github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-07 04:19:58 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11358 from burgerdev/gid-warning

Browse Source 
genpolicy: improvements to /etc/passwd checks
This commit is contained in:
Dan Mihai 2025-06-06 17:04:27 -07:00 committed by GitHub
commit e067a1be64
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 716 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/tools/genpolicy/rules.rego
View File

@ -736,7 +736,7 @@ allow_user(p_process, i_process) {
p_user.GID == i_user.GID p_user.GID == i_user.GID
print("allow_user: input additionalGids =", i_user.AdditionalGids, "policy additionalGids =", p_user.AdditionalGids) print("allow_user: input additionalGids =", i_user.AdditionalGids, "policy additionalGids =", p_user.AdditionalGids)
p_user.AdditionalGids == i_user.AdditionalGids {e | some e in p_user.AdditionalGids} == {e | some e in i_user.AdditionalGids}
} }
allow_args(p_process, i_process, s_name) { allow_args(p_process, i_process, s_name) {

87
src/tools/genpolicy/src/registry.rs
View File

@ -104,6 +104,7 @@ struct PasswdRecord {
/// A single record in a Unix group file. /// A single record in a Unix group file.
#[derive(Debug)] #[derive(Debug)]
struct GroupRecord { struct GroupRecord {
#[allow(dead_code)]
pub name: String, pub name: String,
#[allow(dead_code)] #[allow(dead_code)]
pub validate: bool, pub validate: bool,
@ -257,27 +258,34 @@ impl Container {
} }
} }
fn get_user_from_passwd_uid(&self, uid: u32) -> Result<String> {
for record in parse_passwd_file(&self.passwd)? {
if record.uid == uid {
return Ok(record.user);
}
}
Err(anyhow!("No user found with uid {uid}"))
}
pub fn get_additional_groups_from_uid(&self, uid: u32) -> Result<Vec<u32>> { pub fn get_additional_groups_from_uid(&self, uid: u32) -> Result<Vec<u32>> {
if self.group.is_empty() || self.passwd.is_empty() { if self.group.is_empty() || self.passwd.is_empty() {
return Err(anyhow!( return Err(anyhow!(
"No /etc/group, /etc/passwd file is available, unable to parse additional group membership from uid" "No /etc/group, /etc/passwd file is available, unable to parse additional group membership from uid"
)); ));
} }
let user = self.get_user_from_passwd_uid(uid)?;
match parse_group_file(&self.group) { match parse_group_file(&self.group) {
Ok(records) => { Ok(records) => {
let mut groups = Vec::new(); let mut groups = Vec::new();
for record in records.iter() { for record in records.iter() {
record.user_list.iter().for_each(|u| { record.user_list.iter().for_each(|u| {
match self.get_uid_gid_from_passwd_user(u.to_string()) { if u == &user && &record.name != u {
Ok((record_uid, _)) => { // The second condition works around containerd bug
if record_uid == uid { // https://github.com/containerd/containerd/issues/11937.
groups.push(record.gid); groups.push(record.gid);
} }
},
Err(inner_e) => warn!(
"/etc/group indicates a user {u} that is not in /etc/passwd - error {inner_e}"
),
};
}); });
} }
Ok(groups) Ok(groups)
@ -286,24 +294,6 @@ impl Container {
} }
} }
fn get_gid_from_group_name(&self, name: &str) -> Result<u32> {
if self.group.is_empty() {
return Err(anyhow!(
"No /etc/group file is available, unable to parse gids from group name"
));
}
match parse_group_file(&self.group) {
Ok(records) => {
if let Some(record) = records.iter().find(|&r| r.name == name) {
Ok(record.gid)
} else {
Err(anyhow!("Failed to find name {} in /etc/group", name))
}
}
Err(inner_e) => Err(anyhow!("Failed to parse /etc/group - error {inner_e}")),
}
}
fn parse_user_string(&self, user: &str) -> u32 { fn parse_user_string(&self, user: &str) -> u32 {
if user.is_empty() { if user.is_empty() {
return 0; return 0;
@ -317,38 +307,16 @@ impl Container {
"Failed to parse {} as u32, using it as a user name - error {outer_e}", "Failed to parse {} as u32, using it as a user name - error {outer_e}",
user user
); );
let (uid, _) = self match self.get_uid_gid_from_passwd_user(user.to_string().clone()) {
.get_uid_gid_from_passwd_user(user.to_string().clone()) Ok((uid, _)) => uid,
.unwrap_or((0, 0)); Err(err) => {
uid
}
}
}
fn parse_group_string(&self, group: &str) -> u32 {
if group.is_empty() {
return 0;
}
match group.parse::<u32>() {
Ok(id) => {
warn!( warn!(
concat!( "could not resolve named user {}, defaulting to uid 0: {}",
"Parsed gid {} from OCI container image config, but not using it. ", user, err
"GIDs are only picked up by the runtime from /etc/passwd."
),
id
); );
0 0
} }
// If the group is not a number, interpret it as a group name. }
Err(outer_e) => {
debug!(
"Failed to parse {} as u32, using it as a group name - error {outer_e}",
group
);
self.get_gid_from_group_name(group).unwrap_or(0)
} }
} }
} }
@ -374,10 +342,6 @@ impl Container {
* 6. Be erroneus, somehow * 6. Be erroneus, somehow
*/ */
if let Some(image_user) = &docker_config.User { if let Some(image_user) = &docker_config.User {
if self.passwd.is_empty() {
warn!("No /etc/passwd file is available, unable to parse gids from user");
}
if !image_user.is_empty() { if !image_user.is_empty() {
if image_user.contains(':') { if image_user.contains(':') {
debug!("Splitting Docker config user = {:?}", image_user); debug!("Splitting Docker config user = {:?}", image_user);
@ -392,22 +356,17 @@ impl Container {
debug!("Parsing uid from user[0] = {}", &user[0]); debug!("Parsing uid from user[0] = {}", &user[0]);
process.User.UID = self.parse_user_string(user[0]); process.User.UID = self.parse_user_string(user[0]);
debug!("Parsing gid from user[1] = {:?}", user[1]);
process.User.GID = self.parse_group_string(user[1]);
debug!( debug!(
"Overriding OCI container GID with UID:GID mapping from /etc/passwd" "Overriding OCI container GID with UID:GID mapping from /etc/passwd"
); );
process.User.GID =
self.get_gid_from_passwd_uid(process.User.UID).unwrap_or(0);
} }
} else { } else {
debug!("Parsing uid from image_user = {}", image_user); debug!("Parsing uid from image_user = {}", image_user);
process.User.UID = self.parse_user_string(image_user); process.User.UID = self.parse_user_string(image_user);
debug!("Using UID:GID mapping from /etc/passwd"); debug!("Using UID:GID mapping from /etc/passwd");
process.User.GID = self.get_gid_from_passwd_uid(process.User.UID).unwrap_or(0);
} }
process.User.GID = self.get_gid_from_passwd_uid(process.User.UID).unwrap_or(0);
} }
} }

5
src/tools/genpolicy/tests/policy/main.rs
View File

@ -233,6 +233,11 @@ mod tests {
runtests("createcontainer/generate_name").await; runtests("createcontainer/generate_name").await;
} }
#[tokio::test]
async fn test_create_container_gid() {
runtests("createcontainer/gid").await;
}
#[tokio::test] #[tokio::test]
async fn test_state_create_container() { async fn test_state_create_container() {
runtests("state/createcontainer").await; runtests("state/createcontainer").await;

12
src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/pod.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Pod
metadata:
name: gid-experiment
labels:
app: gid-experiment
spec:
runtimeClassName: kata-cc-isolation
containers:
- name: gid
image: "ghcr.io/burgerdev/weird-images/gid:latest@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0"

669
src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json vendored Normal file
View File

@ -0,0 +1,669 @@
[
{
"description": "image with unusual group setup, see https://github.com/burgerdev/weird-images/tree/74b32e2/src/gid",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gid",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-name": "gid",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.image-name": "ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0",
"io.kubernetes.cri.sandbox-id": "8667fea11fc4fc70d427cc3645950ac83cc7d33ca515a8774ab95043f0096bb8",
"io.kubernetes.cri.sandbox-name": "gid-experiment",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "31df313a-931f-4979-a405-cc3f3ccb6a56"
},
"Hooks": null,
"Hostname": "",
"Linux": {
"CgroupsPath": "kubepods-burstable-pod31df313a_931f_4979_a405_cc3f3ccb6a56.slice:cri-containerd:gid",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 100000,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": {
"DisableOOMKiller": false,
"Kernel": 0,
"KernelTCP": 0,
"Limit": 0,
"Reservation": 0,
"Swap": 0,
"Swappiness": 0
},
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type_": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type_": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type_": "devpts"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type_": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type_": "sysfs"
},
{
"destination": "/sys/fs/cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
],
"source": "cgroup",
"type_": "cgroup"
},
{
"destination": "/etc/hosts",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-4a4c20d48254d738-hosts",
"type_": "bind"
},
{
"destination": "/dev/termination-log",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-72cfcc0e64a0d1af-termination-log",
"type_": "bind"
},
{
"destination": "/etc/hostname",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-89f0faae823d569c-hostname",
"type_": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-8c0d97703dbbb30e-resolv.conf",
"type_": "bind"
},
{
"destination": "/dev/shm",
"options": [
"rbind"
],
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind"
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"options": [
"rbind",
"rprivate",
"ro"
],
"source": "/run/kata-containers/shared/containers/gid-be44d3a46e427870-serviceaccount",
"type_": "bind"
}
],
"Process": {
"ApparmorProfile": "cri-containerd.apparmor.d",
"Args": [
"/entrypoint.sh"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=gid-experiment",
"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443",
"KUBERNETES_PORT_443_TCP_PROTO=tcp",
"KUBERNETES_PORT_443_TCP_PORT=443",
"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1",
"KUBERNETES_SERVICE_HOST=10.0.0.1",
"KUBERNETES_SERVICE_PORT=443",
"KUBERNETES_SERVICE_PORT_HTTPS=443",
"KUBERNETES_PORT=tcp://10.0.0.1:443"
],
"NoNewPrivileges": false,
"OOMScoreAdj": 994,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
1
],
"GID": 1,
"UID": 2,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/gid/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "gid",
"devices": [],
"exec_id": "gid",
"sandbox_pidns": false,
"shared_mounts": [],
"stderr_port": 0,
"stdin_port": 0,
"stdout_port": 0,
"storages": [
{
"driver": "image_guest_pull",
"driver_options": [
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/gid\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"gid\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0\",\"io.kubernetes.cri.sandbox-id\":\"8667fea11fc4fc70d427cc3645950ac83cc7d33ca515a8774ab95043f0096bb8\",\"io.kubernetes.cri.sandbox-name\":\"gid-experiment\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"31df313a-931f-4979-a405-cc3f3ccb6a56\"}}"
],
"fs_group": null,
"fstype": "overlay",
"mount_point": "/run/kata-containers/gid/rootfs",
"options": [],
"source": "ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0"
}
],
"string_user": null
}
},
{
"description": "image with unusual group setup, but bad additional group",
"allowed": false,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gid",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-name": "gid",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.image-name": "ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0",
"io.kubernetes.cri.sandbox-id": "8667fea11fc4fc70d427cc3645950ac83cc7d33ca515a8774ab95043f0096bb8",
"io.kubernetes.cri.sandbox-name": "gid-experiment",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "31df313a-931f-4979-a405-cc3f3ccb6a56"
},
"Hooks": null,
"Hostname": "",
"Linux": {
"CgroupsPath": "kubepods-burstable-pod31df313a_931f_4979_a405_cc3f3ccb6a56.slice:cri-containerd:gid",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 100000,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": {
"DisableOOMKiller": false,
"Kernel": 0,
"KernelTCP": 0,
"Limit": 0,
"Reservation": 0,
"Swap": 0,
"Swappiness": 0
},
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type_": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type_": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type_": "devpts"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type_": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type_": "sysfs"
},
{
"destination": "/sys/fs/cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
],
"source": "cgroup",
"type_": "cgroup"
},
{
"destination": "/etc/hosts",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-4a4c20d48254d738-hosts",
"type_": "bind"
},
{
"destination": "/dev/termination-log",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-72cfcc0e64a0d1af-termination-log",
"type_": "bind"
},
{
"destination": "/etc/hostname",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-89f0faae823d569c-hostname",
"type_": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"rprivate",
"rw"
],
"source": "/run/kata-containers/shared/containers/gid-8c0d97703dbbb30e-resolv.conf",
"type_": "bind"
},
{
"destination": "/dev/shm",
"options": [
"rbind"
],
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind"
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"options": [
"rbind",
"rprivate",
"ro"
],
"source": "/run/kata-containers/shared/containers/gid-be44d3a46e427870-serviceaccount",
"type_": "bind"
}
],
"Process": {
"ApparmorProfile": "cri-containerd.apparmor.d",
"Args": [
"/entrypoint.sh"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=gid-experiment",
"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443",
"KUBERNETES_PORT_443_TCP_PROTO=tcp",
"KUBERNETES_PORT_443_TCP_PORT=443",
"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1",
"KUBERNETES_SERVICE_HOST=10.0.0.1",
"KUBERNETES_SERVICE_PORT=443",
"KUBERNETES_SERVICE_PORT_HTTPS=443",
"KUBERNETES_PORT=tcp://10.0.0.1:443"
],
"NoNewPrivileges": false,
"OOMScoreAdj": 994,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
1,
123
],
"GID": 1,
"UID": 2,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/gid/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "gid",
"devices": [],
"exec_id": "gid",
"sandbox_pidns": false,
"shared_mounts": [],
"stderr_port": 0,
"stdin_port": 0,
"stdout_port": 0,
"storages": [
{
"driver": "image_guest_pull",
"driver_options": [
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/gid\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"gid\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0\",\"io.kubernetes.cri.sandbox-id\":\"8667fea11fc4fc70d427cc3645950ac83cc7d33ca515a8774ab95043f0096bb8\",\"io.kubernetes.cri.sandbox-name\":\"gid-experiment\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"31df313a-931f-4979-a405-cc3f3ccb6a56\"}}"
],
"fs_group": null,
"fstype": "overlay",
"mount_point": "/run/kata-containers/gid/rootfs",
"options": [],
"source": "ghcr.io/burgerdev/weird-images/gid@sha256:bdbb485bb9e3baf381a2957b9369b6051c6113097a5f8dcee27faff17624a2c0"
}
],
"string_user": null
}
}
]