126 lines
4.5 KiB
Diff
126 lines
4.5 KiB
Diff
From 79b46d05b185bf8df96cabb2a121186cd2f121c3 Mon Sep 17 00:00:00 2001
|
|
From: lujingxiao <lujingxiao@huawei.com>
|
|
Date: Sat, 19 Jan 2019 11:22:35 +0800
|
|
Subject: [PATCH 021/111] umask: support specify umask
|
|
|
|
reason: support specify umask.
|
|
Umask can be 0022 or 0027(default) by specify umask when
|
|
start container by command `docker create/run` or start
|
|
daemon by command `dockerd`. For example:
|
|
$ dockerd --annotation native.umask=normal
|
|
$ dockerd --annotation native.umask=secure
|
|
$ docker run --exec-opt native.umask=normal
|
|
$ docker run --exec-opt native.umask=secure
|
|
`normal` reparent umask is 0022, `secure`
|
|
reparent umask is 0027.
|
|
|
|
Change-Id: Iba07a884b733b411e5268d7ecaa22b9aa327ac3c
|
|
Signed-off-by: wangfengtu <wangfengtu@huawei.com>
|
|
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
|
|
---
|
|
components/engine/daemon/create.go | 21 +++++++++++++++-
|
|
components/engine/daemon/daemon_unix.go | 33 +++++++++++++++++++++++++
|
|
2 files changed, 53 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/components/engine/daemon/create.go b/components/engine/daemon/create.go
|
|
index 565e9dc022..fa000c2208 100644
|
|
--- a/components/engine/daemon/create.go
|
|
+++ b/components/engine/daemon/create.go
|
|
@@ -79,6 +79,22 @@ func (daemon *Daemon) containerCreate(params types.ContainerCreateConfig, manage
|
|
return containertypes.ContainerCreateCreatedBody{ID: container.ID, Warnings: warnings}, nil
|
|
}
|
|
|
|
+func (daemon *Daemon) setUmask(c *containertypes.Config) error {
|
|
+ // Use option native.umask passed by command create/run if specified,
|
|
+ // otherwise use daemon's native.umask option.
|
|
+ if val, ok := c.Annotations["native.umask"]; ok {
|
|
+ if val != umaskNormal && val != umaskSecure {
|
|
+ return fmt.Errorf("native.umask option %s not supported", val)
|
|
+ }
|
|
+ } else if UsingNormalUmask(daemon.configStore) {
|
|
+ c.Annotations["native.umask"] = umaskNormal
|
|
+ } else {
|
|
+ c.Annotations["native.umask"] = umaskSecure
|
|
+ }
|
|
+
|
|
+ return nil
|
|
+}
|
|
+
|
|
// Create creates a new container from the given configuration with a given name.
|
|
func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (retC *container.Container, retErr error) {
|
|
var (
|
|
@@ -162,8 +178,11 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
|
|
}
|
|
container.RWLayer = rwLayer
|
|
|
|
- rootIDs := daemon.idMapping.RootPair()
|
|
+ if err := daemon.setUmask(params.Config); err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
|
|
+ rootIDs := daemon.idMapping.RootPair()
|
|
if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {
|
|
return nil, err
|
|
}
|
|
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
|
|
index 5b390d2db1..8ffdd0009a 100644
|
|
--- a/components/engine/daemon/daemon_unix.go
|
|
+++ b/components/engine/daemon/daemon_unix.go
|
|
@@ -77,6 +77,10 @@ const (
|
|
// DefaultRuntimeName is the default runtime to be used by
|
|
// containerd if none is specified
|
|
DefaultRuntimeName = "runc"
|
|
+
|
|
+ // constant for umasks in containers. normal: 0022, secure(default): 0027
|
|
+ umaskNormal = "normal"
|
|
+ umaskSecure = "secure"
|
|
)
|
|
|
|
type containerGetter interface {
|
|
@@ -581,6 +585,32 @@ func UsingSystemd(config *config.Config) bool {
|
|
return getCD(config) == cgroupSystemdDriver
|
|
}
|
|
|
|
+// getUmask gets the raw value of the native.umask option, if set.
|
|
+func getUmask(config *config.Config) string {
|
|
+ for _, option := range config.ExecOptions {
|
|
+ key, val, err := parsers.ParseKeyValueOpt(option)
|
|
+ if err != nil || !strings.EqualFold(key, "native.umask") {
|
|
+ continue
|
|
+ }
|
|
+ return val
|
|
+ }
|
|
+ return ""
|
|
+}
|
|
+
|
|
+// VerifyNativeUmask validates native.umask
|
|
+func VerifyNativeUmask(config *config.Config) error {
|
|
+ umask := getUmask(config)
|
|
+ if umask == "" || umask == umaskNormal || umask == umaskSecure {
|
|
+ return nil
|
|
+ }
|
|
+ return fmt.Errorf("native.umask option %s not supported", umask)
|
|
+}
|
|
+
|
|
+// UsingNormalUmask returns true if cli option includes native.umask=normal
|
|
+func UsingNormalUmask(config *config.Config) bool {
|
|
+ return getUmask(config) == umaskNormal
|
|
+}
|
|
+
|
|
// verifyPlatformContainerSettings performs platform-specific validation of the
|
|
// hostconfig and config structures.
|
|
func (daemon *Daemon) verifyPlatformContainerSettings(hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
|
|
@@ -737,6 +767,9 @@ func verifyDaemonSettings(conf *config.Config) error {
|
|
return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
|
|
}
|
|
}
|
|
+ if err := VerifyNativeUmask(conf); err != nil {
|
|
+ return err
|
|
+ }
|
|
|
|
if conf.DefaultRuntime == "" {
|
|
conf.DefaultRuntime = config.StockRuntimeName
|
|
--
|
|
2.17.1
|
|
|