diff --git a/cmd/containerd-nydus-grpc/snapshotter.go b/cmd/containerd-nydus-grpc/snapshotter.go
index cef899ccb1..4a848e51cd 100644
--- a/cmd/containerd-nydus-grpc/snapshotter.go
+++ b/cmd/containerd-nydus-grpc/snapshotter.go
@@ -38,6 +38,8 @@ func Start(ctx context.Context, cfg *config.SnapshotterConfig) error {
 stopSignal := signals.SetupSignalHandler()
 opt := ServeOptions{
 ListeningSocketPath: cfg.Address,
+ ListeningSocketUID: cfg.UID,
+ ListeningSocketGID: cfg.GID,
 EnableCRIKeychain: cfg.RemoteConfig.AuthConfig.EnableCRIKeychain,
 ImageServiceAddress: cfg.RemoteConfig.AuthConfig.ImageServiceAddress,
 }
@@ -53,6 +55,8 @@ func Start(ctx context.Context, cfg *config.SnapshotterConfig) error {
 
 type ServeOptions struct {
 ListeningSocketPath string
+ ListeningSocketUID int
+ ListeningSocketGID int
 EnableCRIKeychain bool
 ImageServiceAddress string
 }
@@ -72,6 +76,10 @@ func Serve(ctx context.Context, sn snapshots.Snapshotter, options ServeOptions,
 return errors.Wrapf(err, "listen socket %q", options.ListeningSocketPath)
 }
 
+ if err := os.Chown(options.ListeningSocketPath, options.ListeningSocketUID, options.ListeningSocketGID); err != nil {
+ return errors.Wrap(err, "chown socket")
+ }
+
 if options.EnableCRIKeychain {
 auth.AddImageProxy(ctx, rpc, options.ImageServiceAddress)
 }
diff --git a/config/config.go b/config/config.go
index 8c8ff018e9..8b6a342ae0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -222,8 +222,12 @@ type DebugConfig struct {
 }
 
 type SystemControllerConfig struct {
- Enable bool `toml:"enable"`
- Address string `toml:"address"`
+ Enable bool `toml:"enable"`
+ Address string `toml:"address"`
+ // UID to set on the system controller socket
+ UID int `toml:"uid"`
+ // GID to set on the system controller socket
+ GID int `toml:"gid"`
 DebugConfig DebugConfig `toml:"debug"`
 }
 
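Review bot: The new `os.Chown` after the listen call in `Serve` changes the socket's owner but never its mode, so whether the configured uid/gid can actually connect depends on the process umask at bind time — connect(2) on a Unix socket requires write permission on the socket file. Chmod it right after the chown so the ownership is meaningful: `if err := os.Chmod(options.ListeningSocketPath, 0660); err != nil { return errors.Wrap(err, "chmod socket") }`. Note also that `ListeningSocketUID`/`ListeningSocketGID` default to 0, so a snapshotter started as a non-root user with no `uid`/`gid` configured will now fail with EPERM on this chown where it previously started; `os.Chown` treats -1 as "leave unchanged" if an explicit opt-out is wanted. Serve continues outside the hunk.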
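Review bot: The comments on the new `UID`/`GID` fields of `SystemControllerConfig` do not say what happens when the keys are omitted: the Go zero value 0 is what gets passed to chown, so an absent key hands the socket to root:root rather than leaving it alone. Suggest `// UID to set on the system controller socket; 0 (the default) means root` and the matching text for GID, plus a sentence that a daemon not running as root must set these to ids it is permitted to chown to. The same wording applies to the SnapshotterConfig fields in the next hunk.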
@@ -231,8 +235,12 @@ type SnapshotterConfig struct {
 // Configuration format version
 Version int `toml:"version"`
 // Snapshotter's root work directory
- Root string `toml:"root"`
- Address string `toml:"address"`
+ Root string `toml:"root"`
+ Address string `toml:"address"`
+ // UID to set on the snapshotter socket
+ UID int `toml:"uid"`
+ // GID to set on the snapshotter socket
+ GID int `toml:"gid"`
 DaemonMode string `toml:"daemon_mode"`
 // Clean up all the resources when snapshotter is closed
 CleanupOnClose bool `toml:"cleanup_on_close"`
diff --git a/config/config_test.go b/config/config_test.go
index b52a20be45..9bcfd0c617 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -26,6 +26,8 @@ func TestLoadSnapshotterTOMLConfig(t *testing.T) {
 Version: 1,
 Root: "/var/lib/containerd/io.containerd.snapshotter.v1.nydus",
 Address: "/run/containerd-nydus/containerd-nydus-grpc.sock",
+ UID: 0,
+ GID: 0,
 DaemonMode: "dedicated",
 Experimental: Experimental{
 EnableStargz: false,
@@ -35,6 +37,8 @@ func TestLoadSnapshotterTOMLConfig(t *testing.T) {
 SystemControllerConfig: SystemControllerConfig{
 Enable: true,
 Address: "/run/containerd-nydus/system.sock",
+ UID: 0,
+ GID: 0,
 DebugConfig: DebugConfig{
 ProfileDuration: 5,
 PprofAddress: "",
diff --git a/pkg/system/system.go b/pkg/system/system.go
index 6ce8cc11fa..2e224f9c8c 100644
--- a/pkg/system/system.go
+++ b/pkg/system/system.go
@@ -31,6 +31,7 @@ import (
 "github.com/containerd/nydus-snapshotter/pkg/manager"
 metrics "github.com/containerd/nydus-snapshotter/pkg/metrics/tool"
 "github.com/containerd/nydus-snapshotter/pkg/prefetch"
+ "github.com/containerd/nydus-snapshotter/pkg/utils/signals"
 )
 
 const (
@@ -61,6 +62,8 @@ type Controller struct {
 managers []*manager.Manager
 // httpSever *http.Server
 addr *net.UnixAddr
+ uid int
+ gid int
 router *mux.Router
 }
 
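Review bot: `UID: 0` and `GID: 0` in the expected `SnapshotterConfig` are the int zero values, so this assertion passes even if the `uid`/`gid` TOML keys are never decoded; the same holds for the `SystemControllerConfig` hunk just below. If the fixture TOML lives outside this diff, give it non-zero ids there, e.g. `uid = 1000` / `gid = 1000`, and expect `UID: 1000, GID: 1000` here so the test actually proves the new keys are wired through. I cannot see the fixture in this diff, so please confirm where it is loaded from.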
@@ -125,7 +128,7 @@ type rafsInstanceInfo struct {
 ImageID string `json:"image_id"`
 }
 
-func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager, sock string) (*Controller, error) {
+func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager, sock string, uid, gid int) (*Controller, error) {
 if err := os.MkdirAll(filepath.Dir(sock), os.ModePerm); err != nil {
 return nil, err
 }
@@ -145,6 +148,8 @@ func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager,
 fs: fs,
 managers: managers,
 addr: addr,
+ uid: uid,
+ gid: gid,
 router: mux.NewRouter(),
 }
 
@@ -155,11 +160,23 @@ func NewSystemController(fs *filesystem.Filesystem, managers []*manager.Manager,
 func (sc *Controller) Run() error {
 log.L.Infof("Start system controller API server on %s", sc.addr)
 
+ stopChan := signals.SetupSignalHandler()
 listener, err := net.ListenUnix("unix", sc.addr)
 if err != nil {
 return errors.Wrapf(err, "listen to socket %s ", sc.addr)
 }
 
+ if err := os.Chown(sc.addr.String(), sc.uid, sc.gid); err != nil {
+ return errors.Wrap(err, "chown socket")
+ }
+
+ go func() {
+ <-stopChan
+ if err := listener.Close(); err != nil {
+ log.L.Errorf("Failed to close listener %s, err: %v", sc.addr.String(), err)
+ }
+ }()
+
 err = http.Serve(listener, sc.router)
 if err != nil {
 return errors.Wrapf(err, "system management serving")
diff --git a/snapshot/snapshot.go b/snapshot/snapshot.go
index 1712045009..bfe34f7f22 100644
--- a/snapshot/snapshot.go
+++ b/snapshot/snapshot.go
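Review bot: `NewSystemController` is exported and gains two positional `uid, gid int` parameters, but the signature still carries no doc comment saying what they are for. Add above it: `// NewSystemController builds the controller serving on sock; uid and gid are applied to the socket file with os.Chown once Run has bound it.` The remainder of the constructor body lies outside this hunk.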
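Review bot: In `Run`, closing the listener from the stop goroutine makes `http.Serve` return an error, so every signal-driven shutdown is now reported as a `system management serving` failure instead of a clean exit; compare against `net.ErrClosed` (Go 1.16+; `errors.Is` exists in pkg/errors ≥0.9 or the stdlib package) before wrapping. The `os.Chown` above it sets the owner but not the mode, so whether the configured gid can connect depends on the umask at bind time — connect(2) on a Unix socket needs write permission on the file — and should be followed by an `os.Chmod`. `signals.SetupSignalHandler()` is also called in `Start` in the first hunk of this diff; if the helper permits only one registration, as the k8s-derived versions do, this second call will panic or never fire, so passing a stop channel or context into `Run` would be safer — I cannot see the helper here, please confirm. Run's body ends outside the hunk.
```go
	if err := os.Chown(sc.addr.String(), sc.uid, sc.gid); err != nil {
		return errors.Wrap(err, "chown socket")
	}
	// connect(2) needs write permission on the socket file; without this the
	// mode is whatever the umask left at bind time and uid/gid gate nothing.
	if err := os.Chmod(sc.addr.String(), 0660); err != nil {
		return errors.Wrap(err, "chmod socket")
	}

	// … unchanged: shutdown goroutine closing listener on stopChan …

	err = http.Serve(listener, sc.router)
	// A listener closed by the stop goroutine is a normal shutdown, not a failure.
	if err != nil && !errors.Is(err, net.ErrClosed) {
		return errors.Wrapf(err, "system management serving")
	}
```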
@@ -238,7 +238,7 @@ func NewSnapshotter(ctx context.Context, cfg *config.SnapshotterConfig) (snapsho
 }
 
 if config.IsSystemControllerEnabled() {
- systemController, err := system.NewSystemController(nydusFs, fsManagers, config.SystemControllerAddress())
+ systemController, err := system.NewSystemController(nydusFs, fsManagers, config.SystemControllerAddress(), cfg.SystemControllerConfig.UID, cfg.SystemControllerConfig.GID)
 if err != nil {
 return nil, errors.Wrap(err, "create system controller")
 }
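Review bot: The new call reads `cfg.SystemControllerConfig.UID`/`GID` directly off the struct while the address on the same line still comes from the package-level accessor `config.SystemControllerAddress()`, so the three settings for one socket are sourced two different ways. Either add matching accessors or pass the address from the same struct, e.g. `system.NewSystemController(nydusFs, fsManagers, cfg.SystemControllerConfig.Address, cfg.SystemControllerConfig.UID, cfg.SystemControllerConfig.GID)` — assuming the accessor returns that field, which this hunk does not show. NewSnapshotter continues outside the hunk.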