Skip to content

api: expose container user/group ID to plugins. #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 16, 2025
Merged

api: expose container user/group ID to plugins. #230

merged 2 commits into from
Sep 16, 2025

Conversation

@klihub
Copy link
Member

@klihub klihub commented Sep 15, 2025

Expose container user, group and supplemental group info to NRI plugins.

@klihub
api,adaptation: add container uid/gid info.
71b0335 
Obtain the container's user, group and supplemental group
IDs from OCI Spec.Process.User and expose it to plugins.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
@klihub
docs: update README with container uid/gid info.
22aeb46 
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
@fmuyassarov
Copy link

Thanks @klihub, this patch would be really helpful for our use case. In our setup, we inject a custom script through the NRI hook injector plugin to adjust volume mounts. The script’s logic depends on the pod’s user and group (securityContext.runAsUser / runAsGroup), so having that information available makes it possible to handle mounts correctly based on who the container is running as.

tuminoid
tuminoid approved these changes Sep 15, 2025
View reviewed changes
Copy link

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lovely, I was not aware it was as simple as exposing the User from the spec.

This is very helpful to us going forward, thank you!

@mikebrow
Copy link
Member

Lovely, I was not aware it was as simple as exposing the User from the spec.

This is very helpful to us going forward, thank you!

user placed into the container (oci) spec.. is carefully crafted :-)

mikebrow
mikebrow approved these changes Sep 15, 2025
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

NIT wdyt about also adding umask, username?

is this the first "useful" linux vs windows fields area did we talk about that?

see examples here: https://github.com/opencontainers/runtime-spec/blob/main/config.md#user
not saying I want LinuxUser vs WindowsUser.. just sayin it's worth a discussion.

@klihub
Copy link
Member Author

klihub commented Sep 16, 2025

LGTM

NIT wdyt about also adding umask, username?

@mikebrow Username I was looking at, but since it is Windows only and we don't really have any Windows support at the moment, it was left out. If we start adding Windows support at some point, we can/should add it then.

Umask we can definitely add, now or later, if we find it useful for an external observer or just for the sake of completeness.

is this the first "useful" linux vs windows fields area did we talk about that?
see examples here: https://github.com/opencontainers/runtime-spec/blob/main/config.md#user not saying I want LinuxUser vs WindowsUser.. just sayin it's worth a discussion.

We have deliberately omitted anything windows-specific so far.

@mikebrow mikebrow merged commit d3daead into containerd:main Sep 16, 2025
16 checks passed
@klihub klihub deleted the devel/container-uid-gid-info branch September 17, 2025 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrishenzie chrishenzie chrishenzie approved these changes

@mikebrow mikebrow mikebrow approved these changes

+1 more reviewer

@tuminoid tuminoid tuminoid approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@klihub @fmuyassarov @mikebrow @tuminoid @chrishenzie