api.go doesn't respect nsswitch.conf

[eliasp]

Due to the implementation of api.go which reads only /etc/group, it is impossible to rely on other auth mechanisms (e.g. LDAP, NIS).

groups, err := ioutil.ReadFile("/etc/group")
if err != nil {
        return err
}
re := regexp.MustCompile("(^|\n)docker:.*?:([0-9]+)")
if gidMatch := re.FindStringSubmatch(string(groups)); gidMatch != nil {
        gid, err := strconv.Atoi(gidMatch[2])
        if err != nil {
                return err
        }
        utils.Debugf("docker group found. gid: %d", gid)
        if err := os.Chown(addr, 0, gid); err != nil {
                return err
        }
}

Instead, the getgrnam syscall should be used to determine, whether a docker group exists or not.

The implemenation of lookup_unix.go in the user Go package might serve as inspiration on how to do this.

[crosbymichael]

@eliasp It sounds like you know exactly what to do, a pull request would be great. ;)

[eliasp]

@crosbymichael Well, I know (more or less) exactly what to do, I just completely lack any Go skills.
I might try to come up with something though. :-)

[crosbymichael]

@eliasp Try it out and if you need any help just let me know.

[eliasp]

Currently, the tests for api.go fail:

# _/tmp/docker
./api.go:93: cannot use auth.AuthConfig literal (type *auth.AuthConfig) as type *auth.ConfigFile in assignment
./api.go:95: authConfig.Username undefined (type *auth.ConfigFile has no field or method Username)
./api.go:95: authConfig.Email undefined (type *auth.ConfigFile has no field or method Email)
./api.go:111: cannot use false (type bool) as type *utils.HTTPRequestFactory in function argument
./api.go:122: localAuthConfig.Username undefined (type *auth.ConfigFile has no field or method Username)
./api.go:123: localAuthConfig.Password undefined (type *auth.ConfigFile has no field or method Password)
./api.go:126: undefined: auth.NewAuthConfig
./api.go:127: cannot use true (type bool) as type *utils.HTTPRequestFactory in function argument
./api.go:424: cannot use localAuthConfig (type *auth.ConfigFile) as type *auth.AuthConfig in assignment
./api.go:457: not enough arguments in call to utils.CheckLocalDns
./api.go:457: too many errors
FAIL        _/tmp/docker [build failed]

I feel uncomfortable to start doing changes here and fixing these tests is a little too much for me as a start in Docker/Go… maybe someone could have a look at these failing tests first.

[jpetazzo]

I'm not sure, but — since we're using static linking (and therefore, not
using CGO) we are probably using "built-in" versions of the resolving
functions, and I don't know if they are fancy enough to do that kind of
resolving. I'm sorry if what I said doesn't make sense; ask me to elaborate
and I'll try to explain better!

On Wed, Aug 28, 2013 at 5:10 PM, Elias Probst notifications@github.comwrote:

Currently, the tests for api.go fail:

_/tmp/docker

./api.go:93: cannot use auth.AuthConfig literal (type *auth.AuthConfig) as type *auth.ConfigFile in assignment
./api.go:95: authConfig.Username undefined (type *auth.ConfigFile has no field or method Username)
./api.go:95: authConfig.Email undefined (type *auth.ConfigFile has no field or method Email)
./api.go:111: cannot use false (type bool) as type *utils.HTTPRequestFactory in function argument
./api.go:122: localAuthConfig.Username undefined (type *auth.ConfigFile has no field or method Username)
./api.go:123: localAuthConfig.Password undefined (type *auth.ConfigFile has no field or method Password)
./api.go:126: undefined: auth.NewAuthConfig
./api.go:127: cannot use true (type bool) as type *utils.HTTPRequestFactory in function argument
./api.go:424: cannot use localAuthConfig (type *auth.ConfigFile) as type *auth.AuthConfig in assignment
./api.go:457: not enough arguments in call to utils.CheckLocalDns
./api.go:457: too many errors
FAIL _/tmp/docker [build failed]

I feel uncomfortable to start doing changes here and fixing these tests is
a little too much for me as a start in Docker/Go… maybe someone could have
a look at these failing tests first.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1715#issuecomment-23458539
.

[creack]

@eliasp The tests does not fail on master. What branch are you using?

@jpetazzo is right, we can't rely on C functions. In order to support more than /etc/group, we'd need to implement it.

[eliasp]

@creack Sorry, turned out it was my fault… I fetched upstream into my clone, but didn't merge it…

@jpetazzo It seems to be possible. But I'm wondering why docker is built statically linked at all? Are there any (possibly Go specific) reasons for that?

[jpetazzo]

The stackoverflow question is a very useful pointer, thanks!

Regarding "why do we build docker statically?", that's because docker is
bind-mounted inside every container, and used as a trampoline to start the
target process in the container; if docker is linked dynamically, it means
that we also have to bring in the libraries it depends on, and those could
clash with existing libraries in the container.

But if we can find a way to link with extra libs and still get a static
binary... Then we're golden :-)

On Thu, Aug 29, 2013 at 4:52 PM, Elias Probst notifications@github.comwrote:

@creack https://github.com/creack Sorry, turned out it was my fault… I
fetched upstream into my clone, but didn't merge it…

@jpetazzo https://github.com/jpetazzo It seems to be possiblehttp://stackoverflow.com/questions/16747021/how-do-you-statically-link-a-c-library-in-go-using-cgo.
But I'm wondering why docker is built statically linked at all? Are there
any (possibly Go specific) reasons for that?

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1715#issuecomment-23532062
.

[eliasp]

@jpetazzo Thanks for the explanation, that's actually one of the few situations, where static-linking is preferred.

FYI: I won't have time until next Tuesday to work on the implementation of this issue.

[shykes]

Any takers?

I'll mark this as an easy fix for aspiring contributors.

[jadeallenx]

I found this: https://github.com/proxypoke/group.go but no license sadly.

[tianon]

See:
https://groups.google.com/forum/#!topic/golang-nuts/WIYnds6TuEA
https://codereview.appspot.com/4589049
https://codereview.appspot.com/13454043

So potentially a future version of Go will have group lookup functions to go with the user lookup stubs. My guess is that they'll look to start reviewing stuff like this after they finally get the feature-frozen Go 1.2 out the door, then we'll just have to wait until n+1 gets released. Until then, we could implement the same code applied there if it's important enough.

[shykes]

It looks like nobody is actively working on this.

For the record this is open to contributors.

[crosbymichael]

ping @tianon I think your groups stuff fixes this?