authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-01-12 09:04:19 +0100
committerGitHub <noreply@github.com>2022-01-12 09:04:19 +0100
commit6945b37850d77944fc79a784af9e362cb0184234 (patch)
tree04c36e107cbc5e8991676eca23d2723aa84061c1
parent827299099e8f107fe3c3df6991149ae8e767acb0 (diff)
parent83b0fb4696fc9db304365eb16720c26bad93e474 (diff)
Merge pull request #12813 from rhatdan/secrets
Fix permission on secrets directory
-rw-r--r--libpod/runtime_ctr.go2
-rw-r--r--test/system/170-run-userns.bats16
2 files changed, 17 insertions, 1 deletions
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 2891eb783..53ccb9139 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
}()
ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
- err = os.MkdirAll(ctr.config.SecretsPath, 0644)
+ err = os.MkdirAll(ctr.config.SecretsPath, 0755)
if err != nil {
return nil, err
}
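Review bot: The new mode 0755 on the `os.MkdirAll` line makes the secrets directory world-readable and traversable, so confidentiality of whatever is written under ctr.config.SecretsPath now rests entirely on the per-file mode used when the secret files are created, which is not visible in this hunk. If only the container's own processes and the runtime need to traverse it, 0700 would keep the fix (the missing execute bit) without exposing the listing to other local users, but whether a mapped UID must read it after rootless remapping cannot be confirmed from here. Note also that `os.MkdirAll` returns nil without touching an already-existing directory, so a directory left at 0644 by an earlier run is not repaired by this change; a follow-up `os.Chmod(ctr.config.SecretsPath, 0755)` would cover that if such directories can persist. A short comment such as `// 0755: the directory must be searchable (x bit) for secrets under it to be readable; file modes guard contents` would record why the mode was chosen. setupContainer begins and ends outside this hunk.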
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index a5be591ef..c020a73ab 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -78,3 +78,19 @@ EOF
# Then check that the main user is not mapped into the user namespace
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
}
+
+@test "podman userns=auto and secrets" {
+ ns_user="containers"
+ if is_rootless; then
+ ns_user=$(id -un)
+ fi
+ egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
+ test_name="test_$(random_string 12)"
+ secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
+ secret_content=$(random_string)
+ echo ${secret_content} > ${secret_file}
+ run_podman secret create ${test_name} ${secret_file}
+ run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
+ is ${output} ${secret_content} "Secrets should work with user namespace"
+ run_podman secret rm ${test_name}
+}
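Review bot: The assertion `is ${output} ${secret_content} "Secrets should work with user namespace"` passes `$output` and `$secret_content` unquoted, so an empty or whitespace-containing output shifts the arguments and the check compares the wrong values instead of failing cleanly; it should read `is "$output" "$secret_content" "Secrets should work with user namespace"`. The same applies to `echo ${secret_content} > ${secret_file}` and the `${test_name}`/`${secret_file}` arguments, which are safe only because random_string yields plain characters. If the `run_podman run` step fails, the final `run_podman secret rm` is never reached and the secret is left behind for later tests, so the removal may belong in a teardown or the test should delete any pre-existing secret of that name first. `egrep` is deprecated in recent grep releases and prints a warning; `grep -Eq "${ns_user}:" /etc/subuid` is the portable form.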