fix: oci: ensure user/group entries in container

Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
vzokay · Feb 9, 2023 · a585870 · a585870
1 parent f574760
commit a585870
Showing 1 changed file with 45 additions and 6 deletions.
diff --git a/internal/pkg/runtime/launcher/oci/launcher_linux.go b/internal/pkg/runtime/launcher/oci/launcher_linux.go
@@ -18,13 +18,17 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"syscall"
 
 	"github.com/apptainer/apptainer/internal/pkg/buildcfg"
 	"github.com/apptainer/apptainer/internal/pkg/cache"
 	"github.com/apptainer/apptainer/internal/pkg/runtime/launcher"
+	"github.com/apptainer/apptainer/internal/pkg/util/fs/files"
+	"github.com/apptainer/apptainer/internal/pkg/util/user"
 	"github.com/apptainer/apptainer/pkg/ocibundle/native"
+	"github.com/apptainer/apptainer/pkg/ocibundle/tools"
 	"github.com/apptainer/apptainer/pkg/syfs"
 	"github.com/apptainer/apptainer/pkg/sylog"
 	"github.com/apptainer/apptainer/pkg/util/apptainerconf"
@@ -117,12 +121,6 @@ func checkOpts(lo launcher.Options) error {
 	if lo.NoNvidia {
 		badOpt = append(badOpt, "NoNvidia")
 	}
-	if lo.Rocm {
-		badOpt = append(badOpt, "Rocm")
-	}
-	if lo.NoRocm {
-		badOpt = append(badOpt, "NoRocm")
-	}
 
 	if len(lo.ContainLibs) > 0 {
 		badOpt = append(badOpt, "ContainLibs")
@@ -266,6 +264,43 @@ func (l *Launcher) createSpec() (*specs.Spec, error) {
 	return &spec, nil
 }
 
+func (l *Launcher) updatePasswdGroup(rootfs string) error {
+	uid := os.Getuid()
+	gid := os.Getgid()
+
+	if os.Getuid() == 0 || l.cfg.Fakeroot {
+		return nil
+	}
+
+	containerPasswd := filepath.Join(rootfs, "etc", "passwd")
+	containerGroup := filepath.Join(rootfs, "etc", "group")
+
+	pw, err := user.CurrentOriginal()
+	if err != nil {
+		return err
+	}
+
+	sylog.Debugf("Updating passwd file: %s", containerPasswd)
+	content, err := files.Passwd(containerPasswd, pw.Dir, uid)
+	if err != nil {
+		return fmt.Errorf("while creating passwd file: %w", err)
+	}
+	if err := os.WriteFile(containerPasswd, content, 0o755); err != nil {
+		return fmt.Errorf("while writing passwd file: %w", err)
+	}
+
+	sylog.Debugf("Updating group file: %s", containerGroup)
+	content, err = files.Group(containerGroup, uid, []int{gid})
+	if err != nil {
+		return fmt.Errorf("while creating group file: %w", err)
+	}
+	if err := os.WriteFile(containerGroup, content, 0o755); err != nil {
+		return fmt.Errorf("while writing passwd file: %w", err)
+	}
+
+	return nil
+}
+
 // Exec will interactively execute a container via the runc low-level runtime.
 // image is a reference to an OCI image, e.g. docker://ubuntu or oci:/tmp/mycontainer
 func (l *Launcher) Exec(ctx context.Context, image string, process string, args []string, instanceName string) error {
@@ -346,6 +381,10 @@ func (l *Launcher) Exec(ctx context.Context, image string, process string, args
 		return err
 	}
 
+	if err := l.updatePasswdGroup(tools.RootFs(b.Path()).Path()); err != nil {
+		return err
+	}
+
 	id, err := uuid.NewRandom()
 	if err != nil {
 		return fmt.Errorf("while generating container id: %w", err)