
Merge pull request #10717 from mrunalp/feature/group_add

Adds support for specifying additional groups.
Jessie Frazelle 10 年之前
父節點
當前提交
35b0223921

+ 1 - 0
contrib/completion/bash/docker

@@ -829,6 +829,7 @@ _docker_run() {
 		--env -e
 		--env-file
 		--expose
+		--group-add
 		--hostname -h
 		--ipc
 		--label -l

+ 2 - 0
contrib/completion/fish/docker.fish

@@ -127,6 +127,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s e -l env -d
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l env-file -d 'Read in a line delimited file of environment variables'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s h -l hostname -d 'Container host name'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Print usage'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached'
@@ -313,6 +314,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s e -l env -d 'Se
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l env-file -d 'Read in a line delimited file of environment variables'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s h -l hostname -d 'Container host name'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print usage'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached'
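Review bot: The `--group-add` completion added to the `run` block is gated on the wrong subcommand: the new line uses `'__fish_seen_subcommand_from create'`, so it duplicates the `create` entry above and `docker run --group-<TAB>` will not offer the flag. The surrounding `run` lines all use `'__fish_seen_subcommand_from run'`; the line should read `complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l group-add -d 'Add additional groups to run as'`. Minor, but worth fixing before the copy-paste propagates to the next flag.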

+ 1 - 0
contrib/completion/zsh/_docker

@@ -499,6 +499,7 @@ __docker_subcommand () {
                 '--entrypoint=-[Overwrite the default ENTRYPOINT of the image]:entry point: ' \
                 '*--env-file=-[Read in a file of environment variables]:environment file:_files' \
                 '*--expose=-[Expose a port or a range of ports]:port or a range of ports: ' \
+                '*--group-add=-[Add additional groups to run as]:group: ' \
                 '(-h --hostname)'{-h,--hostname=-}'[Container host name]:hostname:_hosts' \
                 '(- :)--help[Print usage]' \
                 '(-i --interactive)'{-i,--interactive}'[Keep STDIN open even if not attached]' \

+ 1 - 0
daemon/container_unix.go

@@ -301,6 +301,7 @@ func populateCommand(c *Container, env []string) error {
 		AutoCreatedDevices: autoCreatedDevices,
 		CapAdd:             c.hostConfig.CapAdd.Slice(),
 		CapDrop:            c.hostConfig.CapDrop.Slice(),
+		GroupAdd:           c.hostConfig.GroupAdd,
 		ProcessConfig:      processConfig,
 		ProcessLabel:       c.GetProcessLabel(),
 		MountLabel:         c.GetMountLabel(),
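Review bot: `c.hostConfig.GroupAdd` is copied into the exec driver command with no validation, and because HostConfig is also accepted from the remote API, the CLI parser is not a sufficient place to check it. The daemon should reject entries that are empty or contain whitespace, and confirm that purely numeric entries parse as a valid GID, so that a malformed list fails at create time with a clear error rather than at container start inside the driver. A short comment on the new line would also help: `// GroupAdd: supplementary groups (names or numeric GIDs) requested via HostConfig; resolved by the exec driver at start`. populateCommand begins and ends outside this hunk, so the best location for the check may be an existing verification step elsewhere in this function or in the create path.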

+ 1 - 0
daemon/execdriver/driver.go

@@ -170,6 +170,7 @@ type Command struct {
 	AutoCreatedDevices []*configs.Device `json:"autocreated_devices"`
 	CapAdd             []string          `json:"cap_add"`
 	CapDrop            []string          `json:"cap_drop"`
+	GroupAdd           []string          `json:"group_add"`
 	ContainerPid       int               `json:"container_pid"`  // the pid for the process inside a container
 	ProcessConfig      ProcessConfig     `json:"process_config"` // Describes the init process of the container.
 	ProcessLabel       string            `json:"process_label"`
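Review bot: The new `GroupAdd` field carries a security-relevant setting but, unlike `ContainerPid` and `ProcessConfig` just below it, has no doc comment, and a reader cannot tell from the struct whether entries are names, numeric GIDs, or both. Suggested comment: `// GroupAdd lists supplementary groups (group names or numeric GIDs) to add to the container process.` Placing it next to `CapAdd`/`CapDrop` is reasonable since all three widen the process's privileges. The `Command` struct continues outside this hunk.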

+ 2 - 0
daemon/execdriver/native/create.go

@@ -58,6 +58,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
 		}
 	}
 
+	container.AdditionalGroups = c.GroupAdd
+
 	if c.AppArmorProfile != "" {
 		container.AppArmorProfile = c.AppArmorProfile
 	}
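Review bot: `container.AdditionalGroups = c.GroupAdd` hands the raw list to libcontainer, and nothing in this commit documents how names are resolved; presumably the lookup happens against the container rootfs's `/etc/group` at start time, which means a name like `audio` maps to whatever GID the image defines rather than the host's, while numeric entries pass through verbatim (the integration test's bare `777` suggests unknown numeric GIDs are accepted). That distinction matters for bind-mounted host paths and should be stated in the user docs and in a comment here, e.g. `// Supplementary groups; names are resolved inside the container's rootfs, numeric GIDs are used as-is`. Only the native driver is wired up in this PR; if another exec driver consumes execdriver.Command it will silently ignore GroupAdd, which is worth either implementing or rejecting explicitly. createContainer starts and ends outside this hunk.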

+ 4 - 0
docs/reference/api/docker_remote_api.md

@@ -68,6 +68,10 @@ Running `docker rmi` emits an **untag** event when removing an image name.  The
 
 ### What's new
 
+**New!**
+The `hostConfig` option now accepts the field `GroupAdd`, which specifies a list of additional
+groups that the container process will run as.
+
 ## v1.19
 
 ### Full documentation

+ 1 - 0
docs/reference/commandline/run.md

@@ -34,6 +34,7 @@ weight=1
       --entrypoint=""            Overwrite the default ENTRYPOINT of the image
       --env-file=[]              Read in a file of environment variables
       --expose=[]                Expose a port or a range of ports
+      --group-add=[]             Add additional groups to run as
       -h, --hostname=""          Container host name
       --help=false               Print usage
       -i, --interactive=false    Keep STDIN open even if not attached

+ 10 - 0
docs/reference/run.md

@@ -737,6 +737,16 @@ weights of the two containers.
 > **Note:** The blkio weight setting is only available for direct IO. Buffered IO
 > is not currently supported.
 
+## Additional groups
+    --group-add: Add Linux capabilities
+
+By default, the docker container process runs with the supplementary groups looked
+up for the specified user. If one wants to add more to that list of groups, then
+one can use this flag:
+
+    $ docker run -ti --rm --group-add audio  --group-add dbus --group-add 777 busybox id
+    uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777
+
 ## Runtime privilege, Linux capabilities, and LXC configuration
 
     --cap-add: Add Linux capabilities
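Review bot: The option line under the new "Additional groups" heading is a copy-paste from the capabilities section: `--group-add: Add Linux capabilities` describes the wrong flag and should read `--group-add: Add additional groups to run as`, matching the help text used elsewhere in this PR. The example output is tied to the busybox image's `/etc/group` (wheel=10, audio=29, dbus=81), so a sentence noting that names resolve to GIDs as defined inside the image, and that a bare number such as `777` is used as-is, would keep readers from assuming host group IDs apply.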

+ 13 - 0
integration-cli/docker_cli_run_test.go

@@ -948,6 +948,19 @@ func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
 	}
 }
 
+func (s *DockerSuite) TestRunGroupAdd(c *check.C) {
+	cmd := exec.Command(dockerBinary, "run", "--group-add=audio", "--group-add=dbus", "--group-add=777", "busybox", "sh", "-c", "id")
+	out, _, err := runCommandWithOutput(cmd)
+	if err != nil {
+		c.Fatal(err, out)
+	}
+
+	groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777"
+	if actual := strings.Trim(out, "\r\n"); actual != groupsList {
+		c.Fatalf("expected output %s received %s", groupsList, actual)
+	}
+}
+
 func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) {
 	cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
 	out, _, err := runCommandWithOutput(cmd)
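Review bot: TestRunGroupAdd only exercises the root user, where supplementary groups add little, and its expected string hard-codes busybox's GID assignments (wheel=10, audio=29, dbus=81), so the test will break on an image update without indicating a regression. A second case running with a non-root user, e.g. `"-u", "1000:1000"` in the same exec.Command arguments and checking that `id` still reports `29(audio)` and `777`, would verify that the groups are actually applied to the user the feature is meant for. Asserting with strings.Contains on the individual `groups=` entries instead of an exact match would also make the test less brittle while still proving membership.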

+ 4 - 0
man/docker-create.1.md

@@ -24,6 +24,7 @@ docker-create - Create a new container
 [**--entrypoint**[=*ENTRYPOINT*]]
 [**--env-file**[=*[]*]]
 [**--expose**[=*[]*]]
+[**--group-add**[=*[]*]]
 [**-h**|**--hostname**[=*HOSTNAME*]]
 [**--help**]
 [**-i**|**--interactive**[=*false*]]
@@ -129,6 +130,9 @@ two memory nodes.
 **--expose**=[]
    Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host
 
+**--group-add**=[]
+   Add additional groups to run as
+
 **-h**, **--hostname**=""
    Container host name
 

+ 4 - 0
man/docker-run.1.md

@@ -25,6 +25,7 @@ docker-run - Run a command in a new container
 [**--entrypoint**[=*ENTRYPOINT*]]
 [**--env-file**[=*[]*]]
 [**--expose**[=*[]*]]
+[**--group-add**[=*[]*]]
 [**-h**|**--hostname**[=*HOSTNAME*]]
 [**--help**]
 [**-i**|**--interactive**[=*false*]]
@@ -216,6 +217,9 @@ ENTRYPOINT.
 **--expose**=[]
    Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host
 
+**--group-add**=[]
+   Add additional groups to run as
+
 **-h**, **--hostname**=""
    Container host name
 

+ 1 - 0
runconfig/hostconfig.go

@@ -249,6 +249,7 @@ type HostConfig struct {
 	UTSMode          UTSMode
 	CapAdd           *CapList
 	CapDrop          *CapList
+	GroupAdd         []string
 	RestartPolicy    RestartPolicy
 	SecurityOpt      []string
 	ReadonlyRootfs   bool

+ 3 - 0
runconfig/parse.go

@@ -60,6 +60,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 		flEnvFile     = opts.NewListOpts(nil)
 		flCapAdd      = opts.NewListOpts(nil)
 		flCapDrop     = opts.NewListOpts(nil)
+		flGroupAdd    = opts.NewListOpts(nil)
 		flSecurityOpt = opts.NewListOpts(nil)
 		flLabelsFile  = opts.NewListOpts(nil)
 		flLoggingOpts = opts.NewListOpts(nil)
@@ -112,6 +113,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 	cmd.Var(&flLxcOpts, []string{"#lxc-conf", "-lxc-conf"}, "Add custom lxc options")
 	cmd.Var(&flCapAdd, []string{"-cap-add"}, "Add Linux capabilities")
 	cmd.Var(&flCapDrop, []string{"-cap-drop"}, "Drop Linux capabilities")
+	cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to join")
 	cmd.Var(&flSecurityOpt, []string{"-security-opt"}, "Security Options")
 	cmd.Var(flUlimits, []string{"-ulimit"}, "Ulimit options")
 	cmd.Var(&flLoggingOpts, []string{"-log-opt"}, "Log driver options")
@@ -369,6 +371,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 		Devices:          deviceMappings,
 		CapAdd:           NewCapList(flCapAdd.GetAll()),
 		CapDrop:          NewCapList(flCapDrop.GetAll()),
+		GroupAdd:         flGroupAdd.GetAll(),
 		RestartPolicy:    restartPolicy,
 		SecurityOpt:      flSecurityOpt.GetAll(),
 		ReadonlyRootfs:   *flReadonlyRootfs,
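Review bot: The CLI help text registered for the flag, `"Add additional groups to join"`, disagrees with the wording used in every other place this PR touches ("Add additional groups to run as" in the man pages, completions and run.md); pick one and use it here too, e.g. `cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to run as")`. The values are passed through `flGroupAdd.GetAll()` unchecked, so `--group-add=""` or a value with embedded spaces is accepted at parse time and only fails later in the daemon; a parse-time check that each entry is non-empty would give the user an immediate error. Parse continues outside this hunk.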