feat: add userns

Author: Shubhranshu153

cmd/nerdctl/container/container_create.go

@@ -55,6 +55,7 @@ func CreateCommand() *cobra.Command {
 	return cmd
 }
 
+//nolint:function-length
 func createOptions(cmd *cobra.Command) (types.ContainerCreateOptions, error) {
 	var err error
 	opt := types.ContainerCreateOptions{

cmd/nerdctl/container/container_create_linux_test.go

@@ -337,26 +337,24 @@ func TestUsernsMappingCreateCmd(t *testing.T) {
 	testCase := &test.Case{
 		Require: require.All(
 			nerdtest.AllowModifyUserns,
-			require.Not(nerdtest.ContainerdV1),
 			require.Not(nerdtest.Docker)),
 		SubTests: []*test.Case{
 			{
 				Description: "Test container start with valid Userns",
 				NoParallel:  true, // Changes system config so running in non parallel mode
 				Setup: func(data test.Data, helpers test.Helpers) {
-					data.Set("validUserns", "nerdctltestuser")
-					data.Set("expectedHostUID", "123456789")
-					// need to be compiled with containerd version >2.0.2 to support multi uidmap and gidmap.
-					if err := appendUsernsConfig(data.Get("validUserns"), data.Get("expectedHostUID")); err != nil {
+					data.Labels().Set("validUserns", "nerdctltestuser")
+					data.Labels().Set("expectedHostUID", "123456789")
+					if err := appendUsernsConfig(data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID")); err != nil {
 						t.Fatalf("Failed to append Userns config: %v", err)
 					}
 				},
 				Cleanup: func(data test.Data, helpers test.Helpers) {
-					removeUsernsConfig(t, data.Get("validUserns"), data.Get("expectedHostUID"))
+					removeUsernsConfig(t, data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID"))
 					helpers.Anyhow("rm", "-f", data.Identifier())
 				},
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					helpers.Ensure("create", "--tty", "--userns", data.Get("validUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
+					helpers.Ensure("create", "--tty", "--userns", data.Labels().Get("validUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
 					return helpers.Command("start", data.Identifier())
 				},
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
@@ -367,7 +365,7 @@ func TestUsernsMappingCreateCmd(t *testing.T) {
 							if err != nil {
 								t.Fatalf("Failed to get container host UID: %v", err)
 							}
-							assert.Assert(t, actualHostUID == data.Get("expectedHostUID"), info)
+							assert.Assert(t, actualHostUID == data.Labels().Get("expectedHostUID"), info)
 						},
 					}
 				},
@@ -376,13 +374,13 @@ func TestUsernsMappingCreateCmd(t *testing.T) {
 				Description: "Test container start with invalid Userns",
 				NoParallel:  true, // Changes system config so running in non parallel mode
 				Setup: func(data test.Data, helpers test.Helpers) {
-					data.Set("invalidUserns", "invaliduser")
+					data.Labels().Set("invalidUserns", "invaliduser")
 				},
 				Cleanup: func(data test.Data, helpers test.Helpers) {
 					helpers.Anyhow("rm", "-f", data.Identifier())
 				},
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Command("create", "--tty", "--userns", data.Get("invalidUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
+					return helpers.Command("create", "--tty", "--userns", data.Labels().Get("invalidUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
 				},
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
@@ -395,15 +393,15 @@ func TestUsernsMappingCreateCmd(t *testing.T) {
 	testCase.Run(t)
 }
 
-func runUsernsContainer(t *testing.T, name, Userns, image, cmd string) *icmd.Result {
+func runUsernsContainer(t *testing.T, name, userns, image, cmd string) *icmd.Result {
 	base := testutil.NewBase(t)
 	removeContainerArgs := []string{
 		"rm", "-f", name,
 	}
 	base.Cmd(removeContainerArgs...).Run()
 
 	args := []string{
-		"run", "-d", "--userns", Userns, "--name", name, image, "sh", "-c", cmd,
+		"run", "-d", "--userns", userns, "--name", name, image, "sh", "-c", cmd,
 	}
 	return base.Cmd(args...).Run()
 }
@@ -425,12 +423,12 @@ func getContainerHostUID(helpers test.Helpers, containerName string) (string, er
 	return strconv.Itoa(uid), nil
 }
 
-func appendUsernsConfig(Userns string, hostUid string) error {
-	if err := addUser(Userns, hostUid); err != nil {
-		return fmt.Errorf("failed to add user %s: %w", Userns, err)
+func appendUsernsConfig(userns string, hostUid string) error {
+	if err := addUser(userns, hostUid); err != nil {
+		return fmt.Errorf("failed to add user %s: %w", userns, err)
 	}
 
-	entry := fmt.Sprintf("%s:%s:65536\n", Userns, hostUid)
+	entry := fmt.Sprintf("%s:%s:65536\n", userns, hostUid)
 
 	tempDir := os.TempDir()
 
@@ -482,14 +480,13 @@ func addUser(username string, hostId string) error {
 	return nil
 }
 
-func removeUsernsConfig(t *testing.T, Userns string, hostUid string) {
-
-	if err := delUser(Userns); err != nil {
-		t.Logf("failed to del user %s, Error: %s", Userns, err)
+func removeUsernsConfig(t *testing.T, userns string, hostUid string) {
+	if err := delUser(userns); err != nil {
+		t.Logf("failed to del user %s, Error: %s", userns, err)
 	}
 
-	if err := delGroup(Userns); err != nil {
-		t.Logf("failed to del group %s, Error: %s", Userns, err)
+	if err := delGroup(userns); err != nil {
+		t.Logf("failed to del group %s, Error: %s", userns, err)
 	}
 
 	tempDir := os.TempDir()
@@ -521,7 +518,7 @@ func removeUsernsConfig(t *testing.T, Userns string, hostUid string) {
 }
 
 func delUser(username string) error {
-	cmd := exec.Command("sudo", "userdel", username)
+	cmd := exec.Command("userdel", username)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("userdel failed: %s, %w", string(output), err)
@@ -530,7 +527,7 @@ func delUser(username string) error {
 }
 
 func delGroup(groupname string) error {
-	cmd := exec.Command("sudo", "groupdel", groupname)
+	cmd := exec.Command("groupdel", groupname)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("groupdel failed: %s, %w", string(output), err)

cmd/nerdctl/container/container_run_user_linux_test.go

@@ -20,11 +20,12 @@ import (
 	"fmt"
 	"testing"
 
+	"gotest.tools/v3/assert"
+
 	"github.com/containerd/nerdctl/mod/tigron/require"
 	"github.com/containerd/nerdctl/mod/tigron/test"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
-	"gotest.tools/v3/assert"
 )
 
 func TestRunUserGID(t *testing.T) {
@@ -192,25 +193,24 @@ func TestUsernsMappingRunCmd(t *testing.T) {
 	testCase := &test.Case{
 		Require: require.All(
 			nerdtest.AllowModifyUserns,
-			require.Not(nerdtest.ContainerdV1),
 			require.Not(nerdtest.Docker)),
 		SubTests: []*test.Case{
 			{
 				Description: "Test container start with valid Userns",
 				NoParallel:  true, // Changes system config so running in non parallel mode
 				Setup: func(data test.Data, helpers test.Helpers) {
-					data.Set("validUserns", "nerdctltestuser")
-					data.Set("expectedHostUID", "123456789")
-					if err := appendUsernsConfig(data.Get("validUserns"), data.Get("expectedHostUID")); err != nil {
+					data.Labels().Set("validUserns", "nerdctltestuser")
+					data.Labels().Set("expectedHostUID", "123456789")
+					if err := appendUsernsConfig(data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID")); err != nil {
 						t.Fatalf("Failed to append Userns config: %v", err)
 					}
 				},
 				Cleanup: func(data test.Data, helpers test.Helpers) {
 					helpers.Anyhow("rm", "-f", data.Identifier())
-					removeUsernsConfig(t, data.Get("validUserns"), data.Get("expectedHostUID"))
+					removeUsernsConfig(t, data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID"))
 				},
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Command("run", "--tty", "-d", "--userns", data.Get("validUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
+					return helpers.Command("run", "--tty", "-d", "--userns", data.Labels().Get("validUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
 				},
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
@@ -220,7 +220,7 @@ func TestUsernsMappingRunCmd(t *testing.T) {
 							if err != nil {
 								t.Fatalf("Failed to get container host UID: %v", err)
 							}
-							assert.Assert(t, actualHostUID == data.Get("expectedHostUID"), info)
+							assert.Assert(t, actualHostUID == data.Labels().Get("expectedHostUID"), info)
 						},
 					}
 				},
@@ -229,22 +229,22 @@ func TestUsernsMappingRunCmd(t *testing.T) {
 				Description: "Test container network share with valid Userns",
 				NoParallel:  true, // Changes system config so running in non parallel mode
 				Setup: func(data test.Data, helpers test.Helpers) {
-					data.Set("validUserns", "nerdctltestuser")
-					data.Set("expectedHostUID", "123456789")
-					data.Set("net-container", "net-container")
-					if err := appendUsernsConfig(data.Get("validUserns"), data.Get("expectedHostUID")); err != nil {
+					data.Labels().Set("validUserns", "nerdctltestuser")
+					data.Labels().Set("expectedHostUID", "123456789")
+					data.Labels().Set("net-container", "net-container")
+					if err := appendUsernsConfig(data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID")); err != nil {
 						t.Fatalf("Failed to append Userns config: %v", err)
 					}
 
-					helpers.Ensure("run", "--tty", "-d", "--userns", data.Get("validUserns"), "--name", data.Get("net-container"), testutil.NginxAlpineImage)
+					helpers.Ensure("run", "--tty", "-d", "--userns", data.Labels().Get("validUserns"), "--name", data.Labels().Get("net-container"), testutil.NginxAlpineImage)
 				},
 				Cleanup: func(data test.Data, helpers test.Helpers) {
 					helpers.Anyhow("rm", "-f", data.Identifier())
-					helpers.Anyhow("rm", "-f", data.Get("net-container"))
-					removeUsernsConfig(t, data.Get("validUserns"), data.Get("expectedHostUID"))
+					helpers.Anyhow("rm", "-f", data.Labels().Get("net-container"))
+					removeUsernsConfig(t, data.Labels().Get("validUserns"), data.Labels().Get("expectedHostUID"))
 				},
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Command("run", "--tty", "-d", "--userns", data.Get("validUserns"), "--net", fmt.Sprintf("container:%s", data.Get("net-container")), "--name", data.Identifier(), testutil.NginxAlpineImage)
+					return helpers.Command("run", "--tty", "-d", "--userns", data.Labels().Get("validUserns"), "--net", fmt.Sprintf("container:%s", data.Labels().Get("net-container")), "--name", data.Identifier(), testutil.NginxAlpineImage)
 				},
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
@@ -255,13 +255,13 @@ func TestUsernsMappingRunCmd(t *testing.T) {
 			{
 				Description: "Test container start with invalid Userns",
 				Setup: func(data test.Data, helpers test.Helpers) {
-					data.Set("invalidUserns", "invaliduser")
+					data.Labels().Set("invalidUserns", "invaliduser")
 				},
 				Cleanup: func(data test.Data, helpers test.Helpers) {
 					helpers.Anyhow("rm", "-f", data.Identifier())
 				},
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Command("run", "--tty", "-d", "--userns", data.Get("invalidUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
+					return helpers.Command("run", "--tty", "-d", "--userns", data.Labels().Get("invalidUserns"), "--name", data.Identifier(), testutil.NginxAlpineImage)
 				},
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{