Merge pull request #685 from DataDog/fricounet/socket-uid

Allow to configure the socket uid and gid

Author: imeoer

cmd/containerd-nydus-grpc/snapshotter.go

@@ -38,6 +38,8 @@ func Start(ctx context.Context, cfg *config.SnapshotterConfig) error {
 	stopSignal := signals.SetupSignalHandler()
 	opt := ServeOptions{
 		ListeningSocketPath: cfg.Address,
+		ListeningSocketUID:  cfg.UID,
+		ListeningSocketGID:  cfg.GID,
 		EnableCRIKeychain:   cfg.RemoteConfig.AuthConfig.EnableCRIKeychain,
 		ImageServiceAddress: cfg.RemoteConfig.AuthConfig.ImageServiceAddress,
 	}
@@ -53,6 +55,8 @@ func Start(ctx context.Context, cfg *config.SnapshotterConfig) error {
 
 type ServeOptions struct {
 	ListeningSocketPath string
+	ListeningSocketUID  int
+	ListeningSocketGID  int
 	EnableCRIKeychain   bool
 	ImageServiceAddress string
 }
@@ -72,6 +76,10 @@ func Serve(ctx context.Context, sn snapshots.Snapshotter, options ServeOptions,
 		return errors.Wrapf(err, "listen socket %q", options.ListeningSocketPath)
 	}
 
+	if err := os.Chown(options.ListeningSocketPath, options.ListeningSocketUID, options.ListeningSocketGID); err != nil {
+		return errors.Wrap(err, "chown socket")
+	}
+
 	if options.EnableCRIKeychain {
 		auth.AddImageProxy(ctx, rpc, options.ImageServiceAddress)
 	}

config/config.go

@@ -222,17 +222,25 @@ type DebugConfig struct {
 }
 
 type SystemControllerConfig struct {
-	Enable      bool        `toml:"enable"`
-	Address     string      `toml:"address"`
+	Enable  bool   `toml:"enable"`
+	Address string `toml:"address"`
+	// UID to set on the system controller socket
+	UID int `toml:"uid"`
+	// GID to set on the system controller socket
+	GID         int         `toml:"gid"`
 	DebugConfig DebugConfig `toml:"debug"`
 }
 
 type SnapshotterConfig struct {
 	// Configuration format version
 	Version int `toml:"version"`
 	// Snapshotter's root work directory
-	Root       string `toml:"root"`
-	Address    string `toml:"address"`
+	Root    string `toml:"root"`
+	Address string `toml:"address"`
+	// UID to set on the snapshotter socket
+	UID int `toml:"uid"`
+	// GID to set on the snapshotter socket
+	GID        int    `toml:"gid"`
 	DaemonMode string `toml:"daemon_mode"`
 	// Clean up all the resources when snapshotter is closed
 	CleanupOnClose bool `toml:"cleanup_on_close"`

config/config_test.go

@@ -26,6 +26,8 @@ func TestLoadSnapshotterTOMLConfig(t *testing.T) {
 		Version:    1,
 		Root:       "/var/lib/containerd/io.containerd.snapshotter.v1.nydus",
 		Address:    "/run/containerd-nydus/containerd-nydus-grpc.sock",
+		UID:        0,
+		GID:        0,
 		DaemonMode: "dedicated",
 		Experimental: Experimental{
 			EnableStargz:         false,
@@ -35,6 +37,8 @@ func TestLoadSnapshotterTOMLConfig(t *testing.T) {
 		SystemControllerConfig: SystemControllerConfig{
 			Enable:  true,
 			Address: "/run/containerd-nydus/system.sock",
+			UID:     0,
+			GID:     0,
 			DebugConfig: DebugConfig{
 				ProfileDuration: 5,
 				PprofAddress:    "",

pkg/system/system.go

@@ -31,6 +31,7 @@ import (
 	"github.com/containerd/nydus-snapshotter/pkg/manager"
 	metrics "github.com/containerd/nydus-snapshotter/pkg/metrics/tool"
 	"github.com/containerd/nydus-snapshotter/pkg/prefetch"
+	"github.com/containerd/nydus-snapshotter/pkg/utils/signals"
 )
 
 const (
@@ -61,6 +62,8 @@ type Controller struct {
 	managers []*manager.Manager
 	// httpSever *http.Server
 	addr   *net.UnixAddr
+	uid    int
+	gid    int
 	router *mux.Router
 }
 
@@ -125,7 +128,7 @@ type rafsInstanceInfo struct {
 	ImageID     string `json:"image_id"`
 }
 
-func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager, sock string) (*Controller, error) {
+func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager, sock string, uid, gid int) (*Controller, error) {
 	if err := os.MkdirAll(filepath.Dir(sock), os.ModePerm); err != nil {
 		return nil, err
 	}
@@ -145,6 +148,8 @@ func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager,
 		fs:       fs,
 		managers: managers,
 		addr:     addr,
+		uid:      uid,
+		gid:      gid,
 		router:   mux.NewRouter(),
 	}
 
@@ -155,11 +160,23 @@ func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager,
 
 func (sc *Controller) Run() error {
 	log.L.Infof("Start system controller API server on %s", sc.addr)
+	stopChan := signals.SetupSignalHandler()
 	listener, err := net.ListenUnix("unix", sc.addr)
 	if err != nil {
 		return errors.Wrapf(err, "listen to socket %s ", sc.addr)
 	}
 
+	if err := os.Chown(sc.addr.String(), sc.uid, sc.gid); err != nil {
+		return errors.Wrap(err, "chown socket")
+	}
+
+	go func() {
+		<-stopChan
+		if err := listener.Close(); err != nil {
+			log.L.Errorf("Failed to close listener %s, err: %v", sc.addr.String(), err)
+		}
+	}()
+
 	err = http.Serve(listener, sc.router)
 	if err != nil {
 		return errors.Wrapf(err, "system management serving")

snapshot/snapshot.go

@@ -238,7 +238,7 @@ func NewSnapshotter(ctx context.Context, cfg *config.SnapshotterConfig) (snapsho
 	}
 
 	if config.IsSystemControllerEnabled() {
-		systemController, err := system.NewSystemController(nydusFs, fsManagers, config.SystemControllerAddress())
+		systemController, err := system.NewSystemController(nydusFs, fsManagers, config.SystemControllerAddress(), cfg.SystemControllerConfig.UID, cfg.SystemControllerConfig.GID)
 		if err != nil {
 			return nil, errors.Wrap(err, "create system controller")
 		}