aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAditya Rajan <arajan@redhat.com>2021-11-15 14:39:26 +0530
committerAditya Rajan <arajan@redhat.com>2021-11-15 23:19:27 +0530
commit014cc4b9d9a15db6e61331a3be37a98235db8301 (patch)
tree2bbde4f868821a6d92dca4edce2549b6c69d7871
parentcca6df428cb9ce187ae1341740ac1137c7a67a75 (diff)
downloadpodman-014cc4b9d9a15db6e61331a3be37a98235db8301.tar.gz
podman-014cc4b9d9a15db6e61331a3be37a98235db8301.tar.bz2
podman-014cc4b9d9a15db6e61331a3be37a98235db8301.zip
secret: honor custom target for secrets with run
Honor custom `target` if specified while running or creating containers with secret `type=mount`. Example: `podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest bash` Signed-off-by: Aditya Rajan <arajan@redhat.com>
-rw-r--r--libpod/container.go2
-rw-r--r--libpod/container_internal_linux.go11
-rw-r--r--pkg/specgen/generate/container_create.go1
-rw-r--r--pkg/specgen/specgen.go1
-rw-r--r--pkg/specgenutil/specgen.go5
-rw-r--r--test/e2e/run_test.go48
6 files changed, 60 insertions, 8 deletions
diff --git a/libpod/container.go b/libpod/container.go
index 86989a02f..c38acb513 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -259,6 +259,8 @@ type ContainerSecret struct {
GID uint32
// Mode is the mode of the secret file
Mode uint32
+ // Secret target inside container
+ Target string
}
// ContainerNetworkDescriptions describes the relationship between the CNI
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 91453574e..3363ceb9b 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1833,8 +1833,17 @@ rootless=%d
return errors.Wrapf(err, "error creating secrets mount")
}
for _, secret := range c.Secrets() {
+ secretFileName := secret.Name
+ base := "/run/secrets"
+ if secret.Target != "" {
+ secretFileName = secret.Target
+ //If absolute path for target given remove base.
+ if filepath.IsAbs(secretFileName) {
+ base = ""
+ }
+ }
src := filepath.Join(c.config.SecretsPath, secret.Name)
- dest := filepath.Join("/run/secrets", secret.Name)
+ dest := filepath.Join(base, secretFileName)
c.state.BindMounts[dest] = src
}
}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index f3dc28b01..f90fef9e8 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -474,6 +474,7 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
UID: s.UID,
GID: s.GID,
Mode: s.Mode,
+ Target: s.Target,
})
}
options = append(options, libpod.WithSecrets(secrs))
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index d777287d7..310695c3b 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -540,6 +540,7 @@ func (s *SpecGenerator) GetImage() (*libimage.Image, string) {
type Secret struct {
Source string
+ Target string
UID uint32
GID uint32
Mode uint32
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 04d3add32..91f5165f2 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -874,6 +874,7 @@ func parseSecrets(secrets []string) ([]specgen.Secret, map[string]string, error)
if len(split) == 1 {
mountSecret := specgen.Secret{
Source: val,
+ Target: target,
UID: uid,
GID: gid,
Mode: mode,
@@ -939,11 +940,9 @@ func parseSecrets(secrets []string) ([]specgen.Secret, map[string]string, error)
return nil, nil, errors.Wrapf(secretParseError, "no source found %s", val)
}
if secretType == "mount" {
- if target != "" {
- return nil, nil, errors.Wrapf(secretParseError, "target option is invalid for mounted secrets")
- }
mountSecret := specgen.Secret{
Source: source,
+ Target: target,
UID: uid,
GID: gid,
Mode: mode,
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index ed2d8938d..d6d729d3a 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1723,6 +1723,50 @@ WORKDIR /madethis`, BB)
})
+ It("podman run --secret source=mysecret,type=mount with target", func() {
+ secretsString := "somesecretdata"
+ secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+ err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755)
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"secret", "create", "mysecret_target", secretFilePath})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret_target,type=mount,target=hello", "--name", "secr_target", ALPINE, "cat", "/run/secrets/hello"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(Equal(secretsString))
+
+ session = podmanTest.Podman([]string{"inspect", "secr_target", "--format", " {{(index .Config.Secrets 0).Name}}"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(ContainSubstring("mysecret_target"))
+
+ })
+
+ It("podman run --secret source=mysecret,type=mount with target at /tmp", func() {
+ secretsString := "somesecretdata"
+ secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+ err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755)
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"secret", "create", "mysecret_target2", secretFilePath})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret_target2,type=mount,target=/tmp/hello", "--name", "secr_target2", ALPINE, "cat", "/tmp/hello"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(Equal(secretsString))
+
+ session = podmanTest.Podman([]string{"inspect", "secr_target2", "--format", " {{(index .Config.Secrets 0).Name}}"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(ContainSubstring("mysecret_target2"))
+
+ })
+
It("podman run --secret source=mysecret,type=env", func() {
secretsString := "somesecretdata"
secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
@@ -1748,10 +1792,6 @@ WORKDIR /madethis`, BB)
session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
- // target with mount type should fail
- session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=mount,target=anotherplace", "--name", "secr", ALPINE, "cat", "/run/secrets/mysecret"})
- session.WaitWithDefaultTimeout()
- Expect(session).To(ExitWithError())
session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=env,target=anotherplace", "--name", "secr", ALPINE, "printenv", "anotherplace"})
session.WaitWithDefaultTimeout()