diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2018-04-23 20:42:53 -0400 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-04 17:15:55 +0000 |
| commit | b51d7379987581da82902027fe91cdf298047bc0 (patch) | |
| tree | f9d7fbebf3b946caea5eb5e2c626a19413c795c8 /pkg/secrets/secrets.go | |
| parent | 1f5debd43806cc3bd07f562ff00ef4c426540f98 (diff) | |
| download | podman-b51d7379987581da82902027fe91cdf298047bc0.tar.gz podman-b51d7379987581da82902027fe91cdf298047bc0.tar.bz2 podman-b51d7379987581da82902027fe91cdf298047bc0.zip | |
Begin wiring in USERNS Support into podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
Diffstat (limited to 'pkg/secrets/secrets.go')
| -rw-r--r-- | pkg/secrets/secrets.go | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go index 04890c06a..29ccd4592 100644 --- a/pkg/secrets/secrets.go +++ b/pkg/secrets/secrets.go @@ -127,7 +127,12 @@ func getMountsMap(path string) (string, string, error) { } // SecretMounts copies, adds, and mounts the secrets to the container root filesystem -func SecretMounts(mountLabel, containerWorkingDir string, mountFile string) []rspec.Mount { +func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount { + return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, 0, 0) +} + +// SecretMountsWithUIDGID specifies the uid/gid of the owner +func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile string, uid, gid int) []rspec.Mount { var ( secretMounts []rspec.Mount mountFiles []string @@ -141,7 +146,7 @@ func SecretMounts(mountLabel, containerWorkingDir string, mountFile string) []rs mountFiles = append(mountFiles, mountFile) } for _, file := range mountFiles { - mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir) + mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid) if err != nil { logrus.Warnf("error mounting secrets, skipping: %v", err) } @@ -162,9 +167,15 @@ func SecretMounts(mountLabel, containerWorkingDir string, mountFile string) []rs return secretMounts } +func rchown(chowndir string, uid, gid int) error { + return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error { + return os.Lchown(filePath, uid, gid) + }) +} + // addSecretsFromMountsFile copies the contents of host directory to container directory // and returns a list of mounts -func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mount, error) { +func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) { var mounts []rspec.Mount defaultMountsPaths := getMounts(filePath) for _, path := range defaultMountsPaths { @@ -186,7 +197,6 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string) if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { return nil, errors.Wrapf(err, "making container directory failed") } - hostDir, err = resolveSymbolicLink(hostDir) if err != nil { return nil, err @@ -206,6 +216,11 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string) if err != nil { return nil, errors.Wrap(err, "error applying correct labels") } + if uid != 0 || gid != 0 { + if err := rchown(ctrDirOnHost, uid, gid); err != nil { + return nil, err + } + } } else if err != nil { return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost) } |