From 62887656553f26a346724fa9fad3378b09d5ee27 Mon Sep 17 00:00:00 2001 From: fupan Date: Thu, 19 Jul 2018 17:14:55 +0800 Subject: [PATCH] container: fix the issue of using the wrong user Signed-off-by: fupan --- daemon/pod/container.go | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/daemon/pod/container.go b/daemon/pod/container.go index 3239f853..b694b93d 100644 --- a/daemon/pod/container.go +++ b/daemon/pod/container.go @@ -628,12 +628,7 @@ func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string) *sp ocispec.Hostname = c.p.globalSpec.Hostname - /* - * ocispec used the user's UID and GID instead of user name and group name, - * thus it needed to convert the user name and group name to UID and GID in - * the future, here just set it to "0" as default. - */ - ocispec.Process.User = specs.User{UID: 0, GID: 0} + ocispec.Process.User = specs.User{Username: c.spec.User.Name} for _, l := range c.spec.Ulimits { ltype := strings.ToLower(l.Name) @@ -648,7 +643,6 @@ func (c *Container) ociSpec(cjson *dockertypes.ContainerJSON, cmds []string) *sp } func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.ContainerConfig, error) { - var user, group string var ociSpec *specs.Spec var cmds []string @@ -665,6 +659,10 @@ func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.Conta c.spec.StopSignal = "TERM" } + if c.spec.User == nil { + c.spec.User = &apitypes.UserUser{Name: cjson.Config.User} + } + cmds = append(cmds, cjson.Config.Entrypoint.Slice()...) cmds = append(cmds, cjson.Config.Cmd.Slice()...) 
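Review bot: The new assignment `specs.User{Username: c.spec.User.Name}` in ociSpec leaves `UID` and `GID` at zero, and in the OCI runtime-spec Go types `Username` is the Windows-platform field while the numeric IDs are what Linux runtimes read. Unless the component that consumes this spec resolves the name itself (not visible in this diff), the process would still start as root. The removed comment that explained the limitation has no replacement, so I would add one such as `// UID/GID stay 0 here; Username must be resolved to numeric IDs by the consumer of this spec`. The same line dereferences `c.spec.User` without a nil check, so it depends on containerConfig having installed the default from the third hunk first, as does the `vc.Cmd` literal in the last hunk; a guard like `if c.spec.User != nil { ocispec.Process.User.Username = c.spec.User.Name }` removes that ordering dependency. ociSpec's body starts and ends outside the hunk.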
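Review bot: The fallback to `cjson.Config.User` in the third hunk runs only when `c.spec.User` is nil, so a pod spec that carries a User with an empty Name (for instance only a Group) drops the image's configured user and presumably ends up at the runtime default, which is typically root. The image value is also copied whole into Name although Docker accepts `user:group` and `uid:gid` forms there, so Group, and with it `PrimaryGroup` in the last hunk, stays empty; whether the consumer of `vc.Cmd` splits a combined value is not visible here. I would fill Name whenever it is empty and split off the group part, as below. containerConfig's body continues outside the hunk.

```go
// Image USER may be "name", "name:group", "uid" or "uid:gid".
if c.spec.User == nil {
	c.spec.User = &apitypes.UserUser{}
}
if c.spec.User.Name == "" {
	imgUser := strings.SplitN(cjson.Config.User, ":", 2)
	c.spec.User.Name = imgUser[0]
	if len(imgUser) == 2 && c.spec.User.Group == "" {
		c.spec.User.Group = imgUser[1]
	}
}
// … unchanged: cmds built from Entrypoint and Cmd …
```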
@@ -706,17 +704,12 @@ func (c *Container) containerConfig(cjson *dockertypes.ContainerJSON) (*vc.Conta } c.Log(DEBUG, "mount id: %s", mountId) - if c.spec.User != nil { - user = c.spec.User.Name - group = c.spec.User.Group - } - cmd := vc.Cmd{ Args: cmds, Envs: c.cmdEnvs([]vc.EnvVar{}), WorkDir: c.spec.Workdir, - User: user, - PrimaryGroup: group, + User: c.spec.User.Name, + PrimaryGroup: c.spec.User.Group, Interactive: c.spec.Tty, Detach: !c.HasTty(), }