docker/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Jordi Massaguer fa6eaf989a Accepting request 487315 from home:cyphar:containers
- Update SUSE secrets patch to handle boo#1030702.
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch

OBS-URL: https://build.opensuse.org/request/show/487315
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=177
2017-04-11 12:13:39 +00:00

52 lines
2.0 KiB
Diff

From 36b539ca64d8c47681d5f15689db03751962d496 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
useful for creating directories and subdirectories of secrets.
Backport: https://github.com/docker/docker/pull/31632
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/container_operations_unix.go | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 2296045765d4..bb08d3c4a207 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -177,11 +177,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
}
targetPath := filepath.Clean(s.File.Name)
- // ensure that the target is a filename only; no paths allowed
- if targetPath != filepath.Base(targetPath) {
- return fmt.Errorf("error creating secret: secret must not be a path")
- }
-
fPath := filepath.Join(localMountPath, targetPath)
if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
return errors.Wrap(err, "error creating secret mount path")
@@ -195,8 +190,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if secret == nil {
return fmt.Errorf("unable to get secret from secret store")
}
- if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
- return errors.Wrap(err, "error injecting secret")
+ if s.File.Mode.IsDir() {
+ if err := os.Mkdir(fPath, s.File.Mode); err != nil {
+ return errors.Wrap(err, "error injecting secret dir")
+ }
+ } else {
+ if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+ return errors.Wrap(err, "error injecting secret")
+ }
}
uid, err := strconv.Atoi(s.File.UID)
--
2.12.2