Merge commit from fork

dmcgowan · web-flow · commit 7c59e8e9e970 · 2025-11-05T13:50:10.000-08:00
Fix directory permissions
diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
@@ -80,10 +80,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 		return errors.New("root and state must be different paths")
 	}
 
-	if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil {
+	if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {
+		return err
+	}
+	// chmod is needed for upgrading from an older release that created the dir with 0o711
+	if err := os.Chmod(config.Root, 0o700); err != nil {
 		return err
 	}
 
+	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
+	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
 	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
 		return err
 	}
@@ -98,7 +104,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 	}
 
 	if config.TempDir != "" {
-		if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {
+		if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {
+			return err
+		}
+		// chmod is needed for upgrading from an older release that created the dir with 0o711
+		if err := os.Chmod(config.Root, 0o700); err != nil {
 			return err
 		}
 		if runtime.GOOS == "windows" {
diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go
@@ -92,6 +92,8 @@ func init() {
 			}
 			root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir]
 			for _, d := range []string{root, state} {
+				// root:  the parent of this directory is created as 0o700, not 0o711.
+				// state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.
 				if err := os.MkdirAll(d, 0711); err != nil {
 					return nil, err
 				}
diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go
@@ -79,6 +79,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) {
 	rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri")
 	containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir])
 	stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri")
+	if err := os.MkdirAll(stateDir, 0o700); err != nil {
+		return nil, err
+	}
+	// chmod is needed for upgrading from an older release that created the dir with 0o755
+	if err := os.Chmod(stateDir, 0o700); err != nil {
+		return nil, err
+	}
 	c := criconfig.Config{
 		RuntimeConfig:      *pluginConfig,
 		ContainerdRootDir:  containerdRootDir,
diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go
@@ -68,7 +68,11 @@ func init() {
 			state := ic.Properties[plugins.PropertyStateDir]
 			root := ic.Properties[plugins.PropertyRootDir]
 			for _, d := range []string{root, state} {
-				if err := os.MkdirAll(d, 0711); err != nil {
+				if err := os.MkdirAll(d, 0700); err != nil {
+					return nil, err
+				}
+				// chmod is needed for upgrading from an older release that created the dir with 0o711
+				if err := os.Chmod(d, 0o700); err != nil {
 					return nil, err
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -80,10 +80,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {`
`80`	`80`	`return errors.New("root and state must be different paths")`
`81`	`81`	`}`
`82`	`82`
`83`		`- if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil {`
	`83`	`+ if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {`
	`84`	`+ return err`
	`85`	`+ }`
	`86`	`+ // chmod is needed for upgrading from an older release that created the dir with 0o711`
	`87`	`+ if err := os.Chmod(config.Root, 0o700); err != nil {`
`84`	`88`	`return err`
`85`	`89`	`}`
`86`	`90`
	`91`	`+ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.`
	`92`	`+ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.`
`87`	`93`	`if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {`
`88`	`94`	`return err`
`89`	`95`	`}`
`@@ -98,7 +104,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {`
`98`	`104`	`}`
`99`	`105`
`100`	`106`	`if config.TempDir != "" {`
`101`		`- if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {`
	`107`	`+ if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {`
	`108`	`+ return err`
	`109`	`+ }`
	`110`	`+ // chmod is needed for upgrading from an older release that created the dir with 0o711`
	`111`	`+ if err := os.Chmod(config.Root, 0o700); err != nil {`
`102`	`112`	`return err`
`103`	`113`	`}`
`104`	`114`	`if runtime.GOOS == "windows" {`
Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,8 @@ func init() {`
`92`	`92`	`}`
`93`	`93`	`root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir]`
`94`	`94`	`for _, d := range []string{root, state} {`
	`95`	`+ // root: the parent of this directory is created as 0o700, not 0o711.`
	`96`	`+ // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.`
`95`	`97`	`if err := os.MkdirAll(d, 0711); err != nil {`
`96`	`98`	`return nil, err`
`97`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,11 @@ func init() {`
`68`	`68`	`state := ic.Properties[plugins.PropertyStateDir]`
`69`	`69`	`root := ic.Properties[plugins.PropertyRootDir]`
`70`	`70`	`for _, d := range []string{root, state} {`
`71`		`- if err := os.MkdirAll(d, 0711); err != nil {`
	`71`	`+ if err := os.MkdirAll(d, 0700); err != nil {`
	`72`	`+ return nil, err`
	`73`	`+ }`
	`74`	`+ // chmod is needed for upgrading from an older release that created the dir with 0o711`
	`75`	`+ if err := os.Chmod(d, 0o700); err != nil {`
`72`	`76`	`return nil, err`
`73`	`77`	`}`
`74`	`78`	`}`