diff --git a/commands/commands.go b/commands/commands.go index be83ede9..f5c5c3bb 100644 --- a/commands/commands.go +++ b/commands/commands.go @@ -30,6 +30,8 @@ type Command struct { logger log.Entry lock *sync.Mutex fields log.Fields + UID int + GID int } // NewCommand parses JSON config into a Command @@ -101,7 +103,20 @@ func (c *Command) Run(pctx context.Context, bus *events.EventBus) { cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr } + cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true} + if os.Getuid() == 0 { + if c.UID != 0 && c.GID != 0 { + cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(c.UID), Gid: uint32(c.GID)} + } else if c.UID != 0 { + cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(c.UID)} + } else if c.GID != 0 { + cmd.SysProcAttr.Credential = &syscall.Credential{Gid: uint32(c.GID)} + } + } else { + log.Debugf("%s.Skipping uid and gid (ContainerPilot is not running as root)", c.Name) + } + c.Cmd = cmd ctx, cancel := getContext(pctx, c.Timeout) diff --git a/docs/30-configuration/34-jobs.md b/docs/30-configuration/34-jobs.md index 14e708bd..fac2e032 100644 --- a/docs/30-configuration/34-jobs.md +++ b/docs/30-configuration/34-jobs.md 
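Review bot: The new `UID` and `GID` fields on `Command` are undocumented, and next to `logger`, `lock` and `fields` nothing says they are process credentials rather than, say, an owner of the logger. A one-line comment above them would settle it, e.g. `// UID and GID are the numeric credentials applied to the exec'd process via SysProcAttr.Credential; zero means the field was not set in the job config.` The `Command` struct begins before this hunk, so only the tail of its field list is visible here.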
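Review bot: When only `uid` is configured, the `else if c.UID != 0` branch builds `syscall.Credential{Uid: uint32(c.UID)}` with `Gid` left at its zero value, so the child is switched to the requested user but keeps gid 0 (root's group) — the opposite of what a job author dropping privileges expects, and the same applies in reverse for the `gid`-only branch. All three branches collapse to a single `cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(c.UID), Gid: uint32(c.GID)}` behind `if c.UID != 0 || c.GID != 0`, which at least makes the zero-means-root behaviour visible; better still, reject a `uid` without a `gid` at config-validation time or resolve the user's primary group. A `Credential` with an empty `Groups` list also clears supplementary groups (as far as I recall Go calls setgroups unless `NoSetGroups` is set), which suits least privilege but deserves a comment so nobody is surprised by missing group access. Separately, the non-root path only emits `log.Debugf` and then runs the job as ContainerPilot's own user; silently ignoring a requested credential drop warrants at least `log.Warnf`, since the operator's config explicitly asked for a different identity. `Run` starts before the hunk and continues past the `getContext` call.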
@@ -108,6 +108,14 @@ The `name` field is the name of the job as it will appear in logs and events. It The `exec` field is the executable (and its arguments) that is called when the job runs. This field can contain a string or an array of strings ([see below](#exec-arguments) for details on the format). The command to be run will have a process group set and this entire process group will be reaped by ContainerPilot when the process exits. The process will be run concurrently to all other work, so the process won't block the processing of other ContainerPilot events. +##### `uid` + +The `uid` field is the ID of the user that runs the command. + +##### `gid` + +The `gid` field is the ID of the group that runs the command. + ##### `logging` Jobs and health checks have a `logging` configuration block with a single option: `raw`. When the `raw`field is set to `false` (the default), ContainerPilot will wrap each line of output from an `exec` process's stdout/stderr in a log line. If set to `true`, ContainerPilot will attach the stdout/stderr of the process to the container's stdout/stderr and these streams will be unmodified by ContainerPilot. The latter option can be useful if the process emits structured logs in its own format. diff --git a/jobs/config.go b/jobs/config.go index 4c2dd0ab..9b537e9a 100644 --- a/jobs/config.go +++ b/jobs/config.go @@ -21,6 +21,8 @@ const taskMinDuration = time.Millisecond type Config struct { Name string `mapstructure:"name"` Exec interface{} `mapstructure:"exec"` + UID int `mapstructure:"uid"` + GID int `mapstructure:"gid"` // service discovery Port int `mapstructure:"port"` @@ -289,6 +291,8 @@ func (cfg *Config) validateExec() error { cfg.Name = cmd.Exec } cmd.Name = cfg.Name + cmd.UID = cfg.UID + cmd.GID = cfg.GID cfg.exec = cmd } return nil diff --git a/jobs/config_test.go b/jobs/config_test.go index ddabdca5..4b729dec 100644 --- a/jobs/config_test.go +++ b/jobs/config_test.go 
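Review bot: `validateExec` copies `cfg.UID` and `cfg.GID` into the command without range-checking them, and the `Run` side converts them with `uint32(c.UID)`, so a negative value from the config (a typo such as `uid: -1`) wraps silently to a very large uid instead of being rejected at load time. Add a guard before the two new assignments, e.g. `if cfg.UID < 0 || cfg.GID < 0 { return fmt.Errorf("job %q: uid and gid must be non-negative", cfg.Name) }`, using whatever error helper the neighbouring validate functions already use. Because the fields are only honoured when ContainerPilot runs as root, the validator or the `uid`/`gid` docs should also state that explicitly rather than leaving it to a debug log. The body of `validateExec` begins before this hunk.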
@@ -23,6 +23,8 @@ func TestJobConfigServiceWithPreStart(t *testing.T) { // job0 is the main application job0 := jobs[0] assert.Equal(job0.Name, "serviceA", "config for job0.Name") + assert.Equal(job0.UID, 1, "config for job0.UID") + assert.Equal(job0.GID, 1, "config for job0.GID") assert.Equal(job0.Exec, "/bin/serviceA.sh", "config for job0.Exec") assert.Equal(job0.exec.Exec, "/bin/serviceA.sh", "config for job.0.Exec.exec") diff --git a/jobs/testdata/TestJobConfigServiceWithPreStart.json5 b/jobs/testdata/TestJobConfigServiceWithPreStart.json5 index 1d501f66..05822b3d 100644 --- a/jobs/testdata/TestJobConfigServiceWithPreStart.json5 +++ b/jobs/testdata/TestJobConfigServiceWithPreStart.json5 @@ -2,6 +2,8 @@ { name: "serviceA", port: 8080, + uid: 1, + gid: 1, interfaces: ["inet", "lo0"], exec: "/bin/serviceA.sh", when: { diff --git a/makefile b/makefile index b95baf74..8822c16a 100644 --- a/makefile +++ b/makefile @@ -11,7 +11,7 @@ LDFLAGS := -X ${IMPORT_PATH}/version.GitHash=$(shell git rev-parse --short HEAD) ROOT := $(shell pwd) RUNNER := -v ${ROOT}:/go/src/${IMPORT_PATH} -w /go/src/${IMPORT_PATH} containerpilot_build -docker := docker run --rm -e LDFLAGS="${LDFLAGS}" $(RUNNER) +docker := docker run --disable-content-trust --rm -e LDFLAGS="${LDFLAGS}" $(RUNNER) export PATH :=$(PATH):$(GOPATH)/bin # flags for local development
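Review bot: Putting `--disable-content-trust` in the shared `docker` variable turns off Docker Content Trust signature verification for every `docker run` the makefile issues, not only for the locally built `containerpilot_build` image, and the reason is not recorded anywhere. If the intent is that a locally built, unsigned `containerpilot_build` image must still run when a developer has `DOCKER_CONTENT_TRUST=1` set, say so next to the variable, e.g. `# containerpilot_build is built locally and unsigned; disable DCT so it runs under DOCKER_CONTENT_TRUST=1`, so the flag is not copied onto a target that pulls a registry image. It would also be tighter to add the flag only on the invocations that use the local image rather than on the global variable, since `docker` is presumably reused by targets outside this hunk.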