2016-12-03 01:04:07 +00:00
|
|
|
package allocdir
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
"path/filepath"
|
|
|
|
"syscall"
|
|
|
|
|
|
|
|
"golang.org/x/sys/unix"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// secretDirTmpfsSize is the size of the tmpfs per task in MBs
|
|
|
|
secretDirTmpfsSize = 1
|
|
|
|
|
|
|
|
// secretMarker is the filename of the marker created so Nomad doesn't
|
|
|
|
// try to mount the secrets tmpfs more than once
|
|
|
|
secretMarker = ".nomad-mount"
|
|
|
|
)
|
|
|
|
|
|
|
|
// linkDir bind mounts src to dst as Linux doesn't support hardlinking
|
|
|
|
// directories.
|
|
|
|
func linkDir(src, dst string) error {
|
|
|
|
if err := os.MkdirAll(dst, 0777); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return syscall.Mount(src, dst, "", syscall.MS_BIND, "")
|
|
|
|
}
|
|
|
|
|
|
|
|
// unlinkDir unmounts a bind mounted directory as Linux doesn't support
|
2017-03-02 23:44:52 +00:00
|
|
|
// hardlinking directories. If the dir is already unmounted no error is
|
|
|
|
// returned.
|
2016-12-03 01:04:07 +00:00
|
|
|
func unlinkDir(dir string) error {
|
2017-03-02 21:20:47 +00:00
|
|
|
if err := syscall.Unmount(dir, 0); err != nil {
|
|
|
|
if err != syscall.EINVAL {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
2016-12-03 01:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// createSecretDir creates the secrets dir folder at the given path using a
|
|
|
|
// tmpfs
|
|
|
|
func createSecretDir(dir string) error {
|
|
|
|
// Only mount the tmpfs if we are root
|
|
|
|
if unix.Geteuid() == 0 {
|
|
|
|
if err := os.MkdirAll(dir, 0777); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for marker file and skip mounting if it exists
|
|
|
|
marker := filepath.Join(dir, secretMarker)
|
|
|
|
if _, err := os.Stat(marker); err == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-09 19:05:18 +00:00
|
|
|
flags := uintptr(syscall.MS_NOEXEC)
|
2016-12-03 01:04:07 +00:00
|
|
|
options := fmt.Sprintf("size=%dm", secretDirTmpfsSize)
|
|
|
|
if err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); err != nil {
|
|
|
|
return os.NewSyscallError("mount", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create the marker file so we don't try to mount more than once
|
|
|
|
f, err := os.OpenFile(marker, os.O_RDWR|os.O_CREATE, 0666)
|
|
|
|
if err != nil {
|
|
|
|
// Hard fail since if this fails something is really wrong
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
f.Close()
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return os.MkdirAll(dir, 0777)
|
|
|
|
}
|
|
|
|
|
|
|
|
// createSecretDir removes the secrets dir folder
|
|
|
|
func removeSecretDir(dir string) error {
|
|
|
|
if unix.Geteuid() == 0 {
|
2017-03-02 21:20:47 +00:00
|
|
|
if err := unlinkDir(dir); err != nil {
|
2017-03-02 01:18:02 +00:00
|
|
|
// Ignore invalid path errors
|
|
|
|
if err != syscall.ENOENT {
|
|
|
|
return os.NewSyscallError("unmount", err)
|
|
|
|
}
|
2016-12-03 01:04:07 +00:00
|
|
|
}
|
|
|
|
|
2017-03-02 01:18:02 +00:00
|
|
|
}
|
2016-12-03 01:04:07 +00:00
|
|
|
return os.RemoveAll(dir)
|
|
|
|
}
|