merge branch 'pr-109'

LGTMs: @cyphar
Closes openSUSE/umoci#109

CHANGELOG.md

@@ -25,6 +25,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - `umoci` now uses an updated version of `go-mtree`, which has a complete
   rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
   handled in a far more consistent and sane way. openSUSE/umoci#88
+- `umoci` used to set `process.user.additionalGids` to the "normal value" when
+  unpacking an image in rootless mode, causing issues when trying to actually
+  run said bundle with runC. openSUSE/umoci#109
 
 ## [0.1.0] - 2017-02-11
 ### Added

oci/layer/unpack.go

@@ -243,6 +243,9 @@ func UnpackManifest(ctx context.Context, engine cas.Engine, bundle string, manif
 func ToRootless(spec *rspec.Spec) {
 	var namespaces []rspec.Namespace
 
+	// Remove additional groups.
+	spec.Process.User.AdditionalGids = nil
+
 	// Remove networkns from the spec.
 	for _, ns := range spec.Linux.Namespaces {
 		switch ns.Type {

test/config.bats

@@ -121,13 +121,20 @@ function teardown() {
 	[ "$output" -eq 8888 ]
 
 	# Make sure additionalGids were set.
-	sane_run jq -SMr '.process.user.additionalGids[]' "$BUNDLE_B/config.json"
-	[ "$status" -eq 0 ]
-	[ "${#lines[@]}" -eq 2 ]
-
-	# Check mounts.
-	printf -- '%s\n' "${lines[*]}" | grep '^9001$'
-	printf -- '%s\n' "${lines[*]}" | grep '^2581$'
+	sane_run jq -SMr '.process.user.additionalGids | length' "$BUNDLE_B/config.json"
+	[ "$status" -eq 0 ]
+	if [ "$ROOTLESS" -eq 0 ]; then
+		[[ "$output" == 2 ]]
+
+		# Check the actual values.
+		sane_run jq -SMr '.process.user.additionalGids[]' "$BUNDLE_B/config.json"
+		[ "$status" -eq 0 ]
+		printf -- '%s\n' "${lines[*]}" | grep '^9001$'
+		printf -- '%s\n' "${lines[*]}" | grep '^2581$'
+	else
+		# In rootless containers additionalGids should be empty.
+		[[ "$output" == 0 ]]
+	fi
 
 	# Check that HOME is set.
 	sane_run jq -SMr '.process.env[]' "$BUNDLE_B/config.json"