Revert "Revert "Add RHEL super secrets patch""

This reverts commit c1195c2.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container/container_notlinux.go

@@ -17,6 +17,11 @@ func (container *Container) SecretMount() *Mount {
 	return nil
 }
 
+// SecretMountRHEL returns the mount for the secret path
+func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
+	return nil
+}
+
 // UnmountSecrets unmounts the fs for secrets
 func (container *Container) UnmountSecrets() error {
 	return nil

container/container_unix.go

@@ -263,6 +263,7 @@ func (container *Container) SecretMount() *Mount {
 			Source:      container.SecretMountPath(),
 			Destination: containerSecretMountPath,
 			Writable:    false,
+			Propagation: "rprivate",
 		}
 	}
 
@@ -452,3 +453,38 @@ func cleanResourcePath(path string) string {
 func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
 	return false
 }
+
+// SecretMountRHEL returns the Secret Mount point
+func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
+	secretsPath, err := container.GetRootResourcePath("secrets")
+	if err != nil {
+		return nil, fmt.Errorf("GetSecretsPath failed: %v", err)
+	}
+
+	if err := os.RemoveAll(secretsPath); err != nil {
+		return nil, fmt.Errorf("RemoveSecretsPath failed: %v", err)
+	}
+
+	if err := os.MkdirAll(secretsPath, 0755); err != nil {
+		return nil, fmt.Errorf("MakeDirSecretsPath failed: %v", err)
+	}
+
+	data, err := getHostSecretData()
+	if err != nil {
+		return nil, fmt.Errorf("GetHostSecretData failed: %v", err)
+	}
+	for _, s := range data {
+		s.SaveTo(secretsPath)
+	}
+
+	if rootUID != 0 {
+		callback := func(p string, info os.FileInfo, err error) error {
+			return os.Chown(p, rootUID, rootGID)
+		}
+
+		filepath.Walk(secretsPath, callback)
+	}
+	label.Relabel(secretsPath, container.MountLabel, false)
+
+	return nil, nil
+}

container/container_windows.go

@@ -88,6 +88,11 @@ func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfi
 	return nil
 }
 
+// SecretMountRHEL returns the Secret Mount point
+func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
+	return nil, nil
+}
+
 // cleanResourcePath cleans a resource path by removing C:\ syntax, and prepares
 // to combine with a volume path
 func cleanResourcePath(path string) string {

container/secrets.go

@@ -0,0 +1,99 @@
+package container
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+const (
+	baseDir     = "/usr/share/rhel/secrets"
+	overrideDir = "/etc/container/rhel/secrets"
+)
+
+// Secret info
+type Secret struct {
+	Name      string
+	IsDir     bool
+	HostBased bool
+}
+
+// SecretData info
+type SecretData struct {
+	Name string
+	Data []byte
+}
+
+// SaveTo saves secret data to given directory
+func (s SecretData) SaveTo(dir string) error {
+	path := filepath.Join(dir, s.Name)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
+		return err
+	}
+	return ioutil.WriteFile(path, s.Data, 0700)
+}
+
+func readAll(root, prefix string) ([]SecretData, error) {
+	path := filepath.Join(root, prefix)
+
+	data := []SecretData{}
+
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return data, nil
+		}
+
+		return nil, err
+	}
+
+	for _, f := range files {
+		fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
+		if err != nil {
+			// If the file did not exist, might be a dangling symlink
+			// Ignore the error
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, err
+		}
+		data = append(data, fileData...)
+	}
+
+	return data, nil
+}
+
+func readFile(root, name string) ([]SecretData, error) {
+	path := filepath.Join(root, name)
+
+	s, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+
+	if s.IsDir() {
+		dirData, err := readAll(root, name)
+		if err != nil {
+			return nil, err
+		}
+		return dirData, nil
+	}
+	bytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return []SecretData{{Name: name, Data: bytes}}, nil
+}
+
+func getHostSecretData() ([]SecretData, error) {
+	baseSecrets, err := readAll(baseDir, "")
+	if err != nil {
+		return nil, fmt.Errorf("Failed to read secrets from %s: %s\n", baseDir, err.Error())
+	}
+	overrideSecrets, err := readAll(overrideDir, "")
+	if err != nil {
+		return nil, fmt.Errorf("Failed to read secrets from %s: %s\n", overrideDir, err.Error())
+	}
+	return append(baseSecrets, overrideSecrets...), nil
+}

daemon/container_operations_unix.go

@@ -213,6 +213,8 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		}
 	}
 
+	label.Relabel(localMountPath, c.MountLabel, false)
+
 	// remount secrets ro
 	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil {
 		return errors.Wrap(err, "unable to remount secret dir as readonly")

daemon/oci_linux.go

@@ -693,10 +693,6 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 		return nil, err
 	}
 
-	if err := daemon.setupSecretDir(c); err != nil {
-		return nil, err
-	}
-
 	ms, err := daemon.setupMounts(c)
 	if err != nil {
 		return nil, err
@@ -710,7 +706,28 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 	}
 	ms = append(ms, tmpfsMounts...)
 
-	if m := c.SecretMount(); m != nil {
+	rootUID, rootGID := daemon.GetRemappedUIDGID()
+	if daemon.configStore.EnableSecrets {
+		_, err := c.SecretMountRHEL(rootUID, rootGID)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := daemon.setupSecretDir(c); err != nil {
+		return nil, err
+	}
+
+	sm := c.SecretMount()
+	if sm != nil {
+		ms = append(ms, *sm)
+	} else {
+		// add the rhel mount
+		m := &container.Mount{}
+		m.Source = c.SecretMountPath()
+		m.Destination = "/run/secrets"
+		m.Writable = true
+		m.Propagation = "rprivate"
 		ms = append(ms, *m)
 	}
 

integration-cli/docker_cli_diff_test.go

@@ -83,6 +83,8 @@ func (s *DockerSuite) TestDiffEnsureDefaultDevs(c *check.C) {
 		"A /dev/tty":     true,
 		"A /dev/urandom": true,
 		"A /dev/zero":    true,
+		"A /run":         true, // secrets patch
+		"A /run/secrets": true, // secrets patch
 	}
 
 	for _, line := range strings.Split(out, "\n") {