From e0d96fb3ef562103690529c34140d04604599497 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Wed, 17 Jun 2015 14:39:17 -0400
Subject: [PATCH 1/4] Adds support for specifying additional groups.
Signed-off-by: Mrunal Patel
---
 daemon/container_unix.go | 4 ++++
 daemon/execdriver/driver.go | 1 +
 daemon/execdriver/native/create.go | 2 ++
 runconfig/hostconfig.go | 1 +
 runconfig/parse.go | 3 +++
 5 files changed, 11 insertions(+)
diff --git a/daemon/container_unix.go b/daemon/container_unix.go
index cc730e4c40..86238d819a 100644
--- a/daemon/container_unix.go
+++ b/daemon/container_unix.go
@@ -301,6 +301,10 @@ func populateCommand(c *Container, env []string) error {
 AutoCreatedDevices: autoCreatedDevices,
 CapAdd: c.hostConfig.CapAdd.Slice(),
 CapDrop: c.hostConfig.CapDrop.Slice(),
+ GroupAdd: c.hostConfig.GroupAdd.Slice(),
+ CapAdd: c.hostConfig.CapAdd,
+ CapDrop: c.hostConfig.CapDrop,
+ GroupAdd: c.hostConfig.GroupAdd,
 ProcessConfig: processConfig,
 ProcessLabel: c.GetProcessLabel(),
 MountLabel: c.GetMountLabel(),
diff --git a/daemon/execdriver/driver.go b/daemon/execdriver/driver.go
index c470ad408e..128d3ea10b 100644
--- a/daemon/execdriver/driver.go
+++ b/daemon/execdriver/driver.go
@@ -170,6 +170,7 @@ type Command struct {
 AutoCreatedDevices []*configs.Device `json:"autocreated_devices"`
 CapAdd []string `json:"cap_add"`
 CapDrop []string `json:"cap_drop"`
+ GroupAdd []string `json:"group_add"`
 ContainerPid int `json:"container_pid"` // the pid for the process inside a container
 ProcessConfig ProcessConfig `json:"process_config"` // Describes the init process of the container.
 ProcessLabel string `json:"process_label"`
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index a8adda6ded..a9328408ca 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
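Review bot: The four added lines leave the struct literal in `populateCommand` with `CapAdd`, `CapDrop` and `GroupAdd` each keyed twice, which Go rejects as duplicate fields, and the first of them calls `.Slice()` on `c.hostConfig.GroupAdd`, a field the hostconfig.go hunk declares as a plain `[]string`, so patch 1 does not compile on its own. Patch 4 ("Fixup rebase") deletes the three offending lines, but as a series this leaves a commit that breaks the build for anyone bisecting; squash that fixup here so the hunk adds only `GroupAdd: c.hostConfig.GroupAdd,` beside the existing `CapDrop` line. populateCommand's body starts and ends outside the hunk.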
@@ -58,6 +58,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
 }
 }
+ container.AdditionalGroups = c.GroupAdd
+
 if c.AppArmorProfile != "" {
 container.AppArmorProfile = c.AppArmorProfile
 }
diff --git a/runconfig/hostconfig.go b/runconfig/hostconfig.go
index 9264d9ae9b..21b40dc104 100644
--- a/runconfig/hostconfig.go
+++ b/runconfig/hostconfig.go
@@ -249,6 +249,7 @@ type HostConfig struct {
 UTSMode UTSMode
 CapAdd *CapList
 CapDrop *CapList
+ GroupAdd []string
 RestartPolicy RestartPolicy
 SecurityOpt []string
 ReadonlyRootfs bool
diff --git a/runconfig/parse.go b/runconfig/parse.go
index ed6917acb3..e849daf374 100644
--- a/runconfig/parse.go
+++ b/runconfig/parse.go
@@ -60,6 +60,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 flEnvFile = opts.NewListOpts(nil)
 flCapAdd = opts.NewListOpts(nil)
 flCapDrop = opts.NewListOpts(nil)
+ flGroupAdd = opts.NewListOpts(nil)
 flSecurityOpt = opts.NewListOpts(nil)
 flLabelsFile = opts.NewListOpts(nil)
 flLoggingOpts = opts.NewListOpts(nil)
@@ -112,6 +113,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 cmd.Var(&flLxcOpts, []string{"#lxc-conf", "-lxc-conf"}, "Add custom lxc options")
 cmd.Var(&flCapAdd, []string{"-cap-add"}, "Add Linux capabilities")
 cmd.Var(&flCapDrop, []string{"-cap-drop"}, "Drop Linux capabilities")
+ cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to join")
 cmd.Var(&flSecurityOpt, []string{"-security-opt"}, "Security Options")
 cmd.Var(flUlimits, []string{"-ulimit"}, "Ulimit options")
 cmd.Var(&flLoggingOpts, []string{"-log-opt"}, "Log driver options")
@@ -369,6 +371,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 Devices: deviceMappings,
 CapAdd: NewCapList(flCapAdd.GetAll()),
 CapDrop: NewCapList(flCapDrop.GetAll()),
+ GroupAdd: flGroupAdd.GetAll(),
 RestartPolicy: restartPolicy,
 SecurityOpt: flSecurityOpt.GetAll(),
 ReadonlyRootfs: *flReadonlyRootfs,
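Review bot: `container.AdditionalGroups = c.GroupAdd` forwards the user-supplied list verbatim, and nothing in the series validates it: an empty entry or a name missing from the container's group database is presumably rejected, if at all, only by libcontainer when the container starts, while numeric entries go through as gids unchanged (the test hunk relies on a bare `777` surviving to `id`). That deserves a comment here and a line in the docs, because it lets `--group-add 0`, or the gid owning a bind-mounted `docker.sock`, be attached to a non-root `--user` process — the same trust `--user uid:gid` already extends to any daemon client, but stated nowhere. The diffstat also shows only the native driver being wired; if the lxc driver is still selectable, the option is accepted and silently dropped there, which should at least be documented or rejected. Proposed comment: `// Forwarded unvalidated: numeric entries become gids verbatim and names are only resolved downstream, so this can grant any gid, including 0, to a non-root --user.` createContainer's body continues outside the hunk.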
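Review bot: `flGroupAdd = opts.NewListOpts(nil)` installs no validator (the `nil` argument), so `--group-add=` or a value containing spaces lands in `HostConfig.GroupAdd` as-is via `GroupAdd: flGroupAdd.GetAll()` in the last hunk and is only diagnosed, if at all, when the container starts. A small validator that accepts a non-empty group name or an unsigned decimal gid and rejects anything else would fail fast at the CLI: `flGroupAdd = opts.NewListOpts(validateGroup)`, with `validateGroup` defined next to whatever validators `opts` already provides, which I cannot see from here. The help string `"Add additional groups to join"` also disagrees with the `"Add additional groups to run as"` wording used across the completion scripts, man pages and docs in patch 3; pick one. Parse's body starts and ends outside the hunk.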
From 0b7938e8459eda3b80bcc581837e90edc4d6855f Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Wed, 17 Jun 2015 14:39:59 -0400
Subject: [PATCH 2/4] Adds test for additional groups.
Signed-off-by: Mrunal Patel
---
 integration-cli/docker_cli_run_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index d2377efb4a..957c1a2ad4 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -948,6 +948,19 @@ func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
 }
 }
+func (s *DockerSuite) TestRunGroupAdd(c *check.C) {
+ cmd := exec.Command(dockerBinary, "run", "--group-add=audio", "--group-add=dbus", "--group-add=777", "busybox", "sh", "-c", "id")
+ out, _, err := runCommandWithOutput(cmd)
+ if err != nil {
+ c.Fatal(err, out)
+ }
+
+ groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777"
+ if actual := strings.Trim(out, "\r\n"); actual != groupsList {
+ c.Fatalf("expected output %s received %s", groupsList, actual)
+ }
+}
+
 func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) {
 cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
 out, _, err := runCommandWithOutput(cmd)
From d77d0268eb1f419509ceb6670ff7aaa298314218 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Wed, 17 Jun 2015 16:25:53 -0400
Subject: [PATCH 3/4] Adds documentation for additional groups.
Signed-off-by: Mrunal Patel
---
 contrib/completion/bash/docker | 1 +
 contrib/completion/fish/docker.fish | 2 ++
 contrib/completion/zsh/_docker | 1 +
 docs/reference/api/docker_remote_api.md | 4 ++++
 docs/reference/commandline/run.md | 1 +
 docs/reference/run.md | 10 ++++++++++
 man/docker-create.1.md | 4 ++++
 man/docker-run.1.md | 4 ++++
 8 files changed, 27 insertions(+)
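Review bot: The assertion compares the entire `id` line, `groups=10(wheel),29(audio),81(dbus),777`, so it is pinned to the busybox image's `/etc/group` contents (names, gid numbers and root's pre-existing `wheel` membership) and to `id`'s exact output format; a rebuilt image breaks the test with no regression in `--group-add`. Checking only the parts the feature owns is sturdier, e.g. `for _, g := range []string{"29(audio)", "81(dbus)", "777"} { if !strings.Contains(out, g) { c.Fatalf("group %s missing in %q", g, out) } }`. Since patch 1 wires the option into the native driver only, the test should be gated on that driver if the suite has a requirement helper for it, and a negative case (a name absent from the image's group file) would pin down whether the daemon rejects it or silently starts the container. TestRunGroupAdd is complete within the hunk; TestRunPrivilegedCanMount continues outside it.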
diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker index d489b6ecb3..6ea82b2162 100755 --- a/contrib/completion/bash/docker +++ b/contrib/completion/bash/docker @@ -829,6 +829,7 @@ _docker_run() { --env -e --env-file --expose + --group-add --hostname -h --ipc --label -l diff --git a/contrib/completion/fish/docker.fish b/contrib/completion/fish/docker.fish index 79f7ed4bad..e146ae6cf3 100644 --- a/contrib/completion/fish/docker.fish +++ b/contrib/completion/fish/docker.fish @@ -127,6 +127,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s e -l env -d complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image' complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l env-file -d 'Read in a line delimited file of environment variables' complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host' +complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as' complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s h -l hostname -d 'Container host name' complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Print usage' complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached' 
@@ -313,6 +314,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s e -l env -d 'Se complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image' complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l env-file -d 'Read in a line delimited file of environment variables' complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host' +complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as' complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s h -l hostname -d 'Container host name' complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print usage' complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached' diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker index dfca95ae57..e6fb8caebe 100644 --- a/contrib/completion/zsh/_docker +++ b/contrib/completion/zsh/_docker @@ -499,6 +499,7 @@ __docker_subcommand () { '--entrypoint=-[Overwrite the default ENTRYPOINT of the image]:entry point: ' \ '*--env-file=-[Read in a file of environment variables]:environment file:_files' \ '*--expose=-[Expose a port or a range of ports]:port or a range of ports: ' \ + '*--group-add=-[Add additional groups to run as]:group: ' \ '(-h --hostname)'{-h,--hostname=-}'[Container host name]:hostname:_hosts' \ '(- :)--help[Print usage]' \ '(-i --interactive)'{-i,--interactive}'[Keep STDIN open even if not attached]' \ diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md index 6fce450a35..e82283609a 100644 --- a/docs/reference/api/docker_remote_api.md +++ b/docs/reference/api/docker_remote_api.md 
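Review bot: The line added at the top of this hunk, inside the `run` completions, carries the condition `'__fish_seen_subcommand_from create'` — the same line the previous hunk added to the `create` section — so `docker run --group-add<TAB>` never offers the option while `create` lists it twice. It should read `complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l group-add -d 'Add additional groups to run as'`.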
@@ -68,6 +68,10 @@ Running `docker rmi` emits an **untag** event when removing an image name. The ### What's new +**New!** +The `hostConfig` option now accepts the field `GroupAdd`, which specifies a list of additional +groups that the container process will run as. + ## v1.19 ### Full documentation diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md index 147bf70495..e13ee094f3 100644 --- a/docs/reference/commandline/run.md +++ b/docs/reference/commandline/run.md @@ -34,6 +34,7 @@ weight=1 --entrypoint="" Overwrite the default ENTRYPOINT of the image --env-file=[] Read in a file of environment variables --expose=[] Expose a port or a range of ports + --group-add=[] Add additional groups to run as -h, --hostname="" Container host name --help=false Print usage -i, --interactive=false Keep STDIN open even if not attached diff --git a/docs/reference/run.md b/docs/reference/run.md index 48662ccdd1..dcc9e663a5 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -737,6 +737,16 @@ weights of the two containers. > **Note:** The blkio weight setting is only available for direct IO. Buffered IO > is not currently supported. +## Additional groups + --group-add: Add Linux capabilities + +By default, the docker container process runs with the supplementary groups looked +up for the specified user. If one wants to add more to that list of groups, then +one can use this flag: + + $ docker run -ti --rm --group-add audio --group-add dbus --group-add 777 busybox id + uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777 + ## Runtime privilege, Linux capabilities, and LXC configuration --cap-add: Add Linux capabilities diff --git a/man/docker-create.1.md b/man/docker-create.1.md index 0bde6271e8..2badefa39e 100644 --- a/man/docker-create.1.md +++ b/man/docker-create.1.md 
@@ -24,6 +24,7 @@ docker-create - Create a new container [**--entrypoint**[=*ENTRYPOINT*]] [**--env-file**[=*[]*]] [**--expose**[=*[]*]] +[**--group-add**[=*[]*]] [**-h**|**--hostname**[=*HOSTNAME*]] [**--help**] [**-i**|**--interactive**[=*false*]] @@ -129,6 +130,9 @@ two memory nodes. **--expose**=[] Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host +**--group-add**=[] + Add additional groups to run as + **-h**, **--hostname**="" Container host name diff --git a/man/docker-run.1.md b/man/docker-run.1.md index cdecee8461..0d98de85b6 100644 --- a/man/docker-run.1.md +++ b/man/docker-run.1.md @@ -25,6 +25,7 @@ docker-run - Run a command in a new container [**--entrypoint**[=*ENTRYPOINT*]] [**--env-file**[=*[]*]] [**--expose**[=*[]*]] +[**--group-add**[=*[]*]] [**-h**|**--hostname**[=*HOSTNAME*]] [**--help**] [**-i**|**--interactive**[=*false*]] @@ -216,6 +217,9 @@ ENTRYPOINT. **--expose**=[] Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host +**--group-add**=[] + Add additional groups to run as + **-h**, **--hostname**="" Container host name From 7fb456589bee9d98cc7273cae25ae2d7aa743975 Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Mon, 13 Jul 2015 14:50:30 -0400 Subject: [PATCH 4/4] Fixup rebase. Signed-off-by: Mrunal Patel --- daemon/container_unix.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/daemon/container_unix.go b/daemon/container_unix.go index 86238d819a..c5d3c01bb6 100644 --- a/daemon/container_unix.go +++ b/daemon/container_unix.go 
@@ -301,9 +301,6 @@ func populateCommand(c *Container, env []string) error {
 AutoCreatedDevices: autoCreatedDevices,
 CapAdd: c.hostConfig.CapAdd.Slice(),
 CapDrop: c.hostConfig.CapDrop.Slice(),
- GroupAdd: c.hostConfig.GroupAdd.Slice(),
- CapAdd: c.hostConfig.CapAdd,
- CapDrop: c.hostConfig.CapDrop,
 GroupAdd: c.hostConfig.GroupAdd,
 ProcessConfig: processConfig,
 ProcessLabel: c.GetProcessLabel(),