Fix init layer chown of existing dir ownership
This solves a bug where /etc may have pre-existing permissions from build time, but init layer setup (reworked for user namespaces) was assuming root ownership. Adds a test as well to catch this situation in the future. Minor fix to wrong ordering of chown/close on files created during the same initlayer setup. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
parent
e3fbd6922f
commit
23b771782a
2 changed files with 26 additions and 3 deletions
|
@ -585,12 +585,12 @@ func setupInitLayer(initLayer string, rootUID, rootGID int) error {
|
|||
|
||||
if _, err := os.Stat(filepath.Join(initLayer, pth)); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
if err := idtools.MkdirAllAs(filepath.Join(initLayer, filepath.Dir(pth)), 0755, rootUID, rootGID); err != nil {
|
||||
if err := idtools.MkdirAllNewAs(filepath.Join(initLayer, filepath.Dir(pth)), 0755, rootUID, rootGID); err != nil {
|
||||
return err
|
||||
}
|
||||
switch typ {
|
||||
case "dir":
|
||||
if err := idtools.MkdirAllAs(filepath.Join(initLayer, pth), 0755, rootUID, rootGID); err != nil {
|
||||
if err := idtools.MkdirAllNewAs(filepath.Join(initLayer, pth), 0755, rootUID, rootGID); err != nil {
|
||||
return err
|
||||
}
|
||||
case "file":
|
||||
|
@ -598,8 +598,8 @@ func setupInitLayer(initLayer string, rootUID, rootGID int) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
f.Close()
|
||||
f.Chown(rootUID, rootGID)
|
||||
f.Close()
|
||||
default:
|
||||
if err := os.Symlink(typ, filepath.Join(initLayer, pth)); err != nil {
|
||||
return err
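Review bot: In the `"file"` case of the second hunk, `f.Chown(rootUID, rootGID)` still discards its error. If the chown fails, the newly created init-layer file keeps the daemon's ownership instead of the remapped root's, and setup still reports success. Moving the call ahead of `f.Close()` is correct, but the result should be checked the way the `MkdirAllNewAs` calls are: `if err := f.Chown(rootUID, rootGID); err != nil { f.Close(); return err }`. The call that opens `f` and the enclosing loop are outside the hunk, so this assumes `f` is the `*os.File` created just above.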
|
||||
|
|
|
@ -3762,6 +3762,29 @@ func (s *DockerSuite) TestRunInvalidReference(c *check.C) {
|
|||
}
|
||||
}
|
||||
|
||||
// Test fix for issue #17854
|
||||
func (s *DockerSuite) TestRunInitLayerPathOwnership(c *check.C) {
|
||||
// Not applicable on Windows as it does not support Linux uid/gid ownership
|
||||
testRequires(c, DaemonIsLinux)
|
||||
name := "testetcfileownership"
|
||||
_, err := buildImage(name,
|
||||
`FROM busybox
|
||||
RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
|
||||
RUN echo 'dockerio:x:1001:' >> /etc/group
|
||||
RUN chown dockerio:dockerio /etc`,
|
||||
true)
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
// Test that dockerio ownership of /etc is retained at runtime
|
||||
out, _ := dockerCmd(c, "run", "--rm", name, "stat", "-c", "%U:%G", "/etc")
|
||||
out = strings.TrimSpace(out)
|
||||
if out != "dockerio:dockerio" {
|
||||
c.Fatalf("Wrong /etc ownership: expected dockerio:dockerio, got %q", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerSuite) TestRunWithOomScoreAdj(c *check.C) {
|
||||
testRequires(c, DaemonIsLinux)
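Review bot: `TestRunInitLayerPathOwnership` asserts only that a pre-existing `/etc` keeps its build-time owner. It does not pin the other half of the behaviour, that paths the init layer itself creates still receive `rootUID`/`rootGID`, nor the `Chown`-before-`Close` reordering in `setupInitLayer`. A second `stat -c %U:%G` on an entry that init layer setup creates, expecting `root:root` on a daemon without remapping, would presumably cover both. The comment above the test could also say what is checked rather than only citing the issue, for example `// TestRunInitLayerPathOwnership checks that init layer setup does not reset the ownership of a directory the image already contains (#17854).`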
|
||||
|
||||
|
|