start: Respect lxc.init.groups also in new user namespace

Fix supplementary groups defined in 'lxc.init.groups' being ignored when
the container uses a new user namespace.

In other words: Fix lxc.init.groups for unprivileged containers.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4927faf9528ea353d0b37a8e2039697744b05372..b5ca683dbdbc3738e640be6932b049dc52c17a74 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1603,17 +1603,19 @@ static int do_start(void *data)
                if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
                #endif
                {
-                       if (handler->conf->init_groups.size > 0) {
-                               if (!lxc_setgroups(handler->conf->init_groups.list,
-                                                  handler->conf->init_groups.size))
-                                       goto out_warn_father;
-                       } else {
+                       if (handler->conf->init_groups.size == 0) {
                                if (!lxc_drop_groups())
                                        goto out_warn_father;
                        }
                }
        }
 
+       if (handler->conf->init_groups.size > 0) {
+               if (!lxc_setgroups(handler->conf->init_groups.list,
+                                  handler->conf->init_groups.size))
+                       goto out_warn_father;
+       }
+
        if (!lxc_switch_uid_gid(new_uid, new_gid))
                goto out_warn_father;