Use idtools.LookupGroup instead of parsing /etc/group file for docker.sock ownership

[mjameswh]

fixes #1715
fixes docker/for-linux#186

What I did
Fix dockerd setting /var/run/docker.sock's group to root rather than docker when /etc/nsswitch.conf specify external sources for groups (for example LDAP, NIS or SSS).

How I did it
Used the existing idtools.LookupGroup function instead of reading the /etc/group file directly. idtools.LookupGroup first try reading the group file; if it fails, it makes a system call to the getent program. This is an uncommon strategy in general, but ensure that dockerd doesn't need to be linked against libnss, which depend on plugins and can't therefore be statically linked.

How to verify
I can't unfortunately provide a viable test case since that would require the test environment to be configured to use an external identity source (LDAP, ActiveDirectory, etc). However, existing tests should at least provide the garante that the existing behavior (that is, the most common case of using the docker group defined in the /etc/group) is indeed maintained, and the fact that idtools.LookupGroup is already being used in docker indicates that it most probably provides the expected new behavior.

Changelog
Properly set group on docker.sock when using external group databases (LDAP, NIS, SSS...)

[thaJeztah]

thanks for working on this! Left some comments / thoughts

[thaJeztah]

Wondering if we should log the error as a warning if we both fail to find a group, and converting the name to an integer also fails.

(It's a bit unfortunate that "group not found", and "an error occurred looking up the group" both return an error here;

moby/pkg/idtools/idtools_unix.go

Line 183 in b3e9f7b

return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", strings.Split(args, " ")[1])

🤔 ideally we should have a "IsNotFound"-like error, or perhaps no error at all for that)

[mjameswh]

Regarding the specific case of daemon/listeners/group_unix.go, errors get intercepted and are logged if appropriate in listeners_linux.go :

moby/daemon/listeners/listeners_linux.go

Line 40 in b3e9f7b

logrus.Warnf("could not change group %s to %s: %v", addr, defaultSocketGroup, err)

This is the only call site to group_unix.lookupGID().

As for the more general matter of error handling in idtools_unix.go, I agree that some minor improvement could be possible, but I think the behaviour of returning an error status (whatever its exact semantic) is the proper way to go. After all, the fact that a named group doesn't exist is not necessarily an error in all use case, but callers definitely need a way to help the user identify why a group was not found, notably when using external sources... I also think that it would be desirable to move to idtools_unix.go the handling of "the group name is actually a numerical id" cases, as it appears (well, at least to me) to always be a desirable fallback...

Now, come to that, I have noticed that there are quite a few places in Docker's source code where passwd and group files are crawled using various ad-hoc strategies. If more efforts is to be put in idtools_unix.go, then maybe it would be wise to consider using those functions everywhere instead of having custom code there and there...

By the way, I tried to retain the original behaviour as much as possible, in the hope that it would make the fix more acceptable for inclusion, essentially because it is my first contribution here. Still, I can certainly put a little more work in it if you are willing to give me some hints on what is to be done.

[mjameswh]

Ok, after some more checks, it turns out that there are almost no case left of ad-hoc parsing. I only found oci_linux.go and internals_linux.go, and I don't think that supporting external user sources for the second would be desirable.

[thaJeztah]

ping @estesp PTAL 🤗

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "fix-1715" git@github.com:mjameswh/moby.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354377400
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[thaJeztah]

LGTM

[andrewhsu]

SGTM

[kolyshkin]

Can you please squash your commits into one?

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@baab736). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master   #38126   +/-   ##
=========================================
  Coverage          ?   36.13%           
=========================================
  Files             ?      610           
  Lines             ?    45216           
  Branches          ?        0           
=========================================
  Hits              ?    16337           
  Misses            ?    26641           
  Partials          ?     2238

[mjameswh]

Can you please squash your commits into one?

Done.

[thaJeztah]

Thanks!

[thaJeztah]

Ah.. this broke master in combination with #38316 fix upcoming

[thaJeztah]

Fix #38360 👍