Fix additional_gids_size on process_user_dup #1543

Merged 1 commit on Sep 3, 2024


saschagrunert
Member

Follow-up on #1538

The size needs to be set as well otherwise we may break `additional_gids`.

Found in critest, like: https://github.com/cri-o/cri-o/actions/runs/10680190170/job/29601173374

```
Summarizing 3 Failures:
  [FAIL] [k8s.io] Security Context SupplementalGroupsPolicy when SupplementalGroupsPolicy=Strict [It] even if the container's primary UID belongs to some groups in the image, runtime should not add SupplementalGroups to them
  sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:737
  [FAIL] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
  sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:309
  [FAIL] [k8s.io] Security Context SupplementalGroupsPolicy when SupplementalGroupsPolicy=Merge (Default) [It] if the container's primary UID belongs to some groups in the image, runtime should add SupplementalGroups to them
  sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:669
```

Signed-off-by: Sascha Grunert <[email protected]>
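
An added illustration, not part of the original pull request and not the project's code: a deep copy that duplicates a gid array but leaves its element count at zero, next to the corrected copy, with a check that catches the difference. The struct `user_sketch`, the helper names and the sample gids are hypothetical, and the pre-fix shape is an assumption drawn from the description above.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical, simplified user struct: a gid array plus its element count. */
struct user_sketch {
    uid_t uid;
    gid_t gid;
    gid_t *additional_gids;
    size_t additional_gids_size;
};

/* Shared deep copy; set_size selects the assumed pre-fix or post-fix shape. */
static struct user_sketch *dup_user(const struct user_sketch *src, int set_size)
{
    struct user_sketch *dst = calloc(1, sizeof(*dst));
    if (dst == NULL)
        return NULL;
    dst->uid = src->uid;
    dst->gid = src->gid;
    if (src->additional_gids_size > 0) {
        size_t bytes = src->additional_gids_size * sizeof(gid_t);
        dst->additional_gids = malloc(bytes);
        if (dst->additional_gids == NULL) {
            free(dst);
            return NULL;
        }
        memcpy(dst->additional_gids, src->additional_gids, bytes);
        if (set_size)
            dst->additional_gids_size = src->additional_gids_size; /* the fix */
    }
    return dst;
}

/* Assumed pre-fix shape: array copied, count left at calloc's 0. */
struct user_sketch *user_dup_buggy(const struct user_sketch *s) { return dup_user(s, 0); }
/* Post-fix shape: array and count copied together. */
struct user_sketch *user_dup_fixed(const struct user_sketch *s) { return dup_user(s, 1); }

/* Regression check: the copy must carry the same ids, count and gid list. */
int user_dup_matches(const struct user_sketch *a, const struct user_sketch *b)
{
    if (a->uid != b->uid || a->gid != b->gid)
        return 0;
    if (a->additional_gids_size != b->additional_gids_size)
        return 0;
    return a->additional_gids_size == 0 ||
           memcmp(a->additional_gids, b->additional_gids,
                  a->additional_gids_size * sizeof(gid_t)) == 0;
}

void user_free(struct user_sketch *u) { if (u) { free(u->additional_gids); free(u); } }
```

Any consumer that walks the array by `additional_gids_size` sees an empty list in the first copy, so the supplemental groups are silently not applied.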

Ephemeral COPR build failed. @containers/packit-build please check.


podman system tests failed. @containers/packit-build please check.

@kwilczynski
Member

Nice catch!

/approve
/lgtm

Member

@giuseppe giuseppe left a comment

LGTM

@rhatdan rhatdan merged commit 04e09b0 into containers:main Sep 3, 2024
32 of 56 checks passed
@saschagrunert saschagrunert deleted the gids-len branch September 3, 2024 12:41
4 participants