Merge pull request #942 from umohnani8/secrets_patch
Add secrets support to crio
This commit is contained in:
Daniel J Walsh
GitHub
commit
5b41729b6c
7 changed files with 282 additions and 1 deletions
|
|
@ -384,6 +384,27 @@ func ensureSaneLogPath(logPath string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// addSecretsBindMounts mounts user defined secrets to the container
|
||||
func addSecretsBindMounts(mountLabel, ctrRunDir, configDefaultMountsPath string, specgen generate.Generator) error {
|
||||
mountPaths := []string{libkpod.OverrideMountsFile, libkpod.DefaultMountsFile}
|
||||
// configDefaultMountsPath is used to override the mount file path for testing purposes only when set in the runtime config
|
||||
if configDefaultMountsPath != "" {
|
||||
mountPaths = []string{configDefaultMountsPath}
|
||||
}
|
||||
for _, path := range mountPaths {
|
||||
containerMounts := specgen.Spec().Mounts
|
||||
mounts, err := secretMounts(mountLabel, path, ctrRunDir, containerMounts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for _, m := range mounts {
|
||||
specgen.AddBindMount(m.Source, m.Destination, nil)
|
||||
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CreateContainer creates a new container in specified PodSandbox
|
||||
func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (res *pb.CreateContainerResponse, err error) {
|
||||
logrus.Debugf("CreateContainerRequest %+v", req)
|
||||
|
|
@ -911,6 +932,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if err = addSecretsBindMounts(mountLabel, containerInfo.RunDir, s.config.DefaultMountsPath, specgen); err != nil {
|
||||
return nil, fmt.Errorf("failed to mount secrets: %v", err)
|
||||
}
|
||||
|
||||
mountPoint, err := s.StorageRuntimeServer().StartContainer(containerID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to mount container %s(%s): %v", containerName, containerID, err)
|
||||
|
|
|
|||
186
server/secrets.go
Normal file
186
server/secrets.go
Normal file
|
|
@ -0,0 +1,186 @@
|
|||
package server
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// SecretData info
|
||||
type SecretData struct {
|
||||
Name string
|
||||
Data []byte
|
||||
}
|
||||
|
||||
// SaveTo saves secret data to given directory
|
||||
func (s SecretData) SaveTo(dir string) error {
|
||||
path := filepath.Join(dir, s.Name)
|
||||
if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
|
||||
return err
|
||||
}
|
||||
return ioutil.WriteFile(path, s.Data, 0700)
|
||||
}
|
||||
|
||||
// readMountFile returns a list of the host:container paths
|
||||
func readMountFile(mountFilePath string) ([]string, error) {
|
||||
var mountPaths []string
|
||||
file, err := os.Open(mountFilePath)
|
||||
if err != nil {
|
||||
logrus.Warnf("file doesn't exist %q", mountFilePath)
|
||||
return nil, nil
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
scanner := bufio.NewScanner(file)
|
||||
scanner.Split(bufio.ScanLines)
|
||||
for scanner.Scan() {
|
||||
mountPaths = append(mountPaths, scanner.Text())
|
||||
}
|
||||
|
||||
return mountPaths, nil
|
||||
}
|
||||
|
||||
func readAll(root, prefix string) ([]SecretData, error) {
|
||||
path := filepath.Join(root, prefix)
|
||||
|
||||
data := []SecretData{}
|
||||
|
||||
files, err := ioutil.ReadDir(path)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return data, nil
|
||||
}
|
||||
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, f := range files {
|
||||
fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
|
||||
if err != nil {
|
||||
// If the file did not exist, might be a dangling symlink
|
||||
// Ignore the error
|
||||
if os.IsNotExist(err) {
|
||||
continue
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
data = append(data, fileData...)
|
||||
}
|
||||
|
||||
return data, nil
|
||||
}
|
||||
|
||||
func readFile(root, name string) ([]SecretData, error) {
|
||||
path := filepath.Join(root, name)
|
||||
|
||||
s, err := os.Stat(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if s.IsDir() {
|
||||
dirData, err := readAll(root, name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return dirData, nil
|
||||
}
|
||||
bytes, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return []SecretData{{Name: name, Data: bytes}}, nil
|
||||
}
|
||||
|
||||
// getHostAndCtrDir separates the host:container paths
|
||||
func getMountsMap(path string) (string, string, error) {
|
||||
arr := strings.SplitN(path, ":", 2)
|
||||
if len(arr) == 2 {
|
||||
return arr[0], arr[1], nil
|
||||
}
|
||||
return "", "", errors.Errorf("unable to get host and container dir")
|
||||
}
|
||||
|
||||
func getHostSecretData(hostDir string) ([]SecretData, error) {
|
||||
var allSecrets []SecretData
|
||||
hostSecrets, err := readAll(hostDir, "")
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
|
||||
}
|
||||
return append(allSecrets, hostSecrets...), nil
|
||||
}
|
||||
|
||||
// secretMount copies the contents of host directory to container directory
|
||||
// and returns a list of mounts
|
||||
func secretMounts(mountLabel, mountFilePath, containerWorkingDir string, runtimeMounts []rspec.Mount) ([]rspec.Mount, error) {
|
||||
var mounts []rspec.Mount
|
||||
mountPaths, err := readMountFile(mountFilePath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for _, path := range mountPaths {
|
||||
hostDir, ctrDir, err := getMountsMap(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// skip if the hostDir path doesn't exist
|
||||
if _, err := os.Stat(hostDir); os.IsNotExist(err) {
|
||||
logrus.Warnf("%q doesn't exist, skipping", hostDir)
|
||||
continue
|
||||
}
|
||||
|
||||
ctrDir = filepath.Join(containerWorkingDir, ctrDir)
|
||||
// skip if ctrDir has already been mounted by caller
|
||||
if isAlreadyMounted(runtimeMounts, ctrDir) {
|
||||
logrus.Warnf("%q has already been mounted; cannot override mount", ctrDir)
|
||||
continue
|
||||
}
|
||||
|
||||
if err := os.RemoveAll(ctrDir); err != nil {
|
||||
return nil, fmt.Errorf("remove container directory failed: %v", err)
|
||||
}
|
||||
|
||||
if err := os.MkdirAll(ctrDir, 0755); err != nil {
|
||||
return nil, fmt.Errorf("making container directory failed: %v", err)
|
||||
}
|
||||
|
||||
hostDir, err = resolveSymbolicLink(hostDir)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
data, err := getHostSecretData(hostDir)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "getting host secret data failed")
|
||||
}
|
||||
for _, s := range data {
|
||||
s.SaveTo(ctrDir)
|
||||
}
|
||||
label.Relabel(ctrDir, mountLabel, false)
|
||||
|
||||
m := rspec.Mount{
|
||||
Source: hostDir,
|
||||
Destination: ctrDir,
|
||||
}
|
||||
|
||||
mounts = append(mounts, m)
|
||||
}
|
||||
return mounts, nil
|
||||
}
|
||||
|
||||
func isAlreadyMounted(mounts []rspec.Mount, mountPath string) bool {
|
||||
for _, mount := range mounts {
|
||||
if mount.Destination == mountPath {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue