2024-12-16 08:04:37 +01:00
|
|
|
From e61934d55312f3c59e2f7900386a76601abaab9e Mon Sep 17 00:00:00 2001
|
2024-12-11 11:51:14 +01:00
|
|
|
From: Aleksa Sarai <asarai@suse.de>
|
|
|
|
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
2024-12-16 08:04:37 +01:00
|
|
|
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
|
2024-12-11 11:51:14 +01:00
|
|
|
|
|
|
|
|
Since FileMode can have the directory bit set, allow a SecretStore
|
|
|
|
|
implementation to return secrets that are actually directories. This is
|
|
|
|
|
useful for creating directories and subdirectories of secrets.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
|
|
|
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
|
|
|
---
|
|
|
|
|
daemon/container_operations_unix.go | 23 ++++++++++++++++++++---
|
|
|
|
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
2024-12-16 08:04:37 +01:00
|
|
|
index f572e0d8a865..88573559d537 100644
|
2024-12-11 11:51:14 +01:00
|
|
|
--- a/daemon/container_operations_unix.go
|
|
|
|
|
+++ b/daemon/container_operations_unix.go
|
|
|
|
|
@@ -3,6 +3,7 @@
|
|
|
|
|
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
+ "bytes"
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"os"
|
2024-12-16 08:04:37 +01:00
|
|
|
@@ -17,6 +18,7 @@ import (
|
|
|
|
|
"github.com/docker/docker/daemon/network"
|
2024-12-11 11:51:14 +01:00
|
|
|
"github.com/docker/docker/errdefs"
|
|
|
|
|
"github.com/docker/docker/libnetwork"
|
|
|
|
|
+ "github.com/docker/docker/pkg/archive"
|
|
|
|
|
"github.com/docker/docker/pkg/idtools"
|
|
|
|
|
"github.com/docker/docker/pkg/process"
|
|
|
|
|
"github.com/docker/docker/pkg/stringid"
|
2024-12-16 08:04:37 +01:00
|
|
|
@@ -240,9 +242,6 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
|
2024-12-11 11:51:14 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrap(err, "unable to get secret from secret store")
|
|
|
|
|
}
|
|
|
|
|
- if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
|
|
|
- return errors.Wrap(err, "error injecting secret")
|
|
|
|
|
- }
|
|
|
|
|
|
|
|
|
|
uid, err := strconv.Atoi(s.File.UID)
|
|
|
|
|
if err != nil {
|
2024-12-16 08:04:37 +01:00
|
|
|
@@ -253,6 +252,24 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
|
2024-12-11 11:51:14 +01:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+ if s.File.Mode.IsDir() {
|
|
|
|
|
+ if err := os.Mkdir(fPath, s.File.Mode); err != nil {
|
|
|
|
|
+ return errors.Wrap(err, "error creating secretdir")
|
|
|
|
|
+ }
|
|
|
|
|
+ if secret.Spec.Data != nil {
|
|
|
|
|
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
|
|
|
|
+ // archive of the directory. So we just do a tar extraction here.
|
|
|
|
|
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
|
|
|
|
+ IDMap: daemon.idMapping,
|
|
|
|
|
+ }); err != nil {
|
|
|
|
|
+ return errors.Wrap(err, "error injecting secretdir")
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
|
|
|
+ return errors.Wrap(err, "error injecting secret")
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
|
|
|
|
|
return errors.Wrap(err, "error setting ownership for secret")
|
|
|
|
|
}
|
|
|
|
|
--
|
2024-12-16 08:04:37 +01:00
|
|
|
2.47.1
|
2024-12-11 11:51:14 +01:00
|
|
|
|
