation = append(cliVals.Annotation, "run.oci.keep_original_groups=1")
+ } else {
+ groups = append(groups, g)
+ }
+ }
+ cliVals.GroupAdd = groups
+ }
+
if c.Flags().Changed("pids-limit") {
val := c.Flag("pids-limit").Value.String()
pidsLimit, err := strconv.ParseInt(val, 10, 32)