stale[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the feature:
This is based on encountering the issue described in #482. I want to add some additional information and see if it is worth reconsidering.
Currently (as far as I can tell), the user and group check are done using https://github.com/opencontainers/runc/blob/master/libcontainer/user/user.go. This simply parses
/etc/groupand/etc/passwd.However, on a Linux system using glibc, user and group checks will generally use nss, which can delegate to one or more "databases", such as the
/etc/groupfile or a remote LDAP server.Describe the solution you'd like
The os/user package, when cgo is enabled, will do the lookups using the libc functions (which should correctly use nss).
One potential downside is the requirement of cgo. I see in https://github.com/aelsabbahy/goss/blob/master/release-build.sh that
CGO_ENABLED=0. Building on Linux for Linux should be possible assuming the system has glibc, but it could complicate cross-compilation and probably is not compatible with Alpine or other musl libc systems without some extra work.Two questions:
os/userinstead of https://github.com/opencontainers/runc/blob/master/libcontainer/user/user.go?os/user, would it then be possible to generate a build (at least a secondary build if not the primary build) with cgo enabled?Describe alternatives you've considered
The easiest workaround is to use
commandinstead ofuserandgroup. It's a functional alternative, but not ideal.