This prevents targets with the same basename from colliding.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
| ... | ... |
@@ -954,8 +954,9 @@ func (container *Container) SecretMountPath() string {
|
| 954 | 954 |
return filepath.Join(container.Root, "secrets") |
| 955 | 955 |
} |
| 956 | 956 |
|
| 957 |
-func (container *Container) getLocalSecretPath(r *swarmtypes.SecretReference) string {
|
|
| 958 |
- return filepath.Join(container.SecretMountPath(), filepath.Base(r.File.Name)) |
|
| 957 |
+// SecretFilePath returns the path to the location of a secret on the host. |
|
| 958 |
+func (container *Container) SecretFilePath(secretRef swarmtypes.SecretReference) string {
|
|
| 959 |
+ return filepath.Join(container.SecretMountPath(), secretRef.SecretID) |
|
| 959 | 960 |
} |
| 960 | 961 |
|
| 961 | 962 |
func getSecretTargetPath(r *swarmtypes.SecretReference) string {
|
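Review bot: `SecretFilePath` passes `secretRef.SecretID` to `filepath.Join` unchecked, so the result stays inside `SecretMountPath()` only if the ID is a single non-empty path element. An empty ID makes the function return the secrets directory itself, and `filepath.Join` cleans separators and `..` rather than rejecting them. The ID presumably comes from the swarm manager and is well-formed, but nothing in the hunk states that. Because the method returns only a string, I would state the assumption in the doc comment, e.g. `// SecretID is assumed to be a single, non-empty path element.`, and have `setupSecretDir` check `filepath.Base(s.SecretID) == s.SecretID` before creating the file. The same applies to the `Source:` line in `SecretMounts`.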
| ... | ... |
@@ -248,15 +248,15 @@ func (container *Container) IpcMounts() []Mount {
|
| 248 | 248 |
return mounts |
| 249 | 249 |
} |
| 250 | 250 |
|
| 251 |
-// SecretMounts returns the mount for the secret path |
|
| 251 |
+// SecretMounts returns the mounts for the secret path. |
|
| 252 | 252 |
func (container *Container) SecretMounts() []Mount {
|
| 253 | 253 |
var mounts []Mount |
| 254 | 254 |
for _, r := range container.SecretReferences {
|
| 255 |
- // secrets are created in the SecretMountPath at a single level |
|
| 256 |
- // i.e. /var/run/secrets/foo |
|
| 257 |
- srcPath := container.getLocalSecretPath(r) |
|
| 255 |
+ if r.File == nil {
|
|
| 256 |
+ continue |
|
| 257 |
+ } |
|
| 258 | 258 |
mounts = append(mounts, Mount{
|
| 259 |
- Source: srcPath, |
|
| 259 |
+ Source: container.SecretFilePath(*r), |
|
| 260 | 260 |
Destination: getSecretTargetPath(r), |
| 261 | 261 |
Writable: false, |
| 262 | 262 |
}) |
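Review bot: The new `if r.File == nil { continue }` guard drops a reference silently, whereas `setupSecretDir` appears to return "secret target type is not a file target" for what looks like the same condition (its check is outside the visible lines). A short comment would show the skip is deliberate, e.g. `// only file targets produce a mount; non-file targets are skipped here`. As a style point, `container.SecretFilePath(*r)` copies the struct on each iteration because the new method takes `swarmtypes.SecretReference` by value while `getSecretTargetPath` takes a pointer. Accepting `*swarmtypes.SecretReference` in both would keep the two helpers parallel. The loop and the function body continue past the end of the hunk.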
| ... | ... |
@@ -47,7 +47,7 @@ func (container *Container) IpcMounts() []Mount {
|
| 47 | 47 |
return nil |
| 48 | 48 |
} |
| 49 | 49 |
|
| 50 |
-// SecretMounts returns the mount for the secret path |
|
| 50 |
+// SecretMounts returns the mounts for the secret path |
|
| 51 | 51 |
func (container *Container) SecretMounts() []Mount {
|
| 52 | 52 |
return nil |
| 53 | 53 |
} |
| ... | ... |
@@ -177,9 +177,9 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
| 177 | 177 |
return fmt.Errorf("secret target type is not a file target")
|
| 178 | 178 |
} |
| 179 | 179 |
|
| 180 |
- // secrets are created in the SecretMountPath at a single level |
|
| 181 |
- // i.e. /var/run/secrets/foo |
|
| 182 |
- fPath := filepath.Join(localMountPath, filepath.Base(s.File.Name)) |
|
| 180 |
+ // secrets are created in the SecretMountPath on the host, at a |
|
| 181 |
+ // single level |
|
| 182 |
+ fPath := c.SecretFilePath(*s) |
|
| 183 | 183 |
if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
|
| 184 | 184 |
return errors.Wrap(err, "error creating secret mount path") |
| 185 | 185 |
} |
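Review bot: The rewritten comment above `fPath` no longer says what the host file is named, and the example path was dropped, so a reader cannot tell that the file is now keyed by secret ID rather than by target name. I would write `// secrets are created in the SecretMountPath on the host, at a single level, in a file named after the secret ID`. With that layout `filepath.Dir(fPath)` should always equal `localMountPath`. If that variable is still in scope (the removed line used it), passing it to `MkdirAllAs` directly would keep directory creation independent of the ID's contents. `setupSecretDir` starts and ends outside the hunk.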