Fix overlay and user namespace permissions

estesp · estesp · commit 191cefbaca45 · 2015-12-08T14:28:28.000-05:00
All underlay dirs need proper remapped ownership. This bug was masked by the
fact that the setupInitLayer code was chown'ing the dirs at startup
time. Since that bug is now fixed, it revealed this permissions issue.

Docker-DCO-1.1-Signed-off-by: Phil Estes &lt;estesp@linux.vnet.ibm.com&gt; (github: estesp)
diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
@@ -270,10 +270,10 @@ func (d *Driver) Create(id, parent, mountLabel string) (retErr error) {
 	parentRoot := path.Join(parentDir, "root")
 
 	if s, err := os.Lstat(parentRoot); err == nil {
-		if err := os.Mkdir(path.Join(dir, "upper"), s.Mode()); err != nil {
+		if err := idtools.MkdirAs(path.Join(dir, "upper"), s.Mode(), rootUID, rootGID); err != nil {
 			return err
 		}
-		if err := os.Mkdir(path.Join(dir, "work"), 0700); err != nil {
+		if err := idtools.MkdirAs(path.Join(dir, "work"), 0700, rootUID, rootGID); err != nil {
 			return err
 		}
 		if err := idtools.MkdirAs(path.Join(dir, "merged"), 0700, rootUID, rootGID); err != nil {
@@ -303,10 +303,10 @@ func (d *Driver) Create(id, parent, mountLabel string) (retErr error) {
 	}
 
 	upperDir := path.Join(dir, "upper")
-	if err := os.Mkdir(upperDir, s.Mode()); err != nil {
+	if err := idtools.MkdirAs(upperDir, s.Mode(), rootUID, rootGID); err != nil {
 		return err
 	}
-	if err := os.Mkdir(path.Join(dir, "work"), 0700); err != nil {
+	if err := idtools.MkdirAs(path.Join(dir, "work"), 0700, rootUID, rootGID); err != nil {
 		return err
 	}
 	if err := idtools.MkdirAs(path.Join(dir, "merged"), 0700, rootUID, rootGID); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -270,10 +270,10 @@ func (d *Driver) Create(id, parent, mountLabel string) (retErr error) {`
`270`	`270`	`parentRoot := path.Join(parentDir, "root")`
`271`	`271`
`272`	`272`	`if s, err := os.Lstat(parentRoot); err == nil {`
`273`		`- if err := os.Mkdir(path.Join(dir, "upper"), s.Mode()); err != nil {`
	`273`	`+ if err := idtools.MkdirAs(path.Join(dir, "upper"), s.Mode(), rootUID, rootGID); err != nil {`
`274`	`274`	`return err`
`275`	`275`	`}`
`276`		`- if err := os.Mkdir(path.Join(dir, "work"), 0700); err != nil {`
	`276`	`+ if err := idtools.MkdirAs(path.Join(dir, "work"), 0700, rootUID, rootGID); err != nil {`
`277`	`277`	`return err`
`278`	`278`	`}`
`279`	`279`	`if err := idtools.MkdirAs(path.Join(dir, "merged"), 0700, rootUID, rootGID); err != nil {`
`@@ -303,10 +303,10 @@ func (d *Driver) Create(id, parent, mountLabel string) (retErr error) {`
`303`	`303`	`}`
`304`	`304`
`305`	`305`	`upperDir := path.Join(dir, "upper")`
`306`		`- if err := os.Mkdir(upperDir, s.Mode()); err != nil {`
	`306`	`+ if err := idtools.MkdirAs(upperDir, s.Mode(), rootUID, rootGID); err != nil {`
`307`	`307`	`return err`
`308`	`308`	`}`
`309`		`- if err := os.Mkdir(path.Join(dir, "work"), 0700); err != nil {`
	`309`	`+ if err := idtools.MkdirAs(path.Join(dir, "work"), 0700, rootUID, rootGID); err != nil {`
`310`	`310`	`return err`
`311`	`311`	`}`
`312`	`312`	`if err := idtools.MkdirAs(path.Join(dir, "merged"), 0700, rootUID, rootGID); err != nil {`