Merge pull request #46732 from laurazard/add-exec-group-add-user-test

exec/tests: add test for `--group-add` with `--user`

integration/container/exec_test.go

@@ -2,6 +2,7 @@ package container // import "github.com/docker/docker/integration/container"
 
 import (
 	"io"
+	"strings"
 	"testing"
 	"time"
 
@@ -136,3 +137,23 @@ func TestExecUser(t *testing.T) {
 
 	assert.Assert(t, is.Contains(result.Stdout(), "uid=1(daemon) gid=1(daemon)"), "exec command not running as uid/gid 1")
 }
+
+// Test that additional groups set with `--group-add` are kept on exec when the container
+// also has a user set.
+// (regression test for https://github.com/moby/moby/issues/46712)
+func TestExecWithGroupAdd(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.39"), "broken in earlier versions")
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows", "FIXME. Probably needs to wait for container to be in running state.")
+
+	ctx := setupTest(t)
+	apiClient := testEnv.APIClient()
+
+	cID := container.Run(ctx, t, apiClient, container.WithTty(true), container.WithUser("root:root"), container.WithAdditionalGroups("staff", "wheel", "audio", "777"), container.WithCmd("sleep", "5"))
+
+	result, err := container.Exec(ctx, apiClient, cID, []string{"id"})
+	assert.NilError(t, err)
+
+	assert.Assert(t,
+		is.Equal(strings.TrimSpace(result.Stdout()), "uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777"),
+		"exec command not keeping additional groups w/ user")
+}

integration/internal/container/ops.go

@@ -193,6 +193,13 @@ func WithUser(user string) func(c *TestContainerConfig) {
 	}
 }
 
+// WithAdditionalGroups sets the additional groups for the container
+func WithAdditionalGroups(groups ...string) func(c *TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.HostConfig.GroupAdd = groups
+	}
+}
+
 // WithPrivileged sets privileged mode for the container
 func WithPrivileged(privileged bool) func(*TestContainerConfig) {
 	return func(c *TestContainerConfig) {