From 45a92f8357de75d06c137e48ce61ab8054d5bc8e Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Tue, 17 Jul 2018 16:48:08 +0200 Subject: secrets: parse only one mounts configuration file Signed-off-by: Giuseppe Scrivano --- pkg/secrets/secrets.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'pkg/secrets') diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go index ba0f3b925..f245b9512 100644 --- a/pkg/secrets/secrets.go +++ b/pkg/secrets/secrets.go @@ -147,11 +147,14 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre mountFiles = append(mountFiles, mountFile) } for _, file := range mountFiles { - mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid) - if err != nil { - logrus.Warnf("error mounting secrets, skipping: %v", err) + if _, err := os.Stat(file); err == nil { + mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid) + if err != nil { + logrus.Warnf("error mounting secrets, skipping: %v", err) + } + secretMounts = mounts + break } - secretMounts = append(secretMounts, mounts...) } // Add FIPS mode secret if /etc/system-fips exists on the host -- cgit v1.2.3-54-g00ecf From d4f14be3a7aa7b5b884906d764db3214e51b3e67 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 16 Jul 2018 11:48:59 +0200 Subject: rootless: support a per-user mounts.conf Signed-off-by: Giuseppe Scrivano --- docs/podman.1.md | 2 ++ pkg/secrets/secrets.go | 7 +++++++ 2 files changed, 9 insertions(+) (limited to 'pkg/secrets') diff --git a/docs/podman.1.md b/docs/podman.1.md index 68a9e4e92..5581e0569 100644 --- a/docs/podman.1.md +++ b/docs/podman.1.md @@ -139,6 +139,8 @@ The format of the mounts.conf is the volume format /SRC:/DEST, one mount per lin Note this is not a volume mount. The content of the volumes is copied into container storage, not bind mounted directly from the host. +When Podman runs in rootless mode, the file `$HOME/.config/containers/mounts.conf` is also used. + **hook JSON** (`/usr/share/containers/oci/hooks.d/*.json`) Each `*.json` file in `/usr/share/containers/oci/hooks.d` configures a hook for Podman containers. For more details on the syntax of the JSON files and the semantics of hook injection, see `oci-hooks(5)`. diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go index f245b9512..bc63ece00 100644 --- a/pkg/secrets/secrets.go +++ b/pkg/secrets/secrets.go @@ -10,6 +10,7 @@ import ( rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" + "github.com/projectatomic/libpod/pkg/rootless" "github.com/sirupsen/logrus" ) @@ -20,6 +21,9 @@ var ( // OverrideMountsFile holds the default mount paths in the form // "host_path:container_path" overridden by the user OverrideMountsFile = "/etc/containers/mounts.conf" + // UserOverrideMountsFile holds the default mount paths in the form + // "host_path:container_path" overridden by the rootless user + UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf") ) // secretData stores the name of the file and the content read from it @@ -143,6 +147,9 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre // Note for testing purposes only if mountFile == "" { mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...) + if rootless.IsRootless() { + mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...) + } } else { mountFiles = append(mountFiles, mountFile) } -- cgit v1.2.3-54-g00ecf