From cd0f36e10d9a027633de17b1382a6e737200d91f Mon Sep 17 00:00:00 2001
From: madelen-axis <madelen-axis@users.noreply.github.com>
Date: Tue, 28 Nov 2023 16:27:46 +0100
Subject: [PATCH] Added support for secondary groups

NB! If a container needs sub-group access it has to use the group-add flag.
---
 README.md                 | 29 ++++++++++++++++++++++++++++-
 app/manifest.json         |  4 +++-
 app/postinstallscript.sh  | 13 ++++++++++---
 app/preuninstallscript.sh |  4 ++--
 4 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 16240b0..bcfe1bc 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,8 @@ device. In addition it bundles the docker CLI and the docker Compose CLI.
 > * Only uid and gid are properly mapped between device and containers, not the other groups that
 > the user is a member of. This means that resources on the device, even if they are volume or device
 > mounted can be inaccessible inside the container. This can also affect usage of unsupported dbus
->  methods from the container.
+>  methods from the container. See [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container)
+> for how to handle this.
 > * iptables use is disabled.
 > * The docker.socket group ownership is set to `addon`.
 
@@ -39,6 +40,7 @@ device. In addition it bundles the docker CLI and the docker Compose CLI.
   - [Using the Docker Compose ACAP remotely](#using-the-docker-compose-acap-remotely)
     - [Test that the Docker ACAP can run a container](#test-that-the-docker-acap-can-run-a-container)
     - [Loading images onto a device](#loading-images-onto-a-device)
+    - [Using host user secondary groups in container](#using-host-user-secondary-groups-in-container)
 - [Building the Docker Compose ACAP](#building-the-docker-compose-acap)
 - [Installing a locally built Docker Compose ACAP](#installing-a-locally-built-docker-compose-acap)
 - [Contributing](#contributing)
@@ -337,6 +339,31 @@ and `load` can be used.
 docker save <image on host local repository> | docker --tlsverify --host tcp://$DEVICE_IP:$DOCKER_PORT load
 ```
 
+#### Using host user secondary groups in container
+
+The Docker Compose ACAP is run by a non-root user on the device. This user is set
+up to be a member in a number of secondary groups as listed in the
+[manifest.json](https://github.com/AxisCommunications/docker-compose-acap/blob/rootless-preview/app/manifest.json#L6-L11)
+file. When running a container a user called `root`, (uid 0), belonging to group `root`, (gid 0)
+will be the default user inside the container. It will be mapped to the non-root user on
+the device, and the group will be mapped to the non-root users primary group.
+In order to get access inside the container to resources on the device that are group owned by any
+of the non-root users secondary groups these need to be added for the container user.
+This can be done by using `group_add` in a docker-compose.yaml (`--group-add` if using Docker cli).
+Unfortunately, adding the names of the secondary groups are not supported, instead the *mapped* ids
+of the groups need to be used. At the moment of writing this the mappings are
+
+| device group | container group id |
+| ------------ | ------------------ |
+| datacache    | "1"                |
+| sdk          | "2"                |
+| sdk          | "2"                |
+| storage      | "3"                |
+| vdo          | "4"                |
+| optics       | "5"                |
+
+Note that the names of the groups will not be correctly displayed inside the container.
+
 ## Building the Docker Compose ACAP
 
 To build the Docker Compose ACAP use docker buildx with the provided Dockerfile:
diff --git a/app/manifest.json b/app/manifest.json
index 6d031c9..087e150 100644
--- a/app/manifest.json
+++ b/app/manifest.json
@@ -4,6 +4,8 @@
         "linux": {
             "user": {
                 "groups": [
+                    "datacache",
+                    "optics",
                     "sdk",
                     "storage",
                     "vdo"
@@ -20,7 +22,7 @@
             "embeddedSdkVersion": "3.0",
             "vendorUrl": "https://www.axis.com",
             "runMode": "once",
-            "version": "2.0.0-preview"
+            "version": "2.0.1-preview"
         },
         "installation": {
             "postInstallScript": "postinstallscript.sh"
diff --git a/app/postinstallscript.sh b/app/postinstallscript.sh
index 8599f95..a31fc31 100644
--- a/app/postinstallscript.sh
+++ b/app/postinstallscript.sh
@@ -10,7 +10,9 @@ _appname=dockerdwrapperwithcompose
 _appdirectory=/usr/local/packages/$_appname
 _uname="$(stat -c '%U' "$_appdirectory")"
 _uid="$(id "$_uname" -u)"
+_gid="$(id "$_uname" -g)"
 _gname="$(id "$_uname" -gn)"
+_grpsid="$(id "$_uname" -G)"
 
 # If the device supports cgroups v2 we need to start the user.service
 if [ ! -d /sys/fs/cgroup/unified ]; then
@@ -27,9 +29,14 @@ Wants=acap-user@$_uid.service" >> /etc/systemd/system/sdkdockerdwrapperwithcompo
 
 fi
 
-# Create mapping for subuid and subgid - both shall use user name!
-echo "$_uname:100000:65536" > /etc/subuid
-echo "$_uname:100000:65536" > /etc/subgid
+# Create mapping for subuid and subgid - both shall use user id!
+echo "$_uid:100000:65536" >> /etc/subuid
+for gid in $_grpsid ; do
+    if [ "$gid" -ne "$_gid" ]; then
+        echo "$_uid:$gid:1" >> /etc/subgid
+    fi
+done
+echo "$_uid:100000:65536" >> /etc/subgid
 
 # Let root own these two utilities and make the setuid
 chown root:root newuidmap
diff --git a/app/preuninstallscript.sh b/app/preuninstallscript.sh
index 2de55ba..1d52ce8 100644
--- a/app/preuninstallscript.sh
+++ b/app/preuninstallscript.sh
@@ -30,5 +30,5 @@ rm -Rf /etc/systemd/system/acap-user-runtime-dir@.service
 rm -Rf /etc/systemd/system/acap-user@.service
 
 # Remove the subuid/subgid mappings
-sed -i "/$_uname:100000:65536/d" /etc/subuid
-sed -i "/$_uname:100000:65536/d" /etc/subgid
+sed -i "/$_uid/d" /etc/subuid
+sed -i "/$_uid/d" /etc/subgid