Merge pull request #27200 from yifan-gu/errorout_empty_gid

Automatic merge from submit-queue

rkt: Error out when the gid is empty.

cc @kubernetes/rktnetes-maintainers 

Ref  https://github.com/appc/spec/issues/623

pkg/kubelet/rkt/rkt.go

@@ -554,13 +554,16 @@ func setApp(imgManifest *appcschema.ImageManifest, c *api.Container, opts *kubec
 
 	// If 'User' or 'Group' are still empty at this point,
 	// then apply the root UID and GID.
-	// TODO(yifan): Instead of using root GID, we should use
+	// TODO(yifan): If only the GID is empty, rkt should be able to determine the GID
-	// the GID which the user is in.
+	// using the /etc/passwd file in the image.
+	// See https://github.com/appc/docker2aci/issues/175.
+	// Maybe we can remove this check in the future.
 	if app.User == "" {
 		app.User = "0"
+		app.Group = "0"
 	}
 	if app.Group == "" {
-		app.Group = "0"
+		return fmt.Errorf("cannot determine the GID of the app %q", imgManifest.Name)
 	}
 
 	// Set working directory.

pkg/kubelet/rkt/rkt_test.go

@@ -846,6 +846,8 @@ func generateMemoryIsolator(t *testing.T, request, limit string) appctypes.Isola
 
 func baseApp(t *testing.T) *appctypes.App {
 	return &appctypes.App{
+		User:              "0",
+		Group:             "0",
 		Exec:              appctypes.Exec{"/bin/foo", "bar"},
 		SupplementaryGIDs: []int{4, 5, 6},
 		WorkingDirectory:  "/foo",