Merge pull request #10717 from mrunalp/feature/group_add

Adds support for specifying additional groups.
Jessie Frazelle 2015-07-13 17:08:05 -07:00
commit 35b0223921
14 changed files with 48 additions and 0 deletions

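--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -829,6 +829,7 @@ _docker_run() {
 --env -e
 --env-file
 --expose
+--group-add
 --hostname -h
 --ipc
 --label -l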

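--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -127,6 +127,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s e -l env -d
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l env-file -d 'Read in a line delimited file of environment variables'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s h -l hostname -d 'Container host name'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Print usage'
 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached'
@@ -313,6 +314,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s e -l env -d 'Se
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l env-file -d 'Read in a line delimited file of environment variables'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s h -l hostname -d 'Container host name'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print usage'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached'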
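Review bot: The line added in the second hunk (the `run` block, @@ -313) registers `--group-add` under `__fish_seen_subcommand_from create` instead of `run`, so `docker run --group-add` never completes and `create` gets the same entry twice. Every neighbouring line in that hunk uses the `run` condition, which makes this look like a copy-paste of the first hunk's line. The fix is the single line `complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l group-add -d 'Add additional groups to run as'`.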

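--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -499,6 +499,7 @@ __docker_subcommand () {
 '--entrypoint=-[Overwrite the default ENTRYPOINT of the image]:entry point: ' \
 '*--env-file=-[Read in a file of environment variables]:environment file:_files' \
 '*--expose=-[Expose a port or a range of ports]:port or a range of ports: ' \
+'*--group-add=-[Add additional groups to run as]:group: ' \
 '(-h --hostname)'{-h,--hostname=-}'[Container host name]:hostname:_hosts' \
 '(- :)--help[Print usage]' \
 '(-i --interactive)'{-i,--interactive}'[Keep STDIN open even if not attached]' \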

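--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -301,6 +301,7 @@ func populateCommand(c *Container, env []string) error {
 AutoCreatedDevices: autoCreatedDevices,
 CapAdd: c.hostConfig.CapAdd.Slice(),
 CapDrop: c.hostConfig.CapDrop.Slice(),
+GroupAdd: c.hostConfig.GroupAdd,
 ProcessConfig: processConfig,
 ProcessLabel: c.GetProcessLabel(),
 MountLabel: c.GetMountLabel(),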
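Review bot: The added `GroupAdd: c.hostConfig.GroupAdd,` copies only the slice header, so the execdriver Command aliases the hostConfig's backing array, whereas the neighbouring CapAdd/CapDrop fields go through `Slice()` (whether that copies is not visible here). If either side is ever appended to or edited in place, the other sees the change; `GroupAdd: append([]string(nil), c.hostConfig.GroupAdd...),` detaches the two at no real cost. populateCommand starts and ends outside this hunk.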

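--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -170,6 +170,7 @@ type Command struct {
 AutoCreatedDevices []*configs.Device `json:"autocreated_devices"`
 CapAdd []string `json:"cap_add"`
 CapDrop []string `json:"cap_drop"`
+GroupAdd []string `json:"group_add"`
 ContainerPid int `json:"container_pid"` // the pid for the process inside a container
 ProcessConfig ProcessConfig `json:"process_config"` // Describes the init process of the container.
 ProcessLabel string `json:"process_label"`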
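Review bot: The new `GroupAdd` field is undocumented while its neighbours ContainerPid and ProcessConfig carry trailing comments, and nothing on the struct says whether entries are names, numeric GIDs, or both. The run documentation elsewhere in this PR shows both forms (`audio`, `dbus`, `777`) being accepted, so a comment such as `GroupAdd []string `json:"group_add"` // supplementary groups (names or numeric GIDs) for the container process` would save the next reader a trip through the driver. The Command struct continues outside this hunk.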


@ -58,6 +58,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
} }
} }
container.AdditionalGroups = c.GroupAdd
if c.AppArmorProfile != "" { if c.AppArmorProfile != "" {
container.AppArmorProfile = c.AppArmorProfile container.AppArmorProfile = c.AppArmorProfile
} }
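Review bot: `container.AdditionalGroups = c.GroupAdd` hands the user-supplied list to libcontainer with no validation at all, unlike the AppArmorProfile assignment just below it, which is at least guarded by a non-empty check. The docs added in this PR show that a numeric entry (`777`) ends up in the process's group list even though no such group exists in the image, so this is a privilege-granting knob that takes effect as-is; an empty string or a name absent from the image's group database presumably only fails later, at container start, with whatever error the runtime produces. A comment on the line, `// AdditionalGroups is applied as given; numeric GIDs need not exist in the container's group database`, and rejecting empty entries up front would make the contract explicit. createContainer starts outside this hunk.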


@ -68,6 +68,10 @@ Running `docker rmi` emits an **untag** event when removing an image name. The
### What's new ### What's new
**New!**
The `hostConfig` option now accepts the field `GroupAdd`, which specifies a list of additional
groups that the container process will run as.
## v1.19 ## v1.19
### Full documentation ### Full documentation

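--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -34,6 +34,7 @@ weight=1
 --entrypoint="" Overwrite the default ENTRYPOINT of the image
 --env-file=[] Read in a file of environment variables
 --expose=[] Expose a port or a range of ports
+--group-add=[] Add additional groups to run as
 -h, --hostname="" Container host name
 --help=false Print usage
 -i, --interactive=false Keep STDIN open even if not attached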


@ -737,6 +737,16 @@ weights of the two containers.
> **Note:** The blkio weight setting is only available for direct IO. Buffered IO > **Note:** The blkio weight setting is only available for direct IO. Buffered IO
> is not currently supported. > is not currently supported.
## Additional groups
--group-add: Add Linux capabilities
By default, the docker container process runs with the supplementary groups looked
up for the specified user. If one wants to add more to that list of groups, then
one can use this flag:
$ docker run -ti --rm --group-add audio --group-add dbus --group-add 777 busybox id
uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777
## Runtime privilege, Linux capabilities, and LXC configuration ## Runtime privilege, Linux capabilities, and LXC configuration
--cap-add: Add Linux capabilities --cap-add: Add Linux capabilities


@ -948,6 +948,19 @@ func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
} }
} }
func (s *DockerSuite) TestRunGroupAdd(c *check.C) {
cmd := exec.Command(dockerBinary, "run", "--group-add=audio", "--group-add=dbus", "--group-add=777", "busybox", "sh", "-c", "id")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
c.Fatal(err, out)
}
groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777"
if actual := strings.Trim(out, "\r\n"); actual != groupsList {
c.Fatalf("expected output %s received %s", groupsList, actual)
}
}
func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) { func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) {
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok") cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
out, _, err := runCommandWithOutput(cmd) out, _, err := runCommandWithOutput(cmd)
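Review bot: TestRunGroupAdd exercises only the happy path; there is no case asserting that a group name the image does not know is rejected (non-nil `err` from runCommandWithOutput), which is the behaviour a reviewer would most want pinned for a flag that widens the process's group membership. The expected string also hard-codes `wheel`=10, `audio`=29 and `dbus`=81, which presumably come from the busybox image's /etc/group, so a comment such as `// GIDs are those of the busybox image's /etc/group; 777 has no entry and is applied raw` would explain why the test breaks if the image changes. Minor: `"busybox", "sh", "-c", "id"` can simply be `"busybox", "id"`. TestRunPrivilegedCanMount continues outside this section.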


@ -24,6 +24,7 @@ docker-create - Create a new container
[**--entrypoint**[=*ENTRYPOINT*]] [**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]] [**--env-file**[=*[]*]]
[**--expose**[=*[]*]] [**--expose**[=*[]*]]
[**--group-add**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]] [**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**] [**--help**]
[**-i**|**--interactive**[=*false*]] [**-i**|**--interactive**[=*false*]]
@ -129,6 +130,9 @@ two memory nodes.
**--expose**=[] **--expose**=[]
Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host
**--group-add**=[]
Add additional groups to run as
**-h**, **--hostname**="" **-h**, **--hostname**=""
Container host name Container host name


@ -25,6 +25,7 @@ docker-run - Run a command in a new container
[**--entrypoint**[=*ENTRYPOINT*]] [**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]] [**--env-file**[=*[]*]]
[**--expose**[=*[]*]] [**--expose**[=*[]*]]
[**--group-add**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]] [**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**] [**--help**]
[**-i**|**--interactive**[=*false*]] [**-i**|**--interactive**[=*false*]]
@ -216,6 +217,9 @@ ENTRYPOINT.
**--expose**=[] **--expose**=[]
Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host
**--group-add**=[]
Add additional groups to run as
**-h**, **--hostname**="" **-h**, **--hostname**=""
Container host name Container host name

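--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -249,6 +249,7 @@ type HostConfig struct {
 UTSMode UTSMode
 CapAdd *CapList
 CapDrop *CapList
+GroupAdd []string
 RestartPolicy RestartPolicy
 SecurityOpt []string
 ReadonlyRootfs bool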
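Review bot: `GroupAdd []string` is now part of the remote API surface (the API changelog in this PR documents it as a `hostConfig` field), yet nothing in this change validates its contents on the API path and the field carries no comment saying what an entry is. A doc comment, `GroupAdd []string // supplementary groups (names or numeric GIDs) added to the container process`, would at least state the contract; whether the daemon-side validation that the CLI path lacks exists elsewhere is not visible from this hunk. The HostConfig struct continues outside this hunk.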

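--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -60,6 +60,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 flEnvFile = opts.NewListOpts(nil)
 flCapAdd = opts.NewListOpts(nil)
 flCapDrop = opts.NewListOpts(nil)
+flGroupAdd = opts.NewListOpts(nil)
 flSecurityOpt = opts.NewListOpts(nil)
 flLabelsFile = opts.NewListOpts(nil)
 flLoggingOpts = opts.NewListOpts(nil)
@@ -112,6 +113,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 cmd.Var(&flLxcOpts, []string{"#lxc-conf", "-lxc-conf"}, "Add custom lxc options")
 cmd.Var(&flCapAdd, []string{"-cap-add"}, "Add Linux capabilities")
 cmd.Var(&flCapDrop, []string{"-cap-drop"}, "Drop Linux capabilities")
+cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to join")
 cmd.Var(&flSecurityOpt, []string{"-security-opt"}, "Security Options")
 cmd.Var(flUlimits, []string{"-ulimit"}, "Ulimit options")
 cmd.Var(&flLoggingOpts, []string{"-log-opt"}, "Log driver options")
@@ -369,6 +371,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 Devices: deviceMappings,
 CapAdd: NewCapList(flCapAdd.GetAll()),
 CapDrop: NewCapList(flCapDrop.GetAll()),
+GroupAdd: flGroupAdd.GetAll(),
 RestartPolicy: restartPolicy,
 SecurityOpt: flSecurityOpt.GetAll(),
 ReadonlyRootfs: *flReadonlyRootfs,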
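Review bot: The help text in the second hunk, `"Add additional groups to join"`, disagrees with the wording this same PR uses in the bash, fish and zsh completions, the CLI reference and both man pages ("Add additional groups to run as"), and the run-reference section goes further astray with "--group-add: Add Linux capabilities", which is a copy of the --cap-add heading. Since `docker run --help` is what users actually see, the cmd.Var line should read `cmd.Var(&flGroupAdd, []string{"-group-add"}, "Add additional groups to run as")` and the reference heading should be corrected to match. Separately, `opts.NewListOpts(nil)` in the first hunk installs no validator, so `--group-add=` with an empty value is accepted here and only fails, if at all, at container start; a validator rejecting empty entries would surface the mistake at parse time. Parse starts and ends outside these hunks.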