Allow passing any uid for container processes.

Usually if a username is provided when starting a process inside the container we look inside the /etc/passwd file of the container to find the uid and gid for that user. However, if a uid is provided instead of a username there is no need to look into the /etc/passwd file to see if that user exists. Signed-off-by: Amit Barve <[email protected]>
microsoft · Dec 4, 2020 · b9c7fc4 · b9c7fc4
1 parent d84eb8a
commit b9c7fc4
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/internal/runtime/hcsv2/spec.go b/internal/runtime/hcsv2/spec.go
@@ -46,10 +46,12 @@ func setProcess(spec *oci.Spec) {
 	}
 }
 
-// setUserStr sets `spec.Process` to the valid `userstr` based on the OCI Image
-// Spec v1.0.0 `userstr`.
+// setUserStr sets `spec.Process` to the valid `userstr` based on the OCI Image Spec
+// v1.0.0 `userstr`.
 //
-// Valid values are: user, uid, user:group, uid:gid, uid:group, user:gid
+// Valid values are: user, uid, user:group, uid:gid, uid:group, user:gid.
+// If uid is provided instead of the username then that value is not checked against the
+// /etc/passwd file to verify if the user with given uid actually exists.
 func setUserStr(spec *oci.Spec, userstr string) error {
 	setProcess(spec)
 
@@ -120,7 +122,8 @@ func setUserID(spec *oci.Spec, uid int) error {
 		return u.Uid == uid
 	})
 	if err != nil {
-		return errors.Wrapf(err, "failed to find user by uid: %d", uid)
+		spec.Process.User.UID, spec.Process.User.GID = uint32(uid), 0
+		return nil
 	}
 	spec.Process.User.UID, spec.Process.User.GID = uint32(u.Uid), uint32(u.Gid)
 	return nil