Use user-specific temp directory if set#2325
This allows non-privileged users to use containerd. This is part of a larger track of work integrating containerd into Cloudfoundry's garden with support for rootless. [#156343575] Signed-off-by: Claudia Beresford <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #2325 +/- ##
==========================================
+ Coverage 45.41% 45.43% +0.01%
==========================================
Files 83 83
Lines 9210 9214 +4
==========================================
+ Hits 4183 4186 +3
- Misses 4351 4352 +1
Partials 676 676
LGTM. I've run into similar problems during demos.
AkihiroSuda left a comment:
LGTM
I guess we need to do the same for the FIFO dir as well (sorry, I can't look into it deeper during KubeCon), but it can be done in a separate PR.
If you want to add tasks to #2262 plz let us know.
crosbymichael left a comment:
I think we need more logic around this, because you need to set the sticky bit if you are using this directory. You can see the implementation in runc for how we use this when userns is enabled:
```go
package main

import (
	"log"
	"os"
)

// Stand-in for runc's own fatal helper, added so this excerpt compiles on its own.
func fatal(err error) { log.Fatal(err) }

func main() {
	root := "/run/runc"
	if os.Geteuid() != 0 {
		runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
		if runtimeDir != "" {
			root = runtimeDir + "/runc"
			// According to the XDG specification, we need to set anything in
			// XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
			// auto-pruned.
			if err := os.MkdirAll(root, 0700); err != nil {
				fatal(err)
			}
			if err := os.Chmod(root, 0700|os.ModeSticky); err != nil {
				fatal(err)
			}
		}
	}
}
```
crosbymichael left a comment:
LGTM
After reading the spec again and how we are using it, we are safe without the use of the sticky bit (files modified within the last 6 hrs or sticky bit). Sorry for the noise.
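The directory-resolution pattern discussed in the two comments above, as an added example that is not code from containerd, runc or this PR: it reproduces the XDG_RUNTIME_DIR fallback with the sticky bit left optional (the thread concludes it is not required), and adds the on-disk checks a reviewer would want because the variable is controlled by the invoking user. The function names, the default root `/run/containerd` and the `containerd` subdirectory name are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// runtimeRoot follows the runc pattern quoted above: root stays at the system
// default, a non-root user gets XDG_RUNTIME_DIR/sub when the variable is set.
// euid and getenv are injected so the logic is testable without a real env.
func runtimeRoot(euid int, getenv func(string) string, defaultRoot, sub string) string {
	if euid == 0 {
		return defaultRoot
	}
	if dir := getenv("XDG_RUNTIME_DIR"); dir != "" {
		return filepath.Join(dir, sub)
	}
	return defaultRoot
}

// ensureRuntimeDir creates root with mode 0700 (plus the XDG "do not prune"
// sticky bit if requested), then checks what is really on disk, because
// XDG_RUNTIME_DIR is user-controlled: no symlinks, no group/other access.
func ensureRuntimeDir(root string, sticky bool) error {
	if err := os.MkdirAll(root, 0o700); err != nil {
		return err
	}
	if sticky {
		if err := os.Chmod(root, 0o700|os.ModeSticky); err != nil {
			return err
		}
	}
	fi, err := os.Lstat(root)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s is a symlink, refusing to use it", root)
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %o, expected 0700", root, perm)
	}
	if sticky && fi.Mode()&os.ModeSticky == 0 {
		return fmt.Errorf("%s lost its sticky bit", root)
	}
	return nil
}
```

A pre-existing directory with loose permissions is reported rather than silently chmod'ed, so an operator sees that something else already claimed the path.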
This allows non-privileged users to use containerd. This is part of a
larger track of work integrating containerd into Cloudfoundry's garden
with support for rootless.
Also, runc already supports the XDG_RUNTIME_DIR so supporting the variable here as well makes sense.
Here is a link to our tracker on the containerd work: https://www.pivotaltracker.com/n/projects/1158420/search?q=label%3A%22containerd%22
[#156343575]
Signed-off-by: Claudia Beresford [email protected]