Allow systemd specifiers in User and Group Quadlet keys
Replaces: https://github.com/containers/podman/pull/18262 Signed-off-by: Tom Mombourquette <tom@devnode.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@ -615,18 +615,8 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
|
|||||||
podman.add("--read-only-tmpfs=false")
|
podman.add("--read-only-tmpfs=false")
|
||||||
}
|
}
|
||||||
|
|
||||||
hasUser := container.HasKey(ContainerGroup, KeyUser)
|
if err := handleUser(container, ContainerGroup, podman); err != nil {
|
||||||
hasGroup := container.HasKey(ContainerGroup, KeyGroup)
|
return nil, err
|
||||||
if hasUser || hasGroup {
|
|
||||||
uid := container.LookupUint32(ContainerGroup, KeyUser, 0)
|
|
||||||
gid := container.LookupUint32(ContainerGroup, KeyGroup, 0)
|
|
||||||
|
|
||||||
podman.add("--user")
|
|
||||||
if hasGroup {
|
|
||||||
podman.addf("%d:%d", uid, gid)
|
|
||||||
} else {
|
|
||||||
podman.addf("%d", uid)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
|
if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
|
||||||
@ -1225,6 +1215,30 @@ func ConvertImage(image *parser.UnitFile) (*parser.UnitFile, string, error) {
|
|||||||
return service, imageName, nil
|
return service, imageName, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) error {
|
||||||
|
user, hasUser := unitFile.Lookup(groupName, KeyUser)
|
||||||
|
okUser := hasUser && len(user) > 0
|
||||||
|
|
||||||
|
group, hasGroup := unitFile.Lookup(groupName, KeyGroup)
|
||||||
|
okGroup := hasGroup && len(group) > 0
|
||||||
|
|
||||||
|
if !okUser {
|
||||||
|
if okGroup {
|
||||||
|
return fmt.Errorf("invalid Group set without User")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if !okGroup {
|
||||||
|
podman.add("--user", user)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
podman.addf("--user=%s:%s", user, group)
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
|
func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
|
||||||
// ignore Remap keys if UserNS is set
|
// ignore Remap keys if UserNS is set
|
||||||
if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
|
if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
|
||||||
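Review bot: The two emitting branches of handleUser produce different argv shapes: `podman.add("--user", user)` yields two arguments while `podman.addf("--user=%s:%s", user, group)` yields a single `--user=` argument, and the new user1.container fixture asserts the single-argument form `--user=%U:%G` for a User-only unit; unless the e2e harness normalizes `--flag value` into `--flag=value` (not visible here), that assertion cannot match the User-only branch, so I would change that line to `podman.addf("--user=%s", user)`. Replacing LookupUint32 with Lookup also means User and Group are no longer constrained to numeric ids at conversion time and any string, including a User value that itself contains a `:`, is handed to podman to validate; that deserves a doc comment such as `// handleUser emits --user from the User/Group keys of groupName; values are passed through verbatim so systemd specifiers (e.g. %U) survive, and podman validates the resulting spec.` The `fmt.Errorf("invalid Group set without User")` call has no format verbs, so `errors.New` is the idiomatic choice if the errors package is already imported. handleUser lies entirely within this hunk; its call site is the ConvertContainer hunk earlier in this section, whose function continues outside the view.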
|
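--- /dev/null
+++ b/test/e2e/quadlet/group.container
@@ -0,0 +1,6 @@
+## assert-failed
+## assert-stderr-contains "Group set without User"
+
+[Container]
+Image=localhost/imagename
+Group=foobar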
@ -1,5 +1,5 @@
|
|||||||
## assert-podman-final-args localhost/imagename
|
## assert-podman-final-args localhost/imagename
|
||||||
## assert-podman-args "--user" "998:999"
|
## assert-podman-args "--user=998:999"
|
||||||
|
|
||||||
[Container]
|
[Container]
|
||||||
Image=localhost/imagename
|
Image=localhost/imagename
|
||||||
|
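--- /dev/null
+++ b/test/e2e/quadlet/user1.container
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U:%G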
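--- /dev/null
+++ b/test/e2e/quadlet/user2.container
@@ -0,0 +1,7 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U
+Group=%G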