From 2eb85f70168d331e49e9d38bfbd2292d586dfcc1 Mon Sep 17 00:00:00 2001 From: Peter Amstutz Date: Wed, 31 Jan 2018 16:22:31 -0500 Subject: [PATCH] 12764: crunch-run temporary directories have common parent Some directories created by crunch-run need to be world readable/writable. Apply path-based security using parent directory with mode 0700. Enables crunch-run to bind into the container while avoiding making the directory trivially accessible to anyone on the host. Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- services/crunch-run/crunchrun.go | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go index 1895701468..8d935604ee 100644 --- a/services/crunch-run/crunchrun.go +++ b/services/crunch-run/crunchrun.go @@ -113,6 +113,7 @@ type ContainerRunner struct { SigChan chan os.Signal ArvMountExit chan error finalState string + parentTemp string statLogger io.WriteCloser statReporter *crunchstat.Reporter @@ -327,7 +328,7 @@ func (runner *ContainerRunner) ArvMountCmd(arvMountCmd []string, token string) ( func (runner *ContainerRunner) SetupArvMountPoint(prefix string) (err error) { if runner.ArvMountPoint == "" { - runner.ArvMountPoint, err = runner.MkTempDir("", prefix) + runner.ArvMountPoint, err = runner.MkTempDir(runner.parentTemp, prefix) } return } @@ -490,7 +491,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) { case mnt.Kind == "tmp": var tmpdir string - tmpdir, err = runner.MkTempDir("", "") + tmpdir, err = runner.MkTempDir(runner.parentTemp, "tmp") if err != nil { return fmt.Errorf("While creating mount temp dir: %v", err) } @@ -518,7 +519,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) { // can ensure the file is world-readable // inside the container, without having to // make it world-readable on the docker host. - tmpdir, err := runner.MkTempDir("", "") + tmpdir, err := runner.MkTempDir(runner.parentTemp, "json") if err != nil { return fmt.Errorf("creating temp dir: %v", err) } @@ -531,7 +532,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) { runner.Binds = append(runner.Binds, fmt.Sprintf("%s:%s:ro", tmpfn, bind)) case mnt.Kind == "git_tree": - tmpdir, err := runner.MkTempDir("", "") + tmpdir, err := runner.MkTempDir(runner.parentTemp, "git_tree") if err != nil { return fmt.Errorf("creating temp dir: %v", err) } @@ -1432,6 +1433,10 @@ func (runner *ContainerRunner) CleanupDirs() { runner.CrunchLog.Printf("While cleaning up temporary directory %s: %v", tmpdir, rmerr) } } + + if rmerr := os.RemoveAll(runner.parentTemp); rmerr != nil { + runner.CrunchLog.Printf("While cleaning up temporary directory %s: %v", runner.parentTemp, rmerr) + } } // CommitLogs posts the collection containing the final container logs. @@ -1769,6 +1774,12 @@ func main() { os.Exit(1) } + parentTemp, tmperr := cr.MkTempDir("", "crunch-run") + if tmperr != nil { + log.Fatalf("%s: %v", containerId, tmperr) + } + + cr.parentTemp = parentTemp cr.statInterval = *statInterval cr.cgroupRoot = *cgroupRoot cr.expectCgroupParent = *cgroupParent -- 2.30.2