author | Daniel J Walsh <dwalsh@redhat.com> | 2021-04-14 10:52:44 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-04-21 13:28:36 -0400 |
commit | e356160f415b6111df09af214f0dea299e78ad04 (patch) | |
tree | 5a2186591697b7261b1f90d819c9026f06bd98fa /cmd | |
parent | 9c8277247d3e2e60a1f945d82851f58447cbdd74 (diff) | |
Add --group-add keep-groups: suplimentary groups into container
Currently we have rootless users who want to leak their groups access
into containers, but this group access is only able to be pushed in by
a hard to find OCI Runtime annotation. This PR makes this option a lot
more visible and hides the complexity within the podman client.
This option is only really needed for local rootless users. It makes
no sense for remote clients, and probably makes little sense for
rootfull containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/podman/common/create.go | 2 | ||||
-rw-r--r-- | cmd/podman/containers/create.go | 19 |
2 files changed, 20 insertions, 1 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index da391d30d..d496ae308 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -277,7 +277,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
 	createFlags.StringSliceVar(
 		&cf.GroupAdd,
 		groupAddFlagName, []string{},
-		"Add additional groups to join",
+		"Add additional groups to the primary container process. 'keep-groups' allows container processes to use suplementary groups.",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(groupAddFlagName, completion.AutocompleteNone)
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 507e9c221..3f495e19b 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -193,6 +193,25 @@ func createInit(c *cobra.Command) error {
 		val := c.Flag("entrypoint").Value.String()
 		cliVals.Entrypoint = &val
 	}
+
+	if c.Flags().Changed("group-add") {
+		groups := []string{}
+		for _, g := range cliVals.GroupAdd {
+			if g == "keep-groups" {
+				if len(cliVals.GroupAdd) > 1 {
+					return errors.New("the '--group-add keep-groups' option is not allowed with any other --group-add options")
+				}
+				if registry.IsRemote() {
+					return errors.New("the '--group-add keep-groups' option is not supported in remote mode")
+				}
+				cliVals.Annotation = append(cliVals.Annotation, "run.oci.keep_original_groups=1")
+			} else {
+				groups = append(groups, g)
+			}
+		}
+		cliVals.GroupAdd = groups
+	}
+
 	if c.Flags().Changed("pids-limit") {
 		val := c.Flag("pids-limit").Value.String()
 		pidsLimit, err := strconv.ParseInt(val, 10, 32)
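Review bot: The new --group-add help text misspells "supplementary" as 'suplementary', and since this string is shown to every user it should be fixed before it ships: `"Add additional groups to the primary container process. 'keep-groups' allows container processes to use supplementary groups.",`. It would also help to say whose groups are kept, because unlike the other values 'keep-groups' does not add a named group but passes the invoking user's existing supplementary groups through to the container, and the containers/create.go hunk rejects it in remote mode; a phrase such as `'keep-groups' keeps the invoking user's supplementary groups (not supported in remote mode)` would make that visible at --help time rather than only in the error path. DefineCreateFlags continues outside the hunk.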
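Review bot: The 'keep-groups' branch appends `run.oci.keep_original_groups=1` to cliVals.Annotation without checking whether the caller already supplied the same annotation through --annotation, so the resulting spec can carry the entry twice; either a membership check before the append or a comment stating that a duplicate annotation is harmless would settle it. The annotation is also only acted on by a runtime that implements it (crun does), so the client-side validation here cannot tell the user whether the groups will actually be kept; a comment such as `// Translated into the run.oci.keep_original_groups annotation; a runtime that does not implement it drops the groups silently.` documents that limit for the next maintainer. Stylistically, the `len(cliVals.GroupAdd) > 1` test depends only on the slice length, so it reads more naturally as a single check for "keep-groups present and more than one value" before the filtering loop rather than inside it. createInit continues outside the hunk.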