
Reduce file permissions#11360

Closed
fengwei0328 wants to merge 1 commit into containerd:main from fengwei0328:permision

Conversation


@fengwei0328 fengwei0328 commented Feb 8, 2025

/var/lib/containerd

```text
containerd                                                                                  drwx--x--x.
├── io.containerd.content.v1.content                                                        drwxr-xr-x.    //755 -> 700
│   ├── blobs                                                                               drwxr-xr-x.    //755 -> 700
│   │   └── sha256                                                                          drwxr-xr-x.    //755 -> 700
│   │       ├── 0968e31df05b727234888883ba43ccaa4ec75566113c75065af5a6124b62d93c            -r--r--r--.
│   │       ├── 0b16ab2571f4b3e0d5a96b66a00e5016ddc0d268e8bc45dc612948c4c95b94cd            -r--r--r--.
│   │       ├── 194fdd7e97b357a66bf462d13404702e429c9be14ae1f824f6d233a156b122d7            -r--r--r--.
│   │       ├── da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e            -r--r--r--.
│   │       ├── e17133b79956ad6f69ae7f775badd1c11bad2fc64f0529cab863b9d12fbaa5c4            -r--r--r--.
│   │       └── ff4a8eb070e12018233797e865841d877a7835c4c6d5cfc52e5481995da6b2f7            -r--r--r--.
│   └── ingest                                                                              drwxr-xr-x.    //755 -> 700
├── io.containerd.grpc.v1.cri                                                               drwxr-xr-x.    //755 -> 700
│   ├── containers                                                                          drwxr-xr-x.    //755 -> 700
│   │   └── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b                drwxr-xr-x.    //755 -> 700
│   │       └── status                                                                      -rw-------.
│   └── sandboxes                                                                           drwxr-xr-x.    //755 -> 700
│       └── 02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4                drwxr-xr-x.    //755 -> 700
│           ├── hostname                                                                    -rw-r--r--.
│           ├── hosts                                                                       -rw-r--r--.
│           └── resolv.conf                                                                 -rw-r--r--.
├── io.containerd.metadata.v1.bolt                                                          drwx--x--x.
│   └── meta.db                                                                             -rw-r--r--.
├── io.containerd.runtime.v1.linux                                                          drwx--x--x.
├── io.containerd.runtime.v2.task                                                           drwx--x--x.
│   └── k8s.io                                                                              drwx--x--x.
│       ├── 02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4                drwx--x--x.
│       ├── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b                drwx--x--x.
│       └── 1b0eced10dea9fddab7c66631f0920170121bd996d2845b48468ff119fe40826                drwx--x--x.
├── io.containerd.snapshotter.v1.blockfile                                                  drwx------.
├── io.containerd.snapshotter.v1.native                                                     drwx------.
│   └── snapshots                                                                           drwx------.
├── io.containerd.snapshotter.v1.overlayfs                                                  drwx------.
│   ├── metadata.db                                                                         -rw-------.
│   └── snapshots                                                                           drwx------.
│       ├── 1                                                                               drwx------.
│       │   ├── fs                                                                          drwxr-xr-x.    //755       // The mirror real layer does not need to be modified
│       │   └── work                                                                        drwx--x--x.    //711
└── tmpmounts
```

/run/containerd

```text
containerd                                                                                  drwx--x--x.
├── containerd.sock                                                                         srw-rw----.
├── containerd.sock.ttrpc                                                                   srw-rw----.
├── io.containerd.grpc.v1.cri                                                               drwxr-xr-x.    //755 -> 700
│     ├── containers                                                                        drwxr-xr-x.    //755 -> 700
│     │     └── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b            drwxr-xr-x.    //755 -> 700
│     │         └── io                                                                      drwx------.
│     │             └── 149561824                                                           drwx------.
│     │                 ├── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b-stderr     prwx------.
│     │                 ├── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b-stdin      prwx------.
│     │                 └── 0a7565a2b82508a2b088d6aaa4ba88ae966319cc097159ee4ac377b7258a6c9b-stdout     prwx------.
│     └── sandboxes                                                                         drwxr-xr-x.    //755 -> 700
│         └── 02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4              drwxr-xr-x.    //755 -> 700
│             └── shm                                                                       drwxrwxrwt.
├── io.containerd.runtime.v1.linux                                                          drwx--x--x.
├── io.containerd.runtime.v2.task                                                           drwx--x--x.
│     └── k8s.io                                                                            drwx--x--x.
│         ├── 02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4              drwx------.
│         │     ├── address                                                                 -rw-rw-rw-.    //666
│         │     ├── config.json                                                             -rw-r--r--.    //644
│         │     ├── init.pid                                                                -rw-r--r--.    //644
│         │     ├── log                                                                     prwx------.
│         │     ├── log.json                                                                -rw-r--r--.    //644    //moby is also 644, consistent
│         │     ├── options.json                                                            -rw-------.
│         │     ├── rootfs                                                                  drwxr-xr-x.    //755    //rootfs does not need
│         │     ├── runtime                                                                 -rw-------.
│         │     ├── shim-binary-path                                                        -rw-------.
│         │     └── work -> /var/lib/containerd/io.containerd.runtime.v2.task/k8s.io/02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4       lrwxrwxrwx
├── runc                                                                                    drwx------.
│     └── k8s.io                                                                            drwx------.
│         ├── 02602d4ea2123e45724138006e986bbcb4f0d7211b5a9c4aaf8697486819a9c4              drwx--x--x.
│         │     └── state.json                                                              -rw-------.
└── s                                                                                       drwx------.
      ├── 04b3d1385fb38cef9c81753c21b55621fdcddad6775f21613e526263acb14ad7                  srw-------.
      └── a8ed90f4e10f762eeaa786a339301cdd0f4864a1cbabff8c1d213837676ad1ba                  srw-------.
```

@k8s-ci-robot

Hi @fengwei0328. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

```go
func (s *store) ensureIngestRoot() error {
	return os.MkdirAll(filepath.Join(s.root, "ingest"), 0777)
}
```
Contributor Author


Due to kernel limitations, it is impossible to create a 777 folder, so why choose 777 at the beginning of the code design?
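
The mode handed to `os.MkdirAll` is only an upper bound: `mkdir(2)` stores `mode &^ umask`, so a process with the usual umask 022 gets 0755 from a 0777 request, and one with umask 077 gets 0700. Passing 0777 is the conventional way of saying "let the umask decide". The Go program below is an added example, not containerd code, contrasting that with an explicit `os.Chmod` after creation, which the umask does not filter and which is what enforces a fixed mode such as the 0700 this PR proposes. `MkdirMasked`, `MkdirExact`, `WithUmask` and the temporary directory names are mine; `syscall.Umask` makes it Unix-only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// dirPerm returns the permission bits the kernel actually stored for path.
func dirPerm(path string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// MkdirMasked is what os.MkdirAll(path, requested) gives you: mkdir(2)
// stores requested &^ umask, so 0777 becomes 0755 under umask 022 and 0700
// under umask 077. If path already exists its mode is left untouched.
func MkdirMasked(path string, requested os.FileMode) (os.FileMode, error) {
	if err := os.MkdirAll(path, requested); err != nil {
		return 0, err
	}
	return dirPerm(path)
}

// MkdirExact creates path and then applies mode with chmod(2), which the
// umask does not filter, so the result is exactly mode whatever umask the
// daemon inherited. Between the two calls the directory only ever carries
// the narrower masked mode, so nothing is exposed in the window, and an
// already existing directory is brought to mode as well.
func MkdirExact(path string, mode os.FileMode) (os.FileMode, error) {
	if err := os.MkdirAll(path, mode); err != nil {
		return 0, err
	}
	if err := os.Chmod(path, mode); err != nil {
		return 0, err
	}
	return dirPerm(path)
}

// WithUmask runs fn with the process umask set to mask and restores the
// previous value afterwards. The umask is process-wide, so this is for a
// demonstration or a test, not for use from concurrent goroutines.
func WithUmask(mask int, fn func() error) error {
	old := syscall.Umask(mask)
	defer syscall.Umask(old)
	return fn()
}

func main() {
	root, err := os.MkdirTemp("", "perm-demo-") // hypothetical scratch location
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(root)
	err = WithUmask(0o022, func() error {
		masked, err := MkdirMasked(filepath.Join(root, "ingest-masked"), 0o777)
		if err != nil {
			return err
		}
		exact, err := MkdirExact(filepath.Join(root, "ingest-exact"), 0o777)
		if err != nil {
			return err
		}
		private, err := MkdirExact(filepath.Join(root, "content"), 0o700)
		if err != nil {
			return err
		}
		fmt.Printf("umask 022: MkdirAll(0777) -> %04o, MkdirAll+Chmod(0777) -> %04o, MkdirAll+Chmod(0700) -> %04o\n",
			uint32(masked), uint32(exact), uint32(private))
		return nil
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

A daemon started with a restrictive umask already gets 0700 from the 0777 call; the difference only shows on hosts with a permissive umask, which is exactly the environment where a fixed mode matters. Note that a default ACL on the parent directory replaces the umask in the mkdir calculation, so on such filesystems the chmod form is the only one that yields a predictable result.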

@k8s-ci-robot

@fengwei0328: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.


In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Signed-off-by: fengwei0328 <[email protected]>
@k8s-ci-robot

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

This PR is stale because it has been open 90 days with no activity. This PR will be closed in 7 days unless new comments are made or the stale label is removed.

@github-actions github-actions Bot added the Stale label Jun 11, 2025
@github-actions

This PR was closed because it has been stalled for 7 days with no activity.

@github-actions github-actions Bot closed this Jun 19, 2025
@github-project-automation github-project-automation Bot moved this from Needs Triage to Done in Pull Request Review Jun 19, 2025