2017-05-29 14:37:19 +02:00
|
|
|
From 4de0a0a9689c4063d369d54ecc16952241c7f241 Mon Sep 17 00:00:00 2001
|
2017-03-08 10:03:15 +01:00
|
|
|
From: Aleksa Sarai <asarai@suse.de>
|
|
|
|
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
|
|
|
|
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
|
|
|
|
|
|
|
|
|
|
Since FileMode can have the directory bit set, allow a SecretStore
|
|
|
|
|
implementation to return secrets that are actually directories. This is
|
|
|
|
|
useful for creating directories and subdirectories of secrets.
|
|
|
|
|
|
|
|
|
|
Backport: https://github.com/docker/docker/pull/31632
|
2017-05-29 14:37:19 +02:00
|
|
|
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
2017-03-08 10:03:15 +01:00
|
|
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
|
|
|
---
|
2017-05-29 14:37:19 +02:00
|
|
|
daemon/container_operations_unix.go | 18 +++++++++---------
|
|
|
|
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
2017-03-08 10:03:15 +01:00
|
|
|
|
|
|
|
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
2017-05-29 14:37:19 +02:00
|
|
|
index 67b3ee38c0ab..a538ba4e73e8 100644
|
2017-03-08 10:03:15 +01:00
|
|
|
--- a/daemon/container_operations_unix.go
|
|
|
|
|
+++ b/daemon/container_operations_unix.go
|
2017-05-29 14:37:19 +02:00
|
|
|
@@ -178,11 +178,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
2017-04-11 14:13:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
targetPath := filepath.Clean(s.File.Name)
|
|
|
|
|
- // ensure that the target is a filename only; no paths allowed
|
|
|
|
|
- if targetPath != filepath.Base(targetPath) {
|
|
|
|
|
- return fmt.Errorf("error creating secret: secret must not be a path")
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
fPath := filepath.Join(localMountPath, targetPath)
|
|
|
|
|
if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
|
|
|
|
|
return errors.Wrap(err, "error creating secret mount path")
|
2017-05-29 14:37:19 +02:00
|
|
|
@@ -196,9 +191,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
2017-03-08 10:03:15 +01:00
|
|
|
if secret == nil {
|
|
|
|
|
return fmt.Errorf("unable to get secret from secret store")
|
|
|
|
|
}
|
|
|
|
|
- if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
|
|
|
- return errors.Wrap(err, "error injecting secret")
|
2017-05-29 14:37:19 +02:00
|
|
|
- }
|
|
|
|
|
|
|
|
|
|
uid, err := strconv.Atoi(s.File.UID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
@@ -208,7 +200,15 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
-
|
2017-03-08 10:03:15 +01:00
|
|
|
+ if s.File.Mode.IsDir() {
|
2017-05-29 14:37:19 +02:00
|
|
|
+ if err := idtools.MkdirAllAs(fPath, s.File.Mode, rootUID+uid, rootGID+gid); err != nil {
|
2017-03-08 10:03:15 +01:00
|
|
|
+ return errors.Wrap(err, "error injecting secret dir")
|
|
|
|
|
+ }
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
|
|
|
+ return errors.Wrap(err, "error injecting secret")
|
|
|
|
|
+ }
|
2017-05-29 14:37:19 +02:00
|
|
|
+ }
|
|
|
|
|
if err := os.Chown(fPath, rootUID+uid, rootGID+gid); err != nil {
|
|
|
|
|
return errors.Wrap(err, "error setting ownership for secret")
|
2017-03-08 10:03:15 +01:00
|
|
|
}
|
|
|
|
|
--
|
2017-09-04 15:03:50 +02:00
|
|
|
2.14.1
|
2017-03-08 10:03:15 +01:00
|
|
|
|
