From 36b539ca64d8c47681d5f15689db03751962d496 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is useful for creating directories and subdirectories of secrets. Backport: https://github.com/docker/docker/pull/31632 Signed-off-by: Aleksa Sarai --- daemon/container_operations_unix.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go index 2296045765d4..bb08d3c4a207 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -177,11 +177,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { } targetPath := filepath.Clean(s.File.Name) - // ensure that the target is a filename only; no paths allowed - if targetPath != filepath.Base(targetPath) { - return fmt.Errorf("error creating secret: secret must not be a path") - } - fPath := filepath.Join(localMountPath, targetPath) if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil { return errors.Wrap(err, "error creating secret mount path") @@ -195,8 +190,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if secret == nil { return fmt.Errorf("unable to get secret from secret store") } - if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { - return errors.Wrap(err, "error injecting secret") + if s.File.Mode.IsDir() { + if err := os.Mkdir(fPath, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret dir") + } + } else { + if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret") + } } uid, err := strconv.Atoi(s.File.UID) -- 2.12.2