File docker-mount-secrets.patch of Package docker.708
From ed97ccf535888a5e1fa2cadf42d01089e1192e06 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Thu, 13 Nov 2014 15:28:39 -0500
Subject: [PATCH] Super Secrets Patch
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
---
 daemon/container.go | 48 +++++++++++++++++++++++++++++-
 daemon/secrets.go | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 daemon/volumes.go | 11 +++++++
 graph/graph.go | 1 +
 4 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 daemon/secrets.go
Index: docker/daemon/container.go
===================================================================
--- docker.orig/daemon/container.go
+++ docker/daemon/container.go
@@ -405,11 +405,28 @@ func (container *Container) Start() (err
 if err := populateCommand(container, env); err != nil {
 return err
 }
+ if err := container.setupSecretFiles(); err != nil {
+ return err
+ }
 if err := container.setupMounts(); err != nil {
 return err
 }
- return container.waitForStart()
+ if err := container.waitForStart(); err != nil {
+ return err
+ }
+
+ // Now the container is running, unmount the secrets on the host
+ secretsPath, err := container.secretsPath()
+ if err != nil {
+ return err
+ }
+
+ if err := syscall.Unmount(secretsPath, syscall.MNT_DETACH); err != nil {
+ return err
+ }
+
+ return nil
 }
 func (container *Container) Run() error {
@@ -886,6 +903,10 @@ func (container *Container) jsonPath() (
 return container.getRootResourcePath("config.json")
 }
+func (container *Container) secretsPath() (string, error) {
+ return container.getRootResourcePath("secrets")
+}
+
 // This method must be exported to be used from the lxc template
 // This directory is only usable when the container is running
 func (container *Container) RootfsPath() string {
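Review bot: When `container.setupMounts()` or `container.waitForStart()` fails after `setupSecretFiles()` has already succeeded, Start returns with the secrets tmpfs still mounted on the host at secretsPath, because the `syscall.Unmount` added in this hunk sits on the success path only; a failed start therefore leaves the copied credentials mounted on the host until something else cleans the directory up. The hunk header suggests Start has a named `err` result, in which case resolving secretsPath right after setupSecretFiles and registering a deferred lazy unmount that fires when err is non-nil covers every failure path while the explicit unmount stays for the success path. Start's signature and the beginning of its body lie outside the hunk, so the named result should be confirmed there before relying on it in the defer.
```go
	if err := container.setupSecretFiles(); err != nil {
		return err
	}
	secretsPath, err := container.secretsPath()
	if err != nil {
		return err
	}
	// A failed start must not leave the host-side tmpfs (and the credentials
	// copied into it) mounted; on success it is detached explicitly below.
	defer func() {
		if err != nil {
			syscall.Unmount(secretsPath, syscall.MNT_DETACH)
		}
	}()
	// … unchanged: setupMounts, waitForStart …
	if err := syscall.Unmount(secretsPath, syscall.MNT_DETACH); err != nil {
		return err
	}
	return nil
```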
@@ -1260,6 +1281,31 @@ func (container *Container) verifyDaemon
 }
 }
+func (container *Container) setupSecretFiles() error {
+ secretsPath, err := container.secretsPath()
+ if err != nil {
+ return err
+ }
+
+ if err := os.MkdirAll(secretsPath, 0700); err != nil {
+ return err
+ }
+
+ if err := syscall.Mount("tmpfs", secretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", container.GetMountLabel())); err != nil {
+ return fmt.Errorf("mounting secret tmpfs: %s", err)
+ }
+
+ data, err := getHostSecretData()
+ if err != nil {
+ return err
+ }
+ for _, s := range data {
+ s.SaveTo(secretsPath)
+ }
+
+ return nil
+}
+
 func (container *Container) setupLinkedContainers() ([]string, error) {
 var (
 env []string
Index: docker/daemon/secrets.go
===================================================================
--- /dev/null
+++ docker/daemon/secrets.go
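Review bot: The error returned by `s.SaveTo(secretsPath)` inside the for loop is discarded, so a credential that fails to write leaves the container to start with a missing or partial secret and no indication why; the loop should propagate it. Because the tmpfs is already mounted by the time getHostSecretData and the loop run, both failure paths after the Mount call should also lazily unmount it, otherwise an aborted setup leaves the copied credentials mounted on the host with nothing in this function or in Start's error path to remove them. The noexec/nosuid/nodev flags on the tmpfs mount and the 0700 directory are the right choices and can stay as they are.
```go
	data, err := getHostSecretData()
	if err != nil {
		syscall.Unmount(secretsPath, syscall.MNT_DETACH)
		return err
	}
	for _, s := range data {
		if err := s.SaveTo(secretsPath); err != nil {
			// Do not leave a half-populated tmpfs mounted on the host.
			syscall.Unmount(secretsPath, syscall.MNT_DETACH)
			return fmt.Errorf("writing secret %q: %s", s.Name, err)
		}
	}
	return nil
```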
@@ -0,0 +1,102 @@
+package daemon
+
+import (
+ log "github.com/Sirupsen/logrus"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+)
+
+type Secret struct {
+ Name string
+ IsDir bool
+ HostBased bool
+}
+
+type SecretData struct {
+ Name string
+ Data []byte
+}
+
+func (s SecretData) SaveTo(dir string) error {
+ path := filepath.Join(dir, s.Name)
+ if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil && !os.IsExist(err) {
+ return err
+ }
+ if err := ioutil.WriteFile(path, s.Data, 0755); err != nil {
+ return err
+ }
+ return nil
+}
+
+func readAll(root, prefix string) ([]SecretData, error) {
+ path := filepath.Join(root, prefix)
+
+ data := []SecretData{}
+
+ files, err := ioutil.ReadDir(path)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return data, nil
+ }
+
+ return nil, err
+ }
+
+ for _, f := range files {
+ fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
+ if err != nil {
+ // If the file did not exist, might be a dangling symlink
+ // Ignore the error
+ if os.IsNotExist(err) {
+ continue
+ }
+ return nil, err
+ }
+ data = append(data, fileData...)
+ }
+
+ return data, nil
+}
+
+func readFile(root, name string) ([]SecretData, error) {
+ path := filepath.Join(root, name)
+
+ s, err := os.Stat(path)
+ if err != nil {
+ return nil, err
+ }
+
+ if s.IsDir() {
+ dirData, err := readAll(root, name)
+ if err != nil {
+ return nil, err
+ }
+ return dirData, nil
+ } else {
+ bytes, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ return []SecretData{{Name: name, Data: bytes}}, nil
+ }
+}
+
+func getHostSecretData() ([]SecretData, error) {
+ credentials, err := readAll("/etc/zypp/", "credentials.d")
+ if err != nil {
+ log.Errorf("Error while reading zypp credentials: %s", err)
+ return credentials, err
+ }
+
+ suseConnect, err := readFile("/etc", "SUSEConnect")
+ if err != nil {
+ if os.IsNotExist(err) {
+ suseConnect = []SecretData{}
+ } else {
+ log.Errorf("Error while reading /etc/SUSEConnect: %s", err)
+ return nil, err
+ }
+ }
+ return append(credentials, suseConnect...), nil
+}
Index: docker/daemon/volumes.go
===================================================================
--- docker.orig/daemon/volumes.go
+++ docker/daemon/volumes.go
@@ -348,6 +348,17 @@ func (container *Container) setupMounts(
 mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
 }
+ secretsPath, err := container.secretsPath()
+ if err != nil {
+ return err
+ }
+
+ mounts = append(mounts, execdriver.Mount{
+ Source: secretsPath,
+ Destination: "/run/secrets",
+ Writable: true,
+ })
+
 container.command.Mounts = mounts
 return nil
 }
Index: docker/graph/graph.go
===================================================================
--- docker.orig/graph/graph.go
+++ docker/graph/graph.go
@@ -286,6 +286,7 @@ func SetupInitLayer(initLayer string) er
 "/etc/hostname": "file",
 "/dev/console": "file",
 "/etc/mtab": "/proc/mounts",
+ "/run/secrets": "dir",
 } {
 parts := strings.Split(pth, "/")
 prev := "/"
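Review bot: `SaveTo` writes every credential with mode 0755 and its parent directories with 0755, which makes the copied zypp credentials and /etc/SUSEConnect readable by every uid inside the container and marks them executable; nothing in the patch needs the execute bit (setupSecretFiles mounts the tmpfs noexec anyway), so `ioutil.WriteFile(path, s.Data, 0644)` is the most that should be granted, and 0600/0700 if the container process is known to run as root. The `!os.IsExist(err)` guard on the MkdirAll line is redundant, since MkdirAll returns nil when the directory already exists. readFile follows symlinks through os.Stat and ioutil.ReadFile, so a live symlink under /etc/zypp/credentials.d copies whatever host file it points at into every container; on a normal host that directory is root-owned, but the trust assumption deserves a comment on readAll such as `// root's contents are trusted: live symlinks are followed, dangling ones skipped.` In getHostSecretData, `return credentials, err` hands the caller a partial slice alongside the error; `return nil, err` matches the function's other failure path.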
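Review bot: The /run/secrets entry is the only mount in this block built without `Private: true`, whereas the /etc/hosts mount on the context line above sets it, and it is `Writable: true` although nothing in the patch writes to the secrets from inside the container. Unless the execdriver needs a writable target here, `Writable: false, Private: true,` matches the sibling mounts and keeps the container from altering the credentials it was handed; execdriver.Mount's semantics are not visible in the hunk, so confirm that Private is valid for a tmpfs source. Whether the noexec/nosuid/nodev flags set on the tmpfs in setupSecretFiles survive the execdriver's bind into the container also depends on code outside this patch and is worth verifying.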