From 998fd2ece0480e581e013124d0969a1af6305110 Mon Sep 17 00:00:00 2001
From: umohnani8
Date: Tue, 3 Apr 2018 13:37:25 -0400
Subject: Functionality changes to the following flags --group-add --blkio-weight-device --device-read-bps --device-write-bps --device-read-iops --device-write-iops --group-add now supports group names as well as the gid associated with them. All the --device flags work now with moderate changes to the code to support both bps and iops. Added tests for all the flags.
Signed-off-by: umohnani8
Closes: #590
Approved by: mheon
---
 libpod/container.go | 2 ++
 libpod/container_internal.go | 24 ++++++++++++++++++++++++
 libpod/options.go | 11 +++++++++++
 3 files changed, 37 insertions(+)
(limited to 'libpod')

diff --git a/libpod/container.go b/libpod/container.go
index cbfa09538..f778933c2 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -201,6 +201,8 @@ type ContainerConfig struct {
 // User and group to use in the container
 // Can be specified by name or UID/GID
 User string `json:"user,omitempty"`
+ // Additional groups to add
+ Groups []string `json:"groups, omitempty"`
 // Namespace Config
 // IDs of container to share namespaces with
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index f3247b1c0..c9454db8a 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -8,6 +8,7 @@ import (
 "os"
 "path/filepath"
 "regexp"
+ "strconv"
 "strings"
 "syscall"
 "time"
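Review bot: The struct tag on the new `Groups` field, `json:"groups, omitempty"`, contains a space before the option, and encoding/json matches options by exact name, so `omitempty` has no effect and `go vet`'s structtag check flags the tag. Change the line to `Groups []string `json:"groups,omitempty"``. The doc comment could also state what the entries are, e.g. `// Additional groups to add to the process, given as group names or GIDs, resolved when the spec is generated` — the resolution step is in container_internal.go rather than this hunk, so confirm the wording against it. The enclosing ContainerConfig struct begins and ends outside the hunk.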
@@ -956,6 +957,29 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
 g.SetProcessGID(gid)
 }
+ // Add addition groups if c.config.GroupAdd is not empty
+ if len(c.config.Groups) > 0 {
+ if !c.state.Mounted {
+ return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID())
+ }
+ for _, group := range c.config.Groups {
+ _, gid, err := chrootuser.GetUser(c.state.Mountpoint, strconv.Itoa(int(g.Spec().Process.User.UID))+":"+group)
+ if err != nil {
+ return nil, err
+ }
+ g.AddProcessAdditionalGid(uint32(gid))
+ }
+ }
+
+ // Look up and add groups the user belongs to
+ groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
+ if err != nil {
+ return nil, err
+ }
+ for _, gid := range groups {
+ g.AddProcessAdditionalGid(gid)
+ }
+
 // Add shared namespaces from other containers
 if c.config.IPCNsCtr != "" {
 if err := c.addNamespaceContainer(&g, IPCNS, c.config.IPCNsCtr, spec.IPCNamespace); err != nil {
diff --git a/libpod/options.go b/libpod/options.go
index f9d6cb211..2c51b5834 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -823,3 +823,14 @@ func WithConmonPidFile(path string) CtrCreateOption {
 return nil
 }
 }
+
+// WithGroups sets additional groups for the container, which are defined by the user
+func WithGroups(groups []string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+ ctr.config.Groups = groups
+ return nil
+ }
+}
--
cgit v1.2.3-54-g00ecf
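Review bot: The `c.state.Mounted` guard only protects the `--group-add` block, while the supplemental-group lookup that follows calls `chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, ...)` unconditionally, so for an unmounted container it resolves against whatever `Mountpoint` currently holds — possibly an empty path, which, depending on how chrootuser joins it, may mean the host's own group database rather than the container's. Hoist the `if !c.state.Mounted { return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID()) }` check above both blocks so every lookup is anchored in the container root. The bare `return nil, err` after `chrootuser.GetUser` drops which entry failed; `return nil, errors.Wrapf(err, "looking up group %q in container %s", group, c.ID())` makes a rejected `--group-add` value diagnosable, and since `group` is user-supplied and is spliced into a `uid:group` string, a value containing `:` is worth rejecting explicitly rather than letting the parser guess. The comment `// Add addition groups if c.config.GroupAdd is not empty` names a field that does not exist here; it should read `// Add additional groups if c.config.Groups is not empty`. generateSpec begins and ends outside the hunk.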
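Review bot: `ctr.config.Groups = groups` stores the caller's slice header, so the container configuration shares a backing array with whatever the caller built it from and a later `append` or element write on that slice silently changes the container's group list after creation. If the other slice-taking options in this file copy their input, match them; otherwise `ctr.config.Groups = append([]string(nil), groups...)` detaches the config from the argument. The doc comment would be more useful if it said what the slice holds, e.g. `// WithGroups sets additional groups for the container process, given as group names or GIDs that are resolved inside the container image when the spec is generated` — the resolution happens in container_internal.go, so confirm the wording against it.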