reduce the chance of parsing /etc/passwd & /etc/group #4042
+45
−21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
reviewed
Sep 28, 2023
lifubang
force-pushed
the
feat-RemovePasswd
branch
3 times, most recently
from
42d0004 to
3cd5c86
Compare
Signed-off-by: lifubang <[email protected]>
lifubang
force-pushed
the
feat-RemovePasswd
branch
from
3cd5c86 to
6d0d22c
Compare
kolyshkin
requested changes
Sep 28, 2023
There was a problem hiding this comment.
The number to string to number conversion is ugly.
I think we should do a change like this:
@@ -68,8 +68,9 @@ type initConfig struct {
ProcessLabel string `json:"process_label"`
AppArmorProfile string `json:"apparmor_profile"`
NoNewPrivileges bool `json:"no_new_privileges"`
- User string `json:"user"`
- AdditionalGroups []string `json:"additional_groups"`
+ UID int `json:"uid"`
+ GID int `json:"gid"`
+ AdditionalGroups []int `json:"additional_groups"`
Config *configs.Config `json:"config"`
Networks []*network `json:"network"`
PassedFilesCount int `json:"passed_files_count"`and the rest will be greatly simplified.
and the same for // Env specifies the environment variables for the process.
Env []string
- // User will set the uid and gid of the executing process running inside the container
+ // UID and GID of the executing process running inside the container
// local to the container's user and group configuration.
- User string
+ UID, GID int
// AdditionalGroups specifies the gids that should be added to supplementary groups
// in addition to those that the user belongs to.
- AdditionalGroups []string
+ AdditionalGroups []int
// Cwd will change the processes current working directory inside the container's rootfs.
Cwd string |
|
In fact, I forgot I had the code doing all that already. Rebased it, PTAL: #3999 |
|
OK, thanks, leave one to save our reviewing time. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
According to #3998 (comment), we can do the third step to reduce the chance of parsing /etc/passwd & /etc/group when start or exec to a container.
Because in
runtime-spec(https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-user),uid,gid, andadditionalGidsare all defined as a numeric field/array. It is no need to parse a numeric id from/etc/passwdor/etc/group, except$HOMEis empty or gid is not provided(Butruntime-specsaid gid is required).