
Only chown network files within container metadata #34224


Merged (1 commit), Nov 2, 2017

Conversation

@estesp (Contributor) commented Jul 23, 2017

If the user specifies a mountpath from the host, we should not be
attempting to chown files outside the daemon's metadata directory
(represented by daemon.repository at init time).

This forces users who want to use user namespaces to handle the
ownership needs of any external files mounted as network files
(/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
daemon. In all other volume/bind mount situations we have taken this
same line--we don't chown host filesystem content.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

@thaJeztah my only concern here is a change in behavior if anyone has relied on mounting network files from a host system location and gotten this automatic "chown" behavior. Something we have to consider I guess.
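As an added illustration of the rule the PR describes (example code written here, not the change from the PR itself), the containment check in Go: a network file is chowned only when it resolves inside the daemon's metadata directory, and host paths the user supplied are skipped. It also guards against the prefix pitfall where a sibling directory such as `/var/lib/docker2` would pass a naive string comparison. The function names, the `/var/lib/docker` stand-in for `daemon.repository`, and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// withinRepository reports whether path resolves inside the daemon's
// metadata directory (daemon.repository in the PR). Both sides are cleaned
// and made absolute so that "..", trailing slashes and a sibling directory
// sharing a prefix ("/var/lib/docker2") cannot pass the check.
func withinRepository(repository, path string) bool {
	repoAbs, err := filepath.Abs(repository)
	if err != nil {
		return false
	}
	pathAbs, err := filepath.Abs(path)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(repoAbs, pathAbs)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// chownNetworkFile (hypothetical name) applies the PR's rule: a file the
// user mounted from the host is left untouched and (false, nil) is returned,
// so a caller can tell a deliberately skipped chown from a failed one.
func chownNetworkFile(repository, path string, uid, gid int) (bool, error) {
	if !withinRepository(repository, path) {
		return false, nil
	}
	if err := os.Chown(path, uid, gid); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed sample paths; /var/lib/docker stands in for daemon.repository.
	for _, p := range []string{
		"/var/lib/docker/containers/abc/resolv.conf",
		"/etc/resolv.conf",
		"/var/lib/docker2/containers/abc/hosts",
	} {
		fmt.Printf("%-45s chown=%v\n", p, withinRepository("/var/lib/docker", p))
	}
}
```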

@thaJeztah (Member)

@estesp discussing with @vieux; and this LGTM; can you add a small test?

@vieux vieux assigned vieux and unassigned aaronlehmann Oct 26, 2017
@estesp estesp force-pushed the no-chown-nwfiles-outside-metadata branch from c02b1fe to 308f501 Compare October 31, 2017 22:58
@estesp (Contributor, Author) commented Oct 31, 2017

Thanks @thaJeztah; test added!

If the user specifies a mountpath from the host, we should not be
attempting to chown files outside the daemon's metadata directory
(represented by `daemon.repository` at init time).

This forces users who want to use user namespaces to handle the
ownership needs of any external files mounted as network files
(/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
daemon. In all other volume/bind mount situations we have taken this
same line--we don't chown host file content.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
@estesp estesp force-pushed the no-chown-nwfiles-outside-metadata branch from 308f501 to 42716dc Compare November 1, 2017 14:14
@vieux (Contributor) left a comment


LGTM
