-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tmpfs permissions confusion #1647
Comments
Yeah, we should probably also preserve the owner information. I'll write up a patch. Though you /could/ argue it's a partial security issue as an image could make the owner an unprivileged user to try to trick the container runtime to make the owner of the mount something different... |
Also got bitten by this issue, personally I would expect tmpfs-mode to be honoured when specified |
Hello. This issue seems potentially related to Permissions on tmpfs mounts reset after container restart and --tmpfs with --user works for the first time. Fails in subsequent container starts. Right now, I'm not sure there is a way to use |
The thought below is spanning across both
docker
andrunc
. In case I should be addressing the issue somewhere else, please let me know.I find a bit confusing how
tmpfs
mounts are implemented. Simply doingdocker run --mount type=tmpfs,destination=some-path-here,tmpfs-mode=1770 <...>
will produce variable outcome when the mount point already exists and when it doesn't. That is, the
tmpfs-mode
argument is effectively ignored when the mountpoint exists, since the mode is copied back from the destination directory (libcontainer/rootfs_linux.go:190
).Well, being familiar with this behaviour now, I think this might be useful (still I found nothing about this in docs: https://docs.docker.com/engine/admin/volumes/tmpfs/).
But why then uid/gid are not restored as well? Mounting a
tmpfs
over the existing directory will preserve mode bits, but replace uid and gid withroot
. Sorunc
is stopping somewhere in between -- it does neither fully restore permissions from the existing mount point nor rely on tmpfs mount options (uid, gid, mode, etc). Can this be resolved into a fully consistent behaviour?The text was updated successfully, but these errors were encountered: