exec/tests: add test for --group-add with --user

Adds test ensuring that additional groups set with `--group-add` are kept on exec when container had `--user` set on run. Regression test for https://github.com/moby/moby/issues/46712 Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-10-26 15:57:09 +01:00 · 2023-10-26 15:57:09 +01:00 · 153d7e4038
commit 153d7e4038
parent 1b9411ef77
2 changed files with 28 additions and 0 deletions
--- a/integration/container/exec_test.go
+++ b/integration/container/exec_test.go
@ -2,6 +2,7 @@ package container // import "github.com/docker/docker/integration/container"

 import (
 	"io"
+	"strings"
 	"testing"
 	"time"

@ -136,3 +137,23 @@ func TestExecUser(t *testing.T) {

 	assert.Assert(t, is.Contains(result.Stdout(), "uid=1(daemon) gid=1(daemon)"), "exec command not running as uid/gid 1")
 }
+
+// Test that additional groups set with `--group-add` are kept on exec when the container
+// also has a user set.
+// (regression test for https://github.com/moby/moby/issues/46712)
+func TestExecWithGroupAdd(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.39"), "broken in earlier versions")
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows", "FIXME. Probably needs to wait for container to be in running state.")
+
+	ctx := setupTest(t)
+	apiClient := testEnv.APIClient()
+
+	cID := container.Run(ctx, t, apiClient, container.WithTty(true), container.WithUser("root:root"), container.WithAdditionalGroups("staff", "wheel", "audio", "777"), container.WithCmd("sleep", "5"))
+
+	result, err := container.Exec(ctx, apiClient, cID, []string{"id"})
+	assert.NilError(t, err)
+
+	assert.Assert(t,
+		is.Equal(strings.TrimSpace(result.Stdout()), "uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777"),
+		"exec command not keeping additional groups w/ user")
+}
--- a/integration/internal/container/ops.go
+++ b/integration/internal/container/ops.go
@ -193,6 +193,13 @@ func WithUser(user string) func(c *TestContainerConfig) {
 	}
 }

+// WithAdditionalGroups sets the additional groups for the container
+func WithAdditionalGroups(groups ...string) func(c *TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.HostConfig.GroupAdd = groups
+	}
+}
+
 // WithPrivileged sets privileged mode for the container
 func WithPrivileged(privileged bool) func(*TestContainerConfig) {
 	return func(c *TestContainerConfig) {