Split idtools to an internal package and package to be moved #49087

Merged
merged 2 commits into from
Jan 7, 2025
3 changes: 2 additions & 1 deletion builder/dockerfile/copy_windows.go
@@ -7,6 +7,7 @@ import (
"strings"

winio "github.com/Microsoft/go-winio"
"github.com/docker/docker/internal/usergroup"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/system"
"github.com/moby/sys/reexec"
@@ -43,7 +44,7 @@ func fixPermissionsReexec() {
}

func fixPermissionsWindows(source, destination, SID string) error {
privileges := []string{winio.SeRestorePrivilege, idtools.SeTakeOwnershipPrivilege}
privileges := []string{winio.SeRestorePrivilege, usergroup.SeTakeOwnershipPrivilege}

err := winio.EnableProcessPrivileges(privileges)
if err != nil {
5 changes: 3 additions & 2 deletions builder/dockerfile/internals_windows.go
@@ -11,6 +11,7 @@ import (
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/mount"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/internal/usergroup"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/jsonmessage"
"golang.org/x/sys/windows"
@@ -45,9 +46,9 @@ func getAccountIdentity(ctx context.Context, builder *Builder, accountName strin

// Check if the account name is one unique to containers.
if strings.EqualFold(accountName, "ContainerAdministrator") {
return idtools.Identity{SID: idtools.ContainerAdministratorSidString}, nil
return idtools.Identity{SID: usergroup.ContainerAdministratorSidString}, nil
} else if strings.EqualFold(accountName, "ContainerUser") {
return idtools.Identity{SID: idtools.ContainerUserSidString}, nil
return idtools.Identity{SID: usergroup.ContainerUserSidString}, nil
}

// All other lookups failed, so therefore determine if the account in
3 changes: 2 additions & 1 deletion daemon/archive_tarcopyoptions_unix.go
@@ -4,6 +4,7 @@ package daemon // import "github.com/docker/docker/daemon"

import (
"github.com/docker/docker/container"
"github.com/docker/docker/internal/usergroup"
"github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/idtools"
)
@@ -13,7 +14,7 @@ func (daemon *Daemon) tarCopyOptions(container *container.Container, noOverwrite
return daemon.defaultTarCopyOptions(noOverwriteDirNonDir), nil
}

user, err := idtools.LookupUser(container.Config.User)
user, err := usergroup.LookupUser(container.Config.User)
if err != nil {
return nil, err
}
17 changes: 9 additions & 8 deletions daemon/daemon_unix.go
@@ -31,6 +31,7 @@ import (
"github.com/docker/docker/daemon/initlayer"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/internal/nlwrap"
"github.com/docker/docker/internal/usergroup"
"github.com/docker/docker/libcontainerd/remote"
"github.com/docker/docker/libnetwork"
nwconfig "github.com/docker/docker/libnetwork/config"
@@ -1291,15 +1292,15 @@ func parseRemappedRoot(usergrp string) (string, string, error) {
if uid, err := strconv.ParseInt(idparts[0], 10, 32); err == nil {
// must be a uid; take it as valid
userID = int(uid)
luser, err := idtools.LookupUID(userID)
luser, err := usergroup.LookupUID(userID)
if err != nil {
return "", "", fmt.Errorf("Uid %d has no entry in /etc/passwd: %v", userID, err)
}
username = luser.Name
if len(idparts) == 1 {
// if the uid was numeric and no gid was specified, take the uid as the gid
groupID = userID
lgrp, err := idtools.LookupGID(groupID)
lgrp, err := usergroup.LookupGID(groupID)
if err != nil {
return "", "", fmt.Errorf("Gid %d has no entry in /etc/group: %v", groupID, err)
}
@@ -1312,15 +1313,15 @@ func parseRemappedRoot(usergrp string) (string, string, error) {
if lookupName == defaultIDSpecifier {
lookupName = defaultRemappedID
}
luser, err := idtools.LookupUser(lookupName)
luser, err := usergroup.LookupUser(lookupName)
if err != nil && idparts[0] != defaultIDSpecifier {
// error if the name requested isn't the special "dockremap" ID
return "", "", fmt.Errorf("Error during uid lookup for %q: %v", lookupName, err)
} else if err != nil {
// special case-- if the username == "default", then we have been asked
// to create a new entry pair in /etc/{passwd,group} for which the /etc/sub{uid,gid}
// ranges will be used for the user and group mappings in user namespaced containers
_, _, err := idtools.AddNamespaceRangesUser(defaultRemappedID)
_, _, err := usergroup.AddNamespaceRangesUser(defaultRemappedID)
if err == nil {
return defaultRemappedID, defaultRemappedID, nil
}
@@ -1329,7 +1330,7 @@ func parseRemappedRoot(usergrp string) (string, string, error) {
username = luser.Name
if len(idparts) == 1 {
// we only have a string username, and no group specified; look up gid from username as group
group, err := idtools.LookupGroup(lookupName)
group, err := usergroup.LookupGroup(lookupName)
if err != nil {
return "", "", fmt.Errorf("Error during gid lookup for %q: %v", lookupName, err)
}
@@ -1343,14 +1344,14 @@ func parseRemappedRoot(usergrp string) (string, string, error) {
if gid, err := strconv.ParseInt(idparts[1], 10, 32); err == nil {
// must be a gid, take it as valid
groupID = int(gid)
lgrp, err := idtools.LookupGID(groupID)
lgrp, err := usergroup.LookupGID(groupID)
if err != nil {
return "", "", fmt.Errorf("Gid %d has no entry in /etc/passwd: %v", groupID, err)
}
groupname = lgrp.Name
} else {
// not a number; attempt a lookup
if _, err := idtools.LookupGroup(idparts[1]); err != nil {
if _, err := usergroup.LookupGroup(idparts[1]); err != nil {
return "", "", fmt.Errorf("Error during groupname lookup for %q: %v", idparts[1], err)
}
groupname = idparts[1]
@@ -1381,7 +1382,7 @@ func setupRemappedRoot(config *config.Config) (idtools.IdentityMapping, error) {
// update remapped root setting now that we have resolved them to actual names
config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname)

mappings, err := idtools.LoadIdentityMapping(username)
mappings, err := usergroup.LoadIdentityMapping(username)
if err != nil {
return idtools.IdentityMapping{}, errors.Wrap(err, "Can't create ID mappings")
}
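Review bot: The gid-lookup path in the hunk at `@@ -1343,14 +1344,14 @@` reports the wrong file in its error text: `Gid %d has no entry in /etc/passwd` right after the new `usergroup.LookupGID` call, while the parallel path in the first hunk says `/etc/group` for the same condition. The line is unchanged context, so this predates the commit, but since the adjacent call is being rewritten it is a cheap place to fix it: `return "", "", fmt.Errorf("Gid %d has no entry in /etc/group: %v", groupID, err)`. The lookup errors in these hunks are also formatted with `%v` rather than `%w`, so a caller of parseRemappedRoot cannot inspect the underlying lookup failure with errors.Is/As; that too is pre-existing. parseRemappedRoot starts and ends outside the hunks shown.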
4 changes: 2 additions & 2 deletions daemon/listeners/group_unix.go
@@ -6,13 +6,13 @@ import (
"fmt"
"strconv"

"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/internal/usergroup"
)

const defaultSocketGroup = "docker"

func lookupGID(name string) (int, error) {
group, err := idtools.LookupGroup(name)
group, err := usergroup.LookupGroup(name)
if err == nil {
return group.Gid, nil
}
@@ -1,4 +1,4 @@
package idtools // import "github.com/docker/docker/pkg/idtools"
package usergroup

import (
"fmt"
73 changes: 73 additions & 0 deletions internal/usergroup/add_linux_test.go
@@ -0,0 +1,73 @@
package usergroup

import (
"os"
"os/exec"
"os/user"
"syscall"
"testing"

"github.com/docker/docker/pkg/idtools"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/skip"
)

const (
tempUser = "tempuser"
)

func TestNewIDMappings(t *testing.T) {
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
_, _, err := AddNamespaceRangesUser(tempUser)
assert.Check(t, err)
defer delUser(t, tempUser)

tempUser, err := user.Lookup(tempUser)
assert.Check(t, err)

idMapping, err := LoadIdentityMapping(tempUser.Username)
assert.Check(t, err)

rootUID, rootGID, err := idtools.GetRootUIDGID(idMapping.UIDMaps, idMapping.GIDMaps)
assert.Check(t, err)

dirName, err := os.MkdirTemp("", "mkdirall")
assert.Check(t, err, "Couldn't create temp directory")
defer os.RemoveAll(dirName)

err = idtools.MkdirAllAndChown(dirName, 0o700, idtools.Identity{UID: rootUID, GID: rootGID})
assert.Check(t, err, "Couldn't change ownership of file path. Got error")
cmd := exec.Command("ls", "-la", dirName)
cmd.SysProcAttr = &syscall.SysProcAttr{
Credential: &syscall.Credential{Uid: uint32(rootUID), Gid: uint32(rootGID)},
}
out, err := cmd.CombinedOutput()
assert.Check(t, err, "Unable to access %s directory with user UID:%d and GID:%d:\n%s", dirName, rootUID, rootGID, string(out))
}

func TestLookupUserAndGroup(t *testing.T) {
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
uid, gid, err := AddNamespaceRangesUser(tempUser)
assert.Check(t, err)
defer delUser(t, tempUser)

fetchedUser, err := LookupUser(tempUser)
assert.Check(t, err)

fetchedUserByID, err := LookupUID(uid)
assert.Check(t, err)
assert.Check(t, is.DeepEqual(fetchedUserByID, fetchedUser))

fetchedGroup, err := LookupGroup(tempUser)
assert.Check(t, err)

fetchedGroupByID, err := LookupGID(gid)
assert.Check(t, err)
assert.Check(t, is.DeepEqual(fetchedGroupByID, fetchedGroup))
}

func delUser(t *testing.T, name string) {
out, err := exec.Command("userdel", name).CombinedOutput()
assert.Check(t, err, out)
}
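Review bot: In TestNewIDMappings the local `tempUser, err := user.Lookup(tempUser)` shadows the package-level `tempUser` constant with a `*user.User`, which is easy to misread in the `LoadIdentityMapping(tempUser.Username)` call just below; `u, err := user.Lookup(tempUser)` followed by `LoadIdentityMapping(u.Username)` keeps the constant's meaning stable. Separately, both tests carry on after `assert.Check(t, err)` on the `AddNamespaceRangesUser` result, because Check records the failure without stopping the test, so a failed user creation falls through to lookups for a user that was never created and to a deferred `userdel` of it; `assert.NilError(t, err)` at those two points fails fast. The same applies to the `user.Lookup` and `LoadIdentityMapping` results, whose zero values are dereferenced on the following line when the lookup fails.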
@@ -1,6 +1,6 @@
//go:build !linux

package idtools // import "github.com/docker/docker/pkg/idtools"
package usergroup

import "fmt"

10 changes: 10 additions & 0 deletions internal/usergroup/const_windows.go
@@ -0,0 +1,10 @@
package usergroup

const (
SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
)

const (
ContainerAdministratorSidString = "S-1-5-93-2-1"
ContainerUserSidString = "S-1-5-93-2-2"
)
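Review bot: The three exported constants in the new file have no doc comments, so godoc readers and doc-comment linters get nothing for `SeTakeOwnershipPrivilege`, `ContainerAdministratorSidString` and `ContainerUserSidString`. Their use elsewhere in this PR is enough to document them: the privilege is passed to `winio.EnableProcessPrivileges` in builder/dockerfile/copy_windows.go, and the two SID strings are returned as the identity of the container-specific `ContainerAdministrator` and `ContainerUser` accounts in builder/dockerfile/internals_windows.go. Suggested: `// SeTakeOwnershipPrivilege is the name of the Windows process privilege enabled (alongside SeRestorePrivilege) before fixing file ownership.` and `// ContainerAdministratorSidString is the SID string used for the ContainerAdministrator account inside a Windows container.`, with a matching line for ContainerUserSidString. A short package comment for internal/usergroup would also help, since this is the first file of the new package that gives no hint of its scope.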