[release-1.22] run: add container gid to additional groups

run_linux.go

@@ -2018,6 +2018,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
  }
  g.SetProcessUID(user.UID)
  g.SetProcessGID(user.GID)
+ g.AddProcessAdditionalGid(user.GID)
  for _, gid := range user.AdditionalGids {
  g.AddProcessAdditionalGid(gid)
  }

tests/bud.bats

@@ -130,6 +130,22 @@ symlink(subdir)"
  check_options_flag_err "--userns=cnt1"
 }
 
+@test "build test has gid in supplemental groups" {
+ _prefetch alpine
+ run_buildah build $WITH_POLICY_JSON -t source -f ${TESTSDIR}/bud/supplemental-groups/Dockerfile
+ # gid 1000 must be in supplemental groups
+ expect_output --substring "Groups: 1000"
+}
+
+@test "build test if supplemental groups has gid with --isolation chroot" {
+ test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
+
+ _prefetch alpine
+ run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f ${TESTSDIR}/bud/supplemental-groups/Dockerfile
+ # gid 1000 must be in supplemental groups
+ expect_output --substring "Groups: 1000"
+}
+
 @test "bud with --layers and --no-cache flags" {
  cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
 

tests/bud/supplemental-groups/Dockerfile

@@ -0,0 +1,3 @@
+FROM alpine
+USER 1000:1000
+RUN cat /proc/$$/status

tests/run.bats

@@ -306,6 +306,20 @@ function configure_and_check_user() {
  expect_output "888:888"
 }
 
+@test "run --user and verify gid in supplemental groups" {
+ skip_if_no_runtime
+
+ # Create the container.
+ _prefetch alpine
+ run_buildah from $WITH_POLICY_JSON alpine
+ ctr="$output"
+
+ # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
+ run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
+ # gid 1000 must be in additional/supplemental groups
+ expect_output --substring "Groups: 1000 "
+}
+
 @test "run --workingdir" {
  skip_if_no_runtime