Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option --group-id to specify numerical group id #1093

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

davidjsherman
Copy link

Add an option --group-id to specify numerical group id separately from the numerical user id. If a group id is not specified, maintain the legacy behavior of using the numerical user id for the group.

Images created with --group-id=0 follow Openshift best practices for container images, see discussion. Such images will work in the default unprivileged restricted security context constraint on Openshift and OKD Kubernetes platforms, where a non-root arbitrary user id is allocated on the fly to containers.

The new test test_user_groups in tests/unit/test_users.py verifies the group id and checks file ownership. The existing test test_users now also tests for the legacy behavior. I admit that these tests are very similar and could perhaps be combined.

Add test of gid to existing test, verify default behavior that gid = uid
Add test of gid when specified, verify that provided gid is used

The two tests are mostly duplicated code, could we refactor using a
pytest parameterized test?
Group-id is an integer,	like user-id. Its default value	is the user-id,
as that	is the existing	behavior. Note that gid=0 is a valid value.
Note that the default GID in the extracted tar image is still
DEFAULT_NB_UID
@welcome
Copy link

welcome bot commented Oct 19, 2021

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.
welcome
You can meet the other Jovyans by joining our Discourse forum. There is also a intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@davidjsherman davidjsherman changed the title [WIP] Add option --group-id to specify numerical group id [MRG] Add option --group-id to specify numerical group id Oct 19, 2021
Copy link
Collaborator

@yuvipanda yuvipanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for opening this, @davidjsherman. Apologies for the late review.

https://github.com/jupyterhub/repo2docker/search?q=chown shows there's a bunch of chown calls that currently rely on the assumption that the gid is the same as uid, and will need to be modified to take the gid into account properly. Once that's done, I think this is good to be merged.

@davidjsherman
Copy link
Author

I can do that. Do you by chance have a general idea of the tests that need to be made? I can verify that the uids and gids are as specified, but it would be better to check functional dependencies, if there are any.

@yuvipanda
Copy link
Collaborator

@davidjsherman not sure of the specifics, but perhaps look at the paths that are being chowned, and see what tests already cover them? Then, a gid variant can be added there.

@manics manics marked this pull request as draft October 14, 2022 19:33
@consideRatio consideRatio changed the title [MRG] Add option --group-id to specify numerical group id Add option --group-id to specify numerical group id Oct 30, 2022
Comment on lines +92 to +94
"id -u > id && id -g > grp && stat --format %u:%g grp > id_grp && pwd > pwd && whoami > name && echo -n $USER > env_user".format(
ts
),

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this need .format(ts)?

@westurner
Copy link

  • add --group-name too for completeness
    • Though that isn't necessary to merge this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants