|
@@ -4,7 +4,6 @@ import (
|
|
|
"context"
|
|
"context"
|
|
|
|
|
|
|
|
"github.com/containerd/containerd"
|
|
"github.com/containerd/containerd"
|
|
|
- "github.com/containerd/containerd/containers"
|
|
|
|
|
"github.com/containerd/containerd/oci"
|
|
"github.com/containerd/containerd/oci"
|
|
|
coci "github.com/containerd/containerd/oci"
|
|
coci "github.com/containerd/containerd/oci"
|
|
|
"github.com/containerd/containerd/pkg/apparmor"
|
|
"github.com/containerd/containerd/pkg/apparmor"
|
|
@@ -14,13 +13,6 @@ import (
|
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
)
|
|
)
|
|
|
|
|
|
|
|
-func withResetAdditionalGIDs() oci.SpecOpts {
|
|
|
|
|
- return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
|
|
|
|
|
- s.Process.User.AdditionalGids = nil
|
|
|
|
|
- return nil
|
|
|
|
|
- }
|
|
|
|
|
-}
|
|
|
|
|
-
|
|
|
|
|
func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client, ec *container.ExecConfig) (specs.User, error) {
|
|
func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client, ec *container.ExecConfig) (specs.User, error) {
|
|
|
ctr, err := containerdCli.LoadContainer(ctx, ec.Container.ID)
|
|
ctr, err := containerdCli.LoadContainer(ctx, ec.Container.ID)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
@@ -39,7 +31,6 @@ func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client
|
|
|
|
|
|
|
|
opts := []oci.SpecOpts{
|
|
opts := []oci.SpecOpts{
|
|
|
coci.WithUser(ec.User),
|
|
coci.WithUser(ec.User),
|
|
|
- withResetAdditionalGIDs(),
|
|
|
|
|
coci.WithAdditionalGIDs(ec.User),
|
|
coci.WithAdditionalGIDs(ec.User),
|
|
|
coci.WithAppendAdditionalGroups(ec.Container.HostConfig.GroupAdd...),
|
|
coci.WithAppendAdditionalGroups(ec.Container.HostConfig.GroupAdd...),
|
|
|
}
|
|
}
|
Sebastiaan van Stijn