Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_internal_linux.go | 13 | ||||
-rw-r--r-- | libpod/runtime_img.go | 29 |
2 files changed, 42 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c9f35dd75..3f3b22b6b 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -26,6 +26,7 @@ import (
 "github.com/containers/libpod/pkg/resolvconf"
 "github.com/containers/libpod/pkg/rootless"
 "github.com/containers/storage/pkg/idtools"
+ "github.com/cyphar/filepath-securejoin"
 "github.com/opencontainers/runc/libcontainer/user"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
@@ -366,6 +367,18 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 // For private volumes any root propagation value should work.
 rootPropagation := ""
 for _, m := range mounts {
+ // We need to remove all symlinks from tmpfs mounts.
+ // Runc and other runtimes may choke on them.
+ // Easy solution: use securejoin to do a scoped evaluation of
+ // the links, then trim off the mount prefix.
+ if m.Type == "tmpfs" {
+ finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
+ }
+ trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
+ m.Destination = trimmedPath
+ }
 g.AddMount(m)
 for _, opt := range m.Options {
 switch opt {
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index 451c2ebe7..02f925fc6 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -14,6 +14,7 @@ import (
 "github.com/containers/libpod/pkg/util"
 "github.com/containers/storage"
 "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
 "github.com/containers/image/directory"
 dockerarchive "github.com/containers/image/docker/archive"
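Review bot: The trimmed destination can come out empty: when `m.Destination` resolves to the rootfs itself, SecureJoin returns `c.state.Mountpoint` and `strings.TrimPrefix` leaves `""`, so the tmpfs mount is handed to `g.AddMount` with no destination; a guard such as `if trimmedPath == "" { trimmedPath = "/" }` before the assignment keeps the spec valid. The scoping is also only as good as `c.state.Mountpoint`: if that field can be empty when generateSpec runs, `securejoin.SecureJoin("", m.Destination)` evaluates the destination against the host filesystem rather than the container rootfs, so an explicit check that the mountpoint is set, or a comment stating the caller guarantees it, would make that assumption visible. Only `tmpfs` mounts are rewritten, so other mount types whose destinations pass through symlinks still reach the runtime unresolved; if that is deliberate, the comment block should say why tmpfs is the only case. generateSpec starts and ends outside the hunk.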
@@ -183,6 +184,15 @@ func (r *Runtime) Import(ctx context.Context, source string, reference string, c
 defer os.Remove(file)
 source = file
 }
+ // if it's stdin, buffer it, too
+ if source == "-" {
+ file, err := downloadFromFile(os.Stdin)
+ if err != nil {
+ return "", err
+ }
+ defer os.Remove(file)
+ source = file
+ }
 newImage, err := r.imageRuntime.Import(ctx, source, reference, writer, image.SigningOptions{}, config)
 if err != nil {
@@ -216,6 +226,25 @@ func downloadFromURL(source string) (string, error) {
 return outFile.Name(), nil
 }
+// donwloadFromFile reads all of the content from the reader and temporarily
+// saves in it /var/tmp/importxyz, which is deleted after the image is imported
+func downloadFromFile(reader *os.File) (string, error) {
+ outFile, err := ioutil.TempFile("/var/tmp", "import")
+ if err != nil {
+ return "", errors.Wrap(err, "error creating file")
+ }
+ defer outFile.Close()
+
+ logrus.Debugf("saving %s to %s", reader.Name(), outFile.Name())
+
+ _, err = io.Copy(outFile, reader)
+ if err != nil {
+ return "", errors.Wrapf(err, "error saving %s to %s", reader.Name(), outFile.Name())
+ }
+
+ return outFile.Name(), nil
+}
+
 // LoadImage loads a container image into local storage
 func (r *Runtime) LoadImage(ctx context.Context, name, inputFile string, writer io.Writer, signaturePolicy string) (string, error) {
 var newImages []*image.Image |
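Review bot: On the `io.Copy` failure path downloadFromFile returns without removing `outFile`, so an aborted or partial stdin import leaves a temporary file behind in /var/tmp, and because the name is never returned the caller cannot clean it up either; adding `os.Remove(outFile.Name())` immediately before the `return "", errors.Wrapf(...)` closes the leak (the tail of downloadFromURL visible as context looks like it follows the same shape and is worth checking). The deferred `outFile.Close()` also discards its error, and for a file that was just written a failed close can hide a write error, so closing explicitly and checking before returning the name would be safer. The doc comment has two typos (`donwloadFromFile`, `saves in it`) and should read `// downloadFromFile reads all of the content from the reader and temporarily` / `// saves it in /var/tmp/importxyz, which is deleted after the image is imported`. As a point of style, `reader` is only used for `io.Copy` and `reader.Name()` in log and error text, so an `io.Reader` plus a display name would make the helper usable for more than `*os.File`.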