You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Please briefly describe the changes your pull request makes.
Similar to what containerd allows, the socket will be chowned to a different user. The main benefit is that is makes the socket callable by users other than root.
Related Issues
Please link to the relevant issue. For example: Fix #123 or Related #456.
Change Details
Please describe your changes in detail:
Test Results
If you have any relevant screenshots or videos that can help illustrate your changes, please add them here.
I started the snapshotter from this branch:
sudo ./containerd-nydus-grpc --config ./nydus.toml
INFO[2025-10-30T17:45:12.958791294+01:00] Start nydus-snapshotter. Version: v0.15.4-10-gf6677ba.m, PID: 204002, FsDriver: fusedev, DaemonMode: multiple
INFO[2025-10-30T17:45:12.963653295+01:00] Run daemons monitor...
INFO[2025-10-30T17:45:12.967405469+01:00] Started system controller on "/containerd-local/sock/nydus-system.sock"
INFO[2025-10-30T17:45:12.967501568+01:00] Start system controller API server on /containerd-local/sock/nydus-system.sock
INFO[2025-10-30T17:45:12.968131017+01:00] setup image proxy keychain target-image-service=/containerd-local/sock/containerd.sock
DEBU[2025-10-30T17:45:12.968258712+01:00] Waiting for CRI service is started...
INFO[2025-10-30T17:45:12.968614159+01:00] connected to backend CRI service
using the following config
version = 1
root = "/containerd-local/io.containerd.snapshotter.v1.nydus"
# The snapshotter's GRPC server socket, containerd will connect to plugin on this socket
address = "/containerd-local/sock/image-service.sock"
uid = 1000
gid = 1000
[system]
# Snapshotter's debug and trace HTTP server interface
enable = true
uid = 1000
gid = 1000
address = "/containerd-local/sock/nydus-system.sock"
which resulted in both the snapshotter and the system socket to be created under my user:
Similar to what containerd allows, the socket will be chowned to a different user. The main benefit is that is makes the socket callable by users other than root.
Signed-off-by: Baptiste Girard-Carrabin <[email protected]>
❌ Patch coverage is 0% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 20.89%. Comparing base (036bec7) to head (0d09129). ⚠️ Report is 20 commits behind head on main.
Thanks for the PR! Can we allow configuring (call os.Chmod after net.ListenUnix) the permission 0755 of this sock? To be honest, I don't quite understand why containerd uses UID and GID instead of simpler permission bits.
@imeoer just to make sure I understand, you'd prefer we just chmod 0755 the socket and not add the new uid/gid configs from this PR
OR do you want both to be present (the chmod + the uid/gid)?
I'm fine with either choice, just want to make sure I understand what you prefer
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fricounet
force-pushed
the
fricounet/socket-uid
branch
from
Overview
Please briefly describe the changes your pull request makes.
Similar to what containerd allows, the socket will be chowned to a different user. The main benefit is that is makes the socket callable by users other than root.
Related Issues
Please link to the relevant issue. For example:
Fix #123orRelated #456.Change Details
Please describe your changes in detail:
Test Results
If you have any relevant screenshots or videos that can help illustrate your changes, please add them here.
I started the snapshotter from this branch:
using the following config
which resulted in both the snapshotter and the system socket to be created under my user:
Change Type
Please select the type of change your pull request relates to:
Self-Checklist
Before submitting a pull request, please ensure you have completed the following: