
Commit b36b415

committed
cri: mkdir /etc/cni with 0755, not 0700
/etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too. This file was introduced in CNI plugins 1.2.0 (containernetworking/plugins PR 693), and its path is hard-coded. Signed-off-by: Akihiro Suda <[email protected]>
1 parent accb53c commit b36b415

2 files changed

Lines changed: 16 additions & 0 deletions


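--- a/pkg/cri/sbserver/cni_conf_syncer.go
+++ b/pkg/cri/sbserver/cni_conf_syncer.go
@@ -19,6 +19,7 @@ package sbserver
 import (
 "fmt"
 "os"
+"path/filepath"
 "sync"
 
 "github.com/containerd/go-cni"
@@ -46,6 +47,13 @@ func newCNINetConfSyncer(confDir string, netPlugin cni.CNI, loadOpts []cni.Opt)
 return nil, fmt.Errorf("failed to create fsnotify watcher: %w", err)
 }
 
+// /etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
+// This file was introduced in CNI plugins 1.2.0 (https://github.com/containernetworking/plugins/pull/693), and its path is hard-coded.
+confDirParent := filepath.Dir(confDir)
+if err := os.MkdirAll(confDirParent, 0755); err != nil {
+return nil, fmt.Errorf("failed to create the parent of the cni conf dir=%s: %w", confDirParent, err)
+}
+
 if err := os.MkdirAll(confDir, 0700); err != nil {
 return nil, fmt.Errorf("failed to create cni conf dir=%s for watch: %w", confDir, err)
 }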
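Review bot: `os.MkdirAll(confDirParent, 0755)` only applies the mode to directories it creates, so on a host where the parent already exists as 0700 (presumably left behind by an earlier release through the `os.MkdirAll(confDir, 0700)` call just below) it is a no-op and non-root users still cannot read the directory; the mode of a newly created directory is also reduced by the process umask. I would state that next to the call, e.g. `// NOTE: MkdirAll does not change the mode of an existing directory; a parent already created as 0700 stays 0700 and has to be fixed by the administrator.` The added comment also names /etc/cni while the code uses `filepath.Dir(confDir)`, which is whatever parent the configured conf dir has, so "the parent of confDir (/etc/cni when confDir is /etc/cni/net.d)" would describe it more accurately. The same applies to the identical hunk in pkg/cri/server/cni_conf_syncer.go; newCNINetConfSyncer starts and ends outside the hunk.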

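--- a/pkg/cri/server/cni_conf_syncer.go
+++ b/pkg/cri/server/cni_conf_syncer.go
@@ -19,6 +19,7 @@ package server
 import (
 "fmt"
 "os"
+"path/filepath"
 "sync"
 
 cni "github.com/containerd/go-cni"
@@ -46,6 +47,13 @@ func newCNINetConfSyncer(confDir string, netPlugin cni.CNI, loadOpts []cni.Opt)
 return nil, fmt.Errorf("failed to create fsnotify watcher: %w", err)
 }
 
+// /etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
+// This file was introduced in CNI plugins 1.2.0 (https://github.com/containernetworking/plugins/pull/693), and its path is hard-coded.
+confDirParent := filepath.Dir(confDir)
+if err := os.MkdirAll(confDirParent, 0755); err != nil {
+return nil, fmt.Errorf("failed to create the parent of the cni conf dir=%s: %w", confDirParent, err)
+}
+
 if err := os.MkdirAll(confDir, 0700); err != nil {
 return nil, fmt.Errorf("failed to create cni conf dir=%s for watch: %w", confDir, err)
 }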
