
Only chown network files within container metadata#34224

Merged
vieux merged 1 commit into moby:master from estesp:no-chown-nwfiles-outside-metadata on Nov 2, 2017

Conversation

@estesp (Contributor) commented Jul 23, 2017

If the user specifies a mountpath from the host, we should not be
attempting to chown files outside the daemon's metadata directory
(represented by daemon.repository at init time).

This forces users who want to use user namespaces to handle the
ownership needs of any external files mounted as network files
(/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
daemon. In all other volume/bind mount situations we have taken this
same line--we don't chown host filesystem content.

Docker-DCO-1.1-Signed-off-by: Phil Estes [email protected]

@thaJeztah my only concern here is change in behavior if anyone has relied on mounting network files from a host system location and gotten this automatic "chown" behavior. Something we have to consider I guess.
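The rule the description states, shown as an added example (this is not moby's code): a decision function that applies the container's remapped root ownership to the daemon-generated network files only when their host path lies under the daemon's metadata directory, and skips any host path the user supplied themselves, exactly as other bind mounts are treated. `IDMap`, `NetworkFile`, `ChownNetworkFiles`, `withinRoot` and the `/var/lib/docker/100000.100000` directory are this example's own assumptions, and the chown callback is injected so the sample run is a dry run rather than a real `os.Lchown`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Added example, not moby's code. Models the rule from the PR description:
// the daemon chowns the network files it generates (resolv.conf, hosts,
// hostname) to the remapped root of a user-namespaced container, but only
// when the file lives under the daemon's metadata directory. Host paths the
// user bind-mounted are left alone, as with any other bind mount.

// IDMap is the host uid/gid that root inside the container maps to (assumed values).
type IDMap struct {
	UID, GID int
}

// NetworkFile pairs the in-container path with the host path backing it.
type NetworkFile struct {
	ContainerPath string // e.g. /etc/resolv.conf
	HostPath      string // a file the daemon wrote, or a host file the user mounted
}

// ChownFunc lets the caller swap os.Lchown for a recorder in a dry run or test.
type ChownFunc func(path string, uid, gid int) error

// withinRoot reports whether path is root itself or a descendant of it,
// comparing cleaned lexical paths. It deliberately does not resolve symlinks;
// a caller that must defend against a symlink inside root pointing outside it
// should compare filepath.EvalSymlinks results instead.
func withinRoot(root, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(path))
	if err != nil {
		return false // relative vs absolute, or different volumes on Windows
	}
	sep := string(filepath.Separator)
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

// ChownNetworkFiles applies the remapped ownership to every network file whose
// host path is under repository and returns the host paths it changed and the
// ones it skipped because they are outside the daemon's metadata directory.
func ChownNetworkFiles(repository string, files []NetworkFile, idmap IDMap, chown ChownFunc) (changed, skipped []string, err error) {
	for _, f := range files {
		if !withinRoot(repository, f.HostPath) {
			skipped = append(skipped, f.HostPath)
			continue
		}
		if cerr := chown(f.HostPath, idmap.UID, idmap.GID); cerr != nil {
			return changed, skipped, fmt.Errorf("chown %s for %s: %w", f.HostPath, f.ContainerPath, cerr)
		}
		changed = append(changed, f.HostPath)
	}
	return changed, skipped, nil
}

func main() {
	// Constructed: metadata directory of a daemon running with userns-remap.
	repo := "/var/lib/docker/100000.100000"
	files := []NetworkFile{
		{"/etc/resolv.conf", repo + "/containers/abc/resolv.conf"},   // daemon-generated
		{"/etc/hostname", repo + "/containers/abc/hostname"},         // daemon-generated
		{"/etc/hosts", "/etc/hosts"},                                 // user mounted the host's file
		{"/etc/resolv.conf", repo + "/../../../etc/resolv.conf"},     // traversal out of the root
	}
	dryRun := func(p string, uid, gid int) error {
		fmt.Printf("chown %d:%d %s\n", uid, gid, p)
		return nil // a real daemon would call os.Lchown here
	}
	changed, skipped, err := ChownNetworkFiles(repo, files, IDMap{UID: 100000, GID: 100000}, dryRun)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("changed:", changed)
	fmt.Println("skipped:", skipped)
}
```

The containment test is done on cleaned paths with a separator-aware prefix check, so `/var/lib/docker/100000.100000-other/...` and `..` traversals are both treated as outside the root; a naive `strings.HasPrefix(path, root)` would accept the former.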

@thaJeztah (Member) commented:

@estesp discussing with @vieux; and this LGTM; can you add a small test?

@vieux vieux assigned vieux and unassigned aaronlehmann Oct 26, 2017
@estesp estesp force-pushed the no-chown-nwfiles-outside-metadata branch from c02b1fe to 308f501 on October 31, 2017 22:58
@estesp (Contributor, Author) commented Oct 31, 2017

Thanks @thaJeztah; test added!

If the user specifies a mountpath from the host, we should not be
attempting to chown files outside the daemon's metadata directory
(represented by `daemon.repository` at init time).

This forces users who want to use user namespaces to handle the
ownership needs of any external files mounted as network files
(/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
daemon. In all other volume/bind mount situations we have taken this
same line--we don't chown host file content.

Docker-DCO-1.1-Signed-off-by: Phil Estes <[email protected]>
@estesp estesp force-pushed the no-chown-nwfiles-outside-metadata branch from 308f501 to 42716dc on November 1, 2017 14:14
@vieux (Contributor) left a review comment:

LGTM


5 participants