Adding a permissive option to user-preserve-groups incase there are g…
…roups on the host that aren't permissible on the target but you'd like best-effort.

Signed-off-by: Tully Foote <tullyfoote@intrinsic.ai>
tfoote committed Apr 17, 2023
1 parent b16136e commit 44f7946
Showing 3 changed files with 14 additions and 1 deletion.
6 changes: 6 additions & 0 deletions src/rocker/extensions.py
Expand Up @@ -278,6 +278,7 @@ def get_snippet(self, cliargs):
substitutions['user_groups'] = ' '.join(['{};{}'.format(g.gr_name, g.gr_gid) for g in grp.getgrall() if substitutions['name'] in g.gr_mem])
else:
substitutions['user_groups'] = ''
substitutions['user_preserve_groups_permissive'] = True if 'user_preserve_groups_permissive' in cliargs and cliargs['user_preserve_groups_permissive'] else False
substitutions['home_extension_active'] = True if 'home' in cliargs and cliargs['home'] else False
if 'user_override_shell' in cliargs and cliargs['user_override_shell'] is not None:
if cliargs['user_override_shell'] == '':
Expand All @@ -304,6 +305,11 @@ def register_arguments(parser, defaults={}):
action='store_true',
default=defaults.get('user-preserve-groups', False),
help="Assign user to same groups as he belongs in host.")
parser.add_argument('--user-preserve-groups-permissive',
action='store_true',
default=defaults.get('user-preserve-groups-permissive', False),
help="If using user-preserve-groups allow failures in assignment."
"This is important if the host and target have different rules. https://unix.stackexchange.com/a/11481/83370" )
parser.add_argument('--user-override-shell',
action='store',
default=defaults.get('user-override-shell', None),
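Review bot: The two adjacent string literals in the new `help=` for `--user-preserve-groups-permissive` are joined without a separator, so `--help` prints "assignment.This is important"; end the first literal with a space, `help="If using user-preserve-groups allow failures in assignment. "`. Nothing visible in this hunk ties the new option to `--user-preserve-groups`, so passing it alone is presumably a silent no-op; the help text could say so, or `get_snippet` could warn. In `get_snippet`, `True if ... in cliargs and cliargs[...] else False` can be written as `bool(cliargs.get('user_preserve_groups_permissive'))`. Both `get_snippet` and `register_arguments` start and end outside the hunks shown.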
2 changes: 1 addition & 1 deletion src/rocker/templates/user_snippet.Dockerfile.em
Expand Up @@ -22,7 +22,7 @@ RUN existing_user_by_uid=`getent passwd "@(uid)" | cut -f1 -d: || true` && \
for groupinfo in ${user_groups}; do \
existing_group_by_name=`getent group ${groupinfo%;*} || true`; \
existing_group_by_gid=`getent group ${groupinfo#*;} || true`; \
if [ -z "${existing_group_by_name}" ] && [ -z "${existing_group_by_gid}" ]; then groupadd -g "${groupinfo#*;}" "${groupinfo%;*}" && usermod -aG "${groupinfo%;*}" "@(name)"; fi \
if [ -z "${existing_group_by_name}" ] && [ -z "${existing_group_by_gid}" ]; then groupadd -g "${groupinfo#*;}" "${groupinfo%;*}" && usermod -aG "${groupinfo%;*}" "@(name)" @(('|| (true && echo "user-preserve-group-permissive Enabled, continuing without processing group $groupinfo" )') if user_preserve_groups_permissive else ''); fi \
done && \
@[end if]@
echo "@(name) ALL=NOPASSWD: ALL" >> /etc/sudoers.d/rocker
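Review bot: The fallback appended after `usermod -aG` applies to the whole `groupadd ... && usermod ...` chain, so a failure in either command is swallowed and a group that was created but not assigned leaves the same single build-log line as one that was never created. The resulting image can silently carry fewer groups than the host user has, so anything relying on that membership for access should be checked against the build log. The message names the option `user-preserve-group-permissive` while the flag is `--user-preserve-groups-permissive`, which makes the line harder to search for. The `(true && echo ...)` subshell is not needed because `echo` already returns 0; `|| echo "user-preserve-groups-permissive enabled, skipping group $groupinfo" >&2` would do, with the assertion in test/test_extension.py updated to match. The `RUN` command starts above the hunk.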
7 changes: 7 additions & 0 deletions test/test_extension.py
Expand Up @@ -321,6 +321,13 @@ def test_user_extension(self):
snippet_result = p.get_snippet(user_override_active_cliargs)
self.assertTrue('usermod -aG' in snippet_result)

user_override_active_cliargs = mock_cliargs
user_override_active_cliargs['user_preserve_groups'] = True
user_override_active_cliargs['user_preserve_groups_permissive'] = True
snippet_result = p.get_snippet(user_override_active_cliargs)
self.assertTrue('usermod -aG' in snippet_result)
self.assertTrue('user-preserve-group-permissive Enabled' in snippet_result)

user_override_active_cliargs['user_override_name'] = 'testusername'
snippet_result = p.get_snippet(user_override_active_cliargs)
self.assertTrue('USER testusername' in snippet_result)
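Review bot: The added assertions cover only the flag being set; nothing checks that the fallback text is absent when `user_preserve_groups_permissive` is unset, so a template regression that always emits the `|| ...` clause (and therefore always ignores group-assignment failures) would still pass. After the preceding non-permissive `get_snippet` call, add `self.assertFalse('user-preserve-group-permissive Enabled' in snippet_result)`. `user_override_active_cliargs = mock_cliargs` also rebinds the same dict rather than copying it, so the permissive key stays set for the later `user_override_name` assertions; that looks harmless here, but `dict(mock_cliargs)` would keep the cases independent. `test_user_extension` starts and ends outside the hunk.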
