Use user from OCI config per default

We have to use the user from the OCI configuration to have the right set of user permissions inside container. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2025-06-26 18:18:24 +00:00 · 2020-04-20 15:02:14 +02:00 · 2020-04-20 15:02:14 +02:00 · ae69696fcd
commit ae69696fcd
parent f7a19bb301
2 changed files with 16 additions and 2 deletions
--- a/pkg/container_config.go
+++ b/pkg/container_config.go
@ -37,6 +37,7 @@ type containerConfig struct {
 	Pid    int
 	Rootfs string
 	Env    map[string]string
+	User   string
 	Nvidia *nvidiaConfig
 }

@ -47,7 +48,14 @@ type Root struct {

 // github.com/opencontainers/runtime-spec/blob/v1.0.0/specs-go/config.go#L30-L57
 type Process struct {
-	Env []string `json:"env,omitempty"`
+	Env  []string `json:"env,omitempty"`
+	User User     `json:"user"`
+}
+
+// User specifies specific user (and group) information for the container process.
+type User struct {
+	UID uint32 `json:"uid"`
+	GID uint32 `json:"gid"`
 }

 // We use pointers to structs, similarly to the latest version of runtime-spec:
@ -260,6 +268,7 @@ func getContainerConfig(hook HookConfig) (config containerConfig) {
 		Pid:    h.Pid,
 		Rootfs: s.Root.Path,
 		Env:    env,
+		User:   fmt.Sprintf("%d:%d", s.Process.User.UID, s.Process.User.GID),
 		Nvidia: getNvidiaConfig(env),
 	}
 }
--- a/pkg/main.go
+++ b/pkg/main.go
@ -112,9 +112,14 @@ func doPrestart() {
 	if cli.Ldcache != nil {
 		args = append(args, fmt.Sprintf("--ldcache=%s", *cli.Ldcache))
 	}
+
+	// The CLI user has a higher priority than the OCI config user
+	user := container.User
 	if cli.User != nil {
-		args = append(args, fmt.Sprintf("--user=%s", *cli.User))
+		user = *cli.User
 	}
+	args = append(args, fmt.Sprintf("--user=%s", user))
+
 	args = append(args, "configure")

 	if cli.Ldconfig != nil {