Merge pull request #235 from runcom/secrets-rewrite

runcom · web-flow · commit 636dd7c4cf3a · 2017-04-24T11:44:51.000+02:00
Secrets rewrite
diff --git a/container/container_notlinux.go b/container/container_notlinux.go
@@ -17,11 +17,6 @@ func (container *Container) SecretMount() *Mount {
 	return nil
 }
 
-// SecretMountRHEL returns the mount for the secret path
-func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
-	return nil
-}
-
 // UnmountSecrets unmounts the fs for secrets
 func (container *Container) UnmountSecrets() error {
 	return nil
diff --git a/container/container_unix.go b/container/container_unix.go
@@ -446,42 +446,3 @@ func cleanResourcePath(path string) string {
 func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
 	return false
 }
-
-// SecretMountRHEL returns the Secret Mount point
-func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
-	secretsPath, err := container.GetRootResourcePath("secrets")
-	if err != nil {
-		return nil, fmt.Errorf("GetSecretsPath failed: %v", err)
-	}
-
-	if err := os.RemoveAll(secretsPath); err != nil {
-		return nil, fmt.Errorf("RemoveSecretsPath failed: %v", err)
-	}
-
-	if err := os.MkdirAll(secretsPath, 0755); err != nil {
-		return nil, fmt.Errorf("MakeDirSecretsPath failed: %v", err)
-	}
-
-	data, err := getHostSecretData()
-	if err != nil {
-		return nil, fmt.Errorf("GetHostSecretData failed: %v", err)
-	}
-	for _, s := range data {
-		s.SaveTo(secretsPath)
-	}
-
-	if rootUID != 0 {
-		callback := func(p string, info os.FileInfo, err error) error {
-			return os.Chown(p, rootUID, rootGID)
-		}
-
-		filepath.Walk(secretsPath, callback)
-	}
-	label.Relabel(secretsPath, container.MountLabel, false)
-
-	m := &Mount{}
-	m.Source = secretsPath
-	m.Destination = "/run/secrets"
-	m.Writable = true
-	return m, nil
-}
diff --git a/container/container_windows.go b/container/container_windows.go
@@ -88,11 +88,6 @@ func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfi
 	return nil
 }
 
-// SecretMountRHEL returns the Secret Mount point
-func (container *Container) SecretMountRHEL(rootUID, rootGID int) (*Mount, error) {
-	return nil, nil
-}
-
 // cleanResourcePath cleans a resource path by removing C:\ syntax, and prepares
 // to combine with a volume path
 func cleanResourcePath(path string) string {
diff --git a/container/secrets.go b/container/secrets.go
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
@@ -177,10 +177,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		}
 
 		targetPath := filepath.Clean(s.File.Name)
-		// ensure that the target is a filename only; no paths allowed
-		if targetPath != filepath.Base(targetPath) {
-			return fmt.Errorf("error creating secret: secret must not be a path")
-		}
 
 		fPath := filepath.Join(localMountPath, targetPath)
 		if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
@@ -195,8 +191,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		if secret == nil {
 			return fmt.Errorf("unable to get secret from secret store")
 		}
-		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
-			return errors.Wrap(err, "error injecting secret")
+		if s.File.Mode.IsDir() {
+			if err := os.Mkdir(fPath, s.File.Mode); err != nil {
+				return errors.Wrap(err, "error injecting secret dir")
+			}
+		} else {
+			if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+				return errors.Wrap(err, "error injecting secret")
+			}
 		}
 
 		uid, err := strconv.Atoi(s.File.UID)
@@ -213,6 +215,8 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		}
 	}
 
+	label.Relabel(localMountPath, c.MountLabel, false)
+
 	// remount secrets ro
 	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil {
 		return errors.Wrap(err, "unable to remount secret dir as readonly")
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
@@ -712,18 +712,6 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 		ms = append(ms, *m)
 	}
 
-	rootUID, rootGID := daemon.GetRemappedUIDGID()
-	if daemon.configStore.EnableSecrets {
-		m, err := c.SecretMountRHEL(rootUID, rootGID)
-		if err != nil {
-			return nil, err
-		}
-		// SecretMountRHEL() returns m == nil && err == nil
-		// we check m before appending and dereferencing it
-		if m != nil {
-			ms = append(ms, *m)
-		}
-	}
 	sort.Sort(mounts(ms))
 	if err := setMounts(daemon, &s, c, ms); err != nil {
 		return nil, fmt.Errorf("linux mounts: %v", err)
diff --git a/daemon/start.go b/daemon/start.go
@@ -146,6 +146,13 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
 		return err
 	}
 
+	if daemon.configStore.EnableSecrets {
+		// SUSE:secrets -- inject the SUSE secret store
+		if err := daemon.injectSuseSecretStore(container); err != nil {
+			return err
+		}
+	}
+
 	spec, err := daemon.createSpec(container)
 	if err != nil {
 		return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
diff --git a/integration-cli/docker_cli_diff_test.go b/integration-cli/docker_cli_diff_test.go
