This fixes problems encountered when running with a remapped root (the
syscalls related to the metadata directory will fail under user
namespaces). Using 0711 rather than 0701 (which solved the problem
previously) fixes the issue.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
... | ... |
@@ -870,7 +870,7 @@ func setupRemappedRoot(config *Config) ([]idtools.IDMap, []idtools.IDMap, error) |
870 | 870 |
|
871 | 871 |
func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error { |
872 | 872 |
config.Root = rootDir |
873 |
- // the docker root metadata directory needs to have execute permissions for all users (o+x) |
|
873 |
+ // the docker root metadata directory needs to have execute permissions for all users (g+x,o+x) |
|
874 | 874 |
// so that syscalls executing as non-root, operating on subdirectories of the graph root |
875 | 875 |
// (e.g. mounted layers of a container) can traverse this path. |
876 | 876 |
// The user namespace support will create subdirectories for the remapped root host uid:gid |
... | ... |
@@ -878,12 +878,12 @@ func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error |
878 | 878 |
// layer content subtrees. |
879 | 879 |
if _, err := os.Stat(rootDir); err == nil { |
880 | 880 |
// root current exists; verify the access bits are correct by setting them |
881 |
- if err = os.Chmod(rootDir, 0701); err != nil { |
|
881 |
+ if err = os.Chmod(rootDir, 0711); err != nil { |
|
882 | 882 |
return err |
883 | 883 |
} |
884 | 884 |
} else if os.IsNotExist(err) { |
885 |
- // no root exists yet, create it 0701 with root:root ownership |
|
886 |
- if err := os.MkdirAll(rootDir, 0701); err != nil { |
|
885 |
+ // no root exists yet, create it 0711 with root:root ownership |
|
886 |
+ if err := os.MkdirAll(rootDir, 0711); err != nil { |
|
887 | 887 |
return err |
888 | 888 |
} |
889 | 889 |
} |
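Review bot: In the `os.IsNotExist` branch, the mode given to `os.MkdirAll(rootDir, 0711)` is filtered by the process umask, so under a restrictive umask such as 077 a freshly created root comes out as 0700 and lacks the g+x/o+x traverse bits this change relies on. The existing-directory branch is not affected because it uses `os.Chmod`. `MkdirAll` also applies the same mode to any missing parent directories, so the result for a nested `rootDir` depends on the umask at every level. Unless code outside this hunk already corrects the mode, follow the create with `if err := os.Chmod(rootDir, 0711); err != nil { return err }` so both branches end in the same state. setupDaemonRoot's body continues past the end of the hunk, so a later fix-up cannot be ruled out from here.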