opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-20 20:54:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13616 from giuseppe/passwd-entry

Browse Source 
run, create: add --passwd-entry
This commit is contained in:
OpenShift Merge Robot
2022-04-14 15:35:20 -04:00
committed by GitHub
parent 53b984f20f 3f2939c2ef
commit 6076e1a9a5
11 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/podman/common/create.go
View File

@ -630,6 +630,10 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
) )
_ = cmd.RegisterFlagCompletionFunc(chrootDirsFlagName, completion.AutocompleteDefault) _ = cmd.RegisterFlagCompletionFunc(chrootDirsFlagName, completion.AutocompleteDefault)
passwdEntryName := "passwd-entry"
createFlags.StringVar(&cf.PasswdEntry, passwdEntryName, "", "Entry to write to /etc/passwd")
_ = cmd.RegisterFlagCompletionFunc(passwdEntryName, completion.AutocompleteNone)
if registry.IsRemote() { if registry.IsRemote() {
_ = createFlags.MarkHidden("env-host") _ = createFlags.MarkHidden("env-host")
_ = createFlags.MarkHidden("http-proxy") _ = createFlags.MarkHidden("http-proxy")

6
docs/source/markdown/podman-create.1.md
View File

@ -755,6 +755,12 @@ Tune the host's OOM preferences for containers (accepts -1000 to 1000)
#### **--os**=*OS* #### **--os**=*OS*
Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`. Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`.
#### **--passwd-entry**=*ENTRY*
Customize the entry that is written to the `/etc/passwd` file within the container when `--passwd` is used.
The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically replaced with their value at runtime.
#### **--personality**=*persona* #### **--personality**=*persona*
Personality sets the execution domain via Linux personality(2). Personality sets the execution domain via Linux personality(2).

6
docs/source/markdown/podman-run.1.md
View File

@ -787,6 +787,12 @@ Override the OS, defaults to hosts, of the image to be pulled. For example, `win
Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option. Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.
This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers. This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers.
#### **--passwd-entry**=*ENTRY*
Customize the entry that is written to the `/etc/passwd` file within the container when `--passwd` is used.
The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically replaced with their value at runtime.
#### **--personality**=*persona* #### **--personality**=*persona*
Personality sets the execution domain via Linux personality(2). Personality sets the execution domain via Linux personality(2).

2
libpod/container_config.go
View File

@ -404,6 +404,8 @@ type ContainerMiscConfig struct {
// InitContainerType specifies if the container is an initcontainer // InitContainerType specifies if the container is an initcontainer
// and if so, what type: always or once are possible non-nil entries // and if so, what type: always or once are possible non-nil entries
InitContainerType string `json:"init_container_type,omitempty"` InitContainerType string `json:"init_container_type,omitempty"`
// PasswdEntry specifies arbitrary data to append to a file.
PasswdEntry string `json:"passwd_entry,omitempty"`
} }
// InfraInherit contains the compatible options inheritable from the infra container // InfraInherit contains the compatible options inheritable from the infra container

19
libpod/container_internal_linux.go
View File

@ -2724,6 +2724,9 @@ func (c *Container) userPasswdEntry(u *user.User) (string, error) {
if !hasHomeSet { if !hasHomeSet {
c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir)) c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
} }
if c.config.PasswdEntry != "" {
return c.passwdEntry(u.Username, u.Uid, u.Gid, u.Name, homeDir), nil
}
return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Name, homeDir), nil return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Name, homeDir), nil
} }
@ -2775,9 +2778,25 @@ func (c *Container) generateUserPasswdEntry(addedUID int) (string, int, int, err
gid = group.Gid gid = group.Gid
} }
} }
if c.config.PasswdEntry != "" {
entry := c.passwdEntry(fmt.Sprintf("%d", uid), fmt.Sprintf("%d", uid), fmt.Sprintf("%d", gid), "container user", c.WorkingDir())
return entry, int(uid), gid, nil
}
return fmt.Sprintf("%d:*:%d:%d:container user:%s:/bin/sh\n", uid, uid, gid, c.WorkingDir()), int(uid), gid, nil return fmt.Sprintf("%d:*:%d:%d:container user:%s:/bin/sh\n", uid, uid, gid, c.WorkingDir()), int(uid), gid, nil
} }
func (c *Container) passwdEntry(username string, uid, gid, name, homeDir string) string {
s := c.config.PasswdEntry
s = strings.Replace(s, "$USERNAME", username, -1)
s = strings.Replace(s, "$UID", uid, -1)
s = strings.Replace(s, "$GID", gid, -1)
s = strings.Replace(s, "$NAME", name, -1)
s = strings.Replace(s, "$HOME", homeDir, -1)
return s + "\n"
}
// generatePasswdAndGroup generates container-specific passwd and group files // generatePasswdAndGroup generates container-specific passwd and group files
// iff g.config.User is a number or we are configured to make a passwd entry for // iff g.config.User is a number or we are configured to make a passwd entry for
// the current user or the user specified HostsUsers // the current user or the user specified HostsUsers

13
libpod/options.go
View File

@ -2051,3 +2051,16 @@ func WithChrootDirs(dirs []string) CtrCreateOption {
return nil return nil
} }
} }
// WithPasswdEntry sets the entry to write to the /etc/passwd file.
func WithPasswdEntry(passwdEntry string) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return define.ErrCtrFinalized
}
ctr.config.PasswdEntry = passwdEntry
return nil
}
}

2
pkg/domain/entities/pods.go
View File

@ -272,6 +272,8 @@ type ContainerCreateOptions struct {
Net *NetOptions `json:"net,omitempty"` Net *NetOptions `json:"net,omitempty"`
CgroupConf []string CgroupConf []string
PasswdEntry string
} }
func NewInfraContainerCreateOptions() ContainerCreateOptions { func NewInfraContainerCreateOptions() ContainerCreateOptions {

3
pkg/specgen/generate/container_create.go
View File

@ -286,6 +286,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
if s.Volatile { if s.Volatile {
options = append(options, libpod.WithVolatile()) options = append(options, libpod.WithVolatile())
} }
if s.PasswdEntry != "" {
options = append(options, libpod.WithPasswdEntry(s.PasswdEntry))
}
useSystemd := false useSystemd := false
switch s.Systemd { switch s.Systemd {

2
pkg/specgen/specgen.go
View File

@ -206,6 +206,8 @@ type ContainerBasicConfig struct {
UnsetEnvAll bool `json:"unsetenvall,omitempty"` UnsetEnvAll bool `json:"unsetenvall,omitempty"`
// Passwd is a container run option that determines if we are validating users/groups before running the container // Passwd is a container run option that determines if we are validating users/groups before running the container
Passwd *bool `json:"manage_password,omitempty"` Passwd *bool `json:"manage_password,omitempty"`
// PasswdEntry specifies arbitrary data to append to a file.
PasswdEntry string `json:"passwd_entry,omitempty"`
} }
// ContainerStorageConfig contains information on the storage configuration of a // ContainerStorageConfig contains information on the storage configuration of a

5
pkg/specgenutil/specgen.go
View File

@ -832,6 +832,11 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
if s.Passwd == nil { if s.Passwd == nil {
s.Passwd = &t s.Passwd = &t
} }
if len(s.PasswdEntry) == 0 || len(c.PasswdEntry) != 0 {
s.PasswdEntry = c.PasswdEntry
}
return nil return nil
} }

12
test/e2e/run_passwd_test.go
View File

@ -137,4 +137,16 @@ USER 1000`, ALPINE)
Expect(run).Should(Exit(0)) Expect(run).Should(Exit(0))
Expect(run.OutputToString()).NotTo((ContainSubstring("1234:1234"))) Expect(run.OutputToString()).NotTo((ContainSubstring("1234:1234")))
}) })
It("podman run --passwd-entry flag", func() {
// Test that the line we add doesn't contain anything else than what is specified
run := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--passwd-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
run = podmanTest.Podman([]string{"run", "--user", "12345:12346", "-w", "/etc", "--passwd-entry=$UID-$GID-$NAME-$HOME-$USERNAME", ALPINE, "cat", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
Expect(run.OutputToString()).To(ContainSubstring("12345-12346-container user-/etc-12345"))
})
}) })