Merge pull request #10717 from mrunalp/feature/group_add
Adds support for specifying additional groups.
commit
35b0223921
14 changed files with 48 additions and 0 deletions
|
@ -829,6 +829,7 @@ _docker_run() {
|
|||
--env -e
|
||||
--env-file
|
||||
--expose
|
||||
--group-add
|
||||
--hostname -h
|
||||
--ipc
|
||||
--label -l
|
||||
|
|
|
@ -127,6 +127,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s e -l env -d
|
|||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l env-file -d 'Read in a line delimited file of environment variables'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s h -l hostname -d 'Container host name'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Print usage'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached'
|
||||
|
@ -313,6 +314,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s e -l env -d 'Se
|
|||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l env-file -d 'Read in a line delimited file of environment variables'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s h -l hostname -d 'Container host name'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print usage'
|
||||
complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached'
|
||||
|
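Review bot: The `--group-add` completion added in the `run` hunk is guarded with `-n '__fish_seen_subcommand_from create'`, so it never fires for `docker run`; it reads as a copy of the line added to the `create` hunk above. Every neighbouring line in that hunk tests for `run`, and this one should too: `complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l group-add -d 'Add additional groups to run as'`.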
|
|
@ -499,6 +499,7 @@ __docker_subcommand () {
|
|||
'--entrypoint=-[Overwrite the default ENTRYPOINT of the image]:entry point: ' \
|
||||
'*--env-file=-[Read in a file of environment variables]:environment file:_files' \
|
||||
'*--expose=-[Expose a port or a range of ports]:port or a range of ports: ' \
|
||||
'*--group-add=-[Add additional groups to run as]:group: ' \
|
||||
'(-h --hostname)'{-h,--hostname=-}'[Container host name]:hostname:_hosts' \
|
||||
'(- :)--help[Print usage]' \
|
||||
'(-i --interactive)'{-i,--interactive}'[Keep STDIN open even if not attached]' \
|
||||
|
|
|
@ -301,6 +301,7 @@ func populateCommand(c *Container, env []string) error {
|
|||
AutoCreatedDevices: autoCreatedDevices,
|
||||
CapAdd: c.hostConfig.CapAdd.Slice(),
|
||||
CapDrop: c.hostConfig.CapDrop.Slice(),
|
||||
GroupAdd: c.hostConfig.GroupAdd,
|
||||
ProcessConfig: processConfig,
|
||||
ProcessLabel: c.GetProcessLabel(),
|
||||
MountLabel: c.GetMountLabel(),
|
||||
|
|
|
@ -170,6 +170,7 @@ type Command struct {
|
|||
AutoCreatedDevices []*configs.Device `json:"autocreated_devices"`
|
||||
CapAdd []string `json:"cap_add"`
|
||||
CapDrop []string `json:"cap_drop"`
|
||||
GroupAdd []string `json:"group_add"`
|
||||
ContainerPid int `json:"container_pid"` // the pid for the process inside a container
|
||||
ProcessConfig ProcessConfig `json:"process_config"` // Describes the init process of the container.
|
||||
ProcessLabel string `json:"process_label"`
|
||||
|
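Review bot: The new `GroupAdd []string` field of `Command` carries no comment, while `ContainerPid` and `ProcessConfig` on the following lines explain what they hold, and this struct is the contract every exec driver reads. A trailing comment such as `// supplementary groups (names or numeric ids, as given on --group-add) for the container process` would tell driver authors what to expect; whether names are resolved before or after this point is not visible in the hunk, so I would not claim more than that. The `Command` struct continues outside the hunk.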
|
|
@ -58,6 +58,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
|
|||
}
|
||||
}
|
||||
|
||||
container.AdditionalGroups = c.GroupAdd
|
||||
|
||||
if c.AppArmorProfile != "" {
|
||||
container.AppArmorProfile = c.AppArmorProfile
|
||||
}
|
||||
|
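Review bot: `container.AdditionalGroups = c.GroupAdd` is the only place in this change where an exec driver consumes the new field, and the 14-file diffstat lists no other driver, so under a non-native driver a `--group-add` request would presumably be accepted by the CLI and API and then have no effect, without any error to tell the caller the groups were dropped. Either the other drivers should reject a non-empty `c.GroupAdd`, or the option should be documented as native-driver only. A comment here would also help the next reader, e.g. `// Supplementary groups from --group-add; passed through as given, resolution happens downstream (confirm in libcontainer)`. `createContainer` starts and ends outside this hunk.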
|
|
@ -68,6 +68,10 @@ Running `docker rmi` emits an **untag** event when removing an image name. The
|
|||
|
||||
### What's new
|
||||
|
||||
**New!**
|
||||
The `hostConfig` option now accepts the field `GroupAdd`, which specifies a list of additional
|
||||
groups that the container process will run as.
|
||||
|
||||
## v1.19
|
||||
|
||||
### Full documentation
|
||||
|
|
|
@ -34,6 +34,7 @@ weight=1
|
|||
--entrypoint="" Overwrite the default ENTRYPOINT of the image
|
||||
--env-file=[] Read in a file of environment variables
|
||||
--expose=[] Expose a port or a range of ports
|
||||
--group-add=[] Add additional groups to run as
|
||||
-h, --hostname="" Container host name
|
||||
--help=false Print usage
|
||||
-i, --interactive=false Keep STDIN open even if not attached
|
||||
|
|
|
@ -737,6 +737,16 @@ weights of the two containers.
|
|||
> **Note:** The blkio weight setting is only available for direct IO. Buffered IO
|
||||
> is not currently supported.
|
||||
|
||||
## Additional groups
|
||||
--group-add: Add Linux capabilities
|
||||
|
||||
By default, the docker container process runs with the supplementary groups looked
|
||||
up for the specified user. If one wants to add more to that list of groups, then
|
||||
one can use this flag:
|
||||
|
||||
$ docker run -ti --rm --group-add audio --group-add dbus --group-add 777 busybox id
|
||||
uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777
|
||||
|
||||
## Runtime privilege, Linux capabilities, and LXC configuration
|
||||
|
||||
--cap-add: Add Linux capabilities
|
||||
|
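Review bot: The new line `--group-add: Add Linux capabilities` describes the wrong flag; it looks copied from `--cap-add: Add Linux capabilities` in the section that follows and tells readers the option grants capabilities, which it does not. It should match the flag's own description, e.g. `--group-add: Add additional groups to run as`. The prose and the `id` example that follow already describe the intended behaviour (supplementary groups), so only that heading line needs to change.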
|
|
@ -948,6 +948,19 @@ func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
|
|||
}
|
||||
}
|
||||
|
||||
func (s *DockerSuite) TestRunGroupAdd(c *check.C) {
|
||||
cmd := exec.Command(dockerBinary, "run", "--group-add=audio", "--group-add=dbus", "--group-add=777", "busybox", "sh", "-c", "id")
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err != nil {
|
||||
c.Fatal(err, out)
|
||||
}
|
||||
|
||||
groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777"
|
||||
if actual := strings.Trim(out, "\r\n"); actual != groupsList {
|
||||
c.Fatalf("expected output %s received %s", groupsList, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) {
|
||||
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
|
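Review bot: `TestRunGroupAdd` declares no exec-driver requirement, yet within this change only the native driver sets `AdditionalGroups`, so under another driver the `id` output would lack the groups and the test would fail rather than skip; if `testRequires` is available in this file (not visible in the hunk), a `testRequires(c, NativeExecDriver)` at the top of the test would express that dependency. The expected string also pins `wheel`, `audio` and `dbus` to gids 10, 29 and 81, values that come from the group database of the busybox test image, so a change of image silently breaks the comparison; a short comment such as `// gids are those of /etc/group in the busybox test image` would make that dependency explicit.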
|
|
@ -24,6 +24,7 @@ docker-create - Create a new container
|
|||
[**--entrypoint**[=*ENTRYPOINT*]]
|
||||
[**--env-file**[=*[]*]]
|
||||
[**--expose**[=*[]*]]
|
||||
[**--group-add**[=*[]*]]
|
||||
[**-h**|**--hostname**[=*HOSTNAME*]]
|
||||
[**--help**]
|
||||
[**-i**|**--interactive**[=*false*]]
|
||||
|
@ -129,6 +130,9 @@ two memory nodes.
|
|||
**--expose**=[]
|
||||
Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host
|
||||
|
||||
**--group-add**=[]
|
||||
Add additional groups to run as
|
||||
|
||||
**-h**, **--hostname**=""
|
||||
Container host name
|
||||
|
||||
|
|
|
@ -25,6 +25,7 @@ docker-run - Run a command in a new container
|
|||
[**--entrypoint**[=*ENTRYPOINT*]]
|
||||
[**--env-file**[=*[]*]]
|
||||
[**--expose**[=*[]*]]
|
||||
[**--group-add**[=*[]*]]
|
||||
[**-h**|**--hostname**[=*HOSTNAME*]]
|
||||
[**--help**]
|
||||
[**-i**|**--interactive**[=*false*]]
|
||||
|
@ -216,6 +217,9 @@ ENTRYPOINT.
|
|||
**--expose**=[]
|
||||
Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host
|
||||
|
||||
**--group-add**=[]
|
||||
Add additional groups to run as
|
||||
|
||||
**-h**, **--hostname**=""
|
||||
Container host name
|
||||
|
||||
|
|
|
@ -249,6 +249,7 @@ type HostConfig struct {
|
|||
UTSMode UTSMode
|
||||
CapAdd *CapList
|
||||
CapDrop *CapList
|
||||
GroupAdd []string
|
||||
RestartPolicy RestartPolicy
|
||||
SecurityOpt []string
|
||||
ReadonlyRootfs bool
|
||||
|
|
|
@ -60,6 +60,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
|
|||
flEnvFile = opts.NewListOpts(nil)
|
||||
flCapAdd = opts.NewListOpts(nil)
|
||||
flCapDrop = opts.NewListOpts(nil)
|
||||
flGroupAdd = opts.NewListOpts(nil)
|
||||
flSecurityOpt = opts.NewListOpts(nil)
|
||||
flLabelsFile = opts.NewListOpts(nil)
|
||||
flLoggingOpts = opts.NewListOpts(nil)
|
||||
|
@ -112,6 +113,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
|
|||
cmd.Var(&flLxcOpts, []string{"#lxc-conf", "-lxc-conf"}, "Add custom lxc options")
|
||||
cmd.Var(&flCapAdd, []string{"-cap-add"}, "Add Linux capabilities")
|
||||
cmd.Var(&flCapDrop, []string{"-cap-drop"}, "Drop Linux capabilities")
|
||||
cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to join")
|
||||
cmd.Var(&flSecurityOpt, []string{"-security-opt"}, "Security Options")
|
||||
cmd.Var(flUlimits, []string{"-ulimit"}, "Ulimit options")
|
||||
cmd.Var(&flLoggingOpts, []string{"-log-opt"}, "Log driver options")
|
||||
|
@ -369,6 +371,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
|
|||
Devices: deviceMappings,
|
||||
CapAdd: NewCapList(flCapAdd.GetAll()),
|
||||
CapDrop: NewCapList(flCapDrop.GetAll()),
|
||||
GroupAdd: flGroupAdd.GetAll(),
|
||||
RestartPolicy: restartPolicy,
|
||||
SecurityOpt: flSecurityOpt.GetAll(),
|
||||
ReadonlyRootfs: *flReadonlyRootfs,
|
||||
|
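Review bot: The help text on `cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to join")` disagrees with every other description of the option in this change, which all read "Add additional groups to run as" (fish and zsh completions, CLI reference, man pages). Since `docker run --help` is the text most users see first, the wordings should agree; `cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to run as")` would match the rest. Separately, `GroupAdd: flGroupAdd.GetAll()` hands the raw strings to `HostConfig` with no validation, which is acceptable only if the driver rejects unknown groups, and nothing in these hunks shows that; `Parse` starts and ends outside the hunks.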
|