
Make GID optional to allow retaining `overflowgid` (useful for exposing `crw-rw----` devices to Rootless Containers)

Open AkihiroSuda opened this issue 3 years ago • 2 comments

https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md

In the current spec, .process.user.gid is defined as a REQUIRED attribute.

I suggest making this attribute OPTIONAL to allow retaining overflowgid, by avoiding calling setgroups(2). When gid is unset, additionalGids MUST be unset, too.

This is useful for exposing crw-rw---- devices to Rootless Containers:

  • https://github.com/moby/moby/issues/43019

I have issues mounting a device with rootless docker through --device /dev/ttyUSB0. The device is accessible outside the docker to users of the dialout group. But I suspect the group is not properly propagated to the docker container. The device shows up as

crw-rw---- 1 nobody nogroup 188, 0 Nov 15 15:59 /dev/ttyUSB0

within the docker. On the host it is

crw-rw---- 1 root dialout 188, 0 Nov 15 07:59 /dev/ttyUSB0

Trying to access the device leads to a Permission denied error.

AkihiroSuda, Nov 16 '21 07:11
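As an added example (not code from the runtime-spec project or from the issue author), the following Go program shows how a runtime could apply the proposed rule: a `process.user` fragment from config.json is parsed with `gid` as a pointer so that "absent" is distinguishable from `0`; when it is absent the runtime leaves the group credentials untouched (no setgid(2)/setgroups(2), so the overflow or original groups survive) and rejects a config that still carries `additionalGids`. The `User`, `CredPlan` and `groupCanReadWrite` names, and the reading that "no setgroups" also means "no setgid", are assumptions of this example; the device-mode check at the end illustrates why a `crw-rw----` node becomes unusable once the matching group is gone from the process.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User mirrors process.user from config.json, except that GID is a pointer so
// an omitted gid (the proposal in this issue) is distinct from gid 0.
// Illustrative type, not the spec's own Go binding.
type User struct {
	UID            uint32   `json:"uid"`
	GID            *uint32  `json:"gid,omitempty"`
	AdditionalGids []uint32 `json:"additionalGids,omitempty"`
}

// CredPlan records what the runtime would do before exec'ing the container process.
type CredPlan struct {
	CallSetgid    bool // change the primary group to User.GID
	CallSetgroups bool // replace supplementary groups with User.AdditionalGids
	KeepGroups    bool // leave gid and supplementary groups exactly as inherited
}

// PlanCredentials applies the proposed rule: gid unset => skip setgid/setgroups
// (retaining overflowgid / inherited groups); additionalGids MUST then be unset.
func PlanCredentials(u User) (CredPlan, error) {
	if u.GID == nil {
		if len(u.AdditionalGids) != 0 {
			return CredPlan{}, errors.New("additionalGids is set but gid is unset")
		}
		return CredPlan{KeepGroups: true}, nil
	}
	// gid present: conventional behaviour, primary and supplementary groups are set.
	return CredPlan{CallSetgid: true, CallSetgroups: true}, nil
}

// PlanFromJSON parses a process.user object and returns the credential plan.
func PlanFromJSON(doc []byte) (CredPlan, error) {
	var u User
	if err := json.Unmarshal(doc, &u); err != nil {
		return CredPlan{}, err
	}
	return PlanCredentials(u)
}

// groupCanReadWrite reports whether a process with the given egid and
// supplementary groups can open a device node whose group bits are rw
// (the "crw-rw----" case from the issue). mode uses the usual octal bits.
func groupCanReadWrite(devGID uint32, mode uint32, egid uint32, supp []uint32) bool {
	const groupRW = 0o060
	if mode&groupRW != groupRW {
		return false
	}
	if egid == devGID {
		return true
	}
	for _, g := range supp {
		if g == devGID {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample fragments, not taken from a real config.json.
	for _, doc := range []string{
		`{"uid":1000,"gid":1000,"additionalGids":[20]}`,
		`{"uid":1000}`,
		`{"uid":1000,"additionalGids":[20]}`,
	} {
		p, err := PlanFromJSON([]byte(doc))
		fmt.Printf("%s -> %+v err=%v\n", doc, p, err)
	}
	// dialout is commonly gid 20 on Debian-family hosts; constructed value.
	fmt.Println("access with dialout kept:", groupCanReadWrite(20, 0o660, 1000, []uint32{20}))
	fmt.Println("access after groups dropped:", groupCanReadWrite(20, 0o660, 1000, nil))
}
```

Run it with `go run main.go`; the third fragment is rejected because `additionalGids` is present without `gid`, and the final two lines show the same device being usable or not depending solely on whether the `dialout` group survived into the process.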

@cyphar @giuseppe @kolyshkin WDYT?

AkihiroSuda, Nov 16 '21 07:11

I agree it is useful. crun implements it with an annotation. I have already opened a similar issue: https://github.com/opencontainers/runtime-spec/issues/1020

giuseppe, Nov 16 '21 07:11