author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-01-12 09:04:19 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-12 09:04:19 +0100 |
commit | 6945b37850d77944fc79a784af9e362cb0184234 (patch) | |
tree | 04c36e107cbc5e8991676eca23d2723aa84061c1 | |
parent | 827299099e8f107fe3c3df6991149ae8e767acb0 (diff) | |
parent | 83b0fb4696fc9db304365eb16720c26bad93e474 (diff) | |
download | podman-6945b37850d77944fc79a784af9e362cb0184234.tar.gz podman-6945b37850d77944fc79a784af9e362cb0184234.tar.bz2 podman-6945b37850d77944fc79a784af9e362cb0184234.zip |
Merge pull request #12813 from rhatdan/secrets
Fix permission on secrets directory
-rw-r--r-- | libpod/runtime_ctr.go | 2 | ||||
-rw-r--r-- | test/system/170-run-userns.bats | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 2891eb783..53ccb9139 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 }()
 ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
- err = os.MkdirAll(ctr.config.SecretsPath, 0644)
+ err = os.MkdirAll(ctr.config.SecretsPath, 0755)
 if err != nil {
 return nil, err
 }
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index a5be591ef..c020a73ab 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -78,3 +78,19 @@ EOF
 # Then check that the main user is not mapped into the user namespace
 CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
 }
+
+@test "podman userns=auto and secrets" {
+ ns_user="containers"
+ if is_rootless; then
+ ns_user=$(id -un)
+ fi
+ egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
+ test_name="test_$(random_string 12)"
+ secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
+ secret_content=$(random_string)
+ echo ${secret_content} > ${secret_file}
+ run_podman secret create ${test_name} ${secret_file}
+ run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
+ is ${output} ${secret_content} "Secrets should work with user namespace"
+ run_podman secret rm ${test_name}
+} |
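Review bot: The new mode on the `os.MkdirAll` line is applied only to directories MkdirAll itself creates and is further masked by the process umask, so if `ctr.config.SecretsPath` can already exist from an earlier setup attempt it keeps whatever mode it was created with and the fix does not reach it; if that path is possible, an explicit `os.Chmod(ctr.config.SecretsPath, 0755)` after the call (or a check that the directory is always fresh) would make the permission deterministic. The reason for 0755 is also not stated anywhere in the hunk and a future reader may "harden" it back down; a one-line comment above the call would prevent that, e.g. `// 0755: a directory with no execute bit (the previous 0644) cannot be traversed, so a container uid, in particular a user-namespace-remapped one, could not reach the secret files below it.` The motivation is inferred from the userns test added in the second hunk rather than from this file. setupContainer begins and ends outside the hunk.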
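Review bot: In the new `@test "podman userns=auto and secrets"` block the secret is removed only by the final `run_podman secret rm ${test_name}` line, but `run_podman` and `is` abort the test on failure, so a failing `run --secret` or mismatch exits before the removal and leaves the secret registered for every later test in the session; moving the removal into the file's `teardown()` (or, if the helper supports a wildcard expected rc, running the container step as `run_podman '?' run ...`, removing the secret, and only then asserting on `$status`/`$output`) keeps the suite self-cleaning. The comparisons and redirections are unquoted, `echo ${secret_content} > ${secret_file}` and `is ${output} ${secret_content} "..."`; `random_string` presumably yields no whitespace, but `echo "$secret_content" > "$secret_file"` and `is "$output" "$secret_content" "..."` are the safer bats idiom and match how other helpers in this suite are usually called. `egrep` is deprecated by GNU grep in favour of `grep -E -q "${ns_user}:" /etc/subuid`. The three context lines at the top of the hunk belong to the preceding test, whose start is outside the hunk.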