This repository has been archived by the owner on Jul 28, 2021. It is now read-only.
Allow passing any uid for container processes. #386
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Would be good to check that a more typical Linux runtime (e.g. moby or containerd on Linux) works when you specify a UID that doesn't exist. |
jstarks
reviewed
Dec 3, 2020
|
@kevpar Yeah actually it is very easy to test that. On a linux machine (or on docker running over WSL) you can do |
Usually if a username is provided when starting a process inside the container we look inside the /etc/passwd file of the container to find the uid and gid for that user. However, if a uid is provided instead of a username there is no need to look into the /etc/passwd file to see if that user exists. Signed-off-by: Amit Barve <ambarve@microsoft.com>
anmaxvl
approved these changes
Dec 4, 2020
dcantah
approved these changes
Dec 4, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Usually if a username is provided when starting a process inside the container we look inside the /etc/passwd file of the container to find the uid and gid for that user. However, if a uid is provided instead of a username there is no need to look into the /etc/passwd file to see if that user exists.
This is in accordance with how things are handled in linux as can be seen here: https://github.com/opencontainers/runc/blob/master/libcontainer/user/user.go#L291 (this is called by docker).
In fact in the same function if the user string is passed as
uid:gid(switch case 2) then we don't look up the uid inside the/etc/passwdfile.