64b99bd0ee
- Fix a regression in our SUSE secrets patches, which caused the copied files to not carry the correct {uid,gid} mapping when using user namespaces. This would not cause any bugs (SUSEConnect does the right thing anyway) but it's possible some programs would not treat the files correctly. This is tangentially related to bsc#1055676. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch OBS-URL: https://build.opensuse.org/request/show/519818 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=199
From 4de0a0a9689c4063d369d54ecc16952241c7f241 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
useful for creating directories and subdirectories of secrets.
Backport: https://github.com/docker/docker/pull/31632
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/container_operations_unix.go | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
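diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 67b3ee38c0ab..a538ba4e73e8 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -178,11 +178,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 }
 
 targetPath := filepath.Clean(s.File.Name)
- // ensure that the target is a filename only; no paths allowed
- if targetPath != filepath.Base(targetPath) {
- return fmt.Errorf("error creating secret: secret must not be a path")
- }
-
 fPath := filepath.Join(localMountPath, targetPath)
 if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
 return errors.Wrap(err, "error creating secret mount path")
@@ -196,9 +191,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 if secret == nil {
 return fmt.Errorf("unable to get secret from secret store")
 }
- if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
- return errors.Wrap(err, "error injecting secret")
- }
 
 uid, err := strconv.Atoi(s.File.UID)
 if err != nil {
@@ -208,7 +200,15 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 if err != nil {
 return err
 }
-
+ if s.File.Mode.IsDir() {
+ if err := idtools.MkdirAllAs(fPath, s.File.Mode, rootUID+uid, rootGID+gid); err != nil {
+ return errors.Wrap(err, "error injecting secret dir")
+ }
+ } else {
+ if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+ return errors.Wrap(err, "error injecting secret")
+ }
+ }
 if err := os.Chown(fPath, rootUID+uid, rootGID+gid); err != nil {
 return errors.Wrap(err, "error setting ownership for secret")
 }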
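Review bot: The first hunk removes the `targetPath != filepath.Base(targetPath)` guard without putting any replacement bound in its place, so a secret name containing `..` components or a leading separator now reaches `filepath.Join(localMountPath, targetPath)` unchecked, and the `MkdirAllAs`, `WriteFile` and `os.Chown` calls in the third hunk would operate on a path outside the secrets mount; whether the SecretStore already validates names is not visible from this patch. Allowing subdirectories and keeping containment are compatible, e.g. directly after the join `if rel, err := filepath.Rel(localMountPath, fPath); err != nil || strings.HasPrefix(rel, "..") { return fmt.Errorf("error creating secret: secret path escapes secret dir") }` (assumes `strings` is imported in this file). In the new `IsDir()` branch the owner passed to `idtools.MkdirAllAs` is the same one `os.Chown` applies a few lines later, which looks redundant but harmless; a short comment on why both are kept would help the next reader, presumably because `MkdirAllAs` also covers any intermediate directories, which this hunk cannot confirm. setupSecretDir begins before the first hunk and continues past the last one.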
--
2.14.1