Giter VIP home page Giter VIP logo

Comments (8)

itamarst avatar itamarst commented on July 18, 2024

Definitely not necessary for first release.

from flocker.

tomprince avatar tomprince commented on July 18, 2024

Note that user is recorded symbolically, and may not be a user that exists on the host system (or may have a different UID on the host-system.

from flocker.

itamarst avatar itamarst commented on July 18, 2024

If the Docker image is configured with username... the knowledge of which uid it corresponds to is available elsewhere within the Docker image. So maybe we could launch a process inside a container using that image which will extract the UID in advance of starting the real container.

Unfortunately then there's images like the official MongoDB one, where it switches users inside the script it runs (https://github.com/docker-library/mongo/blob/master/2.7/docker-entrypoint.sh) so the information is not available for introspection.

from flocker.

itamarst avatar itamarst commented on July 18, 2024

An alternative approach might work depending on how the binding works. If /flocker is only RWX by root, and /flocker/myvolume is world RWX that means /flocker/myvolume is still protected on the host, and it's possible that's once it's bound into the container namespace it's only the permissions on /flocker/myvolume that matter.

from flocker.

itamarst avatar itamarst commented on July 18, 2024

Yeah, that works:

$ sudo ls -ld /tmp/protected/
drwx------ 3 root root 4096 Oct  9 14:42 /tmp/protected/
$ sudo ls -ld /tmp/protected/volume
drwxrwxrwx 2 itamarst itamarst 4096 Oct  9 14:44 /tmp/protected/volume
$ sudo docker run --rm --user=nobody -v /tmp/protected/volume:/myvolume busybox touch /myvolume/hello
$ ls /tmp/protected/volume/hello
ls: cannot access /tmp/protected/volume/hello: Permission denied
$ sudo ls /tmp/protected/volume/hello
/tmp/protected/volume/hello

from flocker.

itamarst avatar itamarst commented on July 18, 2024

So it looks like only thing we need to do is set /flocker to be only readable/writeable/executable by root, and we're good.

from flocker.

tomprince avatar tomprince commented on July 18, 2024

What does docker do with the permissions on the volume?

from flocker.

adamtheturtle avatar adamtheturtle commented on July 18, 2024

We are moving our development planning to JIRA. This issue is now being tracked at https://clusterhq.atlassian.net/browse/FLOC-34. You are welcome to file additional issues in GitHub if that's easier for you.

from flocker.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.