opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-21 09:28:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2474 from giuseppe/fix-fips-mode-with-namespaces

Browse Source 
secrets: fix fips-mode with user namespaces
This commit is contained in:
OpenShift Merge Robot
2019-02-28 00:45:13 +01:00
committed by GitHub
parent cd060d0b54 80bad464f9
commit 6f0dbd004f
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/secrets/secrets.go
View File

@ -8,6 +8,7 @@ import (
"strings" "strings"
"github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/idtools"
rspec "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host // Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips") _, err := os.Stat("/etc/system-fips")
if err == nil { if err == nil {
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil { if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err) logrus.Errorf("error adding FIPS mode secret to container: %v", err)
} }
} else if os.IsNotExist(err) { } else if os.IsNotExist(err) {
@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts. // root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in // This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode. // FIPS mode as the host is also in FIPS mode.
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error { func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets" secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
return errors.Wrapf(err, "making container directory on host failed") return errors.Wrapf(err, "making container directory on host failed")
} }
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
return errors.Wrap(err, "error applying correct labels")
}
} }
fipsFile := filepath.Join(ctrDirOnHost, "system-fips") fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
// In the event of restart, it is possible for the FIPS mode file to already exist // In the event of restart, it is possible for the FIPS mode file to already exist
@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
if !mountExists(*mounts, secretsDir) { if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{ m := rspec.Mount{
Source: ctrDirOnHost, Source: filepath.Join(mountPrefix, secretsDir),
Destination: secretsDir, Destination: secretsDir,
Type: "bind", Type: "bind",
Options: []string{"bind", "rprivate"}, Options: []string{"bind", "rprivate"},