From 71e8d765df946ffa3232618a427949f9ee0c463d Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Fri, 24 Mar 2017 12:47:52 -0700
Subject: [PATCH] set +x on overlay fs dirs

We need to set +x on the overlay dirs or after dropping from root to a non-root user an eperm will happen on exec or other file access

Signed-off-by: Michael Crosby
---
 cmd/ctr/run.go | 9 ++++++++-
 linux/runtime.go | 2 +-
 snapshot/overlay/overlay.go | 3 +--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/cmd/ctr/run.go b/cmd/ctr/run.go
index a25b206..ce2a959 100644
--- a/cmd/ctr/run.go
+++ b/cmd/ctr/run.go
@@ -113,6 +113,13 @@ func spec(id string, config *ocispec.ImageConfig, context *cli.Context) (*specs.
 Effective: capabilities,
 Ambient: capabilities,
 },
+ Rlimits: []specs.LinuxRlimit{
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(1024),
+ Soft: uint64(1024),
+ },
+ },
 },
 Mounts: []specs.Mount{
 {
@@ -311,7 +318,7 @@ var runCommand = cli.Command{
 }
 var imageConfig ocispec.Image
 switch ic.MediaType {
- case ocispec.MediaTypeImageConfig, "application/vnd.docker.container.image.v1+json":
+ case ocispec.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:
 r, err := provider.Reader(ctx, ic.Digest)
 if err != nil {
 return err
diff --git a/linux/runtime.go b/linux/runtime.go
index c239e3c..ff9c396 100644
--- a/linux/runtime.go
+++ b/linux/runtime.go
@@ -41,7 +41,7 @@ type Config struct {
 }
 func New(ic *plugin.InitContext) (interface{}, error) {
- path := filepath.Join(ic.Root, runtimeName)
+ path := filepath.Join(ic.State, runtimeName)
 if err := os.MkdirAll(path, 0700); err != nil {
 return nil, err
 }
diff --git a/snapshot/overlay/overlay.go b/snapshot/overlay/overlay.go
index 37c54fe..456b5e8 100644
--- a/snapshot/overlay/overlay.go
+++ b/snapshot/overlay/overlay.go
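Review bot: The added `Rlimits` entry pins RLIMIT_NOFILE to a hard and soft limit of 1024 for every container that `ctr run` starts, with no flag to override it and no comment saying why the hard limit is fixed this low; since a process cannot raise its own hard limit, anything inside the container that needs more descriptors will fail at open time. I would hoist the value into a named constant with a one-line rationale, e.g. `// defaultNoFile is the RLIMIT_NOFILE hard and soft limit applied to containers started by ctr run`, and drop the `uint64(1024)` conversions if `Hard` and `Soft` are already uint64 in the specs package (confirm against its definition). This change is unrelated to the commit's stated purpose of fixing directory modes, so it may deserve its own commit. `spec`'s body starts and ends outside the hunk.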
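Review bot: The runtime directory moves from `ic.Root` to `ic.State` without a comment recording why, and the commit message does not mention this change at all, so the intent is easy to lose on the next read. A one-line comment above the call, `// per-runtime state lives under ic.State rather than the persistent ic.Root`, would capture it — confirm that this is the actual distinction between the two fields. Anything already written under the old `ic.Root` location is neither cleaned up nor migrated by this hunk, which is worth a note if upgrades in place are expected. `New` continues past the end of the hunk.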
@@ -47,7 +47,6 @@ func NewSnapshotter(root string, ms storage.MetaStore) (snapshot.Snapshotter, er
 if err := os.MkdirAll(root, 0700); err != nil {
 return nil, err
 }
-
 if err := os.MkdirAll(filepath.Join(root, "snapshots"), 0700); err != nil {
 return nil, err
 }
@@ -189,7 +188,7 @@ func (o *Snapshotter) createActive(ctx context.Context, key, parent string, read
 }
 }()
- if err = os.MkdirAll(filepath.Join(td, "fs"), 0700); err != nil {
+ if err = os.MkdirAll(filepath.Join(td, "fs"), 0711); err != nil {
 return nil, err
 }
 if !readonly {
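Review bot: The mode passed to `os.MkdirAll` is applied before the process umask, so `0711` only yields a group/other traverse bit when containerd runs under a permissive umask; with a `077` umask the `fs` directory is still created `0700` and the EPERM the commit message describes comes back. If the traverse bit is a requirement rather than a hint, follow the MkdirAll with an explicit `if err = os.Chmod(filepath.Join(td, "fs"), 0711); err != nil { return nil, err }`, which the umask does not touch. On the host side the extra bit is contained, because the parent `snapshots` directory is still created `0700` in `NewSnapshotter` in the first hunk, so it only becomes reachable once `fs` is exposed as a mount root inside a container. `createActive`'s body starts and ends outside the hunk.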