Merge pull request #25815 from giuseppe/fix-hostuser

libpod: --user works with  --hostuser entries

Author: openshift-merge-bot[bot]

libpod/container_internal_common.go

@@ -195,15 +195,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 			cleanupFunc()
 		}
 	}()
+
+	if err := c.makeBindMounts(); err != nil {
+		return nil, nil, err
+	}
+
 	overrides := c.getUserOverrides()
 	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides)
 	if err != nil {
-		if slices.Contains(c.config.HostUsers, c.config.User) {
-			execUser, err = lookupHostUser(c.config.User)
-		}
-		if err != nil {
-			return nil, nil, err
-		}
+		return nil, nil, err
 	}
 
 	// NewFromSpec() is deprecated according to its comment
@@ -236,10 +236,6 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 		g.SetProcessApparmorProfile(updatedProfile)
 	}
 
-	if err := c.makeBindMounts(); err != nil {
-		return nil, nil, err
-	}
-
 	if err := c.mountNotifySocket(g); err != nil {
 		return nil, nil, err
 	}
@@ -2434,7 +2430,7 @@ func (c *Container) generateGroupEntry() (string, error) {
 
 	// Things we *can't* handle: adding the user we added in
 	// generatePasswdEntry to any *existing* groups.
-	addedGID := 0
+	addedGID := -1
 	if c.config.AddCurrentUserPasswdEntry {
 		entry, gid, err := c.generateCurrentUserGroupEntry()
 		if err != nil {
@@ -2503,7 +2499,7 @@ func (c *Container) generateUserGroupEntry(addedGID int) (string, error) {
 	}
 
 	splitUser := strings.SplitN(c.config.User, ":", 2)
-	group := splitUser[0]
+	group := "0"
 	if len(splitUser) > 1 {
 		group = splitUser[1]
 	}
@@ -2513,7 +2509,7 @@ func (c *Container) generateUserGroupEntry(addedGID int) (string, error) {
 		return "", nil //nolint: nilerr
 	}
 
-	if addedGID != 0 && addedGID == int(gid) {
+	if addedGID != -1 && addedGID == int(gid) {
 		return "", nil
 	}
 

libpod/container_internal_linux_test.go

@@ -47,16 +47,16 @@ func TestGenerateUserGroupEntry(t *testing.T) {
 			Mountpoint: "/does/not/exist/tmp/",
 		},
 	}
-	group, err := c.generateUserGroupEntry(0)
+	group, err := c.generateUserGroupEntry(-1)
 	if err != nil {
 		t.Fatal(err)
 	}
 	assert.Equal(t, group, "456789:x:456789:123456\n")
 
 	c.config.User = "567890"
-	group, err = c.generateUserGroupEntry(0)
+	group, err = c.generateUserGroupEntry(-1)
 	if err != nil {
 		t.Fatal(err)
 	}
-	assert.Equal(t, group, "567890:x:567890:567890\n")
+	assert.Equal(t, group, "0:x:0:567890\n")
 }

test/e2e/run_passwd_test.go

@@ -90,13 +90,6 @@ USER 1000`, ALPINE)
 		Expect(session.OutputToString()).To(ContainSubstring("/etc/group"))
 	})
 
-	It("podman run numeric user not specified in container modifies group", func() {
-		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001", BB, "mount"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-		Expect(session.OutputToString()).To(ContainSubstring("/etc/group"))
-	})
-
 	It("podman run numeric group from image and no group file", func() {
 		dockerfile := fmt.Sprintf(`FROM %s
 RUN rm -f /etc/passwd /etc/shadow /etc/group

test/system/030-run.bats

@@ -906,6 +906,17 @@ EOF
     fi
 
     user=$(id -u)
+
+    userspec=$(id -un):$(id -g)
+    run_podman run --hostuser=$user --user $userspec --rm $IMAGE sh -c 'echo $(id -un):$(id -g)'
+    is "$output" "$userspec"
+
+    run_podman run --hostuser=$user --user $userspec --group-entry="$(id -gn):x:$(id -g):" --rm $IMAGE sh -c 'echo $(id -un):$(id -gn)'
+    is "$output" "$(id -un):$(id -gn)"
+
+    run_podman 126 run --hostuser=$user --user "$(id -un):$(id -gn)" --rm $IMAGE sh -c 'echo $(id -un):$(id -gn)'
+    is "$output" "Error:.* no matching entries in group file"
+
     run_podman run --hostuser=$user --rm $IMAGE grep $user /etc/passwd
     run_podman run --hostuser=$user --user $user --rm $IMAGE grep $user /etc/passwd
     user=bogus