introduce host_paths and host_users labels

deprectates proxt_hostpaths allows mapping of host users and groups into container
dockerland · Oct 18, 2016 · 9b222d2 · 9b222d2
1 parent 3221bcc
commit 9b222d2
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 10 deletions.
diff --git a/docs/v1-runtime.md b/docs/v1-runtime.md
@@ -21,7 +21,8 @@ lets talk about how to "dexify" your application...
 #  org.dockerland.dex.docker_home=~             (user's actual home)
 #  org.dockerland.dex.docker_volumes=/etc/hosts:/etc/hosts:ro
 #  org.dockerland.dex.docker_workspace=/        (host root as /dex/workspace)
-#  org.dockerland.dex.proxy_hostpaths=rw        (rw mount host HOME and CWD)
+#  org.dockerland.dex.host_paths=rw             (rw mount host HOME and CWD)
+#  org.dockerland.dex.host_users=ro             (ro mount host /etc/passwd|group)
 #  org.dockerland.dex.window=yes                (applies window/X11 flags)
 #
 ```
diff --git a/lib.d/v1-runtime.sh b/lib.d/v1-runtime.sh
@@ -18,7 +18,8 @@ v1-runtime(){
   #  org.dockerland.dex.docker_home=~             (user's actual home)
   #  org.dockerland.dex.docker_volumes=/etc/hosts:/etc/hosts:ro
   #  org.dockerland.dex.docker_workspace=/        (host root as /dex/workspace)
-  #  org.dockerland.dex.proxy_hostpaths=rw        (rw mount host HOME and CWD)
+  #  org.dockerland.dex.host_paths=rw             (rw mount host HOME and CWD)
+  #  org.dockerland.dex.host_users=ro             (ro mount host /etc/passwd|group)
   #  org.dockerland.dex.window=yes                (applies window/X11 flags)
   #
   __docker_devices=
@@ -28,11 +29,12 @@ v1-runtime(){
   __docker_home=$DEX_IMAGE_NAME-$__tag
   __docker_workspace=$DEX_HOST_PWD
   __docker_volumes=
-  __proxy_hostpaths="ro"
+  __host_paths="ro"
+  __host_users=
   __window=
 
   # augment defaults with image meta
-  for label in api docker_devices docker_envars docker_flags docker_groups docker_home docker_workspace docker_volumes proxy_hostpaths window ; do
+  for label in api docker_devices docker_envars docker_flags docker_groups docker_home docker_workspace docker_volumes host_paths host_users window ; do
     # @TODO reduce this to a single docker inspect command
     val=$(__local_docker inspect --format "{{ index .Config.Labels \"org.dockerland.dex.$label\" }}" $__image)
     [ -z "$val" ] && continue
@@ -157,15 +159,21 @@ v1-runtime(){
   done
 
   # mount typical host paths in container to coax some absolute path resolutions
-  case $(echo "$__proxy_hostpaths" | awk '{print tolower($0)}') in rw|ro)
+  case $(echo "$__host_paths" | awk '{print tolower($0)}') in rw|ro)
     if [[ ! "$HOME" =~ ^($DEX_HOST_PWD|/dex/home)$ ]]; then
-      [ -d $HOME ] && __docker_flags+=" -v $HOME:$HOME:$__proxy_hostpaths"
+      [ -d $HOME ] && __docker_flags+=" -v $HOME:$HOME:$__host_paths"
     fi
     if [[ ! "$DEX_HOST_PWD" =~ ^($HOME|/dex/workspace|/|/bin|/dev|/etc|/lib|/lib64|/opt|/proc|/sbin|/run|/sbin|/srv|/sys|/usr|/var)$ ]]; then
-      __docker_flags+=" -v $DEX_HOST_PWD:$DEX_HOST_PWD:$__proxy_hostpaths"
+      __docker_flags+=" -v $DEX_HOST_PWD:$DEX_HOST_PWD:$__host_paths"
     fi
   esac
 
+  # map host /etc/passwd and /etc/group in container
+  case $(echo "$__host_users" | awk '{print tolower($0)}') in rw|ro)
+    [ -e /etc/passwd ] && __docker_flags+=" -v /etc/passwd:/etc/passwd:$__host_users"
+    [ -e /etc/group ] && __docker_flags+=" -v /etc/group:/etc/group:$__host_users"
+  esac
+
   # deactivate docker-machine
   __deactivate_machine
 

diff --git a/tests/bats/06-runtime.bats b/tests/bats/06-runtime.bats
@@ -110,14 +110,22 @@ teardown(){
   [ -d $DEX_HOME/homes/debian-latest ]
 }
 
-@test "runtime ro-mounts typical host paths to coax absolute path resolution by default" {
+@test "runtime ro-mounts host paths to coax common absolute path resolutions" {
   cd $TMPDIR
   $DEX run imgtest/debian ls $TMPDIR
 
-  run $DEX run imgtest/labels:no-hostpaths ls $TMPDIR
+  run $DEX run imgtest/labels:disable-host_paths ls $TMPDIR
   [ $status -eq 2 ]
 }
 
+@test "runtime respects ro-mounting of host users/groups" {
+  run $DEX run imgtest/debian whoami
+  [ $status -eq 1 ]
+
+  run $DEX run imgtest/labels:enable-host_users whoami
+  [ $status -eq 0 ]
+}
+
 @test "runtime respects docker_envars label" {
   # imgtest/labels image ::
   # LABEL org.dockerland.dex.docker_envars="BATS_TESTVAR"

diff --git a/...dex-images/labels/Dockerfile-no-hostpaths → ...ages/labels/Dockerfile-disable-host_paths b/...dex-images/labels/Dockerfile-no-hostpaths → ...ages/labels/Dockerfile-disable-host_paths
@@ -6,7 +6,7 @@ FROM debian:jessie
 
 LABEL \
   org.dockerland.dex.api="v1" \
-  org.dockerland.dex.proxy_hostpaths="off"
+  org.dockerland.dex.host_paths=off
 
 #
 # debian image

diff --git a/tests/fixtures/dex-images/labels/Dockerfile-enable-host_users b/tests/fixtures/dex-images/labels/Dockerfile-enable-host_users
@@ -0,0 +1,15 @@
+FROM debian:jessie
+
+#
+# v1 dex-api
+#
+
+LABEL \
+  org.dockerland.dex.api="v1" \
+  org.dockerland.dex.host_users=ro
+
+#
+# debian image
+#
+
+CMD echo "DEBIAN_RELEASE=$(cat /etc/debian_version)" ; printenv