Add support for looking up user/groups via getent #27599
justincormack merged 1 commit into moby:master
We definitely need to improve this, but not sure what the best answer is.

@justincormack understand the concerns.. to me, given the way I put this PR together, if

I'm +1 on this - my system is also set up such that my user is on remote db (sssd)

Yes
pkg/idtools/idtools_unix.go
This error is now always suppressed; is that desirable?
I.e., the error from getEntUser will always mask this one
I had a version of the code that tried not to "hide" the orig. error but it was rather ugly, and in the end, ends up as a "can't find user" (getent would have done the same searching of local filesystem in default mode, so same error). If we think there are other potential edge case errors in this path that need to be exposed we can re-work
Alright, no problem, was just wondering if the original error would contain useful information
When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
looks like it's updated @cpuguy83 @justincormack ptal 😇

LGTM

LGTM
About github.com/opencontainers/runc/libcontainer/user:

According to opencontainers/runc@195d8d5 this package has two functions:
- Have a static implementation of user lookup, which is now supported in the os/user stdlib package with the osusergo build tag, but wasn't at the time.
- Have extra functions that os/user doesn't have, but none of those are used in homedir.

Since moby#11287, homedir depended directly on libcontainer's user package for CurrentUser(). This is being replaced with os/user.Current(), because all of our static binaries are compiled with the osusergo tag, and for dynamic libraries it is more correct to use libc's implementation than parsing /etc/passwd.

About github.com/docker/docker/pkg/idtools:

Only dependency was from GetStatic() which uses idtools.LookupUID(uid). The implementation of idtools.LookupUID just calls to github.com/opencontainers/runc/libcontainer/user.LookupUid or falls back to exec-ing to getent (since moby#27599).

This patch replaces calls to homedir.GetStatic by homedir.Get(), opting out of supporting nss lookups in static binaries via exec-ing to getent for the homedir package. If homedir package users need to support nss lookups, they are advised to compile dynamically instead.

Signed-off-by: Tibor Vass <tibor@docker.com>
Fixes #20191

Adds a path to user/uid and group/gid lookup to use the capabilities for `getent` to use host-configured external databases for passwd and group information. This allows the processing of `--userns-remap` flag to find valid users and groups on such systems. Without this, user namespaces can't be enabled on these types of Linux hosts.
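
The local-then-`getent` lookup described above, as an added Go example that is not the code merged in this PR. The names `parsePasswdLine`, `getentUser` and `lookupUser` are hypothetical. It goes one step beyond the description by reporting both errors when both lookups fail, the case raised in the review thread.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

type User struct{ Name string; UID, GID int }

// parsePasswdLine parses "name:passwd:uid:gid:gecos:home:shell" as printed by getent.
func parsePasswdLine(line string) (User, error) {
	f := append(strings.Split(strings.TrimSpace(line), ":"), "", "", "") // pad: short records fail Atoi
	uid, uerr := strconv.Atoi(f[2])
	gid, gerr := strconv.Atoi(f[3])
	if f[0] == "" || uerr != nil || gerr != nil {
		return User{}, fmt.Errorf("malformed passwd entry %q", line)
	}
	return User{Name: f[0], UID: uid, GID: gid}, nil
}

// getentUser queries host NSS; exec without a shell, and no option-like names.
func getentUser(name string) (User, error) {
	if name == "" || strings.HasPrefix(name, "-") {
		return User{}, fmt.Errorf("refusing lookup of %q", name)
	}
	out, err := exec.Command("getent", "passwd", name).Output()
	if err != nil {
		return User{}, fmt.Errorf("getent passwd %q: %w", name, err)
	}
	return parsePasswdLine(string(out))
}

// lookupUser tries local, then fallback; if both fail, both errors are reported.
func lookupUser(name string, local, fallback func(string) (User, error)) (User, error) {
	u, lerr := local(name)
	if lerr != nil {
		var ferr error
		if u, ferr = fallback(name); ferr != nil {
			return User{}, fmt.Errorf("local: %v; getent: %w", lerr, ferr)
		}
	}
	return u, nil
}

func main() {
	miss := func(n string) (User, error) { return User{}, fmt.Errorf("%s not in /etc/passwd", n) }
	fmt.Println(lookupUser("root", miss, getentUser)) // constructed local miss forces the getent path
}
```

The lookup functions are passed in as parameters so the fallback order and the combined error can be exercised on a host that has no `getent` binary or remote directory.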