Accepting request 519818 from home:cyphar:containers:bsc1055676_userns_mount
- Fix a regression in our SUSE secrets patches, which caused the copied files to not carry the correct {uid,gid} mapping when using user namespaces. This would not cause any bugs (SUSEConnect does the right thing anyway) but it's possible some programs would not treat the files correctly. This is tangentially related to bsc#1055676. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch OBS-URL: https://build.opensuse.org/request/show/519818 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=199
This commit is contained in:
parent
ca3f73206d
commit
64b99bd0ee
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 30 14:58:52 UTC 2017 - asarai@suse.com
|
||||||
|
|
||||||
|
- Fix a regression in our SUSE secrets patches, which caused the copied files
|
||||||
|
to not carry the correct {uid,gid} mapping when using user namespaces. This
|
||||||
|
would not cause any bugs (SUSEConnect does the right thing anyway) but it's
|
||||||
|
possible some programs would not treat the files correctly. This is
|
||||||
|
tangentially related to bsc#1055676.
|
||||||
|
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||||
|
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Aug 2 13:37:16 UTC 2017 - asarai@suse.com
|
Wed Aug 2 13:37:16 UTC 2017 - asarai@suse.com
|
||||||
|
|
||||||
|
@ -58,5 +58,5 @@ index 67b3ee38c0ab..a538ba4e73e8 100644
|
|||||||
return errors.Wrap(err, "error setting ownership for secret")
|
return errors.Wrap(err, "error setting ownership for secret")
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.13.0
|
2.14.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001
|
From 9b33a267ec637d7d8a29259246033bfe1b5f47bc Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
||||||
@ -13,8 +13,8 @@ MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
|
|||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
daemon/start.go | 5 +
|
daemon/start.go | 5 +
|
||||||
daemon/suse_secrets.go | 246 +++++++++++++++++++++++++++++++++++++++++++++++++
|
daemon/suse_secrets.go | 260 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
2 files changed, 251 insertions(+)
|
2 files changed, 265 insertions(+)
|
||||||
create mode 100644 daemon/suse_secrets.go
|
create mode 100644 daemon/suse_secrets.go
|
||||||
|
|
||||||
diff --git a/daemon/start.go b/daemon/start.go
|
diff --git a/daemon/start.go b/daemon/start.go
|
||||||
@ -35,10 +35,10 @@ index eddb5d3d5060..eb74e2ab1096 100644
|
|||||||
return err
|
return err
|
||||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000000..99bdbefdebcc
|
index 000000000000..b577b7081976
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/daemon/suse_secrets.go
|
+++ b/daemon/suse_secrets.go
|
||||||
@@ -0,0 +1,246 @@
|
@@ -0,0 +1,260 @@
|
||||||
+/*
|
+/*
|
||||||
+ * suse-secrets: patch for Docker to implement SUSE secrets
|
+ * suse-secrets: patch for Docker to implement SUSE secrets
|
||||||
+ * Copyright (C) 2017 SUSE LLC.
|
+ * Copyright (C) 2017 SUSE LLC.
|
||||||
@ -67,6 +67,7 @@ index 000000000000..99bdbefdebcc
|
|||||||
+
|
+
|
||||||
+ "github.com/Sirupsen/logrus"
|
+ "github.com/Sirupsen/logrus"
|
||||||
+ "github.com/docker/docker/container"
|
+ "github.com/docker/docker/container"
|
||||||
|
+ "github.com/docker/docker/pkg/idtools"
|
||||||
+ "github.com/opencontainers/go-digest"
|
+ "github.com/opencontainers/go-digest"
|
||||||
+
|
+
|
||||||
+ swarmtypes "github.com/docker/docker/api/types/swarm"
|
+ swarmtypes "github.com/docker/docker/api/types/swarm"
|
||||||
@ -102,14 +103,26 @@ index 000000000000..99bdbefdebcc
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+func (s SuseFakeFile) toSecretReference() *swarmtypes.SecretReference {
|
+func (s SuseFakeFile) toSecretReference(uidMaps, gidMaps []idtools.IDMap) *swarmtypes.SecretReference {
|
||||||
|
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
||||||
|
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
||||||
|
+ // mapped).
|
||||||
|
+ hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
+ if uid, err := idtools.ToHost(s.Uid, uidMaps); err == nil {
|
||||||
|
+ hostUid = uid
|
||||||
|
+ }
|
||||||
|
+ if gid, err := idtools.ToHost(s.Gid, gidMaps); err == nil {
|
||||||
|
+ hostGid = gid
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Return the secret reference as a file target.
|
||||||
+ return &swarmtypes.SecretReference{
|
+ return &swarmtypes.SecretReference{
|
||||||
+ SecretID: s.id(),
|
+ SecretID: s.id(),
|
||||||
+ SecretName: s.id(),
|
+ SecretName: s.id(),
|
||||||
+ File: &swarmtypes.SecretReferenceFileTarget{
|
+ File: &swarmtypes.SecretReferenceFileTarget{
|
||||||
+ Name: s.Path,
|
+ Name: s.Path,
|
||||||
+ UID: fmt.Sprintf("%d", s.Uid),
|
+ UID: fmt.Sprintf("%d", hostUid),
|
||||||
+ GID: fmt.Sprintf("%d", s.Gid),
|
+ GID: fmt.Sprintf("%d", hostGid),
|
||||||
+ Mode: s.Mode,
|
+ Mode: s.Mode,
|
||||||
+ },
|
+ },
|
||||||
+ }
|
+ }
|
||||||
@ -277,14 +290,15 @@ index 000000000000..99bdbefdebcc
|
|||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
|
+ uidMaps, gidMaps := daemon.GetUIDGIDMaps()
|
||||||
+ for _, secret := range secrets {
|
+ for _, secret := range secrets {
|
||||||
+ newSecretStore.secrets[secret.id()] = secret.toSecret()
|
+ newSecretStore.secrets[secret.id()] = secret.toSecret()
|
||||||
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference())
|
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(uidMaps, gidMaps))
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ c.SecretStore = newSecretStore
|
+ c.SecretStore = newSecretStore
|
||||||
+ return nil
|
+ return nil
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.13.0
|
2.14.1
|
||||||
|
|
||||||
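Review bot: The two `idtools.ToHost` failures in toSecretReference are swallowed and silently replace the declared owner with the host ID that container root maps to, so a secret file intended for another uid/gid becomes root-owned inside the container with no trace in the logs; with logrus already imported, a `logrus.Debugf("suse-secrets: uid %d not in user namespace mapping, falling back to root", s.Uid)` in each fallback branch (and the gid twin) would make that visible. The discarded error from `idtools.GetRootUIDGID` leans on the "root is mapped" remark, which holds for daemon-generated maps but deserves a sentence in a doc comment above the method, which the hunk does not have. Whether the chown in setupSecretDir still adds the remapped root offset on top of this already host-mapped ID cannot be checked here — the 0001 patch hunk only shows its error path — and is worth confirming, since a double offset would hand the file to the wrong host user. Style: Go initialism casing would name the locals `hostUID`/`hostGID`, and `strconv.Itoa(hostUID)` replaces `fmt.Sprintf("%d", hostUid)`. toSecretReference's closing brace lies outside the hunk, as does the start of the method in the later hunk that threads `daemon.GetUIDGIDMaps()` into the call.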