mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

proper cleanup upon mount fail

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Evan Hazlett 2016-10-27 11:29:51 -07:00
parent f50a65ff0c
commit 0c170a76c5


@ -144,12 +144,10 @@ func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
return nil return nil
} }
func (daemon *Daemon) setupSecretDir(c *container.Container) error { func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
localMountPath := c.SecretMountPath() localMountPath := c.SecretMountPath()
logrus.Debugf("secrets: setting up secret dir: %s", localMountPath) logrus.Debugf("secrets: setting up secret dir: %s", localMountPath)
var setupErr error
defer func(err error) { defer func(err error) {
if err != nil { if err != nil {
// cleanup // cleanup
@ -163,22 +161,22 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) error {
// create tmpfs // create tmpfs
if err := os.MkdirAll(localMountPath, 0700); err != nil { if err := os.MkdirAll(localMountPath, 0700); err != nil {
setupErr = errors.Wrap(err, "error creating secret local mount path") return errors.Wrap(err, "error creating secret local mount path")
} }
if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "nodev"); err != nil { if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "nodev"); err != nil {
setupErr = errors.Wrap(err, "unable to setup secret mount") return errors.Wrap(err, "unable to setup secret mount")
} }
for _, s := range c.Secrets { for _, s := range c.Secrets {
// ensure that the target is a filename only; no paths allowed // ensure that the target is a filename only; no paths allowed
tDir, tPath := filepath.Split(s.Target) tDir, tPath := filepath.Split(s.Target)
if tDir != "" { if tDir != "" {
setupErr = fmt.Errorf("error creating secret: secret must not have a path") return fmt.Errorf("error creating secret: secret must not have a path")
} }
fPath := filepath.Join(localMountPath, tPath) fPath := filepath.Join(localMountPath, tPath)
if err := os.MkdirAll(filepath.Dir(fPath), 0700); err != nil { if err := os.MkdirAll(filepath.Dir(fPath), 0700); err != nil {
setupErr = errors.Wrap(err, "error creating secret mount path") return errors.Wrap(err, "error creating secret mount path")
} }
logrus.WithFields(logrus.Fields{ logrus.WithFields(logrus.Fields{
@ -186,20 +184,20 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) error {
"path": fPath, "path": fPath,
}).Debug("injecting secret") }).Debug("injecting secret")
if err := ioutil.WriteFile(fPath, s.Data, s.Mode); err != nil { if err := ioutil.WriteFile(fPath, s.Data, s.Mode); err != nil {
setupErr = errors.Wrap(err, "error injecting secret") return errors.Wrap(err, "error injecting secret")
} }
if err := os.Chown(fPath, s.Uid, s.Gid); err != nil { if err := os.Chown(fPath, s.Uid, s.Gid); err != nil {
setupErr = errors.Wrap(err, "error setting ownership for secret") return errors.Wrap(err, "error setting ownership for secret")
} }
} }
// remount secrets ro // remount secrets ro
if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro"); err != nil { if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro"); err != nil {
setupErr = errors.Wrap(err, "unable to remount secret dir as readonly") return errors.Wrap(err, "unable to remount secret dir as readonly")
} }
return setupErr return nil
} }
func killProcessDirectly(container *container.Container) error { func killProcessDirectly(container *container.Container) error {
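Review bot: The cleanup closure in the first hunk is still declared as `defer func(err error) {` and tests its own parameter, so if it is invoked as `}(setupErr)` (the call line is outside the hunk), the argument is evaluated when the defer statement executes, while setupErr is still nil, and the cleanup never fires even with the new named result. Each early `return errors.Wrap(...)` added in the later hunks would then leave the tmpfs mounted at localMountPath, together with any secret files already written to it. Dropping the parameter and reading the named result inside the closure avoids this: `defer func() {` with `if setupErr != nil {` and a closing `}()`. The closure body and the end of the defer statement lie between the first and second hunks, so this should be confirmed against the full file.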