Allow systemd specifiers in User and Group Quadlet keys

Replaces: https://github.com/containers/podman/pull/18262

Signed-off-by: Tom Mombourquette <tom@devnode.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
2023-10-18 06:08:28 -04:00
parent ef2392f21c
commit 285718915c
5 changed files with 46 additions and 13 deletions


@ -615,18 +615,8 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
podman.add("--read-only-tmpfs=false") podman.add("--read-only-tmpfs=false")
} }
hasUser := container.HasKey(ContainerGroup, KeyUser) if err := handleUser(container, ContainerGroup, podman); err != nil {
hasGroup := container.HasKey(ContainerGroup, KeyGroup) return nil, err
if hasUser || hasGroup {
uid := container.LookupUint32(ContainerGroup, KeyUser, 0)
gid := container.LookupUint32(ContainerGroup, KeyGroup, 0)
podman.add("--user")
if hasGroup {
podman.addf("%d:%d", uid, gid)
} else {
podman.addf("%d", uid)
}
} }
if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists { if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
@ -1225,6 +1215,30 @@ func ConvertImage(image *parser.UnitFile) (*parser.UnitFile, string, error) {
return service, imageName, nil return service, imageName, nil
} }
func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) error {
user, hasUser := unitFile.Lookup(groupName, KeyUser)
okUser := hasUser && len(user) > 0
group, hasGroup := unitFile.Lookup(groupName, KeyGroup)
okGroup := hasGroup && len(group) > 0
if !okUser {
if okGroup {
return fmt.Errorf("invalid Group set without User")
}
return nil
}
if !okGroup {
podman.add("--user", user)
return nil
}
podman.addf("--user=%s:%s", user, group)
return nil
}
func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error { func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
// ignore Remap keys if UserNS is set // ignore Remap keys if UserNS is set
if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 { if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
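Review bot: handleUser passes the User value through verbatim, so `User=a:b` combined with a non-empty Group yields `--user=a:b:c`, which is only caught later when podman parses the flag, whereas the Group-without-User case is rejected at generation time; an up-front check such as `if okGroup && strings.Contains(user, ":") { return fmt.Errorf("invalid User %q: Group must not be set when User already specifies a group", user) }` would keep the two failure modes consistent (assuming `strings` is imported; the import block is outside this hunk). The removed code validated both keys via LookupUint32, and the new code intentionally accepts specifier strings like `%U` and `%G`, leaving the emptiness check as the only validation, which deserves a doc comment on the function, e.g. `// handleUser converts the User and Group keys of groupName into a single --user argument; values are passed through unparsed so systemd specifiers such as %U survive, and Group without User is an error.` The single-key branch emits `podman.add("--user", user)` while the combined branch emits `--user=%s:%s`; `podman.addf("--user=%s", user)` would match the `--user=...` form the updated test fixtures assert on. The second hunk's context lines show the start of handleUserRemap, whose body continues outside the hunk.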


@ -0,0 +1,6 @@
## assert-failed
## assert-stderr-contains "Group set without User"
[Container]
Image=localhost/imagename
Group=foobar


@ -1,5 +1,5 @@
## assert-podman-final-args localhost/imagename ## assert-podman-final-args localhost/imagename
## assert-podman-args "--user" "998:999" ## assert-podman-args "--user=998:999"
[Container] [Container]
Image=localhost/imagename Image=localhost/imagename


@ -0,0 +1,6 @@
## assert-podman-final-args localhost/imagename
## assert-podman-args "--user=%U:%G"
[Container]
Image=localhost/imagename
User=%U:%G


@ -0,0 +1,7 @@
## assert-podman-final-args localhost/imagename
## assert-podman-args "--user=%U:%G"
[Container]
Image=localhost/imagename
User=%U
Group=%G