Browse code
daemon: use 0711 for /var/lib/docker
This fixes problems encountered when running with a remapped root (the
syscalls related to the metadata directory will fail under user
namespaces). Using 0711 rather than 0701 (which solved the problem
previously) fixes the issue.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Aleksa Sarai authored on 2016/03/16 17:24:03Showing 1 changed files
| ... | ... |
@@ -870,7 +870,7 @@ func setupRemappedRoot(config *Config) ([]idtools.IDMap, []idtools.IDMap, error) |
| 870 | 870 |
|
| 871 | 871 |
func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error {
|
| 872 | 872 |
config.Root = rootDir |
| 873 |
- // the docker root metadata directory needs to have execute permissions for all users (o+x) |
|
| 873 |
+ // the docker root metadata directory needs to have execute permissions for all users (g+x,o+x) |
|
| 874 | 874 |
// so that syscalls executing as non-root, operating on subdirectories of the graph root |
| 875 | 875 |
// (e.g. mounted layers of a container) can traverse this path. |
| 876 | 876 |
// The user namespace support will create subdirectories for the remapped root host uid:gid |
| ... | ... |
@@ -878,12 +878,12 @@ func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error |
| 878 | 878 |
// layer content subtrees. |
| 879 | 879 |
if _, err := os.Stat(rootDir); err == nil {
|
| 880 | 880 |
// root current exists; verify the access bits are correct by setting them |
| 881 |
- if err = os.Chmod(rootDir, 0701); err != nil {
|
|
| 881 |
+ if err = os.Chmod(rootDir, 0711); err != nil {
|
|
| 882 | 882 |
return err |
| 883 | 883 |
} |
| 884 | 884 |
} else if os.IsNotExist(err) {
|
| 885 |
- // no root exists yet, create it 0701 with root:root ownership |
|
| 886 |
- if err := os.MkdirAll(rootDir, 0701); err != nil {
|
|
| 885 |
+ // no root exists yet, create it 0711 with root:root ownership |
|
| 886 |
+ if err := os.MkdirAll(rootDir, 0711); err != nil {
|
|
| 887 | 887 |
return err |
| 888 | 888 |
} |
| 889 | 889 |
} |