feat: Add PidMode, Ipcmode and GroupAdd options (runfinch#232)

feat: Add PidMode, Ipc mode

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

api/handlers/container/create.go

@@ -175,6 +175,10 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 	if req.HostConfig.Tmpfs != nil {
 		tmpfs = translateTmpfs(req.HostConfig.Tmpfs)
 	}
+	groupAdd := []string{}
+	if req.HostConfig.GroupAdd != nil {
+		groupAdd = req.HostConfig.GroupAdd
+	}
 
 	globalOpt := ncTypes.GlobalCommandOptions(*h.Config)
 	createOpt := ncTypes.ContainerCreateOptions{
@@ -193,6 +197,7 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		StopTimeout:    stopTimeout,
 		CidFile:        req.HostConfig.ContainerIDFile, // CidFile write the container ID to the file
 		OomKillDisable: req.HostConfig.OomKillDisable,
+		Pid:            req.HostConfig.PidMode, // Pid namespace to use
 		// #endregion
 
 		// #region for platform flags
@@ -222,10 +227,12 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		BlkioDeviceWriteBps:  throttleDevicesToStrings(req.HostConfig.BlkioDeviceWriteBps),
 		BlkioDeviceReadIOps:  throttleDevicesToStrings(req.HostConfig.BlkioDeviceReadIOps),
 		BlkioDeviceWriteIOps: throttleDevicesToStrings(req.HostConfig.BlkioDeviceWriteIOps),
+		IPC:                  req.HostConfig.IpcMode, // IPC namespace to use
 		// #endregion
 
 		// #region for user flags
-		User: req.User,
+		User:     req.User,
+		GroupAdd: groupAdd,
 		// #endregion
 
 		// #region for security flags

api/handlers/container/create_test.go

@@ -482,6 +482,27 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
+		It("should set GroupAdd option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"GroupAdd": ["someGroup"]
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.GroupAdd = []string{"someGroup"}
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
 		It("should set Privileged option", func() {
 			body := []byte(`{
 				"Image": "test-image",
@@ -817,6 +838,48 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
+		It("should set PidMode option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"PidMode": "host"
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.Pid = "host"
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
+		It("should set IPC option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"IpcMode": "host"
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.IPC = "host"
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
 		Context("translate port mappings", func() {
 			It("should return empty if port mappings is nil", func() {
 				Expect(translatePortMappings(nil)).Should(BeEmpty())
@@ -992,6 +1055,7 @@ func getDefaultCreateOpt(conf config.Config) types.ContainerCreateOptions {
 		CapAdd:      []string{}, // nerdctl default.
 		CapDrop:     []string{}, // nerdctl default.
 		Privileged:  false,
+		GroupAdd:    []string{}, // nerdctl default.
 		// #endregion
 
 		// #region for runtime flags

api/types/container_types.go

@@ -79,14 +79,15 @@ type ContainerHostConfig struct {
 	DNSOptions []string `json:"DnsOptions"` // List of DNSOption to look for
 	DNSSearch  []string `json:"DnsSearch"`  // List of DNSSearch to look for
 	ExtraHosts []string // List of extra hosts
-	// TODO: GroupAdd []string // List of additional groups that the container process will run as
-	// TODO: IpcMode IpcMode // IPC namespace to use for the container
+	GroupAdd   []string // List of additional groups that the container process will run as
+	IpcMode    string   // IPC namespace to use for the container
 	// TODO: Cgroup          CgroupSpec        // Cgroup to use for the container
 	// TODO: Links           []string          // List of links (in the name:alias form)
 	OomKillDisable bool // specifies whether to disable OOM Killer
-	// TODO: OomScoreAdj    int               // specifies the tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)
-	// TODO: PidMode        string            // PID namespace to use for the container
-	Privileged bool // Is the container in privileged mode
+	// TODO: OomScoreAdj        int    // specifies the tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)
+	// TODO: OomScoreAdjChanged bool   // OomScoreAdjChanged specifies whether the OOM preferences
+	PidMode    string // PID namespace to use for the container
+	Privileged bool   // Is the container in privileged mode
 	// TODO: ReadonlyRootfs bool              // Is the container root filesystem in read-only
 	// TODO: SecurityOpt []string          // List of string values to customize labels for MLS systems, such as SELinux. (["key=value"])
 	Tmpfs   map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container

e2e/tests/container_create.go

@@ -617,6 +617,7 @@ func ContainerCreate(opt *option.Option) {
 			command.Run(opt, "start", testContainerName)
 			verifyNetworkSettings(opt, testContainerName, "bridge")
 		})
+
 		It("should create a container with specified restart options", func() {
 			// define options
 			options.Cmd = []string{"sleep", "Infinity"}
@@ -1126,6 +1127,144 @@ func ContainerCreate(opt *option.Option) {
 			}
 			Expect(foundUTSNamespace).Should(BeFalse())
 		})
+
+		It("should create a container with specified PidMode", func() {
+			// First create a container that will be referenced in pid mode
+			hostOptions := types.ContainerCreateRequest{}
+			hostOptions.Image = defaultImage
+			hostOptions.Cmd = []string{"sleep", "Infinity"}
+			statusCode, hostCtr := createContainer(uClient, url, "host-container", hostOptions)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(hostCtr.ID).ShouldNot(BeEmpty())
+			command.Run(opt, "start", "host-container")
+
+			// Define options for the container with pid mode
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.PidMode = "container:host-container"
+
+			// Create container
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			// Inspect container using Docker-compatible format
+			resp := command.Stdout(opt, "inspect", testContainerName)
+			var inspect []*dockercompat.Container
+			err := json.Unmarshal(resp, &inspect)
+			Expect(err).Should(BeNil())
+			Expect(inspect).Should(HaveLen(1))
+
+			// Verify PidMode configuration
+			Expect(inspect[0].HostConfig.PidMode).Should(Equal(hostCtr.ID))
+
+			// Cleanup
+			command.Run(opt, "rm", "-f", "host-container")
+		})
+
+		It("should create a container with private IPC mode", func() {
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.IpcMode = "private"
+
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			command.Run(opt, "start", testContainerName)
+
+			nativeResp := command.Stdout(opt, "inspect", "--mode=native", testContainerName)
+			var nativeInspect []map[string]interface{}
+			err := json.Unmarshal(nativeResp, &nativeInspect)
+			Expect(err).Should(BeNil())
+			Expect(nativeInspect).Should(HaveLen(1))
+
+			spec, ok := nativeInspect[0]["Spec"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			linux, ok := spec["linux"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			namespaces, ok := linux["namespaces"].([]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// For private IPC mode, verify IPC namespace is present
+			foundIpcNamespace := false
+			for _, ns := range namespaces {
+				namespace := ns.(map[string]interface{})
+				if namespace["type"] == "ipc" {
+					foundIpcNamespace = true
+					break
+				}
+			}
+			Expect(foundIpcNamespace).Should(BeTrue())
+		})
+
+		It("should create a container with privileged mode", func() {
+			// Define options
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.Privileged = true
+
+			// Create container
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			// Start container
+			command.Run(opt, "start", testContainerName)
+
+			// Inspect the container using native format
+			nativeResp := command.Stdout(opt, "inspect", "--mode=native", testContainerName)
+			var nativeInspect []map[string]interface{}
+			err := json.Unmarshal(nativeResp, &nativeInspect)
+			Expect(err).Should(BeNil())
+			Expect(nativeInspect).Should(HaveLen(1))
+
+			// Navigate to the process capabilities section
+			spec, ok := nativeInspect[0]["Spec"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			process, ok := spec["process"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			capabilities, ok := process["capabilities"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// Verify privileged capabilities
+			// In privileged mode, the container should have extensive capabilities
+			expectedCaps := []string{
+				"CAP_SYS_ADMIN",
+				"CAP_NET_ADMIN",
+				"CAP_SYS_MODULE",
+			}
+
+			for _, capType := range []string{"bounding", "effective", "permitted"} {
+				caps, ok := capabilities[capType].([]interface{})
+				Expect(ok).Should(BeTrue())
+				capsList := make([]string, len(caps))
+				for i, cap := range caps {
+					capsList[i] = cap.(string)
+				}
+				for _, expectedCap := range expectedCaps {
+					Expect(capsList).Should(ContainElement(expectedCap))
+				}
+			}
+
+			// Also verify that devices are allowed in privileged mode
+			linux, ok := spec["linux"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			resources, ok := linux["resources"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			devices, ok := resources["devices"].([]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// In privileged mode, there should be a device rule that allows all devices
+			foundAllowAllDevices := false
+			for _, device := range devices {
+				dev := device.(map[string]interface{})
+				if dev["allow"] == true && dev["access"] == "rwm" {
+					if _, hasType := dev["type"]; !hasType {
+						foundAllowAllDevices = true
+						break
+					}
+				}
+			}
+			Expect(foundAllowAllDevices).Should(BeTrue())
+		})
 	})
 }