From b4813f2841638be28208b7b1602f12750a46ece9 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 5 Aug 2014 16:43:33 -0400
Subject: [PATCH] Docker should use /var/lib/container/tmp for large temporary files. /tmp is often a tmpfs file system and large temporary files could cause docker commands to fail. Also using /tmp potentially allows users on the system to get access to content, or even attack the content. Moving the tmpdir to /var/lib/container/tmp will protect the data.
Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
Conflicts: docker/docker.go
---
 daemon/daemon.go | 5 ++++-
 docs/sources/reference/commandline/cli.md | 7 +++----
 utils/tmpdir.go | 12 ++++++++++++
 utils/tmpdir_unix.go | 18 ++++++++++++++++++
 4 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 utils/tmpdir.go
 create mode 100644 utils/tmpdir_unix.go
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 3da5422c6e..0d275492dc 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -678,7 +678,10 @@ func NewDaemonFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*D
 }
 // set up the TempDir to use a canonical path
- tmp := os.TempDir()
+ tmp, err := utils.TempDir(config.Root)
+ if err != nil {
+ log.Fatalf("Unable to get the TempDir under %s: %s", config.Root, err)
+ }
 realTmp, err := utils.ReadSymlinkedDirectory(tmp)
 if err != nil {
 log.Fatalf("Unable to get the full path to the TempDir (%s): %s", tmp, err)
diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md
index 83590a60e1..83cd56a206 100644
--- a/docs/sources/reference/commandline/cli.md
+++ b/docs/sources/reference/commandline/cli.md
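Review bot: In daemon/daemon.go the new failure message, `log.Fatalf("Unable to get the TempDir under %s: %s", config.Root, err)`, names config.Root even though the unix TempDir added by this patch prefers DOCKER_TMPDIR, so a failure to create the override directory is reported against a path that was never used. I would include the override in the message, for example `log.Fatalf("Unable to set up the TempDir (root %s, DOCKER_TMPDIR %q): %s", config.Root, os.Getenv("DOCKER_TMPDIR"), err)`. NewDaemonFromDirectory starts and ends outside this hunk, so whether it could return the error instead of exiting cannot be judged from here.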
@@ -120,12 +120,11 @@ systemd in the [docker source tree](
 https://github.com/docker/docker/blob/master/contrib/init/systemd/socket-activation/).
 Docker supports softlinks for the Docker data directory
-(`/var/lib/docker`) and for `/tmp`. TMPDIR and the data directory can be set
-like this:
+(`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this:
- TMPDIR=/mnt/disk2/tmp /usr/local/bin/docker -d -D -g /var/lib/docker -H unix:// > /var/lib/boot2docker/docker.log 2>&1
+ DOCKER_TMPDIR=/mnt/disk2/tmp /usr/local/bin/docker -d -D -g /var/lib/docker -H unix:// > /var/lib/boot2docker/docker.log 2>&1
 # or
- export TMPDIR=/mnt/disk2/tmp
+ export DOCKER_TMPDIR=/mnt/disk2/tmp
 /usr/local/bin/docker -d -D -g /var/lib/docker -H unix:// > /var/lib/boot2docker/docker.log 2>&1
 ## attach
diff --git a/utils/tmpdir.go b/utils/tmpdir.go
new file mode 100644
index 0000000000..921a8f697c
--- /dev/null
+++ b/utils/tmpdir.go
@@ -0,0 +1,12 @@
+// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd
+
+package utils
+
+import (
+ "os"
+)
+
+// TempDir returns the default directory to use for temporary files.
+func TempDir(rootdir string) (string error) {
+ return os.TempDir(), nil
+}
diff --git a/utils/tmpdir_unix.go b/utils/tmpdir_unix.go
new file mode 100644
index 0000000000..30d7c3a192
--- /dev/null
+++ b/utils/tmpdir_unix.go
@@ -0,0 +1,18 @@
+// +build darwin dragonfly freebsd linux netbsd openbsd
+
+package utils
+
+import (
+ "os"
+ "path/filepath"
+)
+
+// TempDir returns the default directory to use for temporary files.
+func TempDir(rootDir string) (string, error) {
+ var tmpDir string
+ if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {
+ tmpDir = filepath.Join(rootDir, "tmp")
+ }
+ err := os.MkdirAll(tmpDir, 0700)
+ return tmpDir, err
+}
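Review bot: The signature in utils/tmpdir.go, `func TempDir(rootdir string) (string error) {`, is missing a comma: it declares a single result named `string` of type `error`, so `return os.TempDir(), nil` will not compile on the platforms this build tag selects. It should read `func TempDir(rootDir string) (string, error) {`, matching utils/tmpdir_unix.go. The doc comment should also say that on these platforms rootDir and DOCKER_TMPDIR are ignored and the shared os.TempDir() is still used, so the isolation described in the commit message does not apply there.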
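Review bot: In utils/tmpdir_unix.go, `os.MkdirAll(tmpDir, 0700)` returns nil without changing anything when the directory already exists, so a pre-existing `rootDir/tmp` or a DOCKER_TMPDIR pointing at a group- or world-accessible directory is accepted with whatever mode it already has. That leaves the exposure the commit message sets out to remove, and the function also returns a non-empty path alongside a non-nil error. I would stat the directory after creating it and reject, or at least log, a mode that grants group or other access; the sketch below would need `fmt` added to the file's imports. Whether an explicitly set DOCKER_TMPDIR should be held to the same rule as the default is a policy call for the maintainers.

```go
func TempDir(rootDir string) (string, error) {
	// … unchanged: DOCKER_TMPDIR lookup and rootDir/tmp default …
	if err := os.MkdirAll(tmpDir, 0700); err != nil {
		return "", err
	}
	// MkdirAll leaves an existing directory untouched, so verify the
	// mode instead of assuming it is 0700.
	fi, err := os.Stat(tmpDir)
	if err != nil {
		return "", err
	}
	if fi.Mode().Perm()&0077 != 0 {
		return "", fmt.Errorf("temp dir %s is accessible to group or other (mode %o)", tmpDir, fi.Mode().Perm())
	}
	return tmpDir, nil
}
```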