Only chown network files within container metadata

If the user specifies a mountpath from the host, we should not be
attempting to chown files outside the daemon's metadata directory
(represented by `daemon.repository` at init time).

This forces users who want to use user namespaces to handle the
ownership needs of any external files mounted as network files
(/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
daemon. In all other volume/bind mount situations we have taken this
same line--we don't chown host file content.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Phil Estes
2017-07-22 22:11:09 -04:00
parent 3ab20a87fa
commit 42716dcf5c
3 changed files with 99 additions and 2 deletions


@@ -86,8 +86,13 @@ func (daemon *Daemon) setupMounts(c *container.Container) ([]container.Mount, er
// remapped root (user namespaces)
rootIDs := daemon.idMappings.RootPair()
for _, mount := range netMounts {
if err := os.Chown(mount.Source, rootIDs.UID, rootIDs.GID); err != nil {
return nil, err
// we should only modify ownership of network files within our own container
// metadata repository. If the user specifies a mount path external, it is
// up to the user to make sure the file has proper ownership for userns
if strings.Index(mount.Source, daemon.repository) == 0 {
if err := os.Chown(mount.Source, rootIDs.UID, rootIDs.GID); err != nil {
return nil, err
}
}
}
return append(mounts, netMounts...), nil
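Review bot: The containment test `strings.Index(mount.Source, daemon.repository) == 0` is a raw string-prefix match, so a source such as `<repository>-other/...` (a sibling directory sharing the prefix) or `<repository>/../../etc/resolv.conf` (a `..` traversal, if the caller lets such a path reach here) passes the check and is still chowned to the remapped root. Compare cleaned paths and require a separator after the prefix, e.g. `src := filepath.Clean(mount.Source)` followed by `if src == daemon.repository || strings.HasPrefix(src, daemon.repository+string(filepath.Separator)) {`; this presumes `daemon.repository` is itself absolute and clean at init, which the commit message states but the hunk does not show, and needs `path/filepath` imported if it is not already. Note also that `os.Chown` follows symlinks, so if any component under the repository could be a symlink to a host file the prefix check does not prevent the escape; `os.Lchown` or an `filepath.EvalSymlinks` pass before the check would close that, assuming the metadata files are expected to be regular files. The enclosing `setupMounts` begins before this hunk.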