From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Mon, 27 Oct 2025 16:42:59 +0900
Subject: Fix directory permissions
- Create /var/lib/containerd with 0o700 (was: 0o711).
- Create config.TempDir with 0o700 (was: 0o711).
- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711, as required by userns-remapped containers.
/run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
- 0o700 for non-userns-remapped containers
- 0o710 for userns-remapped containers with the remapped root group as the owner group.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
pkg/cri/cri.go | 7 +++++++
runtime/v2/manager.go | 2 ++
services/server/server.go | 14 ++++++++++++--
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
index 0cf6618..ae82e1e 100644
--- a/pkg/cri/cri.go
+++ b/pkg/cri/cri.go
@@ -74,6 +74,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
}
}
+ if err := os.MkdirAll(ic.State, 0700); err != nil {
+ return nil, err
+ }
+ // chmod is needed for upgrading from an older release that created the dir with 0755
+ if err := os.Chmod(ic.State, 0700); err != nil {
+ return nil, err
+ }
c := criconfig.Config{
PluginConfig: *pluginConfig,
ContainerdRootDir: filepath.Dir(ic.Root),
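Review bot: os.MkdirAll(ic.State, 0700) only applies 0700 to directories it creates itself, so the following os.Chmod is what actually tightens a directory left behind by an older release; the comment says that, but it should also note that MkdirAll would create any missing parent at 0700 as well, which is only safe because /run/containerd is expected to exist already (created at 0o711 by CreateTopLevelDirectories in server.go before this plugin runs). Minor: the comment writes the old mode as `0755` while the matching comments in server.go use `0o711`; pick one notation.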
diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
index 97ea5f6..dc30e81 100644
--- a/runtime/v2/manager.go
+++ b/runtime/v2/manager.go
@@ -134,6 +134,8 @@ type ManagerConfig struct {
// NewShimManager creates a manager for v2 shims
func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
for _, d := range []string{config.Root, config.State} {
+ // root: the parent of this directory is created as 0700, not 0711.
+ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
if err := os.MkdirAll(d, 0711); err != nil {
return nil, err
}
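Review bot: the loop still creates config.Root with 0711 even though the new comment says its parent is now 0700; if the only reason for 0711 is userns-remapped containers under State, Root could get its own 0700 instead of relying on the parent, e.g. by iterating over a map of path to mode rather than the single slice with one hard-coded mode. The comment wording is also unclear: "is created as 0711 too" should say what "too" refers to (that the state dir itself is created with 0711 here, matching its parent), otherwise a reader may think the parent's mode was changed by this patch.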
diff --git a/services/server/server.go b/services/server/server.go
index b62eaab..ba87932 100644
--- a/services/server/server.go
+++ b/services/server/server.go
@@ -75,10 +75,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
return errors.New("root and state must be different paths")
}
- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
+ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
+ return err
+ }
+ // chmod is needed for upgrading from an older release that created the dir with 0o711
+ if err := os.Chmod(config.Root, 0700); err != nil {
return err
}
+ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
+ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
return err
}
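Review bot: os.Chmod(config.Root, 0700) runs on every start, which is fine on Linux, but on Windows os.Chmod only toggles the read-only attribute and never touches the ACL that sys.MkdirAllWithACL sets at creation time, so the "upgrading from an older release" path does not tighten an existing Windows root dir; if that is accepted, the comment should say so. Minor wording: "Each of plugins creates" should read "Each plugin creates".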
@@ -93,7 +99,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
}
if config.TempDir != "" {
- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
+ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
+ return err
+ }
+ // chmod is needed for upgrading from an older release that created the dir with 0o711
+ if err := os.Chmod(config.Root, 0700); err != nil {
return err
}
if runtime.GOOS == "windows" {
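Review bot: the chmod added in the TempDir block calls os.Chmod(config.Root, 0700) instead of os.Chmod(config.TempDir, 0700), so a TempDir created at 0o711 by an older release is never tightened and the Root chmod from the previous hunk is merely repeated; the comment above it describes the TempDir case, so the target should be `if err := os.Chmod(config.TempDir, 0700); err != nil {`.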