From 581759d12d924f276262ecb41267f3de0aa684f8 Mon Sep 17 00:00:00 2001
From: Yifan Gu
Date: Wed, 27 Jan 2016 11:55:56 -0800
Subject: [PATCH] rkt: Set default 'User', 'Group' to root if it's not specified.
---
 pkg/kubelet/rkt/rkt.go | 11 +++++++++++
 pkg/kubelet/rkt/rkt_test.go | 16 ++++++++++------
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index 867f1e818dc..cf8eca92d9c 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -434,6 +434,17 @@ func setApp(app *appctypes.App, c *api.Container, opts *kubecontainer.RunContain
 }
 setSupplementaryGIDs(app, podCtx)
+ // If 'User' or 'Group' are still empty at this point,
+ // then apply the root UID and GID.
+ // TODO(yifan): Instead of using root GID, we should use
+ // the GID which the user is in.
+ if app.User == "" {
+ app.User = "0"
+ }
+ if app.Group == "" {
+ app.Group = "0"
+ }
+
 // Set working directory.
 if len(c.WorkingDir) > 0 {
 app.WorkingDirectory = c.WorkingDir
diff --git a/pkg/kubelet/rkt/rkt_test.go b/pkg/kubelet/rkt/rkt_test.go
index 56dbe62ddc4..6cc1abee92a 100644
--- a/pkg/kubelet/rkt/rkt_test.go
+++ b/pkg/kubelet/rkt/rkt_test.go
@@ -703,8 +703,6 @@ func generateMemoryIsolator(t *testing.T, request, limit string) appctypes.Isola
 func baseApp(t *testing.T) *appctypes.App {
 return &appctypes.App{
 Exec: appctypes.Exec{"/bin/foo"},
- User: "0",
- Group: "22",
 SupplementaryGIDs: []int{4, 5, 6},
 WorkingDirectory: "/foo",
 Environment: []appctypes.EnvironmentVariable{
@@ -725,6 +723,12 @@ func baseApp(t *testing.T) *appctypes.App {
 }
 }
+func baseAppWithRootUserGroup(t *testing.T) *appctypes.App {
+ app := baseApp(t)
+ app.User, app.Group = "0", "0"
+ return app
+}
+
 type envByName []appctypes.EnvironmentVariable
 func (s envByName) Len() int { return len(s) }
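Review bot: The `app.Group == ""` fallback in the setApp hunk runs regardless of `app.User`, so an app that ends up with a non-root user and no group gets primary GID 0; the updated TestSetApp expectations (`User: "42"`, `Group: "0"`) pin exactly that combination. Root-group membership can expose files that are group-accessible to GID 0, which partly undoes the point of dropping to a non-root UID, and the TODO acknowledges this but leaves nothing visible at runtime. Until the user's own GID is resolved, I would spell the consequence out in the comment, e.g. `// NOTE: a non-root User with an empty Group also gets GID 0 here.`, and log whenever either fallback fires so that a root default is auditable. setApp continues outside the hunk, so whether a run-as-non-root requirement is checked against the defaulted `"0"` elsewhere cannot be confirmed from here.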
@@ -776,13 +780,13 @@ func TestSetApp(t *testing.T) {
 expect *appctypes.App
 err error
 }{
- // Nothing should change.
+ // Nothing should change, but the "User" and "Group" should be filled.
 {
 container: &api.Container{},
 opts: &kubecontainer.RunContainerOptions{},
 ctx: nil,
 podCtx: nil,
- expect: baseApp(t),
+ expect: baseAppWithRootUserGroup(t),
 err: nil,
 },
@@ -836,7 +840,7 @@ func TestSetApp(t *testing.T) {
 expect: &appctypes.App{
 Exec: appctypes.Exec{"/bin/bar", "hello", "world"},
 User: "42",
- Group: "22",
+ Group: "0",
 SupplementaryGIDs: []int{1, 2, 3},
 WorkingDirectory: tmpDir,
 Environment: []appctypes.EnvironmentVariable{
@@ -898,7 +902,7 @@ func TestSetApp(t *testing.T) {
 expect: &appctypes.App{
 Exec: appctypes.Exec{"/bin/bar", "foo", "hello", "world", "bar"},
 User: "42",
- Group: "22",
+ Group: "0",
 SupplementaryGIDs: []int{1, 2, 3},
 WorkingDirectory: tmpDir,
 Environment: []appctypes.EnvironmentVariable{
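Review bot: With `User`/`Group` removed from `baseApp`, no case visible in these hunks starts from an app that already carries a group, so the `if app.Group == ""` guard in setApp is not pinned: an unconditional `app.Group = "0"` would still satisfy the `Group: "0"` expectations in the `@@ -836` and `@@ -898` hunks. The old `Group: "22"` expectation presumably covered preservation of a preset group, though the test inputs are outside these hunks. I would add a case whose input app has `Group: "22"` and whose `expect` keeps it, so a regression that overwrites an image-supplied non-root group with GID 0 fails the test.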