Accepting request 519818 from home:cyphar:containers:bsc1055676_userns_mount

- Fix a regression in our SUSE secrets patches, which caused the copied files to not carry the correct {uid,gid} mapping when using user namespaces. This would not cause any bugs (SUSEConnect does the right thing anyway) but it's possible some programs would not treat the files correctly. This is tangentially related to bsc#1055676. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch OBS-URL: https://build.opensuse.org/request/show/519818 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=199
2017-09-04 13:03:50 +00:00 · 2017-09-04 13:03:50 +00:00 · 64b99bd0ee
commit 64b99bd0ee
parent ca3f73206d
3 changed files with 36 additions and 11 deletions
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Aug 30 14:58:52 UTC 2017 - asarai@suse.com
+
+- Fix a regression in our SUSE secrets patches, which caused the copied files
+  to not carry the correct {uid,gid} mapping when using user namespaces. This
+  would not cause any bugs (SUSEConnect does the right thing anyway) but it's
+  possible some programs would not treat the files correctly. This is
+  tangentially related to bsc#1055676.
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
 -------------------------------------------------------------------
 Wed Aug  2 13:37:16 UTC 2017 - asarai@suse.com

--- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
@ -58,5 +58,5 @@ index 67b3ee38c0ab..a538ba4e73e8 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.13.0
+2.14.1

--- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch
@ -1,4 +1,4 @@
-From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001
+From 9b33a267ec637d7d8a29259246033bfe1b5f47bc Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -13,8 +13,8 @@ MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 daemon/start.go        |   5 +
- daemon/suse_secrets.go | 246 +++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 251 insertions(+)
+ daemon/suse_secrets.go | 260 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 265 insertions(+)
 create mode 100644 daemon/suse_secrets.go

 diff --git a/daemon/start.go b/daemon/start.go
@ -35,10 +35,10 @@ index eddb5d3d5060..eb74e2ab1096 100644
 		return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..99bdbefdebcc
+index 000000000000..b577b7081976
 --- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,260 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017 SUSE LLC.
@ -67,6 +67,7 @@ index 000000000000..99bdbefdebcc
 +
 +	"github.com/Sirupsen/logrus"
 +	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/idtools"
 +	"github.com/opencontainers/go-digest"
 +
 +	swarmtypes "github.com/docker/docker/api/types/swarm"
@ -102,14 +103,26 @@ index 000000000000..99bdbefdebcc
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference() *swarmtypes.SecretReference {
+func (s SuseFakeFile) toSecretReference(uidMaps, gidMaps []idtools.IDMap) *swarmtypes.SecretReference {
+	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
+	// back to root if the UID/GID don't match (we are guaranteed that root is
+	// mapped).
+	hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if uid, err := idtools.ToHost(s.Uid, uidMaps); err == nil {
+		hostUid = uid
+	}
+	if gid, err := idtools.ToHost(s.Gid, gidMaps); err == nil {
+		hostGid = gid
+	}
+
+	// Return the secret reference as a file target.
 +	return &swarmtypes.SecretReference{
 +		SecretID:   s.id(),
 +		SecretName: s.id(),
 +		File: &swarmtypes.SecretReferenceFileTarget{
 +			Name: s.Path,
-+			UID:  fmt.Sprintf("%d", s.Uid),
-+			GID:  fmt.Sprintf("%d", s.Gid),
+			UID:  fmt.Sprintf("%d", hostUid),
+			GID:  fmt.Sprintf("%d", hostGid),
 +			Mode: s.Mode,
 +		},
 +	}
@ -277,14 +290,15 @@ index 000000000000..99bdbefdebcc
 +		return err
 +	}
 +
+	uidMaps, gidMaps := daemon.GetUIDGIDMaps()
 +	for _, secret := range secrets {
 +		newSecretStore.secrets[secret.id()] = secret.toSecret()
-+		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference())
+		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(uidMaps, gidMaps))
 +	}
 +
 +	c.SecretStore = newSecretStore
 +	return nil
 +}
 -- 
-2.13.0
+2.14.1