
gnaygnil/docker

forked from src-openEuler/docker 
0021-umask-support-specify-umask.patch 4.51 KB
gnaygnil 提交于 2020-02-13 15:36 . docker: Fixed build error and URL
From 79b46d05b185bf8df96cabb2a121186cd2f121c3 Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Sat, 19 Jan 2019 11:22:35 +0800
Subject: [PATCH 021/111] umask: support specify umask
reason: support specify umask.
The umask can be set to 0022 or 0027 (default) by specifying it when
starting a container with `docker create/run` or when starting the
daemon with `dockerd`. For example:
$ dockerd --annotation native.umask=normal
$ dockerd --annotation native.umask=secure
$ docker run --exec-opt native.umask=normal
$ docker run --exec-opt native.umask=secure
`normal` reparent umask is 0022, `secure`
reparent umask is 0027.
Change-Id: Iba07a884b733b411e5268d7ecaa22b9aa327ac3c
Signed-off-by: wangfengtu <wangfengtu@huawei.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
components/engine/daemon/create.go | 21 +++++++++++++++-
components/engine/daemon/daemon_unix.go | 33 +++++++++++++++++++++++++
2 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/components/engine/daemon/create.go b/components/engine/daemon/create.go
index 565e9dc022..fa000c2208 100644
--- a/components/engine/daemon/create.go
+++ b/components/engine/daemon/create.go
@@ -79,6 +79,22 @@ func (daemon *Daemon) containerCreate(params types.ContainerCreateConfig, manage
return containertypes.ContainerCreateCreatedBody{ID: container.ID, Warnings: warnings}, nil
}
+func (daemon *Daemon) setUmask(c *containertypes.Config) error {
+ // Use option native.umask passed by command create/run if specified,
+ // otherwise use daemon's native.umask option.
+ if val, ok := c.Annotations["native.umask"]; ok {
+ if val != umaskNormal && val != umaskSecure {
+ return fmt.Errorf("native.umask option %s not supported", val)
+ }
+ } else if UsingNormalUmask(daemon.configStore) {
+ c.Annotations["native.umask"] = umaskNormal
+ } else {
+ c.Annotations["native.umask"] = umaskSecure
+ }
+
+ return nil
+}
+
// Create creates a new container from the given configuration with a given name.
func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (retC *container.Container, retErr error) {
var (
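Review bot: The two fallback assignments `c.Annotations["native.umask"] = ...` in setUmask write into a map the function never checks; if `c.Annotations` can arrive nil (its initialisation is not visible in this patch), that write panics the daemon on a create request. A guard such as `if c.Annotations == nil { c.Annotations = make(map[string]string) }` before the lookup would remove that dependency. The lookup is also an exact-case match on the key, while getUmask in daemon_unix.go compares keys with `strings.EqualFold`, so a differently-cased key would skip validation here and have the daemon default written beside it; sharing one constant for the key and normalising its case would keep both paths consistent. Formatting the rejected value with `%q` rather than `%s` keeps client-supplied text unambiguous in the returned error.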
@@ -162,8 +178,11 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
}
container.RWLayer = rwLayer
- rootIDs := daemon.idMapping.RootPair()
+ if err := daemon.setUmask(params.Config); err != nil {
+ return nil, err
+ }
+ rootIDs := daemon.idMapping.RootPair()
if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {
return nil, err
}
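Review bot: `daemon.setUmask(params.Config)` runs only after `container.RWLayer = rwLayer`, so a request carrying an unsupported native.umask value is rejected after the layer has been allocated and depends on whatever error cleanup create() performs outside this hunk. Validating the annotation before any resources are created, alongside the other container-settings checks, would make the rejection free of side effects. The call also mutates the caller's `params.Config`; a comment at the call site such as `// validates native.umask and fills in the daemon default when unset` would make that visible to readers of create().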
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
index 5b390d2db1..8ffdd0009a 100644
--- a/components/engine/daemon/daemon_unix.go
+++ b/components/engine/daemon/daemon_unix.go
@@ -77,6 +77,10 @@ const (
// DefaultRuntimeName is the default runtime to be used by
// containerd if none is specified
DefaultRuntimeName = "runc"
+
+ // constant for umasks in containers. normal: 0022, secure(default): 0027
+ umaskNormal = "normal"
+ umaskSecure = "secure"
)
type containerGetter interface {
@@ -581,6 +585,32 @@ func UsingSystemd(config *config.Config) bool {
return getCD(config) == cgroupSystemdDriver
}
+// getUmask gets the raw value of the native.umask option, if set.
+func getUmask(config *config.Config) string {
+ for _, option := range config.ExecOptions {
+ key, val, err := parsers.ParseKeyValueOpt(option)
+ if err != nil || !strings.EqualFold(key, "native.umask") {
+ continue
+ }
+ return val
+ }
+ return ""
+}
+
+// VerifyNativeUmask validates native.umask
+func VerifyNativeUmask(config *config.Config) error {
+ umask := getUmask(config)
+ if umask == "" || umask == umaskNormal || umask == umaskSecure {
+ return nil
+ }
+ return fmt.Errorf("native.umask option %s not supported", umask)
+}
+
+// UsingNormalUmask returns true if cli option includes native.umask=normal
+func UsingNormalUmask(config *config.Config) bool {
+ return getUmask(config) == umaskNormal
+}
+
// verifyPlatformContainerSettings performs platform-specific validation of the
// hostconfig and config structures.
func (daemon *Daemon) verifyPlatformContainerSettings(hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
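Review bot: The doc comments on getUmask and UsingNormalUmask do not say which option source they read, and the code appears to disagree with the commit description: getUmask scans `config.ExecOptions`, whereas the description's example shows `dockerd --annotation native.umask=...` and `docker run --exec-opt ...`, the reverse of what the code in this patch reads (daemon ExecOptions, container Annotations). I would state the source explicitly, e.g. `// getUmask returns the value of the daemon-level native.umask exec option, or "" if unset.`, and correct whichever side is wrong. getUmask also silently skips entries that fail `ParseKeyValueOpt` and returns the first match, so a malformed or duplicated native.umask entry is never reported by VerifyNativeUmask; that is worth a sentence in the comment since the default it falls back to is a permission setting. As in create.go, `%q` is preferable to `%s` for the rejected value.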
@@ -737,6 +767,9 @@ func verifyDaemonSettings(conf *config.Config) error {
return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
}
}
+ if err := VerifyNativeUmask(conf); err != nil {
+ return err
+ }
if conf.DefaultRuntime == "" {
conf.DefaultRuntime = config.StockRuntimeName
--
2.17.1