Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use user-specific temp directory if set #41

Merged
merged 1 commit into from
May 11, 2018
Merged

Use user-specific temp directory if set #41

merged 1 commit into from
May 11, 2018

Conversation

Callisto13
Copy link
Contributor

This allows non-privileged users to use containerd. This is part of a
larger track of work integrating containerd into Cloudfoundry's garden
with support for rootless.

This is linked to containerd/containerd#2325

[#156343575]

Signed-off-by: Claudia Beresford cberesford@pivotal.io

crosbymichael
crosbymichael reviewed May 4, 2018
View reviewed changes
console.go Outdated
@@ -50,7 +50,7 @@ func NewConsoleSocket(path string) (*Socket, error) {
// NewTempConsoleSocket returns a temp console socket for use with a container
// On Close(), the socket is deleted
func NewTempConsoleSocket() (*Socket, error) {
dir, err := ioutil.TempDir("", "pty")
dir, err := ioutil.TempDir(os.Getenv("XDG_RUNTIME_DIR"), "pty")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for this one, we need to set the sticky bit on the temp dir that we are creating so that it does not get auto pruned after 6hrs when the socket is not updated. Here is the runc code for this.

	root := "/run/runc"
	if os.Geteuid() != 0 {
		runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
		if runtimeDir != "" {
			root = runtimeDir + "/runc"
			// According to the XDG specification, we need to set anything in
			// XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
			// auto-pruned.
			if err := os.MkdirAll(root, 0700); err != nil {
				fatal(err)
			}
			if err := os.Chmod(root, 0700|os.ModeSticky); err != nil {
				fatal(err)
			}
		}
}

@Callisto13 @yulianedyalkova
Use user-specific temp directory if set
07e192d 
This allows non-privileged users to use containerd. This is part of a
larger track of work integrating containerd into Cloudfoundry's garden
with support for rootless.

[#156343575]

Signed-off-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Tom Godkin <tgodkin@pivotal.io>
@Callisto13
Copy link
Contributor Author

@crosbymichael bump just incase github didn't update you on the force push :)

@crosbymichael
Copy link
Member

@Callisto13 do you know if there is a distinction between the stickybit being on the directory or the files inside for auto prune?

@BooleanCat
Copy link

@crosbymichael @Callisto13 The XDG Base Directory Specification is ambiguous on this topic, it's unclear (at least to me) whether the spec describes files as any file or as non-directories.

Although, it appears that systemd creates sockets in subdirectories of XDG_RUNTIME_DIR and doesn't set the sticky bit on those files.

@crosbymichael
Copy link
Member

LGTM

Thanks for looking into this more @BooleanCat

estesp
estesp approved these changes May 11, 2018
View reviewed changes
Copy link
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@estesp estesp merged commit 301f7c1 into containerd:master May 11, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crosbymichael crosbymichael crosbymichael left review comments

@estesp estesp estesp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Callisto13 @crosbymichael @BooleanCat @estesp