Functionality changes to the following flags

--group-add --blkio-weight-device --device-read-bps --device-write-bps --device-read-iops --device-write-iops --group-add now supports group names as well as the gid associated with them. All the --device flags work now with moderate changes to the code to support both bps and iops. Added tests for all the flags. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #590 Approved by: mheon
2025-08-06 03:19:52 +08:00 · 2018-04-03 13:37:25 -04:00
parent c3e2b00333
commit 998fd2ece0
10 changed files with 170 additions and 39 deletions
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@ -956,6 +957,29 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
 		g.SetProcessGID(gid)
 	}

+	// Add addition groups if c.config.GroupAdd is not empty
+	if len(c.config.Groups) > 0 {
+		if !c.state.Mounted {
+			return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID())
+		}
+		for _, group := range c.config.Groups {
+			_, gid, err := chrootuser.GetUser(c.state.Mountpoint, strconv.Itoa(int(g.Spec().Process.User.UID))+":"+group)
+			if err != nil {
+				return nil, err
+			}
+			g.AddProcessAdditionalGid(uint32(gid))
+		}
+	}
+
+	// Look up and add groups the user belongs to
+	groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
+	if err != nil {
+		return nil, err
+	}
+	for _, gid := range groups {
+		g.AddProcessAdditionalGid(gid)
+	}
+
 	// Add shared namespaces from other containers
 	if c.config.IPCNsCtr != "" {
 		if err := c.addNamespaceContainer(&g, IPCNS, c.config.IPCNsCtr, spec.IPCNamespace); err != nil {