New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix working with read-only /dev #3345
Conversation
Use os/file Chown method instead of bare unix.Fchown as it already have access to underlying fd, and produces nice-looking errors. This allows us to remove our error wrapping and some linter annotations. We still use unix.Fstat since os.Stat access to os-specific fields like uid/gid is not very straightforward. The only change here is to use file name (rather than fd) in the error text. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since we already called fstat, we know the current file uid. In case it is the same as the one we want it to be, there's no point in trying chown. Remove the specific /dev/null check, as the above also covers it (comparing /dev/null uid with itself is true). This also fixes runc exec with read-only /dev for root user. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case of a read-only /dev, it's better to move on and let whatever is run in a container to handle any possible errors. This solves runc exec for a user with read-only /dev. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
I guess I could add some integration tests, but this is pretty straightforward. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
LGTM |
@AkihiroSuda PTAL |
@mrunalp PTAL |
Depending on podman release plans, we may need to have 1.1.1 released with the backport of this one. |
It looks like we need to release 1.1.1 |
TL;DR: do not chown
/dev/std{in,out,err}
if there's no need; ignore EROFS when chown fails.For the context, see containers/podman#12954
Please review commit-by-commit.