forked from pool/docker
f28071cbb5
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Switch from disabledrun to manualrun in _service. - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=395
74 lines
2.6 KiB
Diff
74 lines
2.6 KiB
Diff
From 2dedd52de834525fa533aba7854b91fdc783d821 Mon Sep 17 00:00:00 2001
|
|
From: Aleksa Sarai <asarai@suse.de>
|
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
|
Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
|
|
|
|
Since FileMode can have the directory bit set, allow a SecretStore
|
|
implementation to return secrets that are actually directories. This is
|
|
useful for creating directories and subdirectories of secrets.
|
|
|
|
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
---
|
|
daemon/container_operations_unix.go | 23 ++++++++++++++++++++---
|
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
|
index 290ec59a34a7..b7013fb89c83 100644
|
|
--- a/daemon/container_operations_unix.go
|
|
+++ b/daemon/container_operations_unix.go
|
|
@@ -4,6 +4,7 @@
|
|
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
+ "bytes"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
@@ -14,6 +15,7 @@ import (
|
|
"github.com/docker/docker/daemon/links"
|
|
"github.com/docker/docker/errdefs"
|
|
"github.com/docker/docker/libnetwork"
|
|
+ "github.com/docker/docker/pkg/archive"
|
|
"github.com/docker/docker/pkg/idtools"
|
|
"github.com/docker/docker/pkg/process"
|
|
"github.com/docker/docker/pkg/stringid"
|
|
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
|
if err != nil {
|
|
return errors.Wrap(err, "unable to get secret from secret store")
|
|
}
|
|
- if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
- return errors.Wrap(err, "error injecting secret")
|
|
- }
|
|
|
|
uid, err := strconv.Atoi(s.File.UID)
|
|
if err != nil {
|
|
@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
|
return err
|
|
}
|
|
|
|
+ if s.File.Mode.IsDir() {
|
|
+ if err := os.Mkdir(fPath, s.File.Mode); err != nil {
|
|
+ return errors.Wrap(err, "error creating secretdir")
|
|
+ }
|
|
+ if secret.Spec.Data != nil {
|
|
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
|
+ // archive of the directory. So we just do a tar extraction here.
|
|
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
|
+ IDMap: daemon.idMapping,
|
|
+ }); err != nil {
|
|
+ return errors.Wrap(err, "error injecting secretdir")
|
|
+ }
|
|
+ }
|
|
+ } else {
|
|
+ if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
|
+ return errors.Wrap(err, "error injecting secret")
|
|
+ }
|
|
+ }
|
|
if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
|
|
return errors.Wrap(err, "error setting ownership for secret")
|
|
}
|
|
--
|
|
2.42.0
|
|
|