add additional-gids to runc exec

exec.go

@@ -50,6 +50,10 @@ following will output a list of processes running in the container:
 			Name:  "user, u",
 			Usage: "UID (format: <uid>[:<gid>])",
 		},
+		cli.Int64SliceFlag{
+			Name:  "additional-gids, g",
+			Usage: "additional gids",
+		},
 		cli.StringFlag{
 			Name:  "process, p",
 			Usage: "path to the process.json",
@@ -208,5 +212,11 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 		}
 		p.User.UID = uint32(uid)
 	}
+	for _, gid := range context.Int64Slice("additional-gids") {
+		if gid < 0 {
+			return nil, fmt.Errorf("additional-gids must be a positive number %d", gid)
+		}
+		p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
+	}
 	return p, nil
 }

man/runc-exec.8.md

@@ -14,16 +14,17 @@ following will output a list of processes running in the container:
        # runc exec <container-id> ps
 
 # OPTIONS
-   --console value              specify the pty slave path for use with the container
-   --cwd value                  current working directory in the container
-   --env value, -e value        set environment variables
-   --tty, -t                    allocate a pseudo-TTY
-   --user value, -u value       UID (format: <uid>[:<gid>])
-   --process value, -p value    path to the process.json
-   --detach, -d                 detach from the container's process
-   --pid-file value             specify the file to write the process id to
-   --process-label value        set the asm process label for the process commonly used with selinux
-   --apparmor value             set the apparmor profile for the process
-   --no-new-privs               set the no new privileges value for the process
-   --cap value, -c value        add a capability to the bounding set for the process
-   --no-subreaper               disable the use of the subreaper used to reap reparented processes
+   --console value                          specify the pty slave path for use with the container
+   --cwd value                              current working directory in the container
+   --env value, -e value                    set environment variables
+   --tty, -t                                allocate a pseudo-TTY
+   --user value, -u value                   UID (format: <uid>[:<gid>])
+   --additional-gids value, -g value        additional gids
+   --process value, -p value                path to the process.json
+   --detach, -d                             detach from the container's process
+   --pid-file value                         specify the file to write the process id to
+   --process-label value                    set the asm process label for the process commonly used with selinux
+   --apparmor value                         set the apparmor profile for the process
+   --no-new-privs                           set the no new privileges value for the process
+   --cap value, -c value                    add a capability to the bounding set for the process
+   --no-subreaper                           disable the use of the subreaper used to reap reparented processes

tests/integration/exec.bats

@@ -112,3 +112,18 @@ function teardown() {
 
   [[ "${output}" == "uid=1000 gid=1000"* ]]
 }
+
+@test "runc exec --additional-gids" {
+  requires root
+
+  # run busybox detached
+  runc run -d --console-socket $CONSOLE_SOCKET test_busybox
+  [ "$status" -eq 0 ]
+
+  wait_for_container 15 1 test_busybox
+
+  runc exec --user 1000:1000 --additional-gids 100 --additional-gids 99 test_busybox id 
+  [ "$status" -eq 0 ]
+
+  [[ ${output} == "uid=1000 gid=1000 groups=99(nogroup),100(users)" ]]
+}